ExpressRoute and FortiGate BGP Issue in an Azure Virtual WAN

Jonathan Bell 26 Reputation points
2023-09-21T17:49:59.86+00:00

Good evening.

We have deployed an Azure virtual WAN with a secured hub. The Azure virtual WAN has a VPN and ExpressRoute gateway deployed. The Azure virtual WAN routing preference is configured as ASPATH. All internet and private traffic is routed through the Azure Firewall first.

We have configured a site-to-site VPN between the Azure Virtual WAN and the on-premises FortiGate firewall. BGP has been configured for routing. This connection has been in place for three months and works well.

We recently provisioned the ExpressRoute and attempted to connect it to the same FortiGate firewall. Connectivity seems to be established, but BGP doesn't seem to work: establishing a BGP session between the FortiGate firewall and ExpressRoute fails. The ExpressRoute provider is not providing a layer 3 service, so this is a layer 2 service.

I am struggling to see if it's an Azure problem or a FortiGate problem. Any suggestions are welcome.


1 answer

  1. ChaitanyaNaykodi-MSFT 24,156 Reputation points Microsoft Employee
    2023-09-22T02:03:37.71+00:00

    @Jonathan Bell

    Thank you for reaching out. I understand you are facing connectivity issues with Azure Express Route and on-prem FortiGate Firewall.

    It will help if you could verify ExpressRoute connectivity using this troubleshooting documentation

    • Verify circuit provisioning and state
    • Validate ARP : ARP tables can help validate layer 2 configuration
    • Validate BGP and routes on the MSEE

    To get the routing table from the MSEE on the primary path for the private routing context, use the following command (the cmdlet also requires the circuit's resource group, and the private peering is selected with PeeringType AzurePrivatePeering; the circuit name below is redacted in the original):

    Get-AzExpressRouteCircuitRouteTable -ResourceGroupName <resource-group> -ExpressRouteCircuitName ******* -PeeringType AzurePrivatePeering -DevicePath Primary

    • Test private peering connectivity as shown here to diagnose any issue. You can also perform a packet capture on FortiGate Firewall to determine the exact cause of the issue.

    Thank you!

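The checks listed in the answer (circuit provisioning state, ARP on the MSEE, BGP neighbor state and routes on both paths) can be run as one script. The following is an added example, not code from the original post or from Microsoft's documentation; it assumes the Az.Network module is installed, that you have already run Connect-AzAccount, and that the placeholder values for the resource group and circuit name are replaced with your own.

```powershell
# Added example: walk the ExpressRoute private-peering checks on both MSEE paths.
# Assumptions: Az.Network installed, Connect-AzAccount already done,
# $rg and $circuit replaced with your resource group and circuit name.
param(
    [string]$rg      = '<resource-group>',   # assumption: your resource group
    [string]$circuit = '<circuit-name>'      # assumption: your circuit name
)
$peering = 'AzurePrivatePeering'

# 1. Provisioning: the provider must have completed its side (layer 2) before
#    the MSEE will ever see ARP or BGP from the FortiGate.
$c = Get-AzExpressRouteCircuit -Name $circuit -ResourceGroupName $rg
"Circuit provisioning : $($c.CircuitProvisioningState)"
"Provider provisioning: $($c.ServiceProviderProvisioningState)"
foreach ($p in ($c.Peerings | Where-Object { $_.PeeringType -eq $peering })) {
    "Peering $($p.PeeringType): state $($p.State), VLAN $($p.VlanId), " +
    "peer ASN $($p.PeerASN), Azure ASN $($p.AzureASN), " +
    "primary $($p.PrimaryPeerAddressPrefix), secondary $($p.SecondaryPeerAddressPrefix)"
}

foreach ($path in 'Primary', 'Secondary') {
    "`n=== $path path ==="

    # 2. ARP: an entry for the on-premises /30 address proves the VLAN is
    #    tagged end to end. Only the MSEE's own entry means L2 is not complete.
    $arp = Get-AzExpressRouteCircuitARPTable -ResourceGroupName $rg `
        -ExpressRouteCircuitName $circuit -PeeringType $peering -DevicePath $path
    $arp | Format-Table Age, InterfaceProperty, IpAddress, MacAddress -AutoSize | Out-String
    if (($arp | Measure-Object).Count -le 1) {
        "No ARP entry for the on-premises side on $path: check VLAN tagging on the " +
        "provider hand-off and the FortiGate sub-interface before looking at BGP."
    }

    # 3. BGP neighbor state on the MSEE. StatePfxRcd is a prefix count when the
    #    session is Established and a state name (Idle, Active, ...) otherwise.
    $bgp = Get-AzExpressRouteCircuitRouteTableSummary -ResourceGroupName $rg `
        -ExpressRouteCircuitName $circuit -PeeringType $peering -DevicePath $path
    $bgp | Format-Table Neighbor, V, AsProperty, UpDown, StatePfxRcd -AutoSize | Out-String
    foreach ($n in $bgp) {
        if ($n.StatePfxRcd -notmatch '^\d+$') {
            "BGP to $($n.Neighbor) on $path is $($n.StatePfxRcd): verify the FortiGate " +
            "neighbor IP (other host of the /30), remote ASN 12076 (MSEE), and any MD5 key."
        }
    }

    # 4. Routes on this path: what the MSEE has learned from on-premises and
    #    what it is sending towards the virtual hub.
    Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg `
        -ExpressRouteCircuitName $circuit -PeeringType $peering -DevicePath $path |
        Format-Table Network, NextHop, LocPrf, Weight, Path -AutoSize | Out-String
}
```

Run it once per circuit. Read the output top down: a provider state other than Provisioned, or an empty ARP table, is a layer 2 or provider problem and no FortiGate BGP change will help; ARP present but the neighbor stuck in Idle or Active points at the FortiGate BGP configuration (peer address, ASN 12076, password, or the session being bound to the wrong interface), which is where the packet capture suggested in the answer becomes useful.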