10-04-2024 01:03 AM - edited 10-04-2024 01:20 AM
hi,
i'm running IPSec VPN between HQ and a branch.
i need to add the BGP HA graceful restart in the branch dual internet edge router.
there's an iBGP between the branch's dual internet edge router and fortigate HA FW (which runs IPSec).
my question is: is it "safe" to add "ha-mode graceful restart" between internet edge and FW? this is for fast failover/BGP convergence if the primary fortigate or its BGP goes down.
doing this remotely so i'm trying to avoid being cut off or, worse, locked out.
HQ --- INTERNET/IPSEC VPN --- BRANCH IGW1/2 --- iBGP --- FG HA
IGW1/2
router bgp 65000   <<< iBGP WITH FORTIGATE
 neighbor 1.2.3.4 ha-mode graceful-restart
10-04-2024 08:08 PM
Hello @johnlloyd_13,
I'm starting to understand what you would like to achieve.
BGP graceful restart is a feature where a router with two Route Processors in SSO can send out a special BGP message to say "I'm going to perform an RP switchover and I ask all my neighbors for a grace period; the sender device will not be able to send routing messages but I'm still able to route and forward packets in the data plane."
The point is that your ISR1, ISR2 are two separate devices with a single RP. They may have a separation between control plane and data plane.
The ISRs cannot perform GR but they can help a device that is able to do it.
By the way, what is the model of the Fortinet FW and its NOS type and version?
Hope to help
Giuseppe
10-04-2024 02:01 AM
Hello
Do your rtr have dual Rps?
Do the fortinets support GR?
Are you using BFD or just relying on the bgp timers? If the latter, it's not recommended to enable GR
10-04-2024 04:03 AM
hi paul,
Do your rtr have dual Rps? - no
Do the fortinets support GR? - yes
Are you using BFD or just relying on the bgp timers? If the latter, it's not recommended to enable GR - just BGP timers
aim here is to speed up iBGP failover/convergence if the primary fortigate fails or is being upgraded, so the secondary will take over seamlessly and avoid packet loss to downstream device/users.
10-04-2024 10:53 AM
Hello
so based on the rtr having no dual RPs and you not using BFD, enabling GR in my opinion would negate convergence by an additional 120 sec, plus the fact there is a potential for loops to be incurred if for some reason the GR rtr rebooted or lost power and didn't save its routing state
Suggest for ibgp fast failover you use ibgp neighbour fall-back bfd
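As an added example (not the thread's own configuration) of the BFD-based fast failover Paul suggests, here is an IOS fragment for one IGW. The neighbor address 1.2.3.4 and AS 65000 come from the first post; the interface name, the BFD timers and the "reload in" safety net for a remote change are assumptions.

```text
! IGW1 (IOS) - added example, not the thread's configuration.
! Safety net for a remote change: schedule a reload, then cancel it once
! the session is confirmed healthy. Unsaved config is lost on reload.
reload in 10

! BFD runs on the L2 link facing the FortiGate HA pair.
! Timer values (ms) are an assumption; the FortiGate end must run BFD
! for this session too, with compatible values.
interface GigabitEthernet0/1
 description to FG-HA via L2 switch
 bfd interval 300 min_rx 300 multiplier 3

router bgp 65000
 ! Tear down the iBGP session as soon as BFD declares the neighbor down,
 ! instead of waiting for the BGP hold timer to expire.
 neighbor 1.2.3.4 remote-as 65000
 neighbor 1.2.3.4 fall-over bfd
 ! The "ha-mode graceful-restart" line from the first post is left out
 ! on purpose: as Paul notes, a GR helper keeps stale paths for the
 ! restart timer (120 s by default), which defeats the fast failover.

! Checks before cancelling the scheduled reload:
! show bfd neighbors                            - session to 1.2.3.4 Up
! show ip bgp neighbors 1.2.3.4 | include BFD|state
! reload cancel
```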
10-04-2024 02:00 PM
Hello @johnlloyd_13 ,
you have described your topology with the following :
>> HQ --- INTERNET/IPSEC VPN --- BRANCH IGW1/2 --- iBGP --- FG HA
and your goal as the following :
>> aim here is to speed up iBGP failover/convergence if the primary fortigate fails or is being upgraded, so the secondary will take over seamlessly and avoid packet loss to downstream device/users
So you have two internet facing routers in the branch office that you have named as IGW1 and IGW2, behind them there is an HA pair made of two Fortinet Firewalls.
so you have
IGW1 -----------|| L2 switch ||------- FW1
IGW2 -----------|| L2 switch ||------- FW2
and you run iBGP sessions between IGW1, IGW2 and the FW active (whoever is the active FW at the moment)
you cannot have a second session with the standby FW. They usually are reachable on the mgmt interface when they are the active unit.
How do you think of making the two routers IGW1 and IGW2 able to detect who is the active FW that always uses the same IP and potentially the same MAC address?
And more important why should the routers do this ? My understanding is that in a scenario like yours the ones responsible are the FW themselves.
Hope to help
Giuseppe
10-04-2024 05:08 PM
hi giuseppe,
your description and topology is what we've got.
How do you think of making the two routers IGW1 and IGW2 able to detect who is the active FW that always uses the same IP and potentially the same MAC address? - FG FW is an active/passive setup, so my understanding is there's a virtual MAC used (and GARP) so IGW1/2 know which FW to communicate with.
And more important why should the routers do this ? My understanding is that in a scenario like yours the ones responsible are the FW themselves. - i want BGP GR explicitly configured on both cisco IGW1/2 and FG FW. so you're saying i don't need BGP GR on the cisco side/IGW?
10-07-2024 06:22 AM
hi giuseppe,
it's a fortigate 400 and runs OS 7.2.x.
not sure what "nos type" is. can you elaborate/expound?
10-07-2024 12:24 PM
Hello @johnlloyd_13 ,
>> it's a fortigate 400 and runs OS 7.2.x
By NOS type I mean the exact name of the Network Operating System; it is a vendor-neutral term, however a single vendor can have multiple NOSes supported on different address families.
We have two sets of 1000D in an HA pair running like 7.x.y; they use multi VDOM features but we use only static routes towards the internal network. I cannot add details on the public Internet handoffs we have in each datacenter or how they connect to the edge routers.
Juniper SRX run JUNOS. Checkpoint and Palo Alto are considered the top for performance/features.
Cisco NG FW run Firepower (actually it is a little more complex than this: in higher end platforms there is an underlying system, with ASA OS and Firepower Service modules on top of this common ground to implement a SHARED memory for data plane packets).
My personal favorite is Juniper SRX that does almost anything: it can be a multilayer switch, a PE node, a stateful FW. The greatest platforms.
I also like ASA and now after 3 years working on them I'm starting to like NGFW Firepower too, but they are NG FW; they cannot also be a PE node or a multilayer switch at the same time.
Hint: I'm a little of an MPLS fan.
Hope to help
Giuseppe
10-04-2024 04:50 AM
Personally I avoid BGP graceful restart; if BFD is supported use that as an option with the right timer.
fortigate HA FW (which runs IPSec) - in this case you have only 1 FW doing load-sharing between both IPSEC, right?
i need to add the BGP HA graceful restart in the branch dual internet edge router. - this means you have dual routers
Do they load-balance traffic between both IPSEC tunnels? How is your BGP network announcement?
10-04-2024 04:54 AM
hi balaji,
there's no BFD and only BGP timers are configured on both dual IGW and FG.
there's only 1 primary/active FW doing ipsec VPN. this is an active/passive HA setup.
10-04-2024 10:50 AM
I am afraid then you do not have any other option than to rely only on that option. Maybe tweak the timers and keep monitoring
10-04-2024 05:59 AM - edited 10-04-2024 06:00 AM
Hello @johnlloyd_13
10-04-2024 11:12 AM - edited 10-07-2024 06:24 AM
MHM
10-04-2024 05:11 PM
hi,
i'm using fortigate in this case not ASA FW. different vendors implement/behave differently, i.e. BGP/routing protocols.