L3out not receiving routes

JlassiAhmed0345
Level 1

In my ACI fabric, I have an L3out BGP peering between a Border Leaf and Fortinet Firewalls. My problem is that I don't receive the default route that is advertised by the firewall via the L3out; on the other hand, on the firewall I can see the routes of the BDs that are advertised by ACI. For further investigation of the issue, I've checked that the BGP peering is OK on the firewall side as well as on the Border Leaf; I've also checked the routes advertised from the firewalls towards ACI and I clearly see that a default route is advertised. On the ACI side, I've checked the BGP routing table of the appropriate VRF and I cannot see any routes that come from the BGP peering except the routes of the local BDs.

As you can see below, this is the configuration of the external EPG of the L3out:

JlassiAhmed0345_0-1700773415245.png

Here is the vzAny contract that is provided by the external EPG:

JlassiAhmed0345_1-1700773494637.png

Here is the config of the vzAny:

JlassiAhmed0345_2-1700773579502.png

Here, as you can see, are the routes advertised by the firewall to ACI:

JlassiAhmed0345_3-1700773793666.png

Here is the routing table of the Border Leaf; as you can see, I do not receive the default route.

 

JlassiAhmed0345_5-1700773893938.png

Please, does anyone have any idea concerning the issue?
1 Accepted Solution

Perfect @JlassiAhmed0345 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

20 Replies

RedNectar
VIP

Hi @JlassiAhmed0345 ,

First a tip:


When posting a screenshot, you'll probably then want to click on the image and make the image large - like this.

 

RedNectar_1-1685651021448.png

 

This means your pictures are actually SEEN (a) in the email that gets sent to subscribers and (b) by anyone who looks at this post in the future. Adding pictures as attachments... puts your submission into the TL;DR category.


Now to your default route problem: (This is from the top of my head - I may be wrong)

You'll need to check the [x] Shared Route Control Subnet and [x] Aggregate Shared Routes check boxes to get to see the 0.0.0.0/0 route.

RedNectar_0-1700775783484.png

 

[Note: Reserving the right to edit this later if I find a better answer ]

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Thank you for your quick response.

I think that it should work when I enable only the External Subnets for External EPG tag on 0.0.0.0/0; I already have another L3out on another VRF, it is configured in the same way as this L3out, and I can receive routes on it.

M02@rt37
VIP

Hello @JlassiAhmed0345 

Basically, check the AS PATH of the default route; don't you have the ASN of the ACI Fabric on that list? That would explain why the ACI Fabric (Border Leaf) drops that announcement as loop prevention.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello, thanks for your help.

Here I share with you the AS-PATH of the default route on the firewall as well as the BGP config of the Border Leaf.

Firewall :

JlassiAhmed0345_0-1700815905977.png

JlassiAhmed0345_1-1700815971190.png

And this is the BGP summary on the Border Leaf:

JlassiAhmed0345_3-1700816243611.png

As you can see, the AS-PATH does not have the ASN of the fabric.
Ok @JlassiAhmed0345 

Thanks for these clear pictures!

Also, on your border leaf please do:

#sh ip bgp vrf <VRF NAME> neighbor <IP neig Fortigate> received-routes

Do you see that default route?

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

As you can see, this command is not supported by ACI. Do you have another way to see the received routes?

JlassiAhmed0345_0-1700818493921.png

JlassiAhmed0345_1-1700818567783.png

 

@JlassiAhmed0345 

The CLI tells what the problem is....

%inbound soft reconfiguration for ipv4 unicast not enabled on 10.104.9.81

So on 10.104.9.81 add the command "soft reconfiguration inbound always" and retype this command on your border leaf, please.

It seems to be on your FortiGate... depending on your version, look in the BGP neighbor profile and check that box:

M02rt37_0-1700819536966.png

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

It's already configured on the firewall side.

JlassiAhmed0345_0-1700820168832.png

 

Hello @JlassiAhmed0345 

M02rt37_0-1700829622613.png

remote-as 65338? Is it not 65189? Based on:

M02rt37_1-1700829725344.png

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello M02@rt37 

Yes, you are right, the remote AS is 65338 (AS of the Fabric).

Ok @JlassiAhmed0345 

Then why, in that output from the Border Leaf, do we have local AS 65189?

M02rt37_0-1700840318683.png

Other thing: on the Border Leaf, do you have an inbound route-map applied on the FortiGate's neighbor IP?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Sorry, the AS of the fabric is 65189 and AS 65338 is the local-AS of the L3out.

For the route-map: yes, I have an inbound route-map that allows the default route.

OK @JlassiAhmed0345 

Could you please share your route map ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Yes, for sure:

JlassiAhmed0345_0-1700864303287.png

JlassiAhmed0345_1-1700864357897.png

If you return to the previous screenshot of the BGP table of the firewall, you will see that the AS-PATH of the default route contains ASN 65189 of the ACI Fabric; this could be the reason why the Fabric can't receive this default route.
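To illustrate the loop-prevention behaviour M02@rt37 pointed at and the AS-PATH observation in the last post, here is an added example (not code from the thread, from Cisco or from Fortinet) that simulates the standard BGP AS_PATH loop check a receiving speaker applies before installing a route. The fabric ASN 65189 and the L3out local-AS 65338 come from the thread; the firewall ASN 65001, the sample prefixes and the `allowas_in` knob (the generic BGP allowas-in feature, not an ACI-specific setting) are assumptions for the demonstration.

```python
# Added example: BGP AS_PATH loop detection as a receiving speaker performs it.
# ASNs 65189 (fabric) and 65338 (L3out local-AS) are taken from the thread;
# everything else here is constructed for illustration.

FABRIC_ASN = 65189       # real ASN of the ACI fabric (from the thread)
L3OUT_LOCAL_AS = 65338   # local-AS configured on the L3out peering (from the thread)
FIREWALL_ASN = 65001     # constructed placeholder for the FortiGate's ASN


def own_asns(fabric_asn, local_as=None):
    """ASNs the receiving speaker treats as its own for loop detection.
    With a local-AS configured, both the real AS and the local AS count."""
    return {fabric_asn} | ({local_as} if local_as else set())


def check_route(prefix, as_path, fabric_asn, local_as=None, allowas_in=0):
    """Return (accepted, reason). An AS_PATH that already contains one of our
    own ASNs is a routing loop and is discarded, unless the generic BGP
    allowas-in knob permits that many occurrences of our own AS."""
    for asn in sorted(own_asns(fabric_asn, local_as)):
        hits = as_path.count(asn)
        if hits > allowas_in:
            return False, (f"{prefix}: AS_PATH {as_path} contains own AS {asn} "
                           f"({hits}x) - loop detected, route dropped")
    return True, f"{prefix}: AS_PATH {as_path} accepted"


def received_routes(adverts, fabric_asn, local_as=None, allowas_in=0):
    """Filter (prefix, as_path) adverts the way the border leaf would, returning
    only the prefixes that survive the loop check."""
    return [p for p, path in adverts
            if check_route(p, path, fabric_asn, local_as, allowas_in)[0]]


# Constructed sample of what the firewall might advertise to the border leaf.
# The default route carries the fabric ASN because it was learned through the
# fabric on another path, as the last post in the thread observed.
SAMPLE_ADVERTISED = [
    ("0.0.0.0/0", [FIREWALL_ASN, FABRIC_ASN]),
    ("10.10.0.0/16", [FIREWALL_ASN]),
]

if __name__ == "__main__":
    for prefix, path in SAMPLE_ADVERTISED:
        print(check_route(prefix, path, FABRIC_ASN, L3OUT_LOCAL_AS)[1])
    print("installed:", received_routes(SAMPLE_ADVERTISED, FABRIC_ASN, L3OUT_LOCAL_AS))
```

The check also catches a path that contains the local-AS 65338 rather than the fabric AS, which is why both values matter when reading the firewall's AS-PATH output.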
