FortiSASE-Man asked

Why is BGP not coming up in SPA (Secure Private Access)?! Health check and VPN tunnel are up, but no BGP.

FortiSASE-Man answered

This is typically caused by a misconfiguration on the hub or mismatched information between the FortiSASE portal and what is configured on the hub. My example working configuration can be found below. The intent of this article is to make the SPA setup easy, quick and successful.


The first stop should be to read the official documentation. You can find links to the most important sections below.


SPA with a FortiGate (FGT) SD-WAN deployment guide:


https://docs.fortinet.com/document/fortisase/22.4.12/spa-with-a-fortigate-sd-wan-deployment-guide/443423/configuring-spa-to-the-fortigate-sd-wan-hub-in-fortisase-private-access


BGP Configuration:


https://docs.fortinet.com/document/fortisase/22.4.5/spa-with-a-fortigate-sd-wan-deployment-guide/568255/bgp-configuration


IPsec VPN Configuration:


https://docs.fortinet.com/document/fortisase/22.4.5/spa-with-a-fortigate-sd-wan-deployment-guide/656405/ipsec-vpn-configuration


Notes and example for initial SPA set-up.


I found that mapping it out in a table was helpful for me to understand what needs to be configured on the FGT hub to match the SASE UI config. That, and having example output for ‘config router bgp’ and ‘config vpn ipsec phase1-interface’. Both sides, the SASE side and the FGT hub, need matching configuration for a successful turn-up. Note that the router-ID network is only ‘logical’, as it is required for the SD-WAN overlay network.



Example table for SASE UI and corresponding FGT hub configuration:

Setting                              | FortiSASE UI         | FGT hub
-------------------------------------+----------------------+---------------------------------------
Remote Gateway                       | FGT Hub Public IP    | n/a (dynamic tunnel)
BGP Router ID Subnet                 | 192.168.254.0/24     | -
BGP Peer IP                          | 10.125.0.253         | -
Network Overlay ID                   | 0                    | 0
ASN                                  | 65000                | 65000
Health Check IP                      | 172.20.100.1         | -
Router ID                            | -                    | 10.125.0.253
Local AS                             | -                    | 65000
Neighbor Group                       | -                    | SASE-SPA
Neighbor Ranges                      | -                    | 10.125.0.0/24
Advertised BGP Network               | -                    | 172.20.100.0 255.255.255.0
Logical Tunnel Interface Local IP    | -                    | 10.125.0.253
Logical Tunnel Interface Remote IP   | -                    | 10.125.0.254 255.255.255.0
IPsec phase1-interface DHCP Range    | -                    | 10.125.0.1-10.125.0.252 255.255.255.0



Example of a working config below:


SPA config example in SASE UI:


[attachment: 1671656780192.png]



FGT hub config in UI and CLI. Please make sure to include BGP and IPsec tunnel configs via CLI:


  1. BGP
  2. IPsec tunnel
  3. Hub tunnel interface



  1. BGP config example FGT hub UI and CLI


[attachment: 1671656780218.png]



config router bgp
    set as 65000
    set router-id 10.125.0.253
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    set additional-path-select 4
    config neighbor-group
        edit "SASE-SPA"
            set capability-graceful-restart enable
            set link-down-failover enable
            set next-hop-self enable
            set remote-as 65000
            set additional-path send
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.125.0.0 255.255.255.0
            set neighbor-group "SASE-SPA"
        next
    end
    config network
        edit 2
            set prefix 172.20.100.0 255.255.255.0
        next
    end
end


  2. IPsec config example FGT hub UI and CLI


[attachment: 1671656780238.png]



config vpn ipsec phase1-interface
    edit "SASE-HUB"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes128-sha256 aes256-sha256 aes256-sha1 aes128-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 0
        set ipv4-start-ip 10.125.0.1
        set ipv4-end-ip 10.125.0.252
        set ipv4-netmask 255.255.255.0
    next
end


  3. FGT hub logical tunnel interface UI


[attachment: 1671656780259.png]



Lastly, don’t forget to permit traffic for health check in the firewall policy!


Useful troubleshooting commands:


get router info routing-table bgp
get router info bgp summary
get router info bgp network
exec ping <SASE remote logical tunnel IP (10.125.0.1-10.125.0.4 in the above example)>



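As an added example (not part of the original post, and not a Fortinet tool), the script below turns the "match both sides" advice into a check that can be run before opening a ticket. It parses FortiOS `config router bgp` and `config vpn ipsec phase1-interface` text with a small `config/edit/set/next/end` parser and compares it with the values entered in the SASE UI: peer IP equals the hub router-ID, one ASN in `set as` and in the neighbor-group `remote-as`, overlay ID equals `network-id`, the mode-cfg pool lies inside a neighbor-range but does not contain the hub's own peer IP, and the health-check IP sits in an advertised network. The sample config and UI values are constructed from the answer's table; the list of checks is my reading of that table, not a Fortinet validation rule set.

```python
# Added example (not from the original post, not a Fortinet tool): parse the hub's
# FortiOS CLI text and cross-check it against the values typed into the SASE UI.
import ipaddress

# Constructed sample: the values entered in the FortiSASE SPA UI.
SASE_UI = {"bgp_peer_ip": "10.125.0.253", "asn": 65000,
           "network_overlay_id": 0, "health_check_ip": "172.20.100.1"}

# Constructed sample hub config, trimmed to the settings the check needs.
FGT_CONFIG = """\
config router bgp
    set as 65000
    set router-id 10.125.0.253
    config neighbor-group
        edit "SASE-SPA"
            set remote-as 65000
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.125.0.0 255.255.255.0
            set neighbor-group "SASE-SPA"
        next
    end
    config network
        edit 2
            set prefix 172.20.100.0 255.255.255.0
        next
    end
end
config vpn ipsec phase1-interface
    edit "SASE-HUB"
        set type dynamic
        set network-id 0
        set ipv4-start-ip 10.125.0.1
        set ipv4-end-ip 10.125.0.252
    next
end
"""

def parse_fortios(text):
    """Turn FortiOS config/edit/set/next/end text into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            name = line.split(" ", 1)[1].strip().strip('"')
            stack.append(stack[-1].setdefault(name, {}))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = value.strip().strip('"')
    return stack[0]

def net(prefix):
    """FortiOS writes prefixes as 'address mask'; convert to an ip_network."""
    addr, mask = prefix.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_spa(ui, config_text):
    """Return mismatch descriptions; an empty list means both sides agree."""
    cfg = parse_fortios(config_text)
    bgp = cfg["router bgp"]
    peer = ipaddress.ip_address(ui["bgp_peer_ip"])
    findings = []
    # The SASE 'BGP Peer IP' is the hub router-id / logical tunnel local IP.
    if bgp.get("router-id") != ui["bgp_peer_ip"]:
        findings.append(f"peer IP {peer} != hub router-id {bgp.get('router-id')}")
    # iBGP: one ASN on both sides, in 'set as' and in the group's remote-as.
    if int(bgp.get("as", -1)) != ui["asn"]:
        findings.append(f"ASN {ui['asn']} != hub local AS {bgp.get('as')}")
    ranges = list(bgp.get("neighbor-range", {}).values())
    for rng in ranges:
        group = bgp.get("neighbor-group", {}).get(rng.get("neighbor-group"), {})
        if int(group.get("remote-as", -1)) != ui["asn"]:
            findings.append(f"ASN {ui['asn']} != neighbor-group remote-as {group.get('remote-as')}")
    # Dynamic phase1: overlay id must match, and the mode-cfg pool must sit
    # inside a neighbor-range without containing the hub's own peer IP.
    dyn = [p for p in cfg.get("vpn ipsec phase1-interface", {}).values()
           if p.get("type") == "dynamic"]
    for p1 in dyn:
        if int(p1.get("network-id", -1)) != ui["network_overlay_id"]:
            findings.append(f"overlay id {ui['network_overlay_id']} != network-id {p1.get('network-id')}")
        start = ipaddress.ip_address(p1["ipv4-start-ip"])
        end = ipaddress.ip_address(p1["ipv4-end-ip"])
        if start <= peer <= end:
            findings.append(f"peer IP {peer} lies inside the mode-cfg pool {start}-{end}")
        if not any(start in net(r["prefix"]) and end in net(r["prefix"]) for r in ranges):
            findings.append(f"mode-cfg pool {start}-{end} is not covered by a neighbor-range")
    # The health-check target has to sit in a network the hub advertises.
    hc = ipaddress.ip_address(ui["health_check_ip"])
    if not any(hc in net(n["prefix"]) for n in bgp.get("network", {}).values()):
        findings.append(f"health check IP {hc} is in no advertised BGP network")
    return findings

if __name__ == "__main__":
    print("\n".join(check_spa(SASE_UI, FGT_CONFIG)) or "SPA parameters are consistent")
```

Paste the output of `show router bgp` and `show vpn ipsec phase1-interface` from the hub into `FGT_CONFIG` and the UI values into `SASE_UI`; an empty result means the two sides line up, and each finding names the exact setting to correct before re-running `get router info bgp summary`.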

vpolovnikov answered

Fantastic article. Thank you!
