Skip to Content

How to Achieve BGP Fast Convergence over IPSec with Unstable Underlay on FortiGate

By: Author Alex Lim

Posted on

Categories Troubleshooting

This article describes how to achieve fast BGP convergence over an IPSec overlay when the underlay connection is unstable.

Scope

FortiGate.

Solution

In a setup with two WAN connections and two corresponding overlay IPSec tunnels to a HUB, where the HUB has only one WAN connection, it is crucial to ensure rapid BGP convergence during link failures and restorations.

When the primary WAN link and its associated tunnel fail, the secondary IPSec tunnel and BGP should quickly converge.

Upon restoration of the primary connection, the BGP neighborship on the primary tunnel should re-establish and converge swiftly.

To achieve this, apply the following configurations to the IPSec phase-interface and BGP neighbor settings

Enable Dead Peer Detection (DPD) on the Tunnel:

  • Set the DPD retry count to less than 3. This sets the number of DPD retries before marking the peer as dead to 2 attempts
  • Set the DPD retry interval to less than equal to10 seconds. This sets the interval between each DPD retry attempt to 10 seconds.

These settings ensure the IPSec tunnel takes 30 seconds to detect a dead peer and initiates failover procedures.

These parameters can be modified for quicker failover. Please ensure that DPD parameters are not too low as they can cause network congestion.

Enable Link-Down Failover in BGP for Neighborship with HUB and or change the Connect, keepalive, and hold timer.

This ensures the BGP neighborship is immediately torn down when the associated IPSec tunnel goes down, preventing traffic from routing through an unavailable interface.

Configuration Steps

IPSec Tunnel Configuration

Configure DPD settings for both the primary and secondary tunnels:

config vpn ipsec phase1-interface
edit "tunnel_primary"
set dpd-retrycount 2
set dpd-retryinterval 10
next
edit "tunnel_secondary"
set dpd-retrycount 2
set dpd-retryinterval 10
next
end

BGP Neighbor Configuration

  • Lower the Keep-Alive and hold timer and connect the timer.
  • Enable link-down failover for the BGP neighbor:
config router bop
set keepalive timer 5
set holdtime-timer 15
config neighbor
edit 10.201.1.254"
set advertisement-interval set conneet-timer 1
set link-down-failover enable
next
end

Benefits

  • Fast Failover: The BGP session on the primary IPSec tunnel is immediately torn down when the primary WAN link fails, allowing the secondary tunnel to quickly take over.
  • Rapid Recovery: When the primary WAN link is restored, the BGP session on the primary tunnel re-establishes quickly, ensuring minimal downtime.

By applying these configurations, fast and reliable BGP convergence is ensured over IPSec tunnels in environments with unstable underlay connections on FortiGate devices. This enhances the network’s resilience and performance.