Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: eBGP routes not showing up
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eBGP routes not showing up
Hi,
I am doing a lab setup where I have hit a problem with ebgp routes disappearing from the routing-database when ibgp routes shows up. I have not done any route manipulation on my BGP session at the moment. I would have thought that even if the route is not active it would appear in the routing-database (get router info routing-table database). I can see the routes being advertised and also received (get router info routing-table bgp neigh received-routes).
The BGP sessions are over the tunnel and I am assuming that there would not be any difference.
Any help is appreciated.
San
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate adds below config by default to set local-preference to 100.
FGT # config router bgp
FGT (bgp) # show full | grep local-pre
set default-local-preference 100
IBGP carries the local-prefernce values within same AS and due to that reason you get route with local-preference 100 and thats the reason IBGP route is getting activated.
You can either set the "set default-local-preference 0" on the advertising device (IBGP neighbor) or apply a route-map in the receiving fortigate to make local-preference 0 for IBGP or another route-map to increase the local-preference to 200 for EBGP route.
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
25 REPLIES 25
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you check if you are hitting the scenario given in https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-routes-not-added-into-the-routing-tabl...
This article is about BGP and OSPF, but I think EBGP and IBGP are similar scenario
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Suraj,
This is slightly different.
In the example both routes are visible in the routing database (#get router info routing-table database), but in my case the eBGP route is not visible in the database when the iBGP is learned. I am trying to learn default route from eBGP peer and iBGP peer.
However, when I do #get router info bgp network --> I can see all the learned routes there. In the output below there are 2 default route from iBGP and 1 from eBGP (neighbour 203.116.1.5). The local preference for the iBGP is 100 but the eBGP does not have any - could that be the reason? Weigh and metric is the same.
here is the output:
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i0.0.0.0/0 172.21.1.1 0 100 0 0 i <256/1>
*>i 172.22.1.1 0 100 0 0 i <256/2>
* 203.116.1.5 0 0 0 65111 i <-
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Even if you will change local-pref for eBGP route, at some point if all metrics are the same, eBGP route will win over iBGP route.
Adrian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd say very much may be the reason, look at selection criteria for the best path:
- Choose the route with the highest weight.
- If weight is not set, choose the route with the highest local preference.
- Choose routes that this router originated.
- Choose the path with the shortest Autonomous System path.
- Choose the path with the lowest origin code (i is lowest, e is next, ? is last).
- Choose the route with the lowest MED, if the same Autonomous System advertises the possible routes.
- Choose an EBGP route over an IBGP route.
- Choose the route through the nearest IGP neighbor as determined by the lowest IGP metric.
- Choose the oldest route
- Choose a path through the neighbor with the lowest router ID.
- Choose a path through the neighbor with the lowest IP address.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you mean your FGT gets the same routes both - via eBGP and iBGP? AD of eBGP is 20 while of iBGP is 200, so unless you do some manipulation on FGT (redistribute, route-map assigning weight etc. to the learned routes) this should not be possible.
Personal opinion: I've seen bugs and problems with routing protocols in FGT over years, but not like that, and is strongly inclined that something in setup/configuration is causing this, not FGT itself.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yuri,
Yeah I will have a further look at my configuration. I was also hoping that the eBGP route would be installed as well. On the advertising FTGT I have tried capability-default-originate to redistribute static just to see if that matters as well and played with few other configs. The BGP is over a tunnel but I don't think that would matter.
Here is the neighbor config on the router that is receiving the route. 203.116.1.5 neighbor is external and the second neighbor is internal.
edit "203.116.1.5"
set soft-reconfiguration enable
set interface "Prisma"
set remote-as 65111
set keep-alive-timer 10
set holdtime-timer 30
set connect-timer 5
set update-source "Prisma"
next
config neighbor
edit "172.21.1.1"
set next-hop-self enable
set soft-reconfiguration enable
set interface "Spoke-HUB1"
set remote-as 65001
set keep-alive-timer 10
set holdtime-timer 30
set connect-timer 5
set update-source "Spoke-HUB1"
set additional-path both
set adv-additional-path 8
I will have a second look at the config.
san
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting behavior. I tested the same and I can see the IBGP route is preferred by default and we need to apply a route-map to increase the local-preference of EBGP route to make it preferred.
I will update if I manage to find the possible reasons for this behavior.
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate adds below config by default to set local-preference to 100.
FGT # config router bgp
FGT (bgp) # show full | grep local-pre
set default-local-preference 100
IBGP carries the local-prefernce values within same AS and due to that reason you get route with local-preference 100 and thats the reason IBGP route is getting activated.
You can either set the "set default-local-preference 0" on the advertising device (IBGP neighbor) or apply a route-map in the receiving fortigate to make local-preference 0 for IBGP or another route-map to increase the local-preference to 200 for EBGP route.
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Suraj,
Thank you for testing it out. I was suspecting of the local preference in on of my messages but did not have the time to test it out. I will find sometime to try it out hopefully today.
BTW, what version are you running on. I was on an older version 6.4.8. I had some ebgp and ibgp set up before but had not encountered this issues.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,680 -
FortiClient
1,755 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
469 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
317 -
6.2
251 -
SSL-VPN
242 -
FortiAuthenticator v5.5
234 -
IPsec
207 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiGate-VM
11 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1705 | |
| 1093 | |
| 752 | |
| 446 | |
| 230 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.