Preventing Flapping Routes from being Advertised in BGP using D... - Knowledge Base - Palo Alto Networks

Preventing Flapping Routes from being Advertised in BGP using Dampening Profiles

59499

Created On 09/25/18 17:42 PM - Last Modified 06/02/22 21:12 PM

BGP

Deployment

PAN-OS

Symptom

In an unstable network, the routes can flap.
If these routes are advertised in BGP, the BGP routes also flap which can result in the active re-convergence of other stable networks advertised in BGP.
It is not a good practice to advertise flapping route to neighbor as it sacrifices the route convergence time for generally well behaved and stable routes.
Flapping may cause the peering to be lost and creates unwanted outage and traffic drops.
Flapping may also cause serious performance degradation as it consumes valuable CPU cycles.

Environment

Palo Alto Firewall.
Supported PAN-OS
BGP configured

Cause

Dampening Profiles have not been configured on the firewall
No optimal connection options

Resolution

Verify that the firewall has Dampening Profiles configured. Dampening Profiles on the Palo Alto Networks device is configured under:

Go to GUI: Network > Virtual Routers > BGP > Advanced > Dampening Profiles.
Click Add and enable the profile.

Type in a Name and add the desired values. Default values of the Palo Alto Networks firewall is shown below.

Click OK

Click OK again and "Commit" the configuration

By configuring a Dampening Profile, when a route flap based upon the configured threshold values occurs, the route will be completely suppressed and a route update is not sent to its BGP peers. This results in no convergence.

Details of the Parameters of Dampening Profile are listed below:

The Cutoff value is expressed as the maximum number of route flaps that can occur before a route update will be suppressed.
The Reuse value is expressed as a minimum number of route flaps which need to occur in order to re-install a suppressed route back in the routing update. The reuse value must be always be less than the cutoff value.
The Max Hold Time is the maximum amount of time the route can be suppressed no matter how many times it flapped and became unstable earlier.
The Decay Half Life Reachable value specifies the time duration in minutes after which a routes stability metric is halved if the route is considered reachable.
The Decay Half Life Unreachable value specifies the time duration in minutes after which a routes stability metric is halved if the route is considered un-reachable.

Additional Information

To check if optimal connection options are specified on the firewall, go to
GUI: Network > Virtual Routers > Peer Group.
Click Add > (name) > Add > Connection Options

The Keep Alive Interval specifies an interval after which routes from a peer are suppressed according to the hold time setting.
The Open Delay Time specifies the delay time between opening the peer TCP connection and sending the first BGP open message.
The Hold Time specifies the period of time that may elapse between successive KEEPALIVE or UPDATE messages from a peer before the peer connection is closed.
Idle Hold Time specifies the time to wait in the idle state before retrying connection to the peer.

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)