Hello,

I've been trying to decrease the downtime of new ADVPN setup, as for the traffic flowing from our Spoke -> Hub -> DC internal segmented firewall (ISFW).

Our ADVPN Hub and spokes run iBGP.

• On the Hub, there is a BGP-group configured with settings for all Spokes

Between our DC ISFW and ADVPN Hub, eBGP is running.

I've managed to decrease the packet-loss to ~10 sec when the ADVPN Hub cluster (two FortiGate 200Fs) are doing the failover.

I have Graceful restart enabled global between DC ISFW and ADVPN Hub + between ADVPN Hub and Spokes

I have set the following for Hub/spoke BGP speakers

• Advertisement interval = 1 sec
• Keepalive = 3 sec
• Holetime = 9 sec
• capability-graceful-restart enabled
• stale-route enable
• retain-stale-time 120 sec

On the Hub, I have also set globally:

• graceful-end-on-timer enable
• graceful-update-delay = 10 sec

Towards the DC ISFW, the advertisement interval = 1 sec

When I monitor the RIB of our DC ISFW, the prefix from my ADVPN spoke advertised via ADVPN Hub is set to stale as expected. However as soon as the update-delay timer of 10 sec has expired, the stale route is removed, as the DC ISFW received an update from ADVPN hub with 0 NLRI

It does this, because the BGP peering between the ADVPN Hub and spoke doesn't get negotiated after the update delay timer has expired. And it ofcause takes a few seconds.

I wonder if there is any way to delay the update from the ADVPN hub towards the DC ISFW until, the BGP peering between Hub and Spoke is reestablished?

I've look here for answers:

https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/466620/router-bgp

I'm not sure what the following exactly does:

Pr. neighbor;

• set restart-time

The description is: "Graceful restart delay time (sec, 0 = global default)."

Is that the Graceful restart time referred to, or the Graceful restart update-delay ?

In anyway I wonder if it can be tweaked to delay furher for one specific neighbor (Hub -> DC ISFW)