Hello guys
I have an issue with BFD between my FortiGate firewall (v. 6.2.4) and a Juniper MX480 (v. 18.2R1-S3.2).
There is a LAG between those two devices: three 10G links.
The issue is that there is one port; when this port goes down and up again, BFD goes down and therefore BGP goes down for a couple of seconds, then comes up again.
This port on the FortiGate is the egress port for the BFD traffic.
It doesn't matter from which side the port goes down, the Juniper side or the FortiGate side: same behavior.
If I disable port8 on the FortiGate, BGP stays up and BFD triggers nothing. But after I bring it up again, BGP flaps: it goes down for a couple of seconds and then comes back.
Same behavior from the Juniper MX side: if I disable the port on the Juniper MX that is connected to port8 on the FortiGate, BGP stays up and BFD triggers nothing. But after I bring it up again, BGP flaps: it goes down for a couple of seconds and then comes back.
On the Juniper MX, these are the configurations:
set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection minimum-interval 300
set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection multiplier 3
set protocols bgp group Customers neighbor 1.2.3.4 bfd-liveness-detection transmit-interval minimum-interval 300
The algorithm for traffic distribution used on the Juniper MX:
set routing-options forwarding-table export load-balancing-policy
set routing-options forwarding-table indirect-next-hop
set policy-options policy-statement load-balancing-policy then load-balance per-packet
I know that the small downtime is expected, as BFD is set to detect link failure over fiber.
FortiOS is able to recover when the egress port for BFD traffic is down.
It's not able to do that when the ingress port is down, because it considers that the path is not operational for that direction, so BFD is doing its job in this case.
Fortinet TAC tried in their lab to increase the downtime, but in case of link failure they didn't get a positive result.
Timers might be tuned on the FortiGate to match the Juniper needs.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD41408
They (Fortinet TAC) assume that it looks like Juniper implements a micro-BFD session per LAG member (RFC 7130). This feature is not available on the FortiGate.
They asked me to verify whether the Juniper could change its egress quickly enough to not fail the BFD session.
So, my question is: could the Juniper MX device change its egress quickly enough to not fail the BFD session?
------------------------------
Abed AL-Rahman Bishara
------------------------------
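The following is an added illustrative model, not code from the post, from Fortinet or from Juniper, and it does not claim to reproduce how FortiOS or Junos actually behave. It contrasts a single BFD session hashed over a 3-member LAG with per-member micro-BFD sessions (RFC 7130 style), using the timers from the post (300 ms interval, multiplier 3, i.e. a 900 ms detection time). Two things are assumptions of the model only: that a member which has just come up is selected by the LAG hash before it actually forwards traffic (the `warmup_ms` parameter), and that a BFD session is treated as up again on the first received control packet (the real three-way handshake is omitted). Member names, the event times and the flow hash value are constructed sample input.

```python
"""Illustrative discrete-time simulation: one BFD session over a LAG versus
per-member micro-BFD sessions. Constructed model, not vendor behaviour."""
from dataclasses import dataclass

# Timers from the post: minimum-interval 300 ms, multiplier 3.
INTERVAL_MS = 300
MULTIPLIER = 3
DETECT_MS = INTERVAL_MS * MULTIPLIER  # 900 ms detection time


@dataclass
class Member:
    name: str
    link_up: bool = True
    ready_at_ms: int = 0  # assumption: member forwards only from this time on

    def forwards(self, now_ms):
        return self.link_up and now_ms >= self.ready_at_ms


def lag_egress(members, flow_hash):
    """Pick the egress member for one flow. Assumption of the model: the hash
    considers link state only, so a member that is up but not yet forwarding
    can still be selected."""
    up = [m for m in members if m.link_up]
    if not up:
        return None
    return up[flow_hash % len(up)]


def simulate(mode, warmup_ms, flow_hash=1, end_ms=9000, down_at=3000, up_at=4500):
    """Return the times (ms) at which the BFD-protected adjacency went down.

    mode == "single": one BFD session, control packets follow the LAG hash.
    mode == "micro":  one session per member; the adjacency stays up while
                      at least one member session is up (RFC 7130 style).
    Constructed scenario: member m1 goes down at `down_at` and comes back at
    `up_at`, but only forwards again after `warmup_ms`.
    """
    members = [Member("m0"), Member("m1"), Member("m2")]
    last_rx = {m.name: 0 for m in members}  # per micro-session receive time
    single_last_rx = 0
    adjacency_up = True
    down_events = []
    for now in range(0, end_ms + 1, INTERVAL_MS):
        if now == down_at:
            members[1].link_up = False
        if now == up_at:
            members[1].link_up = True
            members[1].ready_at_ms = now + warmup_ms

        if mode == "single":
            egress = lag_egress(members, flow_hash)
            if egress is not None and egress.forwards(now):
                single_last_rx = now
            up_now = (now - single_last_rx) < DETECT_MS
        elif mode == "micro":
            for m in members:
                if m.forwards(now):
                    last_rx[m.name] = now
            up_now = any(m.link_up and (now - last_rx[m.name]) < DETECT_MS
                         for m in members)
        else:
            raise ValueError(f"unknown mode {mode!r}")

        if adjacency_up and not up_now:
            down_events.append(now)
        adjacency_up = up_now
    return down_events


if __name__ == "__main__":
    # Member comes up but takes 1500 ms (> 900 ms detection time) to forward.
    print("single session, 1500 ms warm-up:", simulate("single", 1500))
    # Member is forwarding within 600 ms (< 900 ms): no detection.
    print("single session,  600 ms warm-up:", simulate("single", 600))
    # Micro-BFD keeps the returning member out until its own session is up.
    print("micro-BFD,       1500 ms warm-up:", simulate("micro", 1500))
```

In this model the single session survives the member going down (the hash moves the flow to a healthy member, matching the "disable port8, BFD triggers nothing" observation) and fails only when the member comes back and the hash selects it before it forwards for longer than the 900 ms detection time. Whether the real devices behave like this is exactly the question the post asks; the model only makes explicit what "quickly enough" means relative to multiplier × interval.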