The diagram below shows the environment I’m going to test:
Active-Standby
This option supports connecting AVX transit gateways to on-prem with only one active tunnel and the other one as backup. The use case is a deployment scenario where on-prem device such as firewall does not support asymmetric routing on two tunnels. Aviatrix configuration:
- ECMP is disabled
- Active-Standby is enabled
The active/standby configuration will produce the following configuration:
- transit-us-east-1 is the primary path with a metric of 100
- transit-us-east-1 to transit-us-east-1-hagw has a metric of 200
- transit-us-east-1-ha is the backup path with a metric of 300
FortiGate config
To align the FortiGate configuration to the AVX gateways, we need to use BGP Weight attribute to prefer a route received from the AVX primary transit gateway GRE tunnel over the AVX transit gateway ha GRE tunnel.
GRE:
edit "toAVX"
set vdom "root"
set ip 169.254.102.229 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.102.230 255.255.255.252
set interface "port1"
next
edit "toAVX-HA"
set vdom "root"
set ip 169.254.62.33 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.62.34 255.255.255.252
set interface "port1"
endBGP:
config router bgp
set as 65500
set router-id 192.168.1.1
config neighbor
edit "169.254.102.230"
set soft-reconfiguration enable
set remote-as 65501
set update-source "192.168.1.1"
next
edit "169.254.62.34"
set soft-reconfiguration enable
set remote-as 65501
set update-source "192.168.1.1"
next
end
config redistribute "connected"
set status enable
end
endBGP traffic engineering:
config router prefix-list
edit "prf-10.0.0.0-8"
config rule
edit 2
set prefix 10.0.0.0 0.0.0.0
set ge 8
unset le
next
end
next
endconfig router route-map
edit "rt-map-10.0.0.0-8"
# config rule
edit 1
set match-ip-address "prf-10.0.0.0-8"
set set-weight 40000
next
end
next
endconfig router bgp
set as 65500
set router-id 192.168.1.1
config neighbor
edit "169.254.102.230"
set soft-reconfiguration enable
set remote-as 65501
set route-map-in "rt-map-10.0.0.0-8"
next
edit "169.254.62.34"
set soft-reconfiguration enable
set remote-as 65501
next
endChecking
execute router clear bgp ip 169.254.102.230 softget router info bgp network 
Testing
Shooting down the primary AVX gateway “promotes” the “surviving” routes from the AVX HA gateway GRE tunnel to the preferred path and those routes are installed into the FortiGate routing table:
Active/Active
This option supports connecting AVX transit gateways to on-prem with more than one tunnel active. Aviatrix configuration:
- BGP ECMP is enabled
- Active-Standby is disabled
The active/standby configuration will produce the following configuration:
- transit-us-east-1 is the primary path with a metric of 100
- transit-us-east-1 to transit-us-east-1-hagw has a metric of 200
- transit-us-east-1-ha is also a primary path with a metric of 100
FortiGate config
To align the FortiGate configuration to the AVX gateways, we need to configure ECMP:
config router bgp
set as 65500
set router-id 192.168.1.1
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
config neighbor
edit "169.254.102.230"
set soft-reconfiguration enable
set remote-as 65501
next
edit "169.254.62.34"
set soft-reconfiguration enable
set remote-as 65501
next
end
config redistribute "connected"
set status enable
endChecking
Asymmetric Routing
AVX and FortiGate ECMP enabled causes half of the traffic to get dropped. It happens on flows that takes different paths on egressing and ingressing FortiGate GRE tunnels. If a FortiGate receives the response packets, but not the requests, by default it blocks the packets as invalid. This behavior is known as asymmetric routing.
It is not recommended but if it is required that the FortiGate should permit asymmetric routing, it can be configured with the following command:
config system settings
set asymroute enable
endReferences
List of all useful BGP debug and verification commands:
show router bgp
get router info bgp summary
get router info bgp network
get router info routing-table bgp
get router info bgp neighbors
get router info bgp neighbors advertised-routes
get router info bgp neighbors routes
get router info bgp neighbors received-routes
diagnose sys tcpsock | grep 179
diagnose ip router bgp level info
diagnose ip router bgp all enable
exec router clear bgp allhttps://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932
