Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
islam_nadim
New Contributor III

Created on ‎07-20-2023 04:27 AM

Hub and Spoke Topology Not Working as Expected

Hello,

 

I've built a Hub-and-Spoke lab as I need to deploy SD-WAN, which is my ultimate goal here. The configuration went smooth with no issues I can remember. However, after the configuration is complete, and BGP is up, the spokes are not able to reach each other. I tried troubleshooting, and found that the Hub is not passing the traffic. Below is my topology on EVE/PNet

 

Topology.png

 

I'm not sure where the issue is. But the firewalls doesn't pass the traffic through the tunnels!

 

I need to get SD-WAN fully running here.

 

All 3 firewalls are running the same version: FortiOS-VM64-KVM v7.2.4,build1396,23013 (GA.F).

 

For the IPSec Tunnels, I created the tunnels using the wizard using the Hub-and-Spoke Template

 

I'm really not sure what is missing here.

Labels:
2009
1 Solution
islam_nadim
New Contributor III
In response to mauromarme

Created on ‎10-08-2023 04:45 AM

Hello @mauromarme ,

 

I've got it to work in Hub-and-Spoke deployment after I changed the image I was using.

 

Seems that the FOS Image doesn't pass traffic. I changed to the FGT with trial license, and it worked with me. Time to work on the SD-WAN and see the outcome. It might take some time to work on it.

View solution in original post

1452
0 Kudos
12 REPLIES 12
mauromarme
Staff
Staff

Created on ‎07-20-2023 09:27 AM

Hello Islam,

Hoping you are doing well.
Could you please attach the FortiGate configuration files along with the BGP commands below?
get router info bgp summary -> This command will display your BGP neighbors IP. Use those IPs on the commands below.
get router info bgp neighbors x.x.x.x advertised-routes
get router info bgp neighbors x.x.x.x received-routes

Thanks!


Mauricio Marin
Fortinet TAC Senior Engineer
1657
npariyar
Staff
Staff
In response to mauromarme

Created on ‎07-21-2023 02:26 AM Edited on ‎07-21-2023 02:28 AM

Hello Islam,

 

Did you create a firewall policy for spoke-to-spoke communication?

 

Eg:

edit 0
set name "spoke2spoke"
set srcintf "advpn-hub"
set dstintf "advpn-hub"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

 

You can follow the below article for ADVPN with BGP as the routing protocol.

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/820072/advpn-with-bgp-as-the...

 

Regards

Niroj Pariyar

 

Niroj Pariyar
1644
islam_nadim
New Contributor III
In response to npariyar

Created on ‎07-21-2023 09:15 AM Edited on ‎07-21-2023 09:25 AM

Hello @npariyar ,

 

I do have the policy in place. It is created automatically via the VPN Wizard

 

    edit 2
        set name "vpn_Hub-Spoke_spoke2spoke_0"
        set uuid f20a5d8c-2676-51ee-12b6-2c70588442df
        set srcintf "Hub-Spoke"
        set dstintf "Hub-Spoke"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: Hub-Spoke (Created by VPN wizard)"
    next
1630
0 Kudos
islam_nadim
New Contributor III
In response to mauromarme

Created on ‎07-21-2023 09:13 AM

Hello @mauromarme ,

 

I've checked and you can also see below the results:

 

Hub:

hub # get router info bgp summary 

VRF 0 BGP router identifier 10.10.1.1, local AS number 65100
BGP table version is 7
1 BGP AS-PATH entries
0 BGP community entries

Neighbor  V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.3 4      65100    1988    1992        6    0    0 1d04h47m        1
10.10.1.4 4      65100    1987    1987        7    0    0 1d04h47m        1

Total number of neighbors 2


hub # get router info bgp neighbors 10.10.1.3 advertised-routes
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i10.10.10.0/24    10.10.1.1                     100  32768        0 i <-/->
*>i30.30.30.0/24    10.10.1.4                     100      0        0 i <-/->

Total number of prefixes 2


hub # get router info bgp neighbors 10.10.1.3 received-routes
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i20.20.20.0/24    10.10.1.3                     100      0        0 i <-/->

Total number of prefixes 1


hub # get router info bgp neighbors 10.10.1.4 advertised-routes
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i10.10.10.0/24    10.10.1.1                     100  32768        0 i <-/->
*>i20.20.20.0/24    10.10.1.3                     100      0        0 i <-/->

Total number of prefixes 2


hub # get router info bgp neighbors 10.10.1.4 received-routes
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i30.30.30.0/24    10.10.1.4                     100      0        0 i <-/->

Total number of prefixes 1

 Spoke1:

spoke1 # get router info bgp summary 

VRF 0 BGP router identifier 10.10.1.3, local AS number 65100
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries

Neighbor  V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.1 4      65100    1988    1992        2    0    0 1d04h47m        2

Total number of neighbors 1


spoke1 # get router info bgp neighbors 10.10.1.1 advertised-routes
VRF 0 BGP table version is 2, local router ID is 10.10.1.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i20.20.20.0/24    10.10.1.3                     100  32768        0 i <-/->

Total number of prefixes 1


spoke1 # get router info bgp neighbors 10.10.1.1 received-routes
% Inbound soft reconfiguration not enabled
% No prefix for neighbor 10.10.1.1

Spoke2:

spoke2 # get router info bgp summary 

VRF 0 BGP router identifier 10.10.1.4, local AS number 65100
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries

Neighbor  V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.1 4      65100    1982    1991        2    0    0 1d04h47m        2

Total number of neighbors 1


spoke2 # get router info bgp neighbors 10.10.1.1 advertised-routes
VRF 0 BGP table version is 3, local router ID is 10.10.1.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i30.30.30.0/24    10.10.1.4                     100  32768        0 i <-/->

Total number of prefixes 1


spoke2 # get router info bgp neighbors 10.10.1.1 received-routes
% Inbound soft reconfiguration not enabled
% No prefix for neighbor 10.10.1.1

I see that the routes sent from the Hub is not reflected on the spokes. However, the Hub knows about the networks behind both spokes

1631
0 Kudos
mauromarme
Staff
Staff
In response to islam_nadim

Created on ‎10-05-2023 12:37 PM

Hello Islam,

Sorry, I missed your reply.
Did you were able to make this work or are you still having the issue?

Mauricio Marin
Fortinet TAC Senior Engineer
1215
islam_nadim
New Contributor III
In response to mauromarme

Created on ‎10-08-2023 04:45 AM

Hello @mauromarme ,

 

I've got it to work in Hub-and-Spoke deployment after I changed the image I was using.

 

Seems that the FOS Image doesn't pass traffic. I changed to the FGT with trial license, and it worked with me. Time to work on the SD-WAN and see the outcome. It might take some time to work on it.

1453
0 Kudos
islam_nadim
New Contributor III
In response to balbasorus

Created on ‎07-26-2023 01:35 AM

Hi @balbasorus ,

I've already built the Hub and Spoke using the wizard but for some reason it is not working.

1539
0 Kudos
Muhammad_Haiqal
Staff
Staff

Created on ‎07-24-2023 09:33 PM

 

Hi @islam_nadim ,

That was a clear network design.

When you created a VPN on the HUB, there is an options to create a spoke.
Each spoke will have unique code. You just need to apply this code to each spoke respectively.
Do not use same code for all spoke.

Else, you may need to verify interface and BGP configuration and do manual changes.

haiqal
1575
islam_nadim
New Contributor III
In response to Muhammad_Haiqal

Created on ‎07-26-2023 01:35 AM

Hi @Muhammad_Haiqal ,

I've already built the Hub and Spoke using the wizard but for some reason it is not working.

1297
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.