
  • 1.  BFD issue between firewall and MX480

    Posted 10-15-2021 12:45
    Hello guys

    I have an issue with BFD between my FortiGate firewall (v. 6.2.4) and Juniper MX480 (v. 18.2R1-S3.2)

    There is a LAG between those two devices - three 10G links

    The issue is that there is one port: when this port goes down and up again, the BFD goes down and therefore the BGP goes down for a couple of seconds, then up again

    This port on the FortiGate is the egress port for the BFD traffic

    It doesn't matter from which side the port goes down, from the Juniper side or from the FortiGate side: same behavior

    If I disable port8 in the FortiGate, the BGP is still up and BFD triggers nothing. But then after I bring it up, the BGP flaps, goes down for a couple of seconds and then comes back again

    Same behavior from the Juniper MX side: if I disable the port in the Juniper MX that is connected to port8 in the FortiGate, the BGP is still up and BFD triggers nothing. But then after I bring it up, the BGP flaps, goes down for a couple of seconds and then comes back again

    On the Juniper MX these are the configurations:
    set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection minimum-interval 300
    set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection multiplier 3
    set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection transmit-interval minimum-interval 300

    The algorithm for traffic distribution used on the Juniper MX:
    set routing-options forwarding-table export load-balancing-policy
    set routing-options forwarding-table indirect-next-hop
    set policy-options policy-statement load-balancing-policy then load-balance per-packet

    I know that the small downtime is expected as BFD is set to detect link failure over fiber

    The FortiOS is able to recover when the egress port for BFD traffic is down

    It's not able to do that when the ingress port is down because it considers that the path is not operational for that direction, so BFD is doing its job in this case

    Fortinet TAC tried in their lab to increase the downtime, but in case of link failure they did not get a positive result

    Timers might be tuned on the FortiGate to match the Juniper needs
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD41408

    They (Fortinet TAC) assume that it looks like Juniper implements a micro-BFD session per LAG member (RFC 7130). This feature is not available on FortiGate

    They asked me to verify if the Juniper could change its egress quickly enough to not fail the BFD session

    So, my question is: could the Juniper MX device change its egress quickly enough to not fail the BFD session?

    ------------------------------
    Abed AL-Rahman Bishara
    ------------------------------


  • 2.  RE: BFD issue between firewall and MX480
    Best Answer

    Posted 10-16-2021 11:44
    I've found that on LAG connections the BFD timers need to be set to 1000 to avoid these types of drops.  The 300 level we use on most single links is just too sensitive and causes flapping.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
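The accepted answer above recommends raising the BFD minimum-interval to 1000 ms on LAG-facing sessions. As an added illustration (not code from this thread or from Juniper), the following Python script parses Junos set-style BFD statements like the ones in the question, computes the resulting detection time (interval x multiplier, assuming the peer advertises the same timers), flags LAG-facing neighbors still configured below 1000 ms, and prints the set commands that would raise them. The sample configuration, the neighbor addresses and the LAG_NEIGHBORS set are constructed for this example.

```python
import re

# Constructed sample of Junos "set"-style configuration, modelled on the
# lines in the question above. The neighbor addresses are hypothetical.
SAMPLE_CONFIG = """
set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection minimum-interval 300
set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection multiplier 3
set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection transmit-interval minimum-interval 300
set protocols bgp group Customers neighbor 10.0.0.2 bfd-liveness-detection minimum-interval 1000
set protocols bgp group Customers neighbor 10.0.0.2 bfd-liveness-detection multiplier 3
"""

# Neighbors reached over a LAG (ae) interface. Constructed for this example;
# in practice this would come from the interface and route tables of the box.
LAG_NEIGHBORS = {"1.2.3.4"}

RECOMMENDED_LAG_MIN_INTERVAL = 1000  # ms, the value the accepted answer recommends
DEFAULT_MULTIPLIER = 3               # Junos default detection multiplier

BFD_RE = re.compile(
    r"^set protocols bgp group (\S+) neighbor (\S+) bfd-liveness-detection "
    r"(?:(minimum-interval)|(multiplier)|transmit-interval (minimum-interval)) (\d+)$"
)


def parse_bfd_config(text):
    """Collect per-neighbor BFD timers from set-style config lines."""
    sessions = {}
    for line in text.strip().splitlines():
        m = BFD_RE.match(line.strip())
        if not m:
            continue  # not a BFD liveness-detection statement
        group, neighbor, rx_key, mult_key, tx_key, value = m.groups()
        s = sessions.setdefault(neighbor, {
            "group": group, "rx_min": None, "tx_min": None,
            "multiplier": DEFAULT_MULTIPLIER,
        })
        if rx_key:
            s["rx_min"] = int(value)      # minimum receive interval (ms)
        elif mult_key:
            s["multiplier"] = int(value)
        elif tx_key:
            s["tx_min"] = int(value)      # minimum transmit interval (ms)
    return sessions


def detection_time_ms(session):
    """Detection time assuming the peer advertises the same timers
    (RFC 5880: negotiated interval x multiplier)."""
    interval = max(session["rx_min"], session["tx_min"] or session["rx_min"])
    return interval * session["multiplier"]


def audit(sessions, lag_neighbors=LAG_NEIGHBORS):
    """Flag LAG-facing sessions whose minimum-interval is below the recommended value."""
    findings = []
    for nbr, s in sorted(sessions.items()):
        if s["rx_min"] is None or nbr not in lag_neighbors:
            continue
        if s["rx_min"] < RECOMMENDED_LAG_MIN_INTERVAL:
            findings.append((nbr, s["rx_min"], detection_time_ms(s)))
    return findings


def remediation_commands(neighbor, session, interval=RECOMMENDED_LAG_MIN_INTERVAL):
    """Set statements (same syntax as in the question) that raise the timers."""
    base = (f"set protocols bgp group {session['group']} neighbor {neighbor} "
            f"bfd-liveness-detection")
    cmds = [f"{base} minimum-interval {interval}"]
    if session["tx_min"] is not None:
        cmds.append(f"{base} transmit-interval minimum-interval {interval}")
    return cmds


if __name__ == "__main__":
    sessions = parse_bfd_config(SAMPLE_CONFIG)
    for nbr, rx_min, detect in audit(sessions):
        print(f"{nbr}: minimum-interval {rx_min} ms on a LAG "
              f"(detection time {detect} ms) - below {RECOMMENDED_LAG_MIN_INTERVAL} ms")
        for cmd in remediation_commands(nbr, sessions[nbr]):
            print("  " + cmd)
```

With the sample above, the 1.2.3.4 session (300 ms x 3 = 900 ms detection) is reported and the two replacement set lines are printed; the 10.0.0.2 session is left alone because it is not LAG-facing in the constructed set. Feeding the script `show configuration | display set` output from a real box is the intended use.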



  • 3.  RE: BFD issue between firewall and MX480

    Posted 10-16-2021 11:44
    That indeed helped!
    Thanks Steve

    ------------------------------
    Abed AL-Rahman Bishara
    ------------------------------