FortiGate
ckumar_FTNT
Staff
Article Id 193184
Description
This article describes BGP capability code 71, Long-Lived Graceful Restart (LLGR), and capability code 70, Enhanced Route Refresh, and explains how a FortiGate handles them when a BGP peer advertises them.

Solution
Consider a scenario where the FortiGate has a BGP peering with an ISP router (for example, a Cisco router).

With BGP debugging enabled, messages like the following are sometimes seen while the FortiGate decodes the OPEN message received from the remote peer:

msg="BGP: 173.243.128.1-Outgoing [DECODE] Open Cap: unrecognized capability code 71 len 0"
msg="BGP: %BGP-3-NOTIFICATION: received from 173.243.128.1 6/5 (Cease/Connection Rejected.) 0 data-bytes []"
msg="BGP: 10.177.250.1-Outgoing [DECODE] Open Cap: unrecognized capability code 70 len 0"

RFC 4486 describes the 'Cease/Connection Rejected' notification received from BGP neighbor 173.243.128.1 as follows:

*** If a BGP speaker decides to disallow a BGP connection (e.g., the peer is not configured locally) after the speaker accepts a transport protocol connection, then the BGP speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode "Connection Rejected". ***

Code 71 stands for Long-Lived Graceful Restart (LLGR) Capability.

Code 70 stands for Enhanced Route Refresh Capability.

Note:
These log messages appear because the corresponding capability has been enabled on the remote BGP peer, which advertises it in its OPEN message.


FortiGate does not support the LLGR (code 71) or Enhanced Route Refresh (code 70) capabilities in BGP.

The BGP session does not get disconnected because of the missing capabilities: a BGP speaker that receives an OPEN message carrying a capability it does not recognize simply ignores that capability and continues with session establishment (RFC 5492). However, if the peer stops responding, it may be necessary to disable these capabilities on the peer side.
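The following Python script is an added example and is not part of this article, of FortiOS or of any vendor's code. It decodes the Capabilities Optional Parameters of a BGP OPEN message the way an RFC 5492 receiver must: it names the capability codes it knows (including 64, 70 and 71), decodes the structured bodies of Graceful Restart (RFC 4724) and LLGR (draft-uttaro-idr-bgp-persistence), and lists the codes a FortiGate would log as "unrecognized" and ignore without tearing down the session. The sample OPEN message, the peer AS number, the hold time and the set of capabilities advertised are constructed for this example; the FORTIGATE_UNSUPPORTED set reflects only what this article states, and treating every other named code as supported is an assumption of the example.

```python
import struct

# Capability codes this example can name (IANA "Capability Codes" registry).
# A receiver logs anything else the way the FortiGate does:
# "unrecognized capability code N len L".
CAPABILITY_NAMES = {
    1: "Multiprotocol Extensions",
    2: "Route Refresh",
    64: "Graceful Restart (RFC 4724)",
    65: "4-octet AS number",
    70: "Enhanced Route Refresh",
    71: "Long-Lived Graceful Restart (LLGR)",
}
# Codes the article says a FortiGate does not negotiate. Assumption for this
# example: every other code in CAPABILITY_NAMES counts as supported.
FORTIGATE_UNSUPPORTED = frozenset({70, 71})
FORTIGATE_SUPPORTED = frozenset(CAPABILITY_NAMES) - FORTIGATE_UNSUPPORTED


def build_open(my_as, hold_time, bgp_id, capabilities):
    """Build a BGP OPEN body (19-byte BGP header omitted) carrying each
    (code, value) capability in its own Capabilities Optional Parameter
    (parameter type 2), the most common encoding on the wire."""
    params = b"".join(bytes([2, len(v) + 2, code, len(v)]) + v
                      for code, v in capabilities)
    return struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, len(params)) + params


def parse_open_capabilities(open_body):
    """Return the (code, value) capability TLVs of an OPEN body in wire order,
    raising ValueError on any length field that overruns the data."""
    if len(open_body) < 10:
        raise ValueError("OPEN body too short")
    version, _as, _hold, _bgp_id, opt_len = struct.unpack("!BHHIB", open_body[:10])
    if version != 4:
        raise ValueError("unexpected BGP version %d" % version)
    params = open_body[10:10 + opt_len]
    if len(params) != opt_len:
        raise ValueError("Optional Parameters Length overruns the message")
    caps, i = [], 0
    while i < len(params):
        if i + 2 > len(params):
            raise ValueError("truncated optional parameter header")
        ptype, plen = params[i], params[i + 1]
        pval = params[i + 2:i + 2 + plen]
        if len(pval) != plen:
            raise ValueError("truncated optional parameter")
        i += 2 + plen
        if ptype != 2:          # only type 2 carries capability TLVs (RFC 5492)
            continue
        j = 0
        while j < len(pval):
            if j + 2 > len(pval):
                raise ValueError("truncated capability header")
            code, clen = pval[j], pval[j + 1]
            cval = pval[j + 2:j + 2 + clen]
            if len(cval) != clen:
                raise ValueError("truncated capability value")
            caps.append((code, cval))
            j += 2 + clen
    return caps


def decode_graceful_restart(value):
    """RFC 4724: 4-bit Restart Flags, 12-bit Restart Time (seconds), then zero
    or more <AFI(2), SAFI(1), Flags(1)> tuples; Flags bit 0x80 means the
    forwarding state for that AFI/SAFI was preserved across the restart."""
    if len(value) < 2 or (len(value) - 2) % 4:
        raise ValueError("malformed Graceful Restart capability")
    head = struct.unpack("!H", value[:2])[0]
    afs = [{"afi": afi, "safi": safi, "forwarding_preserved": bool(flags & 0x80)}
           for afi, safi, flags in struct.iter_unpack("!HBB", value[2:])]
    return {"restart_state": bool(head & 0x8000), "restart_time": head & 0x0FFF,
            "address_families": afs}


def decode_llgr(value):
    """draft-uttaro-idr-bgp-persistence: zero or more
    <AFI(2), SAFI(1), Flags(1), Long-lived Stale Time(3)> tuples."""
    if len(value) % 7:
        raise ValueError("malformed LLGR capability")
    return {"address_families": [
        {"afi": afi, "safi": safi, "forwarding_preserved": bool(flags & 0x80),
         "stale_time": int.from_bytes(rest, "big")}
        for afi, safi, flags, rest in struct.iter_unpack("!HBB3s", value)]}


def summarize(open_body, supported=FORTIGATE_SUPPORTED):
    """Report a received OPEN the way an RFC 5492 receiver treats it: known
    capabilities are decoded, unknown ones are listed and ignored, and the
    session is not torn down because of them."""
    report = {"recognized": [], "ignored": []}
    for code, value in parse_open_capabilities(open_body):
        entry = {"code": code, "len": len(value),
                 "name": CAPABILITY_NAMES.get(code, "unknown")}
        if code == 64:
            entry["detail"] = decode_graceful_restart(value)
        elif code == 71 and value:      # the peer in the article sent len 0
            entry["detail"] = decode_llgr(value)
        report["recognized" if code in supported else "ignored"].append(entry)
    return report


# Constructed sample (not a capture): a peer advertising IPv4 unicast, Route
# Refresh, Graceful Restart (120 s, state preserved for IPv4 unicast),
# Enhanced Route Refresh and a zero-length LLGR, as in the article's log.
SAMPLE_PEER_OPEN = build_open(
    my_as=64512, hold_time=90,
    bgp_id=int.from_bytes(bytes([173, 243, 128, 1]), "big"),
    capabilities=[
        (1, b"\x00\x01\x00\x01"),                      # MP-BGP: AFI 1, SAFI 1
        (2, b""),                                      # Route Refresh
        (64, struct.pack("!HHBB", 120, 1, 1, 0x80)),   # GR: time 120, IPv4 unicast
        (70, b""),                                     # Enhanced Route Refresh
        (71, b""),                                     # LLGR, zero-length body
    ])

if __name__ == "__main__":
    for kind, entries in summarize(SAMPLE_PEER_OPEN).items():
        for e in entries:
            print("%-10s code %-3d len %-2d %s" % (kind, e["code"], e["len"], e["name"]))
```

Run stand-alone, the script prints codes 1, 2 and 64 as recognized (with the Graceful Restart body decoded) and codes 70 and 71 as ignored, which is exactly the situation the debug lines above record. The explicit length checks matter: a receiver that trusts the per-TLV length fields without bounding them against the enclosing parameter is the classic source of out-of-bounds reads in BGP OPEN parsers.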

For example, the following command disables Enhanced Route Refresh negotiation towards the FortiGate on a Cisco router:

Cisco(config-router-neighbor)#
neighbor x.x.x.x dont-capability-negotiate enhanced-refresh

For LLGR, do not configure bgp long-lived-graceful-restart on the Cisco router.

To check which BGP capabilities can be configured per neighbor on the FortiGate, run the following commands:
boson-kvm13 # config router bgp
boson-kvm13 (bgp) # config neighbor
boson-kvm13 (neighbor) # edit 1.1.1.1
boson-kvm13 (1.1.1.1) # show full-configuration | grep "set capability"

        set capability-dynamic enable
        set capability-orf none
        set capability-orf6 none
        set capability-graceful-restart disable
        set capability-graceful-restart6 disable
        set capability-route-refresh enable
        set capability-default-originate disable
        set capability-default-originate6 disable

According to RFC 4724, the Graceful Restart Capability (code 64) is used by a BGP peer to indicate its ability to preserve its forwarding state during a BGP restart. As the output above shows, this is the capability the FortiGate does support (capability-graceful-restart).

Hence, the relevant timers can be controlled through the standard Graceful Restart feature, which is described in the documents below.

Related links:

https://www.ietf.org/archive/id/draft-uttaro-idr-bgp-persistence-05.txt
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-high-availability/HA_failoverGracefu...
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/116189-problemsolution-tec...

All BGP capability codes:
https://www.iana.org/assignments/capability-codes/capability-codes.xhtml

Related Articles

Technical Note : Configuring FortiGate HA and BGP graceful-restart to avoid traffic interruption dur...
