FortiGate
serge_FTNT
Staff
Article Id 194410

Description

This article addresses an issue where BGP peering may fail to establish even though basic connectivity to the peer (PING, TCP) is fine.


Scope

FortiOS v5.2 and above.


Solution

Collect a sniffer trace on the FortiGate using:
diag sniff packet any 'host <remote peer> and tcp port 179' 4 0 l

The TCP 3-way handshake (SYN/SYN-ACK/ACK) is seen, but it is quickly followed by a FIN and an RST:
v501  out  syn 4224897778
v501  in   syn 1861781389 ack 4224897779
v501  out  ack 1861781390
v501  in   psh 1861781390 ack 4224897840
v501  out  ack 1861781456
v501  out  psh 4224897840 ack 1861781456
v501  out  fin 4224897861 ack 1861781456
v501  in   ack 4224897862
v501  in   psh 1861781456 ack 4224897862
v501  out  rst 4224897862

Collect the output of:
diag ip router bgp all enable
diag debug enable

If the output shows messages like the following:
Outgoing [FSM] State: OpenSent Event: 22"
Outgoing [DECODE] Open Cap: Cap Code 66, Cap Len 0"
Outgoing [DECODE] Open Cap: unrecognized capability code 66 len 0"
id=20301 logdesc="Routing log" msg="BGP: [GRST] Timer Announce Defer: Check"
Outgoing [DECODE] Open Cap: Cap Code 67, Cap Len 3"
Outgoing [DECODE] Open DYN: Cap-length error 3"
Outgoing [ENCODE] Msg-Hdr: Type 3"
id=20301 logdesc="Routing log" msg="BGP: %BGP-3-NOTIFICATION

then the cause is capability code 66 in the peer's OPEN message. This capability code is deprecated (2003-03-06), so the FortiGate rejects the OPEN with a NOTIFICATION (message type 3) and the session is torn down.

Since the FortiGate "bgp capability-dynamic" setting is disabled by default, one solution is to disable the BGP dynamic capability on the Cisco unit:
N7K(config-router-neighbor)#
router bgp 65100
  neighbor x.x.x.x
    no dynamic-capability
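To make the capability decode in the debug output concrete, here is an added Python example (not Fortinet's or Cisco's code) that parses the optional parameters of a raw BGP OPEN message, laid out as in RFC 5492, and flags the two things the FortiGate above objected to: capability code 66 (deprecated) and a Dynamic Capability (code 67) carrying a non-zero length. The OPEN message, its AS number and its capability list are constructed inline for the demonstration.

```python
import struct

BGP_MARKER = b"\xff" * 16
OPEN = 1                 # BGP message type 1
PARAM_CAPABILITIES = 2   # optional parameter type carrying capabilities
CAP_DEPRECATED_66 = 66   # deprecated 2003-03-06; the code in the debug above
CAP_DYNAMIC = 67         # Dynamic Capability, logged as "Open DYN" above

def build_open(asn, bgp_id, hold_time, caps):
    """Build a raw OPEN with one Capabilities parameter (constructed test input)."""
    cap_blob = b"".join(struct.pack("!BB", c, len(v)) + v for c, v in caps)
    params = struct.pack("!BB", PARAM_CAPABILITIES, len(cap_blob)) + cap_blob
    body = struct.pack("!BHHIB", 4, asn, hold_time, bgp_id, len(params)) + params
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body

def parse_open_capabilities(msg):
    """Return (asn, bgp_id, [(code, value), ...]) decoded from a raw OPEN."""
    if msg[:16] != BGP_MARKER:
        raise ValueError("bad BGP marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != OPEN or length != len(msg):
        raise ValueError("not a complete OPEN message")
    _ver, asn, _hold, bgp_id, opt_len = struct.unpack("!BHHIB", msg[19:29])
    params, caps, i = msg[29:29 + opt_len], [], 0
    while i < len(params):
        ptype, plen = params[i], params[i + 1]
        pval, i = params[i + 2:i + 2 + plen], i + 2 + plen
        if ptype != PARAM_CAPABILITIES:
            continue
        j = 0
        while j < len(pval):          # one parameter may carry several caps
            code, clen = pval[j], pval[j + 1]
            caps.append((code, bytes(pval[j + 2:j + 2 + clen])))
            j += 2 + clen
    return asn, bgp_id, caps

def audit_capabilities(caps):
    """Flag the two capability problems seen in the FortiGate debug output."""
    findings = []
    for code, value in caps:
        if code == CAP_DEPRECATED_66:
            findings.append((code, "deprecated capability code 66"))
        elif code == CAP_DYNAMIC and value:
            # The FortiOS decoder above logs "Cap-length error" for a non-zero
            # Dynamic Capability length, so report it for review.
            findings.append((code, f"dynamic capability length {len(value)}"))
    return findings

# Constructed sample: MP-BGP IPv4 unicast (cap 1), cap 66 len 0, cap 67 len 3.
SAMPLE_OPEN = build_open(65100, 0x0A000001, 180,
                         [(1, b"\x00\x01\x00\x01"), (66, b""), (67, b"\x01\x02\x03")])
```

Running `audit_capabilities(parse_open_capabilities(SAMPLE_OPEN)[2])` reports both the deprecated code 66 and the length-3 Dynamic Capability, matching the two decode errors in the debug output above.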
