Hello,
I have an HA cluster (Active-Passive), and I configured BGP.
When I change their roles, we have a downtime of 2-3 minutes. I found:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD31743
But I have:
get router info bgp neighbors x.x.x.x
For address family: IPv4 Unicast
BGP table version 3, neighbor version 2
Index 1, Offset 0, Mask 0x2
AF-dependant capabilities:
Community attribute sent to this neighbor (both)
2 accepted prefixes
5 announced prefixes
You have a few options.
1> Does the upstream BGP peer support BFD? If yes, you can see if they will do BFD with you.
https://socpuppet.blogspot.com/2019/10/bfd-fortiagte-and-junos-firewalls.html
Make sure to disable the graceful-restart capability for that BGP neighbor for IPv4/IPv6 or whatever AFI you're supporting:
config neighbor
    edit "2001:db8:88::2"
        set capability-graceful-restart disable
        set capability-graceful-restart6 disable
    next
end
2> Or reduce the BGP keepalive and hold timers:
config neighbor
    edit "2001:db8:88::2"
        set keep-alive-timer 5
        set holdtime-timer 15
    next
end
BFD is quicker, but you might see higher loads, and some ISP upstreams will not do BFD to customer BGP peers.
Ken Felix
PCNSE
NSE
StrongSwan
BFD enable
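To check a neighbor's output for the two things Ken points at (whether graceful restart was negotiated, and how long the hold time is), here is an added Python helper; it is not from the thread or from Fortinet. The sample output is constructed from the lines the OP quoted plus a header block modelled on typical output, with the peer address taken from Ken's config snippet, and the `max_hold` threshold is an arbitrary assumption.

```python
import re

# Constructed sample of "get router info bgp neighbors" output for one peer.
# It is modelled on the lines quoted in the thread, not captured from a device,
# and deliberately lacks a "Graceful Restart" capability line.
SAMPLE_NEIGHBOR_OUTPUT = """\
BGP neighbor is 2001:db8:88::2, remote AS 65001, local AS 65000, external link
  BGP version 4, remote router ID 192.0.2.1
  BGP state = Established, up for 3d02h
  Last read 00:00:12, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received
    Address family IPv4 Unicast: advertised and received
 For address family: IPv4 Unicast
 BGP table version 3, neighbor version 2
 Index 1, Offset 0, Mask 0x2
 AF-dependant capabilities:
 Community attribute sent to this neighbor (both)
 2 accepted prefixes
 5 announced prefixes
"""


def parse_neighbor(text):
    """Pull out the peer address, timers and graceful-restart negotiation."""
    info = {"peer": None, "hold_time": None, "keepalive": None,
            "graceful_restart": False}
    m = re.search(r"BGP neighbor is (\S+),", text)
    if m:
        info["peer"] = m.group(1)
    m = re.search(r"hold time is (\d+), keepalive interval is (\d+)", text)
    if m:
        info["hold_time"], info["keepalive"] = int(m.group(1)), int(m.group(2))
    # Counted as negotiated only when the capability was both advertised and received.
    if re.search(r"graceful restart.*advertised and received", text, re.I):
        info["graceful_restart"] = True
    return info


def failover_findings(info, max_hold=30):
    """Explain which negotiated settings make an HA failover slow to converge."""
    findings = []
    if not info["graceful_restart"]:
        findings.append("graceful restart not negotiated: the peer withdraws "
                        "our prefixes as soon as it declares the session down")
    if info["hold_time"] is not None and info["hold_time"] > max_hold:
        findings.append(f"hold time {info['hold_time']}s exceeds {max_hold}s: "
                        "the peer waits that long before declaring us down")
    return findings
```

Paste the real `get router info bgp neighbors` output in place of the constructed sample; an empty findings list means both settings are already in the fast-converging state.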
Do you have "set session-pickup enable" in HA config?
OP, I would also see if the upstream device received the graceful restart NOTIFICATION when you're failing over the FGT. There might be an issue where the notification was not sent from the FGT. And are you on the most updated FortiOS version for your major release?
Ken Felix
PCNSE
NSE
StrongSwan
I use a special FortiOS build for my country.
It is based on FortiOS 5.4.1.
Yes, "set session-pickup enable" is set, but it doesn't help.
Problem solved.
FG (global) # show system ha
config system ha
    set route-ttl 190
end