How to troubleshoot BFD
Created On 10/04/23 05:06 AM - Last Modified 07/23/24 20:55 PM
Objective
To identify and resolve the cause of BFD session drops.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- BFD
Procedure
- Is the peer using a BFD RFC component that the Palo Alto firewall does not support? Refer to Non-Supported RFC Components of BFD for more information. The best way to determine this is to perform a packet capture, using Getting Started: Packet Capture as a guide.
- Identify possible resource depletion in the Palo Alto firewall.
  - If the firewall is monitored by Strata Cloud Manager (formerly known as AIOps), use How to identify high CPU, Packet Buffer, and Packet Descriptor in the firewall with Strata Cloud Manager.
  - For firewalls not monitored by Strata Cloud Manager, use the following steps:
    - Use HowTo Troubleshoot High Packet Buffer Or Packet Descriptors Usage to check whether the firewall has high data plane resource usage.
    - Determine if the data plane CPU utilization is high.
      - In the firewall's GUI, go to DASHBOARD > Widgets > System and click System Resources.
      - To resolve this issue, use How to Troubleshoot High DataPlane CPU.
    - Determine if the management plane CPU utilization is high.
      - In the firewall's GUI, go to DASHBOARD > Widgets > System and click System Resources.
      - To resolve this issue, use TIPS & TRICKS: Reducing Management Plane Load.
  - To minimize data plane (DP) load, the BFD session should ideally be offloaded by the firewall. However, Security Policy and Security Profiles prevent the session from being offloaded. To reduce the DP CPU load, refer to Tips & Tricks: How to Create an Application Override.
- Try to identify a possible interface issue using the following:
  - Does the firewall's BFD session flap intermittently with the "flow_bfd_tx_err" and "flow_bfd_tx_l2" error counters?
- Multi-hop BFD
  - Has the routing that BFD depends on flapped during the time of the incident? Check the age of the route.
    admin@Lab70-133-PA-3220> show routing route
    ----SNIPPED----
    destination      nexthop       metric flags age     interface   next-AS
    0.0.0.0/0        77.77.77.100  10     A S           ethernet1/1
    77.75.77.0/24    0.0.0.0       10     Oi    1387850 ethernet1/2
    77.75.77.0/24    77.75.77.133  0      A C           ethernet1/2
    77.75.77.133/32  0.0.0.0       0      A H
    77.77.77.0/24    0.0.0.0       10     Oi    138     ethernet1/1
    77.77.77.0/24    77.77.77.133  0      A C           ethernet1/1
- Decrease sensitivity by configuring a longer timer: go to Network > Network Profiles > BFD Profile.
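The route-age check under Multi-hop BFD can be scripted when the routing table is large. The following is an added example, not part of the original article or any Palo Alto tooling: it parses the "show routing route" rows shown above and lists the routes that were installed within a chosen window. It assumes the age column is in seconds; the names parse_routes and recently_changed and the 600-second window are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the output shown on this page (whitespace-separated columns).
SAMPLE = """\
destination nexthop metric flags age interface next-AS
0.0.0.0/0 77.77.77.100 10 A S ethernet1/1
77.75.77.0/24 0.0.0.0 10 Oi 1387850 ethernet1/2
77.75.77.0/24 77.75.77.133 0 A C ethernet1/2
77.75.77.133/32 0.0.0.0 0 A H
77.77.77.0/24 0.0.0.0 10 Oi 138 ethernet1/1
77.77.77.0/24 77.77.77.133 0 A C ethernet1/1
"""

@dataclass
class Route:
    destination: str
    nexthop: str
    metric: int
    flags: str
    age: Optional[int]        # None on rows that print no age (static, connected, host)
    interface: Optional[str]

def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        tok = line.split()
        # Skip the prompt, header and separator lines: keep "prefix nexthop metric ..."
        if len(tok) < 4 or "/" not in tok[0] or not tok[2].isdigit():
            continue
        rest = tok[3:]
        flags = []
        # Flag codes are short non-numeric tokens ("A", "S", "Oi", ...).
        while rest and len(rest[0]) <= 2 and not rest[0].isdigit():
            flags.append(rest.pop(0))
        # The age column is optional; assumed here to be in seconds.
        age = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        interface = rest.pop(0) if rest else None
        routes.append(Route(tok[0], tok[1], int(tok[2]), " ".join(flags), age, interface))
    return routes

def recently_changed(routes: List[Route], window_s: int) -> List[Route]:
    """Routes installed or re-installed within the last window_s seconds."""
    return [r for r in routes if r.age is not None and r.age <= window_s]

if __name__ == "__main__":
    for r in recently_changed(parse_routes(SAMPLE), window_s=600):
        print(f"{r.destination} via {r.interface} ({r.flags}) changed {r.age}s ago")
```

Set window_s to the number of seconds between the BFD flap and the time the command was run; a dynamic route whose age falls inside that window changed around the incident.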