Solved: Re: ASA Micro BFD - Page 2

Pim Scheffers · ‎05-08-2024

Does anyone know if any cisco ASA version supports Micro-BFD (RFC 7130) ?

I'm having a hard time finding it in the documentation so probably not.

maybe in an upcoming release?

tvotna · ‎05-08-2024

Noticed above that peers are on the same subnet, so removing misleading info.

Still, I don't understand why BFD between ASA and ASR1k fails if one link of the vPC fails and why micro-BFD is needed in this topology.

Pim Scheffers · ‎05-08-2024

So it depends on the hashing of the port-channel, not all bgp neighbors go down just the ones that travel over the link that is being pulled

lets's say:

bgp neigbor A travels over link 1 of the port-channel (because of src-dst ip hashing)
bgp neigbor B travels over link 2 of the port-channel (because of src-dst ip hashing)

link 2 gets disconnected

neihgbor A stays up
neighbor B gets torn down because bfd noticed the link down, after which neighbor B re-establishes over link 1

To prevent neighbor B from even being torn down and re-establishing you can use micro-bfd (if it's supported on your hardware)

also see the blog post from Ivan i posted before

tvotna · ‎05-08-2024

In my opinion, this can only happen if BFD timers on ASA and/or ASR1k are so small that a failure of a single link leads to the loss of few consecutive BFD packets, before the hash is re-programmed, in which case session is torn down. I might be mistaken. Increase timers and test?

On ASA BFD/UDP connection should be created with a port-channel as egress interface ("show conn all protocol udp port 3784"), so ASA should be able to switch to another physical link as soon as the other link is removed from the hash by the underlying code.

Micro-BFD would be run between the Nexus switch and the ASA on one side and the Nexus switch and the ASR1k on the other side, whilst your BGP is between the ASA and the ASR1k. How would this help?