BFD between ASR9001 and Palo Alto

Hi everybody, hope you are fine. I'm trying to implement BFD between two ASR9001 routers and a Palo Alto PA-5250 Firewall. I've configured BFD on the routers (under the OSPF process) and the Firewall, but they are not seeing each other; BFD sessions are not coming up. OSPF neighboring is OK, graceful restart works fine, and when the cluster mastership changes everything goes smoothly. The thing is that for broadcast segments, if I ever lose a Cisco Router it will take 40 seconds for the OSPF process on the Firewall to detect this (dead timer 4xHello; there's a Nexus in the middle of the devices, so the interface links will not go down). This recovery time is not acceptable; it is too high.

 

Has anyone tried to implement BFD between these vendors before? How did it go? Can you help me with the config please?

 

Another piece of information I think is important... there's a bundle Ethernet link on each of the ASR 9001 Routers. There's a port aggregation as well on each of the Firewalls (active/passive cluster). Could that interfere?

 

IOS-XR Version: Cisco IOS XR Software, Version 6.0.2[Default]

Palo Alto version: 8.0.9

 

Below you can find topology diagrams and config information.

 

Cheers,

Luis

 

Logical View (diagram: 2018-06-12_10h01_35.png)

Physical (diagram: 2018-06-12_10h15_54.png)

 

ASR Config

router ospf FIREWALL
 log adjacency changes detail
 bfd minimum-interval 300
 bfd multiplier 3
 vrf PROXY-TMP
  router-id 172.20.5.17
  address-family ipv4
  area 0
   interface Bundle-Ether1.1010
    bfd fast-detect
   !
  !
 !
!
Accepted Solution

Thanks for the answer, Aleksandar. The actual problem was that BFD was configured over a Bundle interface, so the following lines had to be added to the configuration in order for that to work.

 

bfd
 multipath include location 0/0/CPU0
!

Just for your info, if you ever configure that, check the command show bfd session detail, section MP DOWNLOAD STATE:

[screenshot of show bfd session detail output]

Cheers,

Luis


Replies
Aleksandar Vidakovic
Cisco Employee

Use "sh bfd session status detail ..." to see whether the bfd process on the asr9k is receiving any BFD packets from the peer. If yes, see "sh bfd session status history ..." to see why the session is kept down. Check whether any of the BFD specific NP counters are incrementing on the asr9k side. If yes, use "sh lpts pifib hardware static-police location ..." to see where they are punted (should be "Local", meaning line card CPU). If none of the BFD specific NP counters is incrementing, I would check the BFD packet format generated by the firewall to see whether there's anything suspicious.

 

For NP counter capture, see:

https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-troubleshooting-packet-drops-and-understanding-np/ta-p/3126715

https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-troubleshooting-packet-drops-drops-in-np-microcode/ta-p/3155145

 

For details of BFD implementation on asr9k see:

https://supportforums.cisco.com/docs/DOC-33907

 

/Aleksandar
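One way to do the last check Aleksandar suggests, inspecting the peer's BFD packet format, is to decode captured control packets against RFC 5880 and apply the same reception checks a receiver would. This is an added Python example, not code from the thread, Cisco or Palo Alto; the packet bytes are constructed for illustration, not a capture from the PA-5250, and the 300 ms / multiplier 3 values mirror the ASR config above.

```python
import struct

MANDATORY_LEN = 24            # RFC 5880 mandatory section, no authentication
STATE_ADMIN_DOWN, STATE_DOWN = 0, 1

def parse_bfd_control(data: bytes) -> dict:
    """Decode the 24-byte mandatory section (intervals are in microseconds)."""
    if len(data) < MANDATORY_LEN:
        raise ValueError("shorter than BFD mandatory section")
    b0, b1, mult, length, my_d, your_d, tx, rx, echo = struct.unpack("!BBBBIIIII", data[:MANDATORY_LEN])
    return {
        "version": b0 >> 5, "diag": b0 & 0x1F, "state": b1 >> 6,
        "poll": bool(b1 & 0x20), "final": bool(b1 & 0x10), "cpi": bool(b1 & 0x08),
        "auth": bool(b1 & 0x04), "demand": bool(b1 & 0x02), "multipoint": bool(b1 & 0x01),
        "detect_mult": mult, "length": length, "my_disc": my_d, "your_disc": your_d,
        "desired_min_tx": tx, "required_min_rx": rx, "required_min_echo_rx": echo,
    }

def discard_reasons(pkt: dict, wire_len: int, auth_configured: bool = False) -> list:
    """Reasons an RFC 5880 section 6.8.6 receiver would silently drop this packet."""
    reasons = []
    if pkt["version"] != 1:
        reasons.append("version is not 1")
    if pkt["length"] < (26 if pkt["auth"] else MANDATORY_LEN):
        reasons.append("length field too small")
    if pkt["length"] > wire_len:
        reasons.append("length field larger than bytes received")
    if pkt["detect_mult"] == 0:
        reasons.append("detect multiplier is zero")
    if pkt["multipoint"]:
        reasons.append("multipoint bit set")
    if pkt["my_disc"] == 0:
        reasons.append("my discriminator is zero")
    if pkt["your_disc"] == 0 and pkt["state"] not in (STATE_ADMIN_DOWN, STATE_DOWN):
        reasons.append("your discriminator zero but state is not Down/AdminDown")
    if pkt["auth"] != auth_configured:
        reasons.append("authentication bit does not match local configuration")
    return reasons

def detection_time_ms(local_required_min_rx_us: int, pkt: dict) -> float:
    """Time this side waits before declaring the peer down: peer multiplier x slower interval."""
    return pkt["detect_mult"] * max(local_required_min_rx_us, pkt["desired_min_tx"]) / 1000

# Constructed sample, not a real capture: version 1, state Down, multiplier 3,
# my discriminator 0x1234, your discriminator 0, 300 ms tx/rx, no echo.
SAMPLE = bytes([0x20, 0x40, 3, MANDATORY_LEN]) + struct.pack("!IIIII", 0x1234, 0, 300_000, 300_000, 0)

if __name__ == "__main__":
    pkt = parse_bfd_control(SAMPLE)
    print(discard_reasons(pkt, len(SAMPLE)), detection_time_ms(300_000, pkt))
```

Feed it the UDP payload of a packet captured on the peer side (single-hop BFD is UDP destination port 3784); an empty reason list means the format itself is not why the asr9k ignores it.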

 