12-20-2022 08:19 AM
We have a pair of FirePower 2110 firewalls. They are exchanging BGP routes with a Fortigate used for a managed WAN solution. We have read-only access to the Fortigate that peers with our FirePower. We are redistributing three static routes from the FirePower to the Fortigate: 10.48.0.0/16, 192.168.10.0/24, and 192.168.70.0/24. The 10.48.0.0/16 advertisement is learned by the Fortigate; however, the 192.168.x.x/24 subnets are not. We do have a route-map with a prefix-list to limit the static routes that are redistributed into BGP. I have confirmed the route-map and the prefix-list are correct.
Another thing that doesn't make sense: if you try to look at the BGP prefixes being advertised to the Fortigate peer from the FirePower (via the FirePower CLI), the FirePower says that ZERO routes are being advertised to the Fortigate. Clearly at least the 10.48.0.0/16 route is. I've confirmed this by removing the 10.48.0.0/16 route from the prefix-list, and the 10.48.0.0/16 route goes away from the Fortigate's (BGP) routing table.
I've also tried switching the 10.48.0.0/16 route to a specific subnet, 10.48.3.0/24. As a /24 subnet, I'm not able to learn the 10.48.3.0/24 subnet on the Fortigate.
Is the FirePower not reporting BGP advertised routes correctly a known issue/bug? I'm thinking it must be, because again, I have confirmed at least 10.48.0.0/16 is being advertised by the FirePower, but it is not reported. I also cannot figure out why the FirePower doesn't seem to want to redistribute anything but a /16.
Below is a partial config from the "sys support diagnostic-cli" command line of the FirePower:
router bgp 65014
 bgp log-neighbor-changes
 bgp router-id vrf auto-assign
 address-family ipv4 unicast
  neighbor 172.30.254.5 remote-as 65029
  neighbor 172.30.254.5 description Masergy-Fortigate
  neighbor 172.30.254.5 transport path-mtu-discovery disable
  neighbor 172.30.254.5 ha-mode graceful-restart disable
  neighbor 172.30.254.5 activate
  network 10.0.0.0
  network 172.16.0.0 mask 255.240.0.0
  network 172.29.0.0
  network 172.30.0.0
  network 10.10.1.0 mask 255.255.255.0
  network 10.10.2.0 mask 255.255.255.0
  network 10.10.3.0 mask 255.255.255.0
  network 192.168.192.0
  redistribute static metric 10 route-map Static2BGP
  no auto-summary
  no synchronization
 exit-address-family
!
route WAN 10.48.0.0 255.255.0.0 172.30.254.160 1
route WAN 192.168.10.0 255.255.255.0 172.30.254.160 1
route WAN 192.168.70.0 255.255.255.0 172.30.254.160 1
!
prefix-list Static2BGP_Route_Filter seq 10 permit 10.48.0.0/16
prefix-list Static2BGP_Route_Filter seq 20 permit 192.168.10.0/24
prefix-list Static2BGP_Route_Filter seq 30 permit 192.168.70.0/24
!
route-map Static2BGP permit 10
 match ip address prefix-list Static2BGP_Route_Filter
 set local-preference 10
 set origin igp
!
route-map Static2BGP deny 20
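An added example, not from the poster or from Cisco, that applies Cisco prefix-list matching rules to the Static2BGP_Route_Filter entries quoted above: an entry with no ge/le only matches a route of exactly that length, so a /24 such as 10.48.3.0/24 falls through to the implicit deny unless the /16 entry is widened with `le`. The parser and evaluator are my own and assume only the config lines shown in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class PrefixListEntry:
    seq: int
    action: str  # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        # Cisco semantics: the prefix must sit inside the entry network and, with no
        # ge/le, match its length exactly; "ge" alone extends the range up to /32.
        if not prefix.subnet_of(self.network):
            return False
        lo = self.ge if self.ge is not None else self.network.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else self.network.prefixlen)
        return lo <= prefix.prefixlen <= hi

def parse_prefix_list(config: str, name: str) -> list:
    """Collect 'prefix-list NAME seq N permit|deny X/Y [ge A] [le B]' lines for NAME."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "prefix-list" or tok[1] != name or tok[2] != "seq":
            continue
        opts = dict(zip(tok[6::2], tok[7::2]))  # optional "ge N" / "le N" pairs
        entries.append(PrefixListEntry(int(tok[3]), tok[4], ipaddress.ip_network(tok[5], strict=False),
                                       int(opts["ge"]) if "ge" in opts else None,
                                       int(opts["le"]) if "le" in opts else None))
    return sorted(entries, key=lambda e: e.seq)

def evaluate(entries: list, prefix: str) -> tuple:
    """First matching entry wins; no match falls through to the implicit deny (seq None)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for e in entries:
        if e.matches(net):
            return (e.action, e.seq)
    return ("deny", None)

# The prefix-list exactly as quoted in the post above (constructed input for this example).
STATIC2BGP_CONFIG = """
prefix-list Static2BGP_Route_Filter seq 10 permit 10.48.0.0/16
prefix-list Static2BGP_Route_Filter seq 20 permit 192.168.10.0/24
prefix-list Static2BGP_Route_Filter seq 30 permit 192.168.70.0/24
"""
```

Running `evaluate()` over the three static routes and the 10.48.3.0/24 test route shows the first three hitting seq 10/20/30 and the /24 hitting the implicit deny; the same evaluator can be pointed at any inbound prefix-list the peer side shares.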
12-20-2022 08:49 AM
I need to see the route in FPR? Please share it.
12-20-2022 09:21 AM
Figured out why I don't see the advertised routes... It's a failover pair, and it's failed over (I was looking at the wrong one). So now I can at least confirm that the FirePower is sending the routes to the Fortigate. Now I just have to figure out why the Fortigates seem to be ignoring some of the routes I'm sending.
Cin-FirePWR2# sh bgp sum
BGP router identifier 192.168.192.1, local AS number 65014
BGP table version is 399, main routing table version 399
88 network entries using 17600 bytes of memory
88 path entries using 7040 bytes of memory
20/20 BGP path/bestpath attribute entries using 4160 bytes of memory
13 BGP AS-PATH entries using 504 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 29304 total bytes of memory
BGP activity 153/65 prefixes, 163/75 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.30.254.5 4 65029 268369 209274 399 0 0 11w4d 77
Cin-FirePWR2# sh bgp nei
Cin-FirePWR2# sh bgp neighbors 172.30.254.5 adv
Cin-FirePWR2# sh bgp neighbors 172.30.254.5 advertised-routes
BGP table version is 399, local router ID is 192.168.192.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 172.30.254.6 3328 32768 i
*> 10.10.1.0/24 0.0.0.0 0 32768 i
*> 10.10.2.0/24 0.0.0.0 0 32768 i
*> 10.10.3.0/24 0.0.0.0 0 32768 i
*> 10.48.0.0/16 172.30.254.160 10 10 32768 i
*> 172.16.0.0/12 172.30.254.6 3072 32768 i
*> 172.29.0.0 172.30.252.1 0 32768 i
*> 172.30.0.0 172.30.252.1 0 32768 i
*> 192.168.10.0 172.30.254.160 0 32768 i
*> 192.168.70.0 172.30.254.160 0 32768 i
*> 192.168.192.0 0.0.0.0 0 32768 i
Total number of prefixes 11
Cin-FirePWR2#
12-20-2022 10:09 AM
The only things that make the Fortigate accept some and refuse others are:
1- max limit
2- there is an inbound prefix-list
12-21-2022 11:14 AM
After I looked at the correct FirePower, here are the route advertisements to the Fortigate:
Cin-FirePWR2# show bgp neighbors 172.30.254.5 advertised-routes
BGP table version is 405, local router ID is 192.168.192.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 172.30.254.6 3328 32768 i
*> 10.10.1.0/24 0.0.0.0 0 32768 i
*> 10.10.2.0/24 0.0.0.0 0 32768 i
*> 10.10.3.0/24 0.0.0.0 0 32768 i
*> 10.48.0.0/16 172.30.254.160 100 10 100 i
*> 172.16.0.0/12 172.30.254.6 3072 32768 i
*> 172.29.0.0 172.30.252.1 0 32768 i
*> 172.30.0.0 172.30.252.1 0 32768 i
*> 192.168.10.0 172.30.254.160 100 10 100 i
*> 192.168.70.0 172.30.254.160 100 10 100 i
*> 192.168.192.0 0.0.0.0 0 32768 i
Total number of prefixes 11
Cin-FirePWR2#
Since the metric, LocalPref and Weight are all the same for the three routes in question, I have to conclude that the Fortigate is messed up somehow.
12-21-2022 11:39 AM
*> 192.168.10.0 172.30.254.160 100 10 100 i
*> 192.168.70.0 172.30.254.160 100 10 100 i
*> 10.48.0.0/16 172.30.254.160 100 10 100 i
All are the same, so check the Fortigate side; maybe they run some inbound prefix-list.