In an active/passive high availability environment, OSPF graceful restart does not work as expected during the HA failover, so the OSPF neighbor terminates the adjacency and initiates a new adjacency process after the HA failover event.
Diagnosis
In an active/passive environment where customers run OSPF with the graceful restart feature enabled, OSPF graceful restart directs OSPF neighbors to continue using routes through the device during the short transition, caused by the high availability failover, in which it is out of service. This increases network stability by reducing the frequency of routing table reconfiguration and the related route flapping that can occur during short periodic down times.
How graceful restart works
When the firewall is down for a short period of time or is unavailable for short intervals, it sends grace LSAs (LSA type 9) to its OSPF neighbors. Upon receiving the grace LSAs, the neighbor continues to forward routes through the firewall and to send LSAs that announce routes through the firewall. If the firewall resumes operation, or the passive device changes its state to active, before the grace period or the neighbor's max restart time expires, traffic forwarding continues as before without network disruption. If the firewall does not resume operation or there is an issue in the HA failover, then once the grace period or the neighbor's max restart time has expired, the neighbors exit helper mode and resume normal operation, which involves reconfiguring the routing table to bypass the firewall.
Here is a sample packet capture:
Sometimes, even though OSPF graceful restart is configured on the Palo Alto Networks devices, users notice traffic disruption during the HA failover because no route is available to forward the traffic.
Resolution
OSPF neighbors must be configured with graceful restart helper mode. If helper mode is not configured on the neighboring devices, they will reject the grace LSA and it will not be processed.
In order to have OSPF graceful restart work correctly, enable graceful restart and graceful helper mode on both local and neighboring devices.
Please follow the steps below to configure graceful restart.
From the GUI:
Go to Network.
Select the appropriate virtual router.
Enable OSPF.
Choose Advanced, enable "Graceful Restart" and commit the changes.
From the CLI:
Run these commands:
admin@PA-Firewall> configure
Entering configuration mode
[edit]
admin@PA-Firewall# set network virtual-router default protocol ospf graceful-restart enable yes
admin@PA-Firewall# commit
When graceful helper mode is configured and the OSPF neighbor is down for a short period of time or is unavailable for short intervals, the OSPF neighbor sends a grace LSA to the firewall. Upon receiving the grace LSA, the firewall enters helper mode and maintains the OSPF Full state with the neighbor until the grace period or the neighbor's max restart time expires.
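As an added example (not from this article or from Palo Alto Networks), the following Python script builds a constructed grace LSA of the kind described above (RFC 3623: OSPFv2 opaque LSA, LS type 9, opaque type 3), decodes its TLVs the way a helper would, and computes when the helper leaves helper mode given the advertised grace period and its own max restart time; all addresses and timer values are constructed sample values.

```python
import socket
import struct
from dataclasses import dataclass

# RFC 3623 grace-LSA: OSPFv2 opaque LSA, LS type 9 (link-local scope), opaque type 3.
GRACE_PERIOD_TLV, RESTART_REASON_TLV, IFACE_ADDR_TLV = 1, 2, 3

@dataclass
class GraceLSA:
    advertising_router: str
    grace_period: int    # seconds the helper should keep the adjacency in Full state
    restart_reason: int  # 0 unknown, 1 sw restart, 2 reload/upgrade, 3 switch to redundant control processor
    iface_addr: str

def tlv(t: int, payload: bytes) -> bytes:
    # The length field counts only the payload; the value is padded to a 4-byte boundary.
    return struct.pack("!HH", t, len(payload)) + payload + b"\0" * (-len(payload) % 4)

def build_grace_lsa(adv_router: str, grace_period: int, reason: int, iface_addr: str) -> bytes:
    """Build a constructed grace-LSA (sample input, not a real capture)."""
    body = (tlv(GRACE_PERIOD_TLV, struct.pack("!I", grace_period))
            + tlv(RESTART_REASON_TLV, bytes([reason]))
            + tlv(IFACE_ADDR_TLV, socket.inet_aton(iface_addr)))
    # 20-byte LSA header: age, options, type, link-state ID (opaque type << 24 | opaque ID), adv router, seq, checksum (0 here), length
    header = struct.pack("!HBBIIiHH", 0, 0x02, 9, 3 << 24,
                         struct.unpack("!I", socket.inet_aton(adv_router))[0],
                         -0x7FFFFFFF, 0, 20 + len(body))  # seq 0x80000001 = initial sequence number
    return header + body

def parse_grace_lsa(data: bytes) -> GraceLSA:
    """Decode the TLVs of a grace-LSA, rejecting anything that is not LS type 9 / opaque type 3."""
    _age, _opts, ls_type, ls_id, adv, _seq, _cksum, length = struct.unpack("!HBBIIiHH", data[:20])
    if ls_type != 9 or (ls_id >> 24) != 3:
        raise ValueError("not a grace-LSA: need LS type 9 and opaque type 3")
    fields, off = {}, 20
    while off + 4 <= length:
        t, l = struct.unpack("!HH", data[off:off + 4])
        val = data[off + 4:off + 4 + l]
        if t == GRACE_PERIOD_TLV:
            fields["grace_period"] = struct.unpack("!I", val)[0]
        elif t == RESTART_REASON_TLV:
            fields["restart_reason"] = val[0]
        elif t == IFACE_ADDR_TLV:
            fields["iface_addr"] = socket.inet_ntoa(val)
        off += 4 + (l + 3) // 4 * 4  # skip the padded value
    return GraceLSA(socket.inet_ntoa(struct.pack("!I", adv)), **fields)

def helper_exit_time(lsa: GraceLSA, received_at: int, max_restart_time: int, helper_enabled: bool = True):
    """Helper mode ends when the grace period or the helper's own max restart time expires, whichever is first; with helper mode disabled the LSA is not processed (None)."""
    return None if not helper_enabled else received_at + min(lsa.grace_period, max_restart_time)
```

Restart reason 3 is the one a control-plane switchover such as an HA failover is expected to advertise, and helper_exit_time returning None models the neighbor that has no helper mode configured and therefore ignores the grace LSA.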
Please follow the steps below to configure graceful helper mode.
From the GUI:
Go to Network.
Select the appropriate Virtual Router.
Enable OSPF.
Choose Advanced, enable "Helper Mode" and commit the changes.
From the CLI:
admin@PA-Firewall> configure
Entering configuration mode
[edit]
admin@PA-Firewall# set network virtual-router default protocol ospf graceful-restart helper-enable yes
admin@PA-Firewall# commit