hi paul,

Do your rtr have dual Rps? - no
Do the fortinets support GR? - yes
Are you using BFD or just relying the bgp timers, if the later its not recommended to enable GR - just BGP timers

aim here is the speed up iBGP failover/convergence if primary fortigate fails or being upgraded, secondary will take over seamlessly and avoid packet loss to downstream device/users.

Hello
so based on the rtr having no dual RPs and you are not using BFD enabling GR in my opinion would negate convergence by an additional 120 sec plus the fact there is a potential for loops to be incurred if for some reason the GR rtr rebooted or loss power and didn’t save its routing state 

Suggest for ibgp fast failover you use ibgp neighbour fall-back bfd 

Hello @johnlloyd_13 ,

you have described your topology with the following :

>> HQ --- INTERNET/IPSEC VPN --- BRANCH IGW1/2 --- iBGP --- FG HA

and your goal as the following :

>> aim here is the speed up iBGP failover/convergence if primary fortigate fails or being upgraded, secondary will take over seamlessly and avoid packet loss to downstream device/users

So you have two internet facing routers in the branch office that you have named as IGW1 and IGW2, behind them there is an HA pair made of two Fortinet Firewalls.

so you have IGW1 -----------|| L2 switch || ------- FW1

                   IGW2 -----------|| L2 switch  ||------- FW2

and you run iBGP sessions between IGW1, IGW2 and the FW active (whoever is the active FW at the moment)

you cannot have a second session with the standby FW. They usually are reachable on the mgmt interface when they are the acitve unit.

How do you think of making the two routers IGW1 and IGW2 able to detect who is the active FW  that uses always the same IP and potentially the same MAC address?

And more important why should the routers do this ?   My understanding is that in a scenario like yours the ones responsible are the FW themselves.

Hope to help

Giuseppe

hi giueseppe,

your description and toplogy is what we've got.

How do you think of making the two routers IGW1 and IGW2 able to detect who is the active FW that uses always the same IP and potentially the same MAC address? - FG FW is active/passive setup so my understanding there's a virtual MAC used (and GARP) so IGW1/2 knows which FW to communicate.

And more important why should the routers do this ? My understanding is that in a scenario like yours the ones responsible are the FW themselves. - i want BGP GR explicitly configured on both cisco IGW1/2 and FG FW. so you're saying i don't need BGP GR on the cisco side/IGW?

hi giuseppe,

it's a fortigate 400 and runs OS 7.2.x.

not sure what "nos type" is. can you elaborate/expound?

Hello @johnlloyd_13 ,

>> t's a fortigate 400 and runs OS 7.2.x

NOS type I mean the exact name of the Network Operating System it is a neutral vendor terms , however a single vendor can have multiple NOSes supported on different address famlies.

We have two  sets  of 1000D in HA pair running like 7.x.y they use multi VDOM features but we use only static routes towards the internal network . I cannot add details on the public Internet Handoffs we have in each datacenter or how they connect to the edge Routers.

Juniper SRX run JUNOS. Checkpoint and Palo Alto are considered the top for performance/features.

Cisco NG FW run Firepower  ( actually is a little more complex then this in higher end platforms there is an underlyin syste m, with ASA OS  and Firepower Service modules on top of thi common ground to implemented a SHARED memory for data plane packets).

My personal favorite is Juniper SRX that do almost anything it can be a multilayer switch a PE node  a stateful FW. The greatest platforms

I like also ASA and now after 3 years working on them I'm strarting  to like NGFW Firepower too but they are NG FW they cannot be also a PE node or a multilayer switch at the same time.

Hint: I'm a little an MPLS fan.

Hope to help

Giuseppe

hi balaji,

there's no BFD and only BGP timers are configured on both dual IGW and FG.

there's only 1 primary/active FW doing ipsec VPN. this is an active/passive HA setup.

I am afraid that - then you do not have any other option to rely only on that option. may be tweak the timers and keep Monitor

hi,

i'm using fortigate in this case not ASA FW. different vendors implement/behave differently, i.e. BGP/routing protocols.