11-23-2023 01:24 PM
In my ACI fabric, I have an L3out BGP peering between a Border Leaf and Fortinet firewalls. My problem is that I don't receive the default route that is advertised by the firewall via the L3out; on the other hand, on the firewall I can see the routes of the BDs that are advertised by ACI. For further investigation of the issue, I've checked that the BGP peering is OK on the firewall side as well as on the Border Leaf. I've also checked the advertised routes from the firewalls towards ACI and I clearly see that a default route is advertised. On the ACI side, I've checked the BGP routing table of the appropriate VRF and I cannot see any routes that come from the BGP peering except the routes of the local BDs.
As you see below, the configuration of the external EPG of the L3out:
Here is the vzAny contract that is provided by the external EPG:
Here is the config of the vzAny:
Here, as you see, are the routes advertised by the firewall to ACI:
Here is the routing table of the Border Leaf: as you see, I cannot receive the default route.
Please, is there any idea concerning the issue?
11-27-2023 12:47 AM
Perfect @JlassiAhmed0345
11-23-2023 01:43 PM
Hi @JlassiAhmed0345 ,
First a tip:
When posting a screenshot, you'll probably then want to click on the image and make the image large - like this.
This means your pictures are actually SEEN (a) in the email that gets sent to subscribers and (b) by anyone who looks at this post in the future. Adding pictures as attachments... puts your submission into the TL;DR category.
Now to your default route problem: (This is from the top of my head - I may be wrong)
You'll need to check the [x] Shared Route Control Subnet and [x] Aggregate Shared Routes check boxes to get to see the 0.0.0.0/0 route.
[Note: Reserving the right to edit this later if I find a better answer]
11-23-2023 01:52 PM
Thank you for your quick response.
I think that it should work when I enable only the External Subnets for External EPG flag on 0.0.0.0/0. I already have another L3out on another VRF, and it is configured in the same way as this L3out, and I can receive routes on it.
11-23-2023 10:33 PM
Hello @JlassiAhmed0345
Basically, check the AS PATH of the default route; you don't have the ASN of the ACI Fabric on that list? That should explain why the ACI Fabric (Border Leaf) drops that announcement as loop prevention.
11-24-2023 12:57 AM
Hello,
Thanks for your help.
Here I share with you the AS-PATH of the default route on the firewall as well as the BGP config of the Border Leaf.
Firewall:
And this is the BGP summary on the Border Leaf:
As you see, the AS-PATH does not have the ASN of the fabric.
11-24-2023 01:24 AM
Thanks for these clear pictures!
Also, on your border leaf please do:
#sh ip bgp vrf <VRF NAME> neighbor <IP neig Fortigate> received-routes
Do you see that default route?
11-24-2023 01:36 AM
As you see, this command is not supported by ACI. Do you have another way to see the received routes?
11-24-2023 01:50 AM - edited 11-24-2023 01:52 AM
The CLI tells you what the problem is....
%inbound soft reconfiguration for ipv4 unicast not enabled on 10.104.9.81
So on 10.104.9.81 add the command "soft reconfiguration inbound always" and retype this command on your border leaf please.
Seems to be on your Fortigate.... Depending on your version, look in the BGP neighbor profile and check that box:
11-24-2023 02:03 AM
It's already configured on the firewall side.
11-24-2023 04:42 AM
Hello @JlassiAhmed0345
remote-as 65338? Is it not 65189? Based on:
11-24-2023 05:00 AM
Hello M02@rt37
Yes, you are right, the remote AS is 65338 (AS of the Fabric).
11-24-2023 07:38 AM - edited 11-24-2023 07:41 AM
Then why, on that output from the Border Leaf, do we have local AS 65189?
Other thing: on the Border Leaf, do you have a route-map applied inbound on the FortiGate's neighbor IP?
11-24-2023 08:20 AM
Sorry, the AS of the fabric is 65189 and AS 65338 is the local-AS of the L3out.
For the route-map: yes, I have an inbound route-map that allows the default route.
11-24-2023 09:15 AM
Could you please share your route map ?
11-24-2023 02:25 PM
Yes, for sure:
If you return to the previous screenshot of the BGP table of the firewall, you will see that the AS-PATH of the default route contains the ASN 65189 of the ACI Fabric; this could be the reason why the Fabric can't receive this default route.
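As an added example (not code from this thread), a small Python model of the eBGP loop check the last reply points to: the border leaf drops a received route whose AS_PATH already carries one of its own ASNs, so the route shows up in the neighbor's received-routes (which needs soft reconfiguration inbound) but never reaches the VRF routing table. The ASNs 65189/65338 and the 0.0.0.0/0 prefix come from the thread; the firewall ASN 65100, the 192.0.2.0/24 prefix, and treating the L3out local-AS as an "own" ASN are assumptions.

```python
from dataclasses import dataclass

# Values from the thread: fabric ASN and the local-AS configured on the L3out.
FABRIC_ASN = 65189
L3OUT_LOCAL_AS = 65338


@dataclass
class Route:
    prefix: str
    as_path: list[int]  # AS_PATH as received, left-most ASN = last hop


def loop_check(route, own_asns, allowas_in=0):
    """Return (accepted, reason) for one received eBGP route.

    RFC 4271 loop detection: drop the route if any of this router's own ASNs
    appears in AS_PATH more times than allowas-in permits (default 0).
    Treating the local-AS as an "own" ASN is an assumption of this model.
    """
    for asn in sorted(own_asns):
        seen = route.as_path.count(asn)
        if seen > allowas_in:
            return False, f"AS {asn} appears {seen}x in AS_PATH {route.as_path}"
    return True, "ok"


def build_rib(received, own_asns, allowas_in=0):
    """Split what 'received-routes' shows (Adj-RIB-In) from what survives
    loop prevention and can reach the VRF routing table."""
    accepted, rejected = [], {}
    for route in received:
        ok, why = loop_check(route, own_asns, allowas_in)
        if ok:
            accepted.append(route.prefix)
        else:
            rejected[route.prefix] = why
    return accepted, rejected


# Constructed Adj-RIB-In as the border leaf would receive it from the FortiGate.
# AS 65100 is a placeholder for the firewall's ASN (not given in the thread).
RECEIVED = [
    Route("0.0.0.0/0", [65100, 65189]),   # default route already carrying the fabric ASN
    Route("192.0.2.0/24", [65100]),       # constructed prefix with a clean path
]

if __name__ == "__main__":
    ok, dropped = build_rib(RECEIVED, {FABRIC_ASN, L3OUT_LOCAL_AS})
    print("installed:", ok)
    for prefix, why in dropped.items():
        print("dropped:", prefix, "->", why)
```

Running it shows 192.0.2.0/24 installed and 0.0.0.0/0 dropped because AS 65189 is in its path; the same default route would only be accepted with allowas-in or once the firewall stops prepending the fabric ASN.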