Hello,
I've been trying to decrease the downtime of a new ADVPN setup for the traffic flowing from our Spoke -> Hub -> DC internal segmented firewall (ISFW).
Our ADVPN Hub and spokes run iBGP.
Between our DC ISFW and ADVPN Hub, eBGP is running.
I've managed to decrease the packet loss to ~10 sec when the ADVPN Hub cluster (two FortiGate 200Fs) is doing a failover.
I have Graceful restart enabled globally between DC ISFW and ADVPN Hub + between ADVPN Hub and Spokes.
I have set the following for Hub/spoke BGP speakers:
On the Hub, I have also set globally:
Towards the DC ISFW, the advertisement interval = 1 sec.
When I monitor the RIB of our DC ISFW, the prefix from my ADVPN spoke advertised via ADVPN Hub is set to stale as expected. However, as soon as the update-delay timer of 10 sec has expired, the stale route is removed, as the DC ISFW received an update from the ADVPN hub with 0 NLRI.
It does this because the BGP peering between the ADVPN Hub and spoke doesn't get negotiated until after the update delay timer has expired, and that of course takes a few seconds.
I wonder if there is any way to delay the update from the ADVPN hub towards the DC ISFW until the BGP peering between Hub and Spoke is re-established?
I've looked here for answers:
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/466620/router-bgp
I'm not sure what the following exactly does:
Per neighbor:
The description is: "Graceful restart delay time (sec, 0 = global default)."
Is that the Graceful restart time referred to, or the Graceful restart update-delay?
Anyway, I wonder if it can be tweaked to delay further for one specific neighbor (Hub -> DC ISFW).
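To reason about which timer governs the withdrawal described above, here is a small timeline model of the generic RFC 4724 graceful-restart rules for the Spoke -> Hub -> ISFW path. It is an added illustration, not FortiGate code or the original post's configuration; all timings are constructed, and the function and parameter names are my own.

```python
"""Timeline model of BGP graceful restart (RFC 4724) on the Spoke -> Hub -> ISFW path.
Added illustration with constructed timings; not FortiGate code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    eor_sent_at: float             # when the hub sends End-of-RIB towards the ISFW
    withdrawn_at: Optional[float]  # when the ISFW drops the spoke prefix, if ever
    restored_at: Optional[float]   # when the ISFW re-learns it, if it was dropped

    @property
    def loss_window(self) -> float:
        """Seconds during which the ISFW has no path to the spoke prefix."""
        if self.withdrawn_at is None:
            return 0.0
        return self.restored_at - self.withdrawn_at


def spoke_prefix_at_isfw(update_delay: float, stalepath_time: float,
                         spoke_eor: float, adv_interval: float) -> Outcome:
    """All times are seconds after the hub cluster failover (t = 0).

    update_delay    hub's graceful update-delay: it sends its own EoR once every
                    peer has sent EoR, or when this timer expires, whichever is first
    stalepath_time  how long the ISFW keeps the hub's stale paths without an EoR
    spoke_eor       when the spoke has re-sent its routes plus EoR to the hub
    adv_interval    hub's advertisement interval towards the ISFW
    """
    # The hub (single restarting peer of interest: the spoke) sends EoR towards
    # the ISFW at the earlier of "spoke finished" and "update-delay expired".
    eor_sent_at = min(spoke_eor, update_delay)
    # The ISFW stops trusting the stale path at the hub's EoR (if the prefix was
    # not refreshed by then) or when its own stalepath timer runs out.
    stale_dropped_at = min(stalepath_time, eor_sent_at)
    if spoke_eor <= stale_dropped_at:
        # Refresh arrived together with (or before) the EoR: no withdrawal.
        return Outcome(eor_sent_at, None, None)
    # EoR carried 0 NLRI for the prefix (or stalepath expired): withdrawn, then
    # re-advertised once the hub has the route and its advertisement interval ticks.
    return Outcome(eor_sent_at, stale_dropped_at, spoke_eor + adv_interval)


if __name__ == "__main__":
    for delay in (10, 20):
        o = spoke_prefix_at_isfw(update_delay=delay, stalepath_time=360,
                                 spoke_eor=13, adv_interval=1)
        print(f"update-delay={delay}s: EoR at {o.eor_sent_at}s, loss {o.loss_window}s")
```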
Created on 01-10-2022 10:57 AM
Did you find a solution?