Description
- The BGP peering up between two Fortigates over an IPsec tunnel.
- The routes are being advertised by hub towards spoke, however, spoke is not receiving all the routes.
- Checking the advertised-routes on hub, it can be seen that almost 2250 are being advertised.
- The spoke is only receiving a single default route.
Routes Advertised.
HUB # get router info bgp neighbors 10.10.10.2 advertised-routes
BGP table version is 52383, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
Total number of prefixes 2250 <----- Advertised routes by Hub FortiGate.
Spoke received.
Spoke # get router info bgp neighbors 10.10.10.1 received-routes
BGP table version is 35, local router ID is 10.10.10.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 10.10.10.1 0 0 64831 13009 64753 i
Total number of prefixes 1 <----- Received routes by Spoke FortiGate.
Troubleshooting Commands.
# diag ip router bgp all disable
# diag ip router bgp updates enable
# diag ip router bgp level info
Spoke Debugs.
BGP: 10.10.10.1-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (44), msg_size (44)
BGP: 10.10.10.1-Outgoing [DECODE] Update: NLRI Len(1)
BGP: 10.10.10.1-Outgoing [FSM] State: Established Event: 27
BGP: 10.10.10.1-Outgoing [RIB] Update: Received Prefix 0.0.0.0/0 <----- Only default prefix is received.
Scope
With larger updates, ESP packets are dropped or blocked because of a firewall or routing issue somewhere in the path between the FortiGate's WAN interface and the remote VPN peer, which prevents VPN traffic from flowing properly.
Solution 1
In such case, enforce NAT-T over the IPsec tunnel can help in fixing the issue.
# config vpn ipsec phase1-interface
edit "s2s-ipsec"
set interface "wan1"
set peertype any
set nattraversal forced Add the following command
set proposal aes128-sha256 aes256-sha256 3des-sha256
set npu-offload disable
set remote-gw x.x.x.x
set psksecret ENC
next
Solution 2
If NAT-T does not help, it is advised to lower the MTU on the IPsec interface. This can be seen in scenarios where GRE over IPsec might be used.
# config system interface
edit "s2s-ipsec"
set mtu-override enable/disable
set mtu 1300
end
end
Related Articles
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.