FortiGate
sagha
Staff
Article Id 197139
Description
This article explains that when BGP is configured over a VPN tunnel and a loopback interface is used as the update source in the BGP configuration, the routes received from the BGP peer are not installed into the routing table, and the debugs report the error 'denied due to non-connected next-hop'.

Solution
Explanation.

BGP is configured as follows, using the loopback interface as the update source.
# config router bgp
    set as 65101
    set router-id 1.1.1.1
    # config neighbor
        edit "10.20.16.1"
            set soft-reconfiguration enable
            set remote-as 65102
            set update-source "Loopback_bgp"
        next
    end
    # config network
        edit 1
            set prefix 172.17.8.0 255.255.255.0
        next
    end
end
Loopback Interface configuration.
# config system interface
    edit "Loopback_bgp"
        set vdom "root"
        set ip 10.20.16.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 15
    next
end
Tunnel Interface configuration.
# config system interface
    edit "VPN-BGP"
        set vdom "root"
        set ip 10.20.16.4 255.255.255.255
        set allowaccess ping https http
        set type tunnel
        set remote-ip 10.20.16.1 255.255.255.255
        set role lan
        set snmp-index 4
        set interface "wan1"
    next
end
Run the following debugs.
FGT # diagnose ip router bgp level info
FGT # diagnose ip router bgp all enable
FGT # diagnose debug enable
The debugs show that the route is denied and therefore is not installed in the routing table.
BGP: 10.20.16.1-Outgoing [RIB] Update: Prefix 172.17.8.0/24 path_id 0 denied due to non-connected next-hop
Solution.

To fix this issue, add the following to the BGP configuration.
# config router bgp
    # config neighbor
        edit "10.20.16.1"
            set soft-reconfiguration enable
            set remote-as 65102
            set update-source "Loopback_bgp"
            set ebgp-enforce-multihop enable
        next
    end
end
Since the update source is the loopback interface, FortiGate does not consider the peer to be directly connected, so the command 'set ebgp-enforce-multihop enable' is required for the received routes to be accepted.
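As an added example (not part of this article or of FortiOS), the following Python check parses FortiOS CLI configuration text of the form shown above and flags eBGP neighbors whose update-source is a loopback interface but which lack 'set ebgp-enforce-multihop enable', so the misconfiguration can be caught in a config review before the routes are denied. The sample configuration is constructed from the article's interface names and AS numbers; the parser handles only the config/edit/set/next/end syntax used on this page.

```python
import shlex
# Constructed sample, condensed from the article's config (same names and ASNs).
SAMPLE_CONFIG = """
config system interface
    edit "Loopback_bgp"
        set type loopback
    next
end
config router bgp
    set as 65101
    config neighbor
        edit "10.20.16.1"
            set remote-as 65102
            set update-source "Loopback_bgp"
        next
    end
end
"""

def parse_fortios(text):
    """Map each config/edit path, e.g. ('router bgp', 'neighbor', '10.20.16.1'), to its 'set' key/values."""
    tree, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw)          # strips the quotes around names and keys
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "edit":
            stack.append(words[1])
        elif words[0] == "set":
            tree.setdefault(tuple(stack), {})[words[1]] = " ".join(words[2:])
        elif words[0] in ("next", "end"):
            stack.pop()
    return tree

def neighbors_missing_multihop(text):
    """eBGP peers sourced from a loopback but lacking 'set ebgp-enforce-multihop enable'."""
    tree = parse_fortios(text)
    loopbacks = {p[1] for p, s in tree.items()
                 if len(p) == 2 and p[0] == "system interface"
                 and s.get("type") == "loopback"}
    local_as = tree.get(("router bgp",), {}).get("as")
    return sorted(
        p[2] for p, s in tree.items()
        if len(p) == 3 and p[:2] == ("router bgp", "neighbor")
        and s.get("remote-as") != local_as        # eBGP peer (iBGP needs no multihop)
        and s.get("update-source") in loopbacks    # sourced from a loopback
        and s.get("ebgp-enforce-multihop") != "enable")
```

Running neighbors_missing_multihop on the sample returns ['10.20.16.1']; once the neighbor entry gains 'set ebgp-enforce-multihop enable' the list is empty.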
