I've been trying to decrease the downtime of our new ADVPN setup for the traffic flowing from our Spoke -> Hub -> DC internal segmented firewall (ISFW).
Our ADVPN Hub and spokes run iBGP.
On the Hub, there is a BGP group configured with settings for all Spokes.
Between our DC ISFW and ADVPN Hub, eBGP is running.
I've managed to decrease the packet loss to ~10 sec when the ADVPN Hub cluster (two FortiGate 200Fs) is doing a failover.
I have Graceful Restart enabled globally between the DC ISFW and ADVPN Hub, and between the ADVPN Hub and Spokes.
I have set the following for the Hub/Spoke BGP speakers:
Advertisement interval = 1 sec
Keepalive = 3 sec
Holdtime = 9 sec
retain-stale-time 120 sec
On the Hub, I have also set globally:
graceful-update-delay = 10 sec
Towards the DC ISFW, the advertisement interval = 1 sec
When I monitor the RIB of our DC ISFW, the prefix from my ADVPN spoke advertised via the ADVPN Hub is set to stale as expected. However, as soon as the update-delay timer of 10 sec has expired, the stale route is removed, as the DC ISFW receives an update from the ADVPN Hub with 0 NLRI.
It does this because the BGP peering between the ADVPN Hub and spoke doesn't get negotiated after the update-delay timer has expired, and that of course takes a few seconds.
I wonder if there is any way to delay the update from the ADVPN Hub towards the DC ISFW until the BGP peering between Hub and Spoke is reestablished?
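For readers following along, the timer set described in the post, written out as a FortiOS CLI fragment for the Hub. This is an added illustration and not the poster's configuration; the AS numbers, neighbor-group name, spoke prefix range, and the DC ISFW peer address are constructed placeholders, and the values mirror only what the post states (1 s advertisement interval, 3 s keepalive, 9 s holdtime, 120 s retain-stale-time, 10 s graceful-update-delay).

```fortios
# Hub-side BGP configuration (constructed example, assumed names and addresses)
config router bgp
    set as 65000                         # assumed iBGP AS shared with the spokes
    set graceful-restart enable          # Graceful Restart enabled globally, as in the post
    set graceful-update-delay 10         # 10 s delay before sending updates after restart
    # Spokes: one neighbor-group carries the timers for every spoke peer
    config neighbor-group
        edit "spokes"
            set remote-as 65000          # iBGP: same AS as the Hub
            set capability-graceful-restart enable
            set advertisement-interval 1 # 1 s
            set keep-alive-timer 3       # 3 s
            set holdtime-timer 9         # 9 s
            set retain-stale-time 120    # keep stale paths 120 s while the peer restarts
        next
    end
    # Spokes peer dynamically from an assumed overlay range
    config neighbor-range
        edit 1
            set prefix 10.10.0.0 255.255.0.0
            set neighbor-group "spokes"
        next
    end
    # DC ISFW: eBGP peer with a 1 s advertisement interval, as in the post
    config neighbor
        edit "192.0.2.1"                 # assumed DC ISFW peer address
            set remote-as 65001          # assumed DC ISFW AS
            set capability-graceful-restart enable
            set advertisement-interval 1
        next
    end
end
```

The behaviour the post observes follows from these values: once graceful-update-delay (10 s) expires, the Hub sends its post-restart update to the DC ISFW regardless of whether the spoke sessions in the "spokes" group have come back up, so any spoke prefix not yet relearned is withdrawn (the update carrying 0 NLRI) and the stale path is removed before retain-stale-time would otherwise have expired.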