jjdope
Staff
March 23, 2026

Technical Tip: Reducing BGP convergence delay and packet loss during HA failover using route-ttl and stale routes

Description: This article describes an issue where significant packet loss and delayed BGP convergence occur during FortiGate HA failover, and how to mitigate it using HA route-ttl and BGP stale route retention (graceful restart).
Scope: FortiGate.
Solution:

In HA failover scenarios involving BGP, the following behavior can commonly be observed, especially in environments using overlay VPNs:

  • Temporary packet loss during failover events.
  • Delay in BGP route convergence.
  • Traffic disruption while routing protocols re-establish adjacencies.

This can occur even when session pickup is enabled, because traffic forwarding depends on routing convergence, which may take additional time after failover.

 

Failover process:

During failover, the primary unit goes down and the secondary unit takes over; BGP sessions are re-established and routes are relearned. If traffic is dropped until BGP reconvergence completes, the configuration changes below will resolve the issue. See Technical Tip: Controlling how HA synchronizes routing table updates.

 

Step 1: Configure HA route-ttl.

The route-ttl parameter allows FortiGate to retain routes temporarily after failover.

 

Configuration:

 

config system ha
    set route-ttl 210
end

 

Step 2: Enable BGP graceful restart and stale routes.

 

To further improve convergence, enable stale route retention on BGP neighbors.

 

Global configuration:

 

config router bgp
    set graceful-restart enable
    set graceful-restart-time 120
    set stale-route enable
end

 

Per-neighbor configuration:

 

config router bgp
    config neighbor
        edit <neighbor-ip>
            set capability-graceful-restart enable
        next
    end
end

 

  • Routes are retained for the configured route-ttl seconds, which prevents immediate route removal.
  • This allows BGP sessions to re-establish without traffic loss.
  • Neighbor devices retain routes during the session interruption, and traffic continues using stale routes.
  • HA failover can introduce routing gaps if routes are flushed prematurely; route-ttl ensures temporary route retention.
  • BGP graceful restart allows control-plane recovery without data-plane impact; combining both provides near-hitless failover.

Notes:

  • Set route-ttl higher than expected BGP convergence time. For example, if the reconvergence takes 200 seconds, then configure route-ttl to 210 seconds.
  • Some ISPs might not support graceful-restart capability.
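
An added example, not Fortinet's own tooling: a Python check that reads a configuration in the layout shown above and reports when the settings from Steps 1 and 2, or the route-ttl note, are not met. The sample configuration, the 192.0.2.x neighbor addresses and the function names are constructed for illustration, and the convergence time is a value measured in your own environment.

```python
import shlex

# Constructed sample in the article's layout; 192.0.2.x are documentation addresses.
SAMPLE_CONFIG = """\
config system ha
    set route-ttl 210
end
config router bgp
    set graceful-restart enable
    config neighbor
        edit "192.0.2.1"
            set capability-graceful-restart enable
        next
        edit "192.0.2.2"
            set remote-as 65001
        next
    end
end
"""

def parse_settings(text):
    """Flatten config/edit nesting into {path tuple: {key: value}}."""
    stack, settings = [], {}
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
            settings.setdefault(tuple(stack), {})  # record blocks with no 'set' lines
        elif tok[0] in ("end", "next") and stack:
            stack.pop()
        elif tok[0] == "set":
            settings.setdefault(tuple(stack), {})[tok[1]] = " ".join(tok[2:])
    return settings

def audit(text, measured_convergence_s):
    """Return findings against the article's two steps and its route-ttl note."""
    cfg, findings = parse_settings(text), []
    ttl = cfg.get(("system ha",), {}).get("route-ttl")
    if ttl is None or int(ttl) <= measured_convergence_s:
        findings.append(f"route-ttl ({ttl}) is not above measured convergence {measured_convergence_s}s")
    if cfg.get(("router bgp",), {}).get("graceful-restart") != "enable":
        findings.append("graceful-restart is not enabled under 'config router bgp'")
    for path, vals in cfg.items():
        if path[:2] == ("router bgp", "neighbor") and len(path) == 3:
            if vals.get("capability-graceful-restart") != "enable":
                findings.append(f"neighbor {path[2]}: capability-graceful-restart is not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, 200)) or "no findings")
```

A key that is absent from the text is reported as not set, so run the check against output that includes the values in question.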

 
