FortiGate
sagha (Staff)
Article Id 189402

Description

- BGP peering is up between two FortiGates over an IPsec tunnel.

- The hub advertises its routes towards the spoke, but the spoke does not receive all of them.

- Checking the advertised routes on the hub shows 2250 prefixes being advertised.

- The spoke receives only a single default route, even though the BGP session stays Established.

Routes advertised by the hub:

HUB # get router info bgp neighbors 10.10.10.2 advertised-routes
BGP table version is 52383, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
Total number of prefixes 2250                                                                               <----- Advertised routes by Hub FortiGate.

Routes received by the spoke:

Spoke # get router info bgp neighbors 10.10.10.1 received-routes
BGP table version is 35, local router ID is 10.10.10.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 10.10.10.1 0 0 64831 13009 64753 i
Total number of prefixes 1                                                                                  <----- Received routes by Spoke FortiGate.

Troubleshooting commands (run on the spoke to see what arrives from the hub):

# diag ip router bgp all disable                                                                   <----- Clears any BGP debug flags set earlier.
# diag ip router bgp updates enable
# diag ip router bgp level info
# diag debug enable                                                                                <----- Required for the debug output to be displayed.

Spoke Debugs.

BGP: 10.10.10.1-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (44), msg_size (44)
BGP: 10.10.10.1-Outgoing [DECODE] Update: NLRI Len(1)
BGP: 10.10.10.1-Outgoing [FSM] State: Established Event: 27
BGP: 10.10.10.1-Outgoing [RIB] Update: Received Prefix 0.0.0.0/0                                            <----- Only default prefix is received.


Scope


The BGP UPDATE messages that carry a large number of prefixes fill TCP segments up to the tunnel MSS, and once ESP-encapsulated these packets exceed the path MTU and are fragmented. A firewall or routing issue somewhere in the path between the FortiGate's WAN interface and the remote VPN peer then drops or blocks the large or fragmented ESP packets, which prevents VPN traffic from flowing properly. The small UPDATE carrying the single default route fits in one packet and gets through, so the session stays Established while the spoke's routing table remains incomplete. This is why the symptom is "some routes missing" rather than a tunnel or BGP session that is down.

 

Solution 1

In this case, forcing NAT-T on the IPsec tunnel can fix the issue. With NAT-T the ESP packets are encapsulated in UDP (port 4500) instead of being sent as raw IP protocol 50, and firewalls or NAT devices in the path that mishandle raw ESP or its fragments will usually pass UDP. Make sure UDP port 4500 is permitted end to end, and after the tunnel has been renegotiated confirm with diagnose vpn tunnel list that the natt: line shows remote_port=4500.

# config vpn ipsec phase1-interface
    edit "s2s-ipsec"
        set interface "wan1"
        set peertype any
        set nattraversal forced                                                                     <----- Add this command.
        set proposal aes128-sha256 aes256-sha256 3des-sha256
        set npu-offload disable
        set remote-gw x.x.x.x
        set psksecret ENC
    next
end

Solution 2

If NAT-T does not help, lower the MTU on the IPsec interface so that the encrypted packets stay below the path MTU and leave the WAN interface unfragmented. This is typically needed where GRE over IPsec is used, because the GRE header and its delivery IP header add to the overhead of the ESP encapsulation. The usable path MTU can be checked from the FortiGate with a DF-flagged ping of a chosen size to the remote gateway (execute ping-options df-flag yes, then execute ping-options data-size 1300, then execute ping x.x.x.x); the largest size that is still answered is the one to stay under.

# config system interface
    edit "s2s-ipsec"
        set mtu-override enable
        set mtu 1300
    next
end
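To see why a 1300-byte tunnel MTU avoids fragmentation on a 1500-byte path, and why GRE over IPsec needs more headroom than plain ESP, here is an added Python example that computes ESP tunnel-mode overhead. It is not part of the original article and is not FortiOS code. It assumes IPv4 throughout, AES-CBC (16-byte IV and block), an HMAC-SHA-256-128 ICV (16 bytes), a minimal 4-byte GRE header, and no IP options; all of those constants are assumptions of the example, not values taken from the page.

```python
"""
Estimate the on-the-wire size of ESP tunnel-mode IPsec packets and find the
largest tunnel-interface MTU that fits a given path MTU without fragmentation.

Assumed (not from the article): IPv4 everywhere, AES-CBC with a 16-byte IV and
16-byte block, HMAC-SHA-256-128 ICV (16 bytes), minimal GRE header, no options.
"""

IPV4_HDR = 20       # outer IPv4 header (also the GRE delivery header), no options
UDP_HDR = 8         # NAT-T encapsulation header (UDP/4500)
GRE_HDR = 4         # minimal GRE header: no checksum, key or sequence number
ESP_SPI_SEQ = 8     # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted part
ESP_IV = 16         # AES-CBC initialisation vector
ESP_BLOCK = 16      # AES block size; (payload + trailer) is padded up to a multiple
ESP_ICV = 16        # HMAC-SHA-256-128 integrity check value


def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation of an
    inner_len-byte IP packet, optionally with NAT-T UDP encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK  # ceil to block
    esp_len = ESP_SPI_SEQ + ESP_IV + padded + ESP_ICV
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp_len


def gre_size(inner_len: int) -> int:
    """Length of a GRE packet (delivery IPv4 header + GRE header) carrying inner_len bytes."""
    return IPV4_HDR + GRE_HDR + inner_len


def outer_size(inner_len: int, nat_t: bool = False, gre: bool = False) -> int:
    """Wire size of a packet sent on the IPsec (or GRE-over-IPsec) interface."""
    payload = gre_size(inner_len) if gre else inner_len
    return esp_tunnel_size(payload, nat_t=nat_t)


def fits(inner_len: int, path_mtu: int, nat_t: bool = False, gre: bool = False) -> bool:
    """True if the packet leaves the WAN interface without IP fragmentation."""
    return outer_size(inner_len, nat_t=nat_t, gre=gre) <= path_mtu


def max_inner_mtu(path_mtu: int, nat_t: bool = False, gre: bool = False) -> int:
    """Largest tunnel-interface MTU whose packets still fit path_mtu unfragmented.
    Walks upward because block padding makes the size a staircase, not a line."""
    best = 0
    for inner in range(path_mtu + 1):
        if fits(inner, path_mtu, nat_t=nat_t, gre=gre):
            best = inner
        else:
            break
    return best


if __name__ == "__main__":
    path_mtu = 1500  # constructed: a plain Ethernet path between the two WAN interfaces
    print(f"Largest unfragmented tunnel MTU for a {path_mtu}-byte path:")
    for nat_t in (False, True):
        for gre in (False, True):
            label = ("NAT-T" if nat_t else "raw ESP") + (" + GRE" if gre else "")
            print(f"  {label:14s} {max_inner_mtu(path_mtu, nat_t=nat_t, gre=gre)} bytes")
    print("Wire size of a 1300-byte packet (the article's MTU):")
    for nat_t in (False, True):
        for gre in (False, True):
            label = ("NAT-T" if nat_t else "raw ESP") + (" + GRE" if gre else "")
            size = outer_size(1300, nat_t=nat_t, gre=gre)
            print(f"  {label:14s} {size} bytes, fits={fits(1300, path_mtu, nat_t, gre)}")
```

With these assumptions a 1500-byte path leaves room for a 1438-byte inner packet over raw ESP, 1422 bytes once the NAT-T UDP header is added, and only 1398 bytes for GRE over NAT-T IPsec; a 1300-byte tunnel MTU therefore leaves margin in every combination, which is the reason a lower value is chosen rather than one just under the calculated limit. A full-size BGP UPDATE fills TCP segments up to the MSS derived from the tunnel MTU, so it is exactly these largest packets that fail when the path is tighter than assumed, while the small default-route UPDATE gets through.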

 

Related Articles

Technical Note: Troubleshooting issue with traffic not flowing through previously working IPsec VPN ...

 
