sfernando
Staff
Article Id 292053
Description: In a complex ADVPN environment with SD-WAN enabled, multiple links are used to make sure the network stays up at all times. During a failover from one link to another, and during the recovery back, the time taken for traffic to normalize can be significant, especially in a critical production environment. This article describes the BGP and IPsec timers that determine that time.
Scope

In an ADVPN/SD-WAN deployment, the two main components that govern the setup are BGP and IPsec.

IPsec provides the overlay network and the connectivity to the branches (spokes); BGP is responsible for routing traffic from one location to another. Both BGP and IPsec have timers that can be adjusted to make link failover and recovery quicker.

Solution

Below are the timers that can be adjusted and what each one controls.

On BGP:

Spoke1 (bgp) # sh full
config router bgp
    set keepalive-timer 60    <----- Default value.
    set holdtime-timer 180    <----- Default value.
    config neighbor
        edit "172.17.201.1"
            set advertisement-interval 30    <----- Default value.
            set connect-timer 4294967295     <----- Default value.
            set link-down-failover disable   <----- Default value.

Keepalive and hold timers: see K77441326: Overview of BGP timers.
Advertisement interval: see K77441326: Overview of BGP timers.
connect-timer: how long, in seconds, the FortiGate keeps trying to reach this neighbor before declaring it offline.
link-down-failover: by default, when an overlay link goes down, the FortiGate waits for the BGP timers to expire before the neighborship is declared down. Enabling this option under the neighbor brings the BGP peer down immediately when the link goes down.

 

On IPSEC:

Spoke1 (phase1-interface) # sh full
config vpn ipsec phase1-interface
    edit "Spoke1-MPLS"
        set dpd-retrycount 3        <----- Default value.
        set dpd-retryinterval 20    <----- Default value.

dpd-retrycount: the number of DPD attempts made before the tunnel is declared down.
dpd-retryinterval: the interval, in seconds, after which a DPD probe is attempted again.

By reducing these timers, a failed tunnel is detected and brought down sooner, so traffic can move to the redundant tunnel more quickly.

Note:

When reducing these timers, be mindful not to set them too low, as that can cause frequent flapping of tunnels and BGP sessions.

Hence, make sure the reduced timers do not affect the normal operation of the IPsec tunnels and BGP peers.
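The following is an added example, not part of this article or of FortiOS: a small model of how the BGP and DPD timers above combine into an effective detection time, with a check for values that invite the flapping the note warns about. The defaults are the ones shown in the article; the DPD arithmetic (retry count multiplied by retry interval) and the flap thresholds (hold time of at least three times the keepalive, at least two DPD retries, probes no closer than 5 seconds) are this example's assumptions, not FortiOS limits.

```python
"""Model of how the BGP and IPsec DPD timers from this article combine into
an effective failover detection time, plus a check for settings likely to
flap.  Constructed example: the arithmetic models the timer behaviour and
is not a FortiOS measurement."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Timers:
    # FortiOS defaults as shown in the article.
    keepalive: int = 60               # router bgp: keepalive-timer (seconds)
    holdtime: int = 180               # router bgp: holdtime-timer (seconds)
    dpd_retrycount: int = 3           # phase1-interface: dpd-retrycount
    dpd_retryinterval: int = 20       # phase1-interface: dpd-retryinterval (s)
    link_down_failover: bool = False  # bgp neighbor: link-down-failover


def bgp_detect_seconds(t: Timers, interface_down: bool = False) -> int:
    """Seconds until BGP declares the neighbor down.

    Without link-down-failover the session survives until the hold timer
    expires.  With it enabled, and the overlay interface itself going down,
    the peer is torn down immediately; if the interface stays up but the
    path is dead, the hold timer still applies.
    """
    if t.link_down_failover and interface_down:
        return 0
    return t.holdtime


def dpd_detect_seconds(t: Timers) -> int:
    """Approximate seconds until DPD declares the tunnel dead.

    Assumption of this model: each probe waits dpd-retryinterval for a reply
    and the tunnel is declared dead after dpd-retrycount unanswered probes.
    """
    return t.dpd_retrycount * t.dpd_retryinterval


def failover_seconds(t: Timers, interface_down: bool = False) -> int:
    """Traffic moves to the redundant tunnel as soon as either mechanism
    fires, so the effective detection time is the smaller of the two."""
    return min(bgp_detect_seconds(t, interface_down), dpd_detect_seconds(t))


def flap_warnings(t: Timers) -> list[str]:
    """Settings likely to cause flapping rather than fast failover.

    Thresholds are assumptions of this example, not FortiOS limits: the usual
    BGP convention is holdtime >= 3 x keepalive; a single DPD probe, or
    probes only a few seconds apart, react to ordinary jitter as if the peer
    were dead.
    """
    warnings = []
    if t.holdtime < 3 * t.keepalive:
        warnings.append(
            f"holdtime {t.holdtime}s < 3 x keepalive {t.keepalive}s: "
            "fewer than three missed keepalives tear down the session")
    if t.dpd_retrycount < 2:
        warnings.append("dpd-retrycount < 2: one lost DPD probe kills the tunnel")
    if t.dpd_retryinterval < 5:
        warnings.append(
            f"dpd-retryinterval {t.dpd_retryinterval}s: probe spacing below "
            "5s reacts to transient jitter")
    return warnings


if __name__ == "__main__":
    # Constructed scenarios: the article's defaults, a moderate tuning, and
    # an over-aggressive one that the flap check should flag.
    scenarios = {
        "defaults": Timers(),
        "tuned": Timers(keepalive=10, holdtime=30, dpd_retryinterval=5,
                        link_down_failover=True),
        "too aggressive": Timers(keepalive=20, holdtime=30,
                                 dpd_retrycount=1, dpd_retryinterval=2),
    }
    for name, t in scenarios.items():
        print(f"{name:15} BGP {bgp_detect_seconds(t):>4}s  "
              f"DPD {dpd_detect_seconds(t):>3}s  "
              f"failover {failover_seconds(t):>3}s  warnings={flap_warnings(t)}")
```

With the defaults, DPD (60 s) fires well before the BGP hold timer (180 s), so lowering only the BGP timers does not speed up failover unless they drop below the DPD detection time; the flap check flags the over-aggressive scenario on all three counts.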
