Greetings.
I have two vSRXes marked fw1 and fw2 on the image below. On physical level, fw1 and fw2 are connected via two separate sets of intermediate routers: ge-0/0/0<->ge-0/0/0, ge-0/0/1<->ge-0/0/1. Over these two interfaces I set up IPSec tunnels between fw1 and fw2: st0.10<->st0.20, st0.11<->st0.21. I also set OSPF+BFD based dynamic routing, st0.11<->st0.21 routes are preferred due to metrics.
Dynamic routing settings look like this:
protocols {
ospf {
area 0.0.0.0 {
interface st0.10 {
interface-type p2p;
metric 200;
bfd-liveness-detection {
minimum-interval 100;
multiplier 10;
}
}
interface st0.11 {
interface-type p2p;
metric 100;
bfd-liveness-detection {
minimum-interval 100;
multiplier 10;
}
}
}
}
}
Now I'm trying to see if BFD improves convergence time for OSPF. I'm tearing down the connection marked red, so neither physical no tunnel interfaces go down on fw1 and fw2, but traffic stops going.
When I tear down the connection only once, it works perfectly. Up to 3 seconds with my settings, and traffic switches to the working tunnel. When I restore the connection, it switches back without visible packet loss.
When I simulate interface flapping, the results aren't what I expect. For example, with my current settings, if I wait 10 seconds and then disconnect the connection a second time, the traffic stops. The routes won't switch to the working tunnel until the OSPF dead-interval timer expires, which takes up to 40 seconds. I guess, BFD session changes aren't propagated to OSPF due to BFD's holddown-interval, so that's why we are back to OSPF counters.
Is there a way to improve BFD behavior on flapping channel?
And more importantly, I don't want to return immediately to the first tunnel once BFD session is back again. Is there a way to work for example one minute on the secondary channel and only then switch back to primary?
-------------------------------------------