Enable BGP HA Graceful Restart

johnlloyd_13
Level 9

hi,

i'm running IPSec VPN between HQ and a branch.

i need to add the BGP HA graceful restart in the branch dual internet edge router.

there's an iBGP between the branch's dual internet edge router and fortigate HA FW (which runs IPSec).

my question: is it "safe" to add "ha-mode graceful restart" between internet edge and FW? this is for fast failover/BGP convergence if the primary fortigate or its BGP goes down.

doing this remotely so i'm trying to avoid being cut off or, worse, locked out.

HQ --- INTERNET/IPSEC VPN --- BRANCH IGW1/2 --- iBGP --- FG HA

IGW1/2

router bgp 65000    <<< iBGP WITH FORTIGATE
 neighbor 1.2.3.4 ha-mode graceful-restart



17 Replies

Hello
Do your rtrs have dual RPs?
Do the Fortinets support GR?
Are you using BFD or just relying on the BGP timers? If the latter, it's not recommended to enable GR.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

hi paul,

Do your rtrs have dual RPs? - no
Do the Fortinets support GR? - yes
Are you using BFD or just relying on the BGP timers? If the latter, it's not recommended to enable GR. - just BGP timers

aim here is to speed up iBGP failover/convergence if the primary fortigate fails or is being upgraded; the secondary will take over seamlessly and avoid packet loss to downstream devices/users.

Hello
so based on the rtrs having no dual RPs and you not using BFD, enabling GR in my opinion would negate convergence by an additional 120 sec, plus the fact there is a potential for loops to be incurred if for some reason the GR rtr rebooted or lost power and didn't save its routing state.

Suggest for ibgp fast failover you use ibgp neighbour fall-back bfd 


Kind Regards
Paul

Hello @johnlloyd_13 ,

you have described your topology with the following :

>> HQ --- INTERNET/IPSEC VPN --- BRANCH IGW1/2 --- iBGP --- FG HA

and your goal as the following :

>> aim here is the speed up iBGP failover/convergence if primary fortigate fails or being upgraded, secondary will take over seamlessly and avoid packet loss to downstream device/users

So you have two internet facing routers in the branch office that you have named as IGW1 and IGW2, behind them there is an HA pair made of two Fortinet Firewalls.

so you have IGW1 -----------|| L2 switch ||------- FW1
            IGW2 -----------|| L2 switch ||------- FW2

and you run iBGP sessions between IGW1, IGW2 and the FW active (whoever is the active FW at the moment)

you cannot have a second session with the standby FW. They usually are reachable on the mgmt interface only when they are the active unit.

How do you think of making the two routers IGW1 and IGW2 able to detect who is the active FW, which always uses the same IP and potentially the same MAC address?

And more important, why should the routers do this? My understanding is that in a scenario like yours the ones responsible are the FWs themselves.

Hope to help

Giuseppe

 

hi giuseppe,

your description and topology is what we've got.

How do you think of making the two routers IGW1 and IGW2 able to detect who is the active FW, which always uses the same IP and potentially the same MAC address? - FG FW is an active/passive setup so my understanding is there's a virtual MAC used (and GARP) so IGW1/2 know which FW to communicate with.

And more important, why should the routers do this? My understanding is that in a scenario like yours the ones responsible are the FWs themselves. - i want BGP GR explicitly configured on both cisco IGW1/2 and FG FW. so you're saying i don't need BGP GR on the cisco side/IGW?

Hello @johnlloyd_13 ,.

I'm starting to understand what you would like to achieve.

BGP graceful restart is a feature where a router with two Route Processors in SSO can send out a special BGP message to say "I'm going to perform an RP switchover and I ask all my neighbors for a grace period; the sender device will not be able to send routing messages but I'm still able to route and forward packets in the data plane."

The point is that your ISR1, ISR2 are two separate devices with a single RP. They may have a separation between control plane and data plane.

The ISRs cannot perform GR but they can help a device that is able to do it.

By the way, what is the model of the Fortinet FW and its NOS type and version?

Hope to help

Giuseppe

 

 
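To make the "special BGP message" concrete, here is an added example (not code from any poster in this thread) that decodes the Graceful Restart capability (code 64, RFC 4724) carried in a BGP OPEN, so a practitioner can verify from a capture what a peer such as the FortiGate actually advertises: the restart time a helper like IGW1/2 would wait before flushing stale routes (the 120 s mentioned above), and whether the F bit claims the forwarding state is preserved. The sample OPEN optional parameters are constructed for the example, not taken from a real session.

```python
import struct
from dataclasses import dataclass, field
GR_CAP_CODE = 64  # Graceful Restart capability code (RFC 4724)

@dataclass
class GracefulRestartCap:
    restarting: bool                  # R bit: sender has just restarted
    restart_time: int                 # seconds the helper keeps stale routes
    families: list = field(default_factory=list)  # (afi, safi, forwarding_preserved)

def parse_gr_capability(value: bytes) -> GracefulRestartCap:
    """Decode the value octets of capability 64: 2-octet flags/time, then 4-octet AFI/SAFI tuples."""
    if len(value) < 2 or (len(value) - 2) % 4:
        raise ValueError("malformed Graceful Restart capability")
    flags_time = struct.unpack("!H", value[:2])[0]
    cap = GracefulRestartCap(restarting=bool(flags_time & 0x8000),  # R bit is the top bit
                             restart_time=flags_time & 0x0FFF)      # low 12 bits
    for off in range(2, len(value), 4):
        afi, safi, flags = struct.unpack("!HBB", value[off:off + 4])
        cap.families.append((afi, safi, bool(flags & 0x80)))  # F bit: forwarding state kept
    return cap

def gr_caps_from_open_params(params: bytes) -> list:
    """Walk the OPEN optional-parameters field (type 2 = capabilities) and collect GR caps."""
    caps, i = [], 0
    while i + 2 <= len(params):
        ptype, plen = params[i], params[i + 1]
        body, i = params[i + 2:i + 2 + plen], i + 2 + plen
        if ptype != 2:
            continue
        j = 0
        while j + 2 <= len(body):
            code, clen = body[j], body[j + 1]
            if code == GR_CAP_CODE:
                caps.append(parse_gr_capability(body[j + 2:j + 2 + clen]))
            j += 2 + clen
    return caps

def gr_assessment(cap: GracefulRestartCap) -> str:  # what the advertisement means for a helper
    if not cap.families:
        return "helper-only"             # peer assists our restart, preserves nothing itself
    if not any(f[2] for f in cap.families):
        return "no-forwarding-state"     # F bit clear: stale routes kept, data plane not preserved
    return f"forwarding-preserved:{cap.restart_time}s"  # helper keeps stale routes up to this long

# Constructed sample (not a real capture): MP-BGP ipv4/unicast (code 1) plus GR, restart-time 120 s, F=1
SAMPLE_PARAMS = bytes([
    2, 14,                              # parameter type 2 (capabilities), length 14
    1, 4, 0, 1, 0, 1,                   # MP-BGP capability: AFI 1 (ipv4), SAFI 1 (unicast)
    64, 6, 0x00, 0x78, 0, 1, 1, 0x80,   # GR: R=0, restart-time 0x078 = 120; ipv4/unicast, F=1
])
```

Feed the bytes after the OPEN's "Opt Parm Len" octet from a capture into gr_caps_from_open_params; a capability with no AFI/SAFI tuples means the peer only acts as a helper, which is the role a single-RP ISR can play.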

hi giuseppe,

it's a fortigate 400 and runs OS 7.2.x.

not sure what "nos type" is. can you elaborate/expound?

Hello @johnlloyd_13 ,

>> it's a fortigate 400 and runs OS 7.2.x

By NOS type I mean the exact name of the Network Operating System; it is a vendor-neutral term, however a single vendor can have multiple NOSes supported on different address families.

We have two sets of 1000D in an HA pair running 7.x.y; they use multi-VDOM features but we use only static routes towards the internal network. I cannot add details on the public Internet handoffs we have in each datacenter or how they connect to the edge routers.

Juniper SRX run JUNOS. Checkpoint and Palo Alto are considered the top for performance/features.

Cisco NG FW run Firepower (actually it is a little more complex than this: in higher-end platforms there is an underlying system, with ASA OS and Firepower Service modules on top of this common ground, to implement a SHARED memory for data plane packets).

My personal favorite is Juniper SRX that does almost anything: it can be a multilayer switch, a PE node, a stateful FW. The greatest platforms.

I like also ASA and now after 3 years working on them I'm starting to like NGFW Firepower too, but they are NG FW: they cannot be also a PE node or a multilayer switch at the same time.

Hint: I'm a little an MPLS fan.

Hope to help

Giuseppe

 

balaji.bandi
Hall of Fame

Personally I avoid BGP graceful restart; if BFD is supported, use that as an option with the right timers.

fortigate HA FW (which runs IPSec) - in this case you have only 1 FW doing load-sharing between both IPSEC, right?

i need to add the BGP HA graceful restart in the branch dual internet edge router. - this means you have dual routers

do they load-balance traffic between both IPSEC tunnels? how is your BGP network announcement?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

hi balaji,

there's no BFD and only BGP timers are configured on both dual IGW and FG.

there's only 1 primary/active FW doing ipsec VPN. this is an active/passive HA setup.

I am afraid that then you do not have any other option than to rely only on that option. Maybe tweak the timers and keep monitoring.


BB


M02@rt37
VIP

Hello @johnlloyd_13

Yes, enabling ha-mode graceful restart in your setup is generally safe and can improve BGP convergence during failovers. However, since there are no BFD timers, you should be cautious and ensure that BGP timers are optimized.

Best regards

 

MHM

hi,

i'm using fortigate in this case not ASA FW. different vendors implement/behave differently, i.e. BGP/routing protocols.
