Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ManpreetSingh
Staff
Staff

Created on ‎05-29-2024 09:32 PM Edited on ‎01-23-2025 10:42 PM By Community Manager

Article Id 318006

Technical Tip: BGP Fast Convergence over IPSec with unstable Underlay on FortiGate

Description This article describes how to achieve fast BGP convergence over an IPSec overlay when the underlay connection is unstable.
Scope FortiGate.
Solution

In a setup with two WAN connections and two corresponding overlay IPSec tunnels to a HUB, where the HUB has only one WAN connection, it is crucial to ensure rapid BGP convergence during link failure and recovery.

When the primary WAN link and its associated tunnel fail, the secondary IPSec tunnel and BGP should quickly converge.

Upon recovery of the primary connection, the BGP neighborship on the primary tunnel should re-establish and converge swiftly.

 

To achieve this, apply the following configurations to the IPSec phase-interface and BGP neighbor settings.

 

Enable Dead Peer Detection (DPD) on the Tunnel:

  • Set the DPD retry count to 2. This sets the number of DPD retries before marking the peer as dead to 2.
  • Set the DPD retry interval to less than or equal to 10 seconds. This defines the interval between each DPD retry.

 

These settings ensure the IPSec tunnel takes 30 seconds to detect a dead peer and initiates failover procedures.

These parameters can be modified for quicker failover. Ensure that DPD parameters are not too low as they can cause network congestion. 

 

Enable Link-Down Failover in BGP for Neighborship with HUB and adjust the connect, keepalive, and hold timer. 

This ensures the BGP neighborship is immediately torn down when the associated IPSec tunnel goes down, preventing traffic from routing through an unavailable interface.

 

Configuration Steps:

 

IPSec Tunnel Configuration:

  • Configure DPD settings for both the primary and secondary tunnels:

 

config vpn ipsec phase1-interface
    edit "tunnel_primary"
        set dpd-retrycount 2
        set dpd-retryinterval 10
    next
    edit "tunnel_secondary"
        set dpd-retrycount 2
        set dpd-retryinterval 10
    next
end

 

BGP Neighbor Configuration:

  • Lower the keep-alive, holdtime, and connect timers.
  • Enable link-down failover.
  • Below, the keep-alive-timer is 5 seconds, the hold timer is 15 seconds and connect timer is set to 1.

 

config router bgp
    config neighbor
        edit "10.201.1.254"
            set keep-alive-timer 5

            set holdtime-timer 15
            set advertisement-interval 2

            set connect-timer 1
            set link-down-failover enable
        next
    end

end

 

Benefits:

  • Fast Failover: The BGP session on the primary IPSec tunnel is immediately torn down when the primary WAN link fails, allowing the secondary tunnel to quickly take over.
  • Rapid Recovery: When the primary WAN link is restored, the BGP session on the primary tunnel re-establishes quickly, ensuring minimal downtime.

 

By applying these configurations, fast and reliable BGP convergence is ensured over IPSec tunnels in environments with unstable underlay connections on FortiGate devices. This enhances the network's resilience and performance.

Related documents:
Optimize eBGP settings for faster VPN routing failover

Facilitating the fastest BGP route failovers

Timers used for speedup Convergence, Failover and Recovery in ADVPN/SD-WAN setup
2711
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.