Support Forum
fortinetuser2020
New Contributor

bgp fine tuning question

hi

i have 2 fortigates that are linked with 2 point-to-point lines between them.

each p2p line is from a different isp for redundancy.

main line is 100mbps and backup line from the 2nd isp is 40mbps

i've set up bgp, i control bgp on both sides. everything is working fine. on a regular basis, the main line works, and if i fail the main line, a route failover occurs and it flips to the backup line. with local preference on both sides, when the main line comes back up, it fails back to it.

my problem/question is that the failover/failback is quite long.

i know i'm supposed to "play" with: holdtimer, graceful restart and graceful-stalepath

the holdtimer part i understand, it's explained simply and understood. it states the time to "declare" the path dead and look for another one. but i didn't quite get the last two.

i'm looking for the best practice for my situation, bear in mind i'm controlling both ends, no isp bgp is involved here.

 

thank you

Yurisk
SuperUser

Graceful-anything is the opposite of what you are trying to achieve. Graceful restart, once enabled, tells your Fortigate to WAIT even if it detects that its BGP peer has failed, and thus NOT to tear down peering. This is done to prevent flapping in case of an occasional crash/restart of the BGP peer. In other words, it will prolong failover.

 

You have a few options to speed up failover:

1. Play with timers - holdtimer, keepalive timer. But this will only take you so far; the minimum allowed by the standard would be 10 seconds before failover (if I recall correctly). Downside is the increased chance of false failovers.
2. Enable BFD under BGP peering. BFD (vendor-independent standard and feature) tests your link constantly with UDP packets and thus allows failover in case of line failure in terms of milliseconds. BUT ... the second side of the link has to support BFD as well, which is not a given. Do you have Layer 2 or Layer 3 links from your ISPs? I mean, is the next hop of your Fortigates the IP of your own equipment or the ISPs'? Because Fortigates support BFD just fine, but the ISPs' equipment may or may not - you have to ask them.
3. Enable link-monitoring on the Fortigate on the interface that the BGP peering is formed via. You just set some ping destination and the Fortigate declares the link as down once pings time out. I, from personal experience, don't like that option that much, as lots of things are in flux and pinging hosts you don't control inevitably causes false positives and headache.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
fortinetuser2020

many thanks for your great answer!

about this: "Enable BFD under BGP peering"

both sides are fortigates, so they support BFD

lines are l2 from the isp. the layer 3 is created by me. each side's opposite hop is the opposite fortigate.

Yurisk

In such a case you can enable BFD on both sides with no fear, it will give the fastest failover possible.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
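Putting Yurisk's advice from both replies together (BFD on both FortiGate peers, short BGP hold/keepalive timers only as a fallback, graceful restart left off), here is an added FortiOS CLI example for one of the two FortiGates; it is not from the thread. The interface names, addresses, AS numbers and the route-map names standing in for the poster's existing local-preference maps are all assumptions.

```fortios
# Added example, not the poster's config. Assumed values: local AS 65001,
# remote AS 65002, main line on port1 (peer 10.1.1.2), backup on port2
# (peer 10.2.2.2). The same config, mirrored, goes on the other FortiGate.
config system interface
    edit "port1"
        set bfd enable
        # detection time = required-min-rx x detect-mult = 250 ms x 3 = 750 ms
        set bfd-desired-min-tx 250
        set bfd-required-min-rx 250
        set bfd-detect-mult 3
    next
    edit "port2"
        set bfd enable
        set bfd-desired-min-tx 250
        set bfd-required-min-rx 250
        set bfd-detect-mult 3
    next
end
config router bgp
    set as 65001
    set router-id 10.1.1.1
    # graceful restart keeps stale paths after a peer failure; leave it off
    # when the goal is fast failover
    set graceful-restart disable
    config neighbor
        edit "10.1.1.2"
            set remote-as 65002
            # BFD tears the session down within ~750 ms of link loss;
            # the BGP hold/keepalive timers are only the fallback
            set bfd enable
            set holdtime-timer 9
            set keepalive-timer 3
            # assumed name of the poster's existing local-preference route-map
            set route-map-in "LP-MAIN"
        next
        edit "10.2.2.2"
            set remote-as 65002
            set bfd enable
            set holdtime-timer 9
            set keepalive-timer 3
            set route-map-in "LP-BACKUP"
        next
    end
end
```

After both ends are configured, `get router info bfd neighbor` should show both BFD sessions as UP and `get router info bgp summary` both peers as Established; pulling the main line should then move traffic to the backup in well under a second rather than after the BGP hold time.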