FortiGate
gfranceschi
Staff
Article Id 190889

Purpose
This article shows BFD states in different situations.

BFD is configured between two peers to speed up the convergence of a routing protocol.
If BFD communication fails, BFD reports this to the routing protocol, which then updates its routing status.

Can a BGP session be up even though BFD is down?

There are two cases where the answer is yes:
- if BFD is configured on one peer only
- if BFD is blocked by a firewall - BFD is based on UDP port 3784



Diagram
Network diagram:

(vdom1) port10 ----port12 (TP vdom) port14 ------port16 (vdom2)




Expectations, Requirements
OSPF, BGP, static routing protocol
BFD

Configuration
Configuration:

Three vdoms are configured: vdom1, vdom2 and TP vdom.
BGP and BFD neighbors are configured in vdom1 and vdom2.
The TP vdom allows BFD communication to be controlled via a firewall policy on service port UDP 3784.

vdom1: IP on port10 is 10.130.0.139/22
vdom2: IP on port16 is 10.130.0.38/22

FG200P-1 (vdom1) # show  system settings
config system settings
    set bfd enable
end
FG200P-1 (vdom1) # show router bfd
config router bfd
        config neighbor
            edit 10.130.0.38
                set interface "port10"
            next
        end
end
FG200P-1 (vdom1) # sh router bgp
config router bgp
    set as 65001
    set router-id 0.0.0.1
        config neighbor
            edit "10.130.0.38"
                set bfd enable
                set remote-as 65002
                set send-community6 disable
            next
        end
end

FG200P-1 (vdom2) # show sys settings
config system settings
    set bfd enable
end
FG200P-1 (vdom2) # show  ro bgp
config router bgp
    set as 65002
    set router-id 0.0.0.2
        config neighbor
            edit "10.130.0.139"
                set bfd enable
                set remote-as 65001
                set send-community6 disable
            next
        end
end
FG200P-1 (vdom2) # show router bfd
config router bfd
        config neighbor
            edit 10.130.0.139
                set interface "port16"
            next
        end
end
Verification
BFD is configured on one peer only: BGP is up and BFD is down

FG200P-1 (vdom2) # con sys settings

FG200P-1 (settings) # get
comments            :
opmode              : nat
firewall-session-dirty: check-all
bfd                 : disable    <===== BFD not activated yet
bfd-desired-min-tx  : 250
bfd-required-min-rx : 250
bfd-detect-mult     : 3
bfd-dont-enforce-src-port: disable
utf8-spam-tagging   : enable
.../...

FG200P-1 (vdom1) # get ro info bgp summary

BGP router identifier 0.0.0.1, local AS number 65001
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.130.0.38     4      65002   42367   42364        0    0    0 03:04:41        0

Total number of neighbors 1

FG200P-1 (vdom1) # get router info bfd neighbor detail

OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.130.0.139    10.130.0.38     DOWN        port10          2/1
Local Diag: 1, Demand mode: no, Poll bit: unset
MinTxInt: 250, MinRxInt: 250, Multiplier: 3
Received: MinRxInt: 250 (ms), MinTxInt: 250 (ms),Multiplier: 3
Transmit Interval: 250 (ms), Detection Time: 750 (ms)
Rx Count: 4532, Rx Interval (ms) min/max/avg 0/5000/190 last 1000000380 (ms) ago
Tx Count: 448861, Tx Interval (ms) min/max/avg 0/5010/247  last: 250 (ms) ago
Registered protocols: Static BGP


FG200P-1 (vdom2) # get ro info bgp summary
BGP router identifier 0.0.0.2, local AS number 65002
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.130.0.139    4      65001   42349   42366        0    0    0 02:57:48        0

Total number of neighbors 1

FG200P-1 (vdom2) # get router info bfd  neighbor detail


BFD is configured on both peers: BGP remains up while BFD comes up

FG200P-1 (vdom2) # config system  settings
FG200P-1 (settings) # set bfd enable
FG200P-1 (settings) # end

FG200P-1 (vdom2) # get router info bfd  neighbor detail

OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.130.0.38     10.130.0.139    UP          port16          3/2
Local Diag: 0, Demand mode: no, Poll bit: unset
MinTxInt: 250, MinRxInt: 250, Multiplier: 3
Received: MinRxInt: 250 (ms), MinTxInt: 250 (ms),Multiplier: 3
Transmit Interval: 250 (ms), Detection Time: 750 (ms)
Rx Count: 38, Rx Interval (ms) min/max/avg 0/250/203 last 50 (ms) ago
Tx Count: 37, Tx Interval (ms) min/max/avg 0/250/205  last: 110 (ms) ago
Registered protocols: Static BGP


FG200P-1 (vdom2) # get ro info bgp summary
BGP router identifier 0.0.0.2, local AS number 65002
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.130.0.139    4      65001   42357   42373        0    0    0 03:04:34        0

Total number of neighbors 1

FG200P-1 (vdom1) # get ro info bgp summary
BGP router identifier 0.0.0.1, local AS number 65001
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.130.0.38     4      65002   42367   42364        0    0    0 03:04:41        0

Total number of neighbors 1

FG200P-1 (vdom1) # get router info bfd neighbor detail

OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.130.0.139    10.130.0.38     UP          port10          2/3
Local Diag: 0, Demand mode: no, Poll bit: unset
MinTxInt: 250, MinRxInt: 250, Multiplier: 3
Received: MinRxInt: 250 (ms), MinTxInt: 250 (ms),Multiplier: 3
Transmit Interval: 250 (ms), Detection Time: 750 (ms)
Rx Count: 4806, Rx Interval (ms) min/max/avg 0/1000000890/208132 last 80 (ms) ago
Tx Count: 449160, Tx Interval (ms) min/max/avg 0/5010/196  last: 200 (ms) ago
Registered protocols: Static BGP

BFD is blocked by a firewall between peers: BFD goes down while BGP goes down and comes back up

FG200P-1 (vdom1) # get ro info bgp summary
BGP router identifier 0.0.0.1, local AS number 65001
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.130.0.38     4      65002   42402   42399        0    0    0 00:22:27        0

Total number of neighbors 1

FG200P-1 (vdom1) # get router info bfd neighbor detail

OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.130.0.139    10.130.0.38     UP          port10          2/3
Local Diag: 0, Demand mode: no, Poll bit: unset
MinTxInt: 250, MinRxInt: 250, Multiplier: 3
Received: MinRxInt: 250 (ms), MinTxInt: 250 (ms),Multiplier: 3
Transmit Interval: 250 (ms), Detection Time: 750 (ms)
Rx Count: 6414, Rx Interval (ms) min/max/avg 0/1000000890/155514 last 30 (ms) ago
Tx Count: 451035, Tx Interval (ms) min/max/avg 0/5010/188  last: 100 (ms) ago
Registered protocols: Static BGP

FG200P-1 (vdom2) # get ro info bgp summary
BGP router identifier 0.0.0.2, local AS number 65002
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.130.0.139    4      65001   42392   42408        0    0    0 00:22:31        0

Total number of neighbors 1

FG200P-1 (vdom2) # get router info bfd  neighbor detail

OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.130.0.38     10.130.0.139    UP          port16          3/2
Local Diag: 0, Demand mode: no, Poll bit: unset
MinTxInt: 250, MinRxInt: 250, Multiplier: 3
Received: MinRxInt: 250 (ms), MinTxInt: 250 (ms),Multiplier: 3
Transmit Interval: 250 (ms), Detection Time: 750 (ms)
Rx Count: 1905, Rx Interval (ms) min/max/avg 0/1135750/882 last 60 (ms) ago
Tx Count: 2305, Tx Interval (ms) min/max/avg 0/5000/514  last: 80 (ms) ago
Registered protocols: Static BGP

==> In all of the examples above, BFD takes the previous state into account before communicating the state to the routing protocol.
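
A monitoring check for the condition this article demonstrates (a BGP session that stays established while its BFD session is down or missing), added here as an example and not Fortinet code. It parses the text of the two CLI outputs shown above; the function names and the embedded sample, trimmed from the vdom1 output of the first case, are this example's own.

```python
import re

# Constructed sample input: trimmed from the vdom1 output of the first case above.
BGP_SUMMARY = """\
Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.130.0.38     4      65002   42367   42364        0    0    0 03:04:41        0
"""
BFD_DETAIL = """\
OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.130.0.139    10.130.0.38     DOWN        port10          2/1
Local Diag: 1, Demand mode: no, Poll bit: unset
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_bgp(text):
    """Map neighbor IP -> True when the session is established.
    The last column is a prefix count when established, else a state name."""
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 10 and re.fullmatch(IP, fields[0]):
            peers[fields[0]] = fields[-1].isdigit()
    return peers

def parse_bfd(text):
    """Map neighbor IP -> (state, local diagnostic code)."""
    sessions, current = {}, None
    for line in text.splitlines():
        row = re.match(rf"{IP}\s+({IP})\s+(\w+)\s+\S+\s+\d+/\d+", line)
        diag = re.match(r"Local Diag:\s*(\d+)", line)
        if row:
            current = row.group(1)
            sessions[current] = (row.group(2).upper(), None)
        elif diag and current:
            sessions[current] = (sessions[current][0], int(diag.group(1)))
    return sessions

def audit(bgp_text, bfd_text):
    """List established BGP peers that have no BFD session in state UP."""
    bfd = parse_bfd(bfd_text)
    findings = []
    for peer, established in parse_bgp(bgp_text).items():
        state, diag = bfd.get(peer, ("ABSENT", None))
        if established and state != "UP":
            findings.append((peer, state, diag))
    return findings

if __name__ == "__main__":
    # RFC 5880 diagnostic 1 means "Control Detection Time Expired".
    print(audit(BGP_SUMMARY, BFD_DETAIL))
```

An empty BFD output, as seen on vdom2 while BFD was still disabled there, is reported as `ABSENT` for that peer.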
