topic Re: ASA Micro BFD in Network Security

ASA Micro BFD

Pim Scheffers — Wed, 08 May 2024 09:00:49 GMT

Does anyone know if any cisco ASA version supports Micro-BFD (RFC 7130) ?

I'm having a hard time finding it in the documentation so probably not.

maybe in an upcoming release?

Re: ASA Micro BFD

MHM Cisco World — Wed, 08 May 2024 09:03:17 GMT

Why you are looking for BFD?

Do you have IGP you need to fast recovery by bfd?

MHM

Re: ASA Micro BFD

Pim Scheffers — Wed, 08 May 2024 09:31:00 GMT

Do you have IGP you need to fast recovery by bfd? YES

BFD is already running on the ASA, i'm looking to convert it it to Micro-BFD because it's connected the a Nexus VPC
When 1 of the links of the port-channel now goes down bfd is killiing the igp that's why i need micro-bfd RFC 7130

Re: ASA Micro BFD

tvotna — Wed, 08 May 2024 09:32:07 GMT

One ASA BFD is used 1) to support fast BGP fall-over and 2) for health monitoring and failure detection inside failover subsystem. For LAG monitoring and failure detection ASA/FXOS uses LACP. Micro BFD is not supported. Why do you need BFD on LAG interfaces?

Re: ASA Micro BFD

MHM Cisco World — Wed, 08 May 2024 09:36:00 GMT

you run PO between ASA and vPC or redundancy interface ?

Re: ASA Micro BFD

tvotna — Wed, 08 May 2024 10:07:54 GMT

@Pim Scheffers, sorry if I'm asking something stupid, but are you talking about IGP through the ASA or to the ASA? So far as I know, ASA OSPF has not been integrated with BFD running on the ASA: the "CSCvh56774 ENH: Request to add BFD support for OSPF on ASA" enhancement has not been implemented. Also,

router ospf ...
 bfd all-interfaces

is not available on the ASA (although I don't have latest version of the code in hands). Why does OSPF fail in this case when one of port-channel links goes down?

Re: ASA Micro BFD

Pim Scheffers — Wed, 08 May 2024 10:58:56 GMT

So the setup is ASA with port-channel to nexus VPC pair - which connects to cisco asr1001-X also with a port-channel
between the ASA & ASR1001-x I have multiple bgp neigbourships with BFD fall-over configured
If i pull a link or reboot a switch from the vpc pair i see bgp neigbourships being torn down because of bfd which i can prevent if micro-bfd was supported, hope it's clear like this

Re: ASA Micro BFD

MHM Cisco World — Wed, 08 May 2024 11:08:34 GMT

Did you use bfd multihop also?

Since ebgp is multi hop then bfd need to be multi also

MHM

Re: ASA Micro BFD

Pim Scheffers — Wed, 08 May 2024 11:38:51 GMT

ebgp CAN be multi hop but it's not in this case the bgp neighbours are on the same segement.

I also don't read in the documentation that when you use bgp it MUST be multihop bfd i see loads of examples where it is single hop.

or maybe i'm misunderstanding

Re: ASA Micro BFD

MHM Cisco World — Wed, 08 May 2024 11:40:53 GMT

ASA-NSK-ASR
BGP run between ASA and ASR
the traffic pass through NSK L3 and it count as Hop
so BFD need to be multi in ASA to detect ASR
MHM

Re: ASA Micro BFD

Pim Scheffers — Wed, 08 May 2024 11:45:15 GMT

The nexus doesn't do L3 it's L2 Switch

Re: ASA Micro BFD

MHM Cisco World — Wed, 08 May 2024 11:49:33 GMT

can I see the ASA BFD and BGP config
also
show etherchannel summary <<- in NSK

MHM

Re: ASA Micro BFD

Pim Scheffers — Wed, 08 May 2024 11:53:10 GMT

Thanks for all the replies, but i think it's clear ASA doesn't support micro bfd

Re: ASA Micro BFD

MHM Cisco World — Wed, 08 May 2024 11:57:03 GMT

ASA not support micro BFD we agree
but ASA one link down loss BGP is not OK
the NSK see one link of PO not two, that Why when this link down the ASA loss BGP

anyway consider this NSK with vPC and PO sometime have issue

MHM

Re: ASA Micro BFD

Pim Scheffers — Wed, 08 May 2024 12:06:50 GMT

Ivan Pepelnjak already wrote a blogpost on it 🙂

https://blog.ipspace.net/2014/10/micro-bfd-bfd-over-lag-port-channel.html

Re: ASA Micro BFD

tvotna — Wed, 08 May 2024 12:57:34 GMT

Noticed above that peers are on the same subnet, so removing misleading info.

Still, I don't understand why BFD between ASA and ASR1k fails if one link of the vPC fails and why micro-BFD is needed in this topology.

Re: ASA Micro BFD

Pim Scheffers — Wed, 08 May 2024 13:27:55 GMT

So it depends on the hashing of the port-channel, not all bgp neighbors go down just the ones that travel over the link that is being pulled

lets's say:

bgp neigbor A travels over link 1 of the port-channel (because of src-dst ip hashing)
bgp neigbor B travels over link 2 of the port-channel (because of src-dst ip hashing)

link 2 gets disconnected

neihgbor A stays up
neighbor B gets torn down because bfd noticed the link down, after which neighbor B re-establishes over link 1

To prevent neighbor B from even being torn down and re-establishing you can use micro-bfd (if it's supported on your hardware)

also see the blog post from Ivan i posted before

Re: ASA Micro BFD

tvotna — Wed, 08 May 2024 14:54:07 GMT

In my opinion, this can only happen if BFD timers on ASA and/or ASR1k are so small that a failure of a single link leads to the loss of few consecutive BFD packets, before the hash is re-programmed, in which case session is torn down. I might be mistaken. Increase timers and test?

On ASA BFD/UDP connection should be created with a port-channel as egress interface ("show conn all protocol udp port 3784"), so ASA should be able to switch to another physical link as soon as the other link is removed from the hash by the underlying code.

Micro-BFD would be run between the Nexus switch and the ASA on one side and the Nexus switch and the ASR1k on the other side, whilst your BGP is between the ASA and the ASR1k. How would this help?