Sowie
New Contributor III

Redistribute OSPF over BGP Between two FortiGates (wrong next hop IP)

Hi,

I'm trying to redistribute OSPF over BGP. The neighbors are getting the routes, but the routes are using the wrong recursive next-hop IP on one of the sides.

[Attached diagram: 2023-06-18 13_51_33-Visio Professional.png]

When you look at the routing table on the right side, it is using the WAN IP instead of the tunnel IP:

DEFLE-FW01 $ get router info routing-table bgp
Routing table for VRF=0
B 10.1.2.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.3.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.4.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.5.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.6.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.90.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.91.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.91.100/32 [200/0] via 172.30.0.254 (recursive via ADVPN tunnel "WAN IP"), 02:32:12
B 10.1.100.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 172.21.1.0/30 [200/0] via 172.30.0.1 (recursive via ADVPN tunnel "WAN IP"), 02:32:12
B 172.21.1.4/30 [200/0] via 172.30.0.1 (recursive via ADVPN tunnel "WAN IP"), 02:32:12
B 192.168.4.0/24 [200/0] via 172.30.0.1 (recursive via ADVPN tunnel "WAN IP"), 02:27:33

But when you look at the left side, everything seems fine:

DKAAR-FW01 $ get router info routing-table bgp
Routing table for VRF=0
B 10.2.2.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.3.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.4.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.5.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.6.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.90.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.91.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.91.100/32 [200/0] via 172.30.0.1 (recursive is directly connected, ADVPN), 03:21:57
B 10.2.100.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.254), 01:48:55
B 172.21.2.0/30 [200/0] via 172.30.0.1 (recursive is directly connected, ADVPN), 03:21:57

If you have an idea of how to fix this, please let me know.

Both FortiGates are running version 7.0.11.

(っ˘ ‸˘ς)
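The two routing tables above differ only in what the recursive lookup resolves to: an overlay address on the left, the tunnel's WAN endpoint on the right. The following script is an added example, not code from the thread or from Fortinet: it parses `get router info routing-table bgp` lines in the format shown above and flags BGP routes whose recursive resolution does not name an address inside the expected overlay subnet (172.30.0.0/24 in this thread) on the expected tunnel interface. The sample lines are constructed from the listings in the post; `###WANIP###` mimics the redaction, and 203.0.113.10 is a constructed documentation address standing in for an unredacted WAN IP. A hit is a prompt to look at the tunnel and BGP neighbor configuration, not proof of misresolution on its own.

```python
import ipaddress
import re

# Constructed sample output modelled on the "get router info routing-table bgp" listings in
# the thread. "###WANIP###" mimics the redacted public address in the original post, and
# 203.0.113.10 is a constructed (RFC 5737 documentation) address standing in for an
# unredacted WAN IP; neither comes from a real device.
FAULTY_RT = """\
Routing table for VRF=0
B 10.1.2.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.91.100/32 [200/0] via 172.30.0.254 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:49:59
B 192.168.4.0/24 [200/0] via 172.30.0.254 (recursive via ADVPN-SPOKE tunnel 203.0.113.10), 02:27:33
"""

HEALTHY_RT = """\
Routing table for VRF=0
B 10.2.2.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.91.100/32 [200/0] via 172.30.0.1 (recursive is directly connected, ADVPN), 03:21:57
"""

# One BGP route line: code, prefix, [AD/metric], next hop, then the recursive resolution in parentheses.
ROUTE_RE = re.compile(
    r"^B\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\S+)\s+"
    r"\((?P<recursive>[^)]*)\)"
)
TUNNEL_RE = re.compile(r"^recursive via (?P<iface>\S+) tunnel (?P<peer>\S+)$")
DIRECT_RE = re.compile(r"^recursive is directly connected, (?P<iface>\S+)$")


def parse_bgp_routes(text):
    """Parse BGP routes into dicts; non-matching lines (headers, other protocols) are skipped."""
    routes = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        entry = {
            "prefix": m.group("prefix"),
            "ad": int(m.group("ad")),
            "metric": int(m.group("metric")),
            "nexthop": m.group("nexthop"),
            "iface": None,      # interface the recursive lookup resolved to
            "peer": None,       # tunnel endpoint named in the recursive lookup, if any
            "direct": False,    # True when the next hop is directly connected on the tunnel
        }
        rec = m.group("recursive")
        t = TUNNEL_RE.match(rec)
        d = DIRECT_RE.match(rec)
        if t:
            entry["iface"] = t.group("iface")
            entry["peer"] = t.group("peer")
        elif d:
            entry["iface"] = d.group("iface")
            entry["direct"] = True
        routes.append(entry)
    return routes


def check_overlay_nexthops(routes, overlay, tunnel_iface):
    """Flag BGP routes whose recursive resolution does not stay inside the expected overlay.

    Returns a list of (prefix, kind, detail) tuples with kind one of:
      unexpected-interface   recursion resolved via an interface other than tunnel_iface
      non-ip-peer            the tunnel endpoint field is not an IP address (e.g. redacted)
      peer-outside-overlay   the tunnel endpoint is an IP outside the overlay subnet
    """
    net = ipaddress.ip_network(overlay)
    findings = []
    for r in routes:
        if r["iface"] != tunnel_iface:
            findings.append((r["prefix"], "unexpected-interface", str(r["iface"])))
            continue
        if r["direct"]:
            continue  # directly connected on the right tunnel: nothing further to resolve
        try:
            peer_ip = ipaddress.ip_address(r["peer"])
        except ValueError:
            findings.append((r["prefix"], "non-ip-peer", r["peer"]))
            continue
        if peer_ip not in net:
            findings.append((r["prefix"], "peer-outside-overlay", str(peer_ip)))
    return findings


if __name__ == "__main__":
    for label, text, iface in (("DEFLE-FW01", FAULTY_RT, "ADVPN-SPOKE"),
                               ("DKAAR-FW01", HEALTHY_RT, "ADVPN")):
        findings = check_overlay_nexthops(parse_bgp_routes(text), "172.30.0.0/24", iface)
        print(f"{label}: {len(findings)} suspicious route(s)")
        for prefix, kind, detail in findings:
            print(f"  {prefix}: {kind} ({detail})")
```

Paste a real table in place of the constructed samples and pass the overlay subnet and tunnel interface name of your own deployment; the `unexpected-interface` branch also catches the case where the healthy side's routes are checked against the wrong interface name.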
1 Solution
Sowie
New Contributor III

Hi all,

I would like to express my gratitude for your assistance in resolving my issue. Your time and support have been greatly appreciated.

Upon reflection, I realized that I neglected to perform a simple ping test between the sites after resetting both FortiGates. Consequently, I am uncertain about the exact cause of the problem. However, I attempted to rectify the situation by implementing static routes instead of relying on OSPF. Surprisingly, everything appears to be functioning correctly, albeit with an incorrect tunnel IP on the recursive route. To my surprise, I successfully executed a ping test. Subsequently, I decided to remove the static routes, and to my amazement, the connection still remains functional. This turn of events has left me perplexed as to why the ADVPN tunnel now exhibits the WAN IP of the HUB instead of the tunnel IP and why it is working. Perhaps it is related to setting the remote gateway to that address...

Thank you once again for your assistance and understanding.

(っ˘ ‸˘ς)

RaniGome
New Contributor II

Hi,

I think you can use "set next-hop-self-rr enable" inside config neighbor to redistribute the routes from BGP neighbors and make them the gateway for these routes. As the routers of the BGP peers are directly connected, there is no need for static routes for the overlays.


Here is some information from Fortinet:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-modify-BGP-next-hop-for-route-refle...

Sowie
New Contributor III

Hi,

Thanks for the quick reply. Sorry, I missed this command in the picture. I've already configured this.

DKAAR-FW01

config neighbor
 edit "172.30.0.2"
  set next-hop-self-rr enable
  set remote-as 65400
  set update-source "ADVPN"
  set password XXX
  set route-reflector-client enable
 next
end

DEFLE-FW02

config neighbor
 edit "172.30.0.1"
  set next-hop-self-rr enable
  set remote-as 65400
  set update-source "ADVPN"
  set password XXX
  set route-reflector-client enable
 next
end

(っ˘ ‸˘ς)
Demir21
Staff

On the faulty site, can you please check if the next hop is in the routing table and, if yes, whether it is pointing to the VPN?

Sowie
New Contributor III

Hi Demir

Here is the routing table on the faulty site. Marked in red is the IP I assume should be the next hop.

S* 0.0.0.0/0 [5/0] via 10.192.22.1, wan1, [1/0]
B 10.1.2.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.3.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.4.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.5.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.6.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.90.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.91.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.91.100/32 [200/0] via 172.30.0.254 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:49:59
B 10.1.92.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.100.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
O E2 10.2.2.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.3.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.4.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.5.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.6.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.90.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.91.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
C 10.2.91.100/32 is directly connected, NETMGMT
O E2 10.2.100.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
C 10.192.22.0/24 is directly connected, wan1
B 172.21.1.0/30 [200/0] via 172.30.0.254 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:49:59
B 172.21.1.4/30 [200/0] via 172.30.0.254 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:49:59
C 172.21.2.0/30 is directly connected, LACP DEFLE-CSW1
S 172.30.0.0/24 [5/0] via ADVPN-SPOKE tunnel ###WANIP###, [1/0]
C 172.30.0.1/32 is directly connected, ADVPN-SPOKE
S 172.30.0.254/32 [15/0] via ADVPN-SPOKE tunnel ###WANIP###, [1/0]
O E2 192.168.0.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
C 192.168.1.0/24 is directly connected, lan

(っ˘ ‸˘ς)
Demir21

Hi,

Thank you. Please also include the configuration of the tunnel interface ADVPN-SPOKE.

Command as follows: show system interface ADVPN-SPOKE

Sowie
New Contributor III

Hi Demir,

Here is the output from the command:

DEFLE-FW01 $ show system interface ADVPN-SPOKE
config system interface
edit "ADVPN-SPOKE"
set vdom "root"
set ip 172.30.0.1 255.255.255.255
set allowaccess ping ssh
set type tunnel
set remote-ip 172.30.0.254 255.255.255.0
set snmp-index 25
set interface "wan1"
next
end

(っ˘ ‸˘ς)
Demir21

Hi, 

What I see so far is that on the tunnel interface on the Spoke you specify remote-ip 172.30.0.254 255.255.255.0, but this should be the Hub tunnel IP 172.30.0.1/24.

Furthermore, I did a quick check on a FortiGate, and this will automatically add only 2 routes to the routing table:

S 172.30.0.0/24 [5/0] via advpn tunnel 172.30.0.1, [1/0]
C 172.30.0.2/32 is directly connected, advpn

I am not sure about this route in your routing table, or whether you have manually added/changed it:

S 172.30.0.254/32 [15/0] via ADVPN-SPOKE tunnel ###WANIP###, [1/0]

My suggestion would be to change the remote-ip accordingly, disable this route and check the behavior.

Sowie
New Contributor III

Sorry for the confusion with the remote IP. When I had to create the VPN again, I thought it would be better to have the HUB use the .254 IP instead of .1. The route you marked in bold should be the right route.

.1 is now SPOKE

.2 is not used
.254 is now HUB

(っ˘ ‸˘ς)
akristof
Staff

Hello,

I am not sure if, on the right firewall, the "WAN IP" means that the gateway is resolved incorrectly. I would need to see the whole routing table, including the output from #diag vpn ike gateway list and from #diag vpn tunnel list, ideally unredacted. I am not sure if this BGP is between spoke and spoke or between spoke and HUB.

Adrian