akileshc
Staff
April 23, 2026

Troubleshooting Tip: BGP neighbor does not go down immediately after IPsec DPD failure when using non-default VRF.


Description

This article describes a scenario where Border Gateway Protocol (BGP) neighbor sessions do not go down immediately after an IPsec Dead Peer Detection (DPD) failure when the tunnel is associated with a non-default VRF.

In this condition, the BGP session remains established until the hold timer expires, even though the underlying IPsec tunnel is already down.

Scope

FortiGate (All platforms using BGP over IPsec with VRF configuration).

Solution

In environments where BGP is configured over IPsec tunnels associated with a non-default VRF, the expected behavior is for the BGP neighbor to go down immediately when the tunnel becomes unavailable.

However, it is observed that BGP continues to maintain the session until the hold timer expires.

Event logs confirm that the IPsec tunnel goes down earlier due to DPD failure, while the BGP neighbor state changes only after the hold timer expiration.

Example VPN event log showing DPD failure:

date=2026-04-23 time=10:24:19 logdesc='IPsec DPD failed' msg='IPsec DPD failure' status='dpd_failure' vpntunnel='Overlay_VPN'

Example router event log showing delayed BGP neighbor down state:

date=2026-04-23 time=10:26:48 logdesc='BGP neighbor status changed' msg='BGP: %BGP-5-ADJCHANGE: VRF 1 neighbor 198.168.16.1 Down Hold Timer Expired'

The time difference between the IPsec DPD failure and the BGP neighbor down event (about two and a half minutes in the logs above) indicates that BGP is not reacting to the tunnel state change and is instead waiting for its own hold timer.
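The correlation described above can be checked automatically against exported FortiGate logs. The following Python script is an added example, not part of this article or of FortiOS: it parses the key=value log format shown, pairs each DPD failure with the next BGP "Hold Timer Expired" down event, and reports pairs in a non-default VRF whose lag exceeds a chosen threshold (the sample lines and the 5-second threshold are constructed assumptions).

```python
import re
from datetime import datetime

# Constructed sample lines in FortiGate key=value format, shaped like the
# article's examples; they were not captured from a real device.
SAMPLE_LOGS = [
    "date=2026-04-23 time=10:24:19 logdesc='IPsec DPD failed' "
    "msg='IPsec DPD failure' status='dpd_failure' vpntunnel='Overlay_VPN'",
    "date=2026-04-23 time=10:26:48 logdesc='BGP neighbor status changed' "
    "msg='BGP: %BGP-5-ADJCHANGE: VRF 1 neighbor 198.168.16.1 Down Hold Timer Expired'",
]

# key=value pairs; values are either single-quoted strings or bare tokens.
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
# Fields inside the BGP adjacency-change message we care about.
ADJ_RE = re.compile(r"VRF (\d+) neighbor (\S+) Down Hold Timer Expired")


def parse_line(line):
    """Parse one FortiGate log line into a dict and attach a datetime."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith("'") else val
    fields["_ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def find_delayed_teardowns(lines, max_lag_seconds=5):
    """Return (tunnel, vrf, neighbor, lag_seconds) for each DPD failure whose
    matching BGP down event came only after hold-timer expiry in a non-default
    VRF, later than max_lag_seconds. An empty list means no delayed teardown."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["_ts"])
    pending = []   # DPD failures still waiting for a BGP down event
    findings = []
    for ev in events:
        if ev.get("status") == "dpd_failure":
            pending.append(ev)
            continue
        m = ADJ_RE.search(ev.get("msg", ""))
        if m is None or not pending:
            continue
        dpd = pending.pop(0)
        lag = int((ev["_ts"] - dpd["_ts"]).total_seconds())
        # VRF 0 is the default instance, which the article says is unaffected.
        if m.group(1) != "0" and lag > max_lag_seconds:
            findings.append((dpd["vpntunnel"], int(m.group(1)), m.group(2), lag))
    return findings
```

On the sample lines the script reports a 149-second gap between the DPD failure on Overlay_VPN and the VRF 1 neighbor going down, which is the signature of the behavior this article describes.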

This behavior occurs due to a limitation in the implementation: the IKE event callback responsible for notifying BGP of tunnel state changes only performs a lookup in the default BGP instance. As a result, BGP peers configured in non-zero VRF instances are not identified during IPsec DPD failure events, and the BGP session remains active until the hold timer expires.

To validate the behavior, a BGP debug flow can be used:

diagnose debug reset
diagnose debug application bgp -1
diagnose debug enable

The debug output confirms that no immediate neighbor teardown event is triggered upon IPsec DPD failure.

Workaround:

There is no direct configuration-based workaround to force immediate BGP neighbor teardown for non-default VRF in affected versions. As a form of mitigation, reducing BGP hold and keepalive timers can help minimize convergence delay.

Example configuration:

config router bgp
    set keepalive-timer 10
    set holdtime-timer 30
end

Resolution:

This issue is resolved in FortiOS 7.6.7 and FortiOS 8.0.0 or above. The fix ensures that the IKE event callback performs BGP instance lookup based on the VRF associated with the tunnel, allowing proper detection of IPsec tunnel failures and immediate BGP neighbor teardown.