BGP Failback

jokes54321 · ‎04-22-2021

We setup a 1Gb Direct Connect to AWS with an IPSec tunnel for failover. We are running BGP across both for dynamic routing/failover.

When we take down the Direct Connect interface, traffic correctly fails over to the IPSec tunnel. The issue we're running into is when the Direct Connect comes back up. AWS starts routing over the Direct Connect but the Fortigate still has the IPSec tunnel in it's routing table.

As a test, we setup a prefix list and route map to adjust the metric from 20 to 30 on the routes received from the IPSec tunnel neighbor, but this didn't help.

Any suggestions?

Denny

Toshi_Esumi · ‎04-22-2021

Generally the local preference for the preferred interface learned routes is set higher and the local pref for backup is set lower for failover/back situations with BGP. So that the local device would choose the primary routes while both are on the BGP table and RIB get the higher pref routes only. Probably AWS side is doing that already, and that's why their end can failback immediately.

jokes54321 · ‎04-22-2021

Hi Toshi,

Thank you for pointing me in the right direction. I found a great blog on it and got it added to my config. Now I just need to secure a maintenance window to test it.

Denny

emnoc · ‎04-22-2021

What I would do is look at the bgp route and record what's presented ( MED locl_pref,etc......) and after you failback reanalyze.

Ken Felix

PCNSE

NSE

StrongSwan

BGP Failback

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website