aionescu
Staff
Article Id 194570

Description

 
This article describes how to configure Bi-directional Forwarding Detection (BFD).
 
Scope
 
FortiGate.


Solution


The BFD timer variables are only available when BFD is enabled. They can be configured at global or interface level:

  • Preferred minimum transmit interval for BFD packets: bfd-desired-min-tx (integer value from <1> to <100000>, default <250>).
  • Required minimum receive interval for BFD packets: bfd-required-min-rx. The FortiGate unit will not transmit BFD packets at a slower rate than this, in other words at a higher value than this (integer value from <1> to <100000>, default <250>).
  • Number of missed packets before the BFD status is set to down: bfd-detect-mult (integer value from <1> to <50>, default <3>).

Note:

While BFD is designed for rapid failure detection, overly aggressive timers are not always suitable across all hardware or software platforms. Vendors often recommend more conservative values in scaled environments to maintain system responsiveness and avoid CPU spikes. For large-scale networks with many BFD sessions, set the minimum interval to at least 500 ms and the multiplier to 3. An interval of 750 ms or 1000 ms is generally recommended to ensure stability and avoid session flaps during peak load.

 

Example configured on two FortiGates running firmware version 5.4:

FortiGate_A.

 

config sys settings
    set bfd-desired-min-tx 1000
    set bfd-required-min-rx 50000
    set bfd-detect-mult 2
end

 

FortiGate_B.

 

config sys settings
    set bfd-desired-min-tx 10000
    set bfd-required-min-rx 50000
    set bfd-detect-mult 2
end

 

Both bfd-desired-min-tx values satisfy the bfd-required-min-rx of 50000 ms.
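The following is an added worked example, not Fortinet's code or text, showing how the three timer variables described above combine across the two peers. It applies the negotiation rules of RFC 5880 (transmit interval is the greater of the local desired-min-tx and the remote required-min-rx; detection time is the remote detect-mult times the remote's negotiated transmit interval) to the FortiGate_A and FortiGate_B settings in this example, and flags values more aggressive than the conservative 500 ms / multiplier 3 guidance given in the note. The class and function names are the example's own; values are in milliseconds as on the FortiGate CLI.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BfdTimers:
    """One peer's BFD timer settings, in milliseconds (CLI units)."""
    desired_min_tx: int   # bfd-desired-min-tx
    required_min_rx: int  # bfd-required-min-rx
    detect_mult: int      # bfd-detect-mult


def transmit_interval(local: BfdTimers, remote: BfdTimers) -> int:
    """Interval at which `local` actually sends control packets to `remote`.

    RFC 5880 section 6.8.7: the greater of the local Desired Min TX Interval
    and the Required Min RX Interval advertised by the remote, so a sender
    never sends faster than the receiver said it can handle.
    """
    return max(local.desired_min_tx, remote.required_min_rx)


def detection_time(local: BfdTimers, remote: BfdTimers) -> int:
    """Time with no packets from `remote` after which `local` declares DOWN.

    RFC 5880 section 6.8.4 (asynchronous mode): the remote's Detect Mult
    multiplied by the remote's negotiated transmit interval towards us.
    """
    return remote.detect_mult * transmit_interval(remote, local)


def timer_warnings(t: BfdTimers) -> List[str]:
    """Flag settings more aggressive than the conservative values recommended
    above for large-scale deployments (interval >= 500 ms, multiplier 3)."""
    warnings = []
    if min(t.desired_min_tx, t.required_min_rx) < 500:
        warnings.append("interval below 500 ms")
    if t.detect_mult < 3:
        warnings.append("detect-mult below 3")
    return warnings


# The two configurations from the example above.
FORTIGATE_A = BfdTimers(desired_min_tx=1000, required_min_rx=50000, detect_mult=2)
FORTIGATE_B = BfdTimers(desired_min_tx=10000, required_min_rx=50000, detect_mult=2)


if __name__ == "__main__":
    for name, local, remote in (("A", FORTIGATE_A, FORTIGATE_B),
                                ("B", FORTIGATE_B, FORTIGATE_A)):
        print(f"FortiGate_{name}: sends every {transmit_interval(local, remote)} ms, "
              f"declares DOWN after {detection_time(local, remote)} ms, "
              f"warnings={timer_warnings(local) or 'none'}")
```

With these settings both units end up sending every 50000 ms, because the 50000 ms required-min-rx on the receiving side dominates the smaller desired-min-tx values, and each side waits 2 x 50000 = 100000 ms before declaring the session down; the check also reports that a multiplier of 2 is below the value the note recommends for scaled environments.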

Enable debugging:

 

diagnose ip router bfd all en
diagnose ip router bfd level info

diagnose debug console timestamp enable
diagnose debug enable

 

As of v6.0, debugging is enabled by running the commands:

 

diagnose debug app bfdd -1

diagnose debug console timestamp enable

diagnose debug enable

 

To disable BFD debugs:

 

diagnose ip router bfd all disable

diagnose debug application bfd 0

diagnose debug disable

 

Example of debug output:

 

2018-01-30 11:14:19 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Sending BFD packet"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Inactivity timer expired"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: bfd_session_send_packet_now"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD: Sending notification to protocol-id 4 client-type 8"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD register message"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Source Address: 10.151.1.44"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Destination Address: 10.151.1.75"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Interface index: 4"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Flags: Delete"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Client: OSPF"
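As an added example (not part of the original article), the parser below pulls BFD session state transitions out of debug output of the form shown above, so the "UP -> DOWN" events can be forwarded to a monitoring system instead of being read by eye. The sample lines are copied from the output above; the regular expressions and names are the example's own. Note that the debug prints the same transition twice (once as "Session[...]" and once as "BFD session[...]"), so the parser de-duplicates identical events.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Matches the timestamp, the session tuple and the free-text event of one
# routing debug line. The session is logged as "Session[...]" or "BFD session[...]".
SESSION_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?'
    r'msg="NSM: (?:BFD )?[Ss]ession\['
    r'(?P<local>[\d.]+):(?P<remote>[\d.]+),(?P<ifname>[^,]+),(?P<id>\d+)\]: '
    r'(?P<event>[^"]*)"'
)
# Only lines whose event is a state change are of interest.
STATE_RE = re.compile(
    r'state (?P<old>\w+) -> (?P<new>\w+)(?: local_diag=(?P<diag>0x[0-9a-fA-F]+))?'
)


class StateChange(NamedTuple):
    timestamp: str
    local: str
    remote: str
    interface: str
    old_state: str
    new_state: str
    diag: Optional[int]  # RFC 5880 diagnostic code; 0x01 = Control Detection Time Expired


def parse_state_changes(lines: Iterable[str]) -> List[StateChange]:
    """Return the distinct BFD state transitions found in debug output."""
    seen = set()
    changes = []
    for line in lines:
        m = SESSION_RE.match(line)
        if not m:
            continue
        s = STATE_RE.search(m.group("event"))
        if not s:
            continue  # e.g. "Sending BFD packet", "Inactivity timer expired"
        diag = int(s.group("diag"), 16) if s.group("diag") else None
        change = StateChange(m["ts"], m["local"], m["remote"], m["ifname"],
                             s["old"], s["new"], diag)
        if change in seen:
            continue  # same transition logged twice by the debug
        seen.add(change)
        changes.append(change)
    return changes


def down_events(lines: Iterable[str]) -> List[StateChange]:
    """Subset of transitions that should raise an alert: anything leaving UP."""
    return [c for c in parse_state_changes(lines) if c.old_state == "UP"]


# Sample input: lines taken from the debug output above.
SAMPLE_LOG = [
    '2018-01-30 11:14:19 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Sending BFD packet"',
    '2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Inactivity timer expired"',
    '2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"',
    '2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"',
    '2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD: Sending notification to protocol-id 4 client-type 8"',
]

if __name__ == "__main__":
    for c in down_events(SAMPLE_LOG):
        print(f"{c.timestamp} BFD {c.local}->{c.remote} on {c.interface}: "
              f"{c.old_state} -> {c.new_state} (diag={c.diag})")
```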

 

Sample of FortiGate router log:


To sniff BFD packets:

 

diagnose sniffer packet any "udp port 3784" 6 0 a

 

Sample BFD packets seen with packet decoder:
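As an added example (not Fortinet's code, and not the capture from the original article), the decoder below parses the UDP payload of a BFD control packet as captured on port 3784 by the sniffer command above, using the mandatory 24-byte header layout from RFC 5880 section 4.1. Because the original packet sample is not reproduced here, the block constructs its own sample packet (what FortiGate_A from the example above would send once the session is Up); the wire carries intervals in microseconds, so the decoder converts them to the millisecond units used on the CLI. All function names are the example's own.

```python
import struct
from typing import Any, Dict

# RFC 5880 section 4.1: mandatory control packet header, network byte order.
#   byte 0: Vers(3) | Diag(5)     byte 1: Sta(2) | P F C A D M
#   byte 2: Detect Mult           byte 3: Length (whole packet, incl. auth section)
#   then My/Your Discriminator, Desired Min TX, Required Min RX, Required Min Echo RX
BFD_HDR = struct.Struct("!BBBBIIIII")

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAG_NAMES = {
    0: "No Diagnostic",
    1: "Control Detection Time Expired",
    2: "Echo Function Failed",
    3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset",
    5: "Path Down",
    6: "Concatenated Path Down",
    7: "Administratively Down",
    8: "Reverse Concatenated Path Down",
}
FLAG_BITS = (("P", 0x20), ("F", 0x10), ("C", 0x08), ("A", 0x04), ("D", 0x02), ("M", 0x01))


def decode_bfd_control(payload: bytes) -> Dict[str, Any]:
    """Decode one BFD control packet payload, validating the basic sanity
    checks RFC 5880 section 6.8.6 requires before a packet is accepted."""
    if len(payload) < BFD_HDR.size:
        raise ValueError(f"payload too short for BFD: {len(payload)} bytes")
    b0, b1, mult, length, my_disc, your_disc, tx_us, rx_us, echo_us = BFD_HDR.unpack_from(payload)
    version = b0 >> 5
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if length != len(payload):
        raise ValueError(f"length field {length} does not match payload {len(payload)}")
    if mult == 0:
        raise ValueError("Detect Mult must be non-zero")
    if my_disc == 0:
        raise ValueError("My Discriminator must be non-zero")
    flags = {name: bool(b1 & bit) for name, bit in FLAG_BITS}
    diag_code = b0 & 0x1F
    return {
        "version": version,
        "diag": DIAG_NAMES.get(diag_code, f"unknown ({diag_code})"),
        "state": STATE_NAMES[b1 >> 6],
        "flags": flags,
        "detect_mult": mult,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        "desired_min_tx_ms": tx_us / 1000,      # wire value is microseconds
        "required_min_rx_ms": rx_us / 1000,
        "required_min_echo_rx_ms": echo_us / 1000,
        "auth_present": flags["A"],  # an auth section follows the header; not decoded here
    }


def build_bfd_control(state: str, detect_mult: int, my_disc: int, your_disc: int,
                      tx_ms: int, rx_ms: int, diag: int = 0) -> bytes:
    """Encode an unauthenticated control packet; used here only to construct a sample."""
    state_code = {v: k for k, v in STATE_NAMES.items()}[state]
    return BFD_HDR.pack((1 << 5) | diag, state_code << 6, detect_mult, BFD_HDR.size,
                        my_disc, your_disc, tx_ms * 1000, rx_ms * 1000, 0)


# Constructed sample (not a real capture): FortiGate_A's timers from the example above,
# session Up, discriminators 1 and 2 chosen arbitrarily.
SAMPLE_PACKET = build_bfd_control("Up", detect_mult=2, my_disc=1, your_disc=2,
                                  tx_ms=1000, rx_ms=50000)

if __name__ == "__main__":
    for key, value in decode_bfd_control(SAMPLE_PACKET).items():
        print(f"{key:>24}: {value}")
```

A packet that fails any of the header checks is rejected before its timer fields are used, which mirrors how a BFD implementation discards malformed control packets instead of letting them influence the session state.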

 
 