Support Forum
JonasV
New Contributor III

FortiGate BGP - Graceful restart with ADVPN

Hello,

I've been trying to decrease the downtime of a new ADVPN setup, for the traffic flowing from our Spoke -> Hub -> DC internal segmented firewall (ISFW).

 

Our ADVPN Hub and spokes run iBGP.

  • On the Hub, there is a BGP-group configured with settings for all Spokes

Between our DC ISFW and ADVPN Hub, eBGP is running.

I've managed to decrease the packet loss to ~10 sec when the ADVPN Hub cluster (two FortiGate 200Fs) is doing the failover.

I have Graceful restart enabled globally between the DC ISFW and ADVPN Hub, and between the ADVPN Hub and Spokes.

I have set the following for the Hub/spoke BGP speakers:

  • Advertisement interval = 1 sec
  • Keepalive = 3 sec
  • Holdtime = 9 sec
  • capability-graceful-restart enabled
  • stale-route enable
  • retain-stale-time 120 sec

 

On the Hub, I have also set globally:

  • graceful-end-on-timer enable
  • graceful-update-delay = 10 sec

Towards the DC ISFW, the advertisement interval = 1 sec.

 

When I monitor the RIB of our DC ISFW, the prefix from my ADVPN spoke advertised via the ADVPN Hub is set to stale as expected. However, as soon as the update-delay timer of 10 sec has expired, the stale route is removed, as the DC ISFW receives an update from the ADVPN hub with 0 NLRI.


It does this because the BGP peering between the ADVPN Hub and spoke doesn't get negotiated after the update delay timer has expired. And it of course takes a few seconds.

 

I wonder if there is any way to delay the update from the ADVPN hub towards the DC ISFW until the BGP peering between Hub and Spoke is reestablished?

 

I've looked here for answers:

https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/466620/router-bgp

 

I'm not sure what the following exactly does:

Per neighbor:

  • set restart-time

The description is: "Graceful restart delay time (sec, 0 = global default)."

Is that the Graceful restart time referred to, or the Graceful restart update-delay?

 

Anyway, I wonder if it can be tweaked to delay further for one specific neighbor (Hub -> DC ISFW).

Kind regards
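As an added example (not configuration from the post or from Fortinet), this is how the timers listed above sit in the FortiOS `config router bgp` hierarchy on the Hub: the graceful-restart items at the global level, one neighbor-group carrying the spoke timers, and a separate neighbor entry for the eBGP session to the DC ISFW, which is where the per-neighbor `restart-time` the post asks about is set. AS numbers, addresses, the tunnel prefix and the group name are assumed placeholders.

```text
# Added example, not from the post. Hub-side FortiOS BGP config assembled from
# the settings the post lists; AS numbers, addresses and names are placeholders.
config router bgp
    set as 65000
    set router-id 10.255.0.1
    # Global graceful-restart settings ("set globally" in the post).
    # graceful-update-delay is the 10 s after which the post sees the Hub send
    # the update with 0 NLRI that purges the stale route on the ISFW.
    set graceful-restart enable
    set graceful-end-on-timer enable
    set graceful-update-delay 10
    # One group holds the iBGP settings for every spoke.
    config neighbor-group
        edit "spokes"
            set remote-as 65000
            set advertisement-interval 1
            set keep-alive-timer 3
            set holdtime-timer 9
            set capability-graceful-restart enable
            set stale-route enable
            set retain-stale-time 120
        next
    end
    # Assumed ADVPN tunnel address range; spokes peering from it join "spokes".
    config neighbor-range
        edit 1
            set prefix 10.255.1.0 255.255.255.0
            set neighbor-group "spokes"
        next
    end
    # Assumed DC ISFW address, eBGP. restart-time is the per-neighbor value
    # the post quotes from the CLI reference; 0 = global default.
    config neighbor
        edit "172.16.0.2"
            set remote-as 65100
            set advertisement-interval 1
            set capability-graceful-restart enable
            set restart-time 0
        next
    end
end
```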
1 REPLY
Anonymous
Not applicable

Hello @JonasV
 
Welcome to the Fortinet community and thank you for your post. Hopefully, you've been keeping safe and doing well!
 
We see you are looking to find out if there is a way to delay the update from the hub to spoke in an ADVPN setup. We will have this looked into and reach back to you as soon as possible.
 
You should receive an update from one of the team members. Thanks for your patience on this.
 
Regards