Unable to Achieve Sub-Second Failover Times with BGP for Active-Passive Configuration

• It is expected that when failing over from the active to the passive device, the failover should be seamless and not have any traffic drops.
• But upon failing over the cluster, the BGP connection on the active device goes down and the new active device establishes the BGP connectivity with the peer.
• The neighbor (peer) and the new active device advertise the BGP routes between themselves.
• During the time that the peer and the new active device have an established BGP connection, there is an outage and traffic gets dropped because the routes do not yet exist on the routing table.

• Palo Alto Firewalls
• Supported PAN-OS.
• High Availability (Active / Passive) Configured
• BGP failover

• Graceful restart has not been configured on both the firewalls of the cluster, and the peer.
• Routes have not been synchronized on the cluster members

1. Go to GUI: Network > Virtual Routers > BGP > Advanced > Graceful Restart

2. Enable the “Graceful Restart” checkbox and configure the timers to match with the peer configuration
3. Configure the peer device with Graceful restart feature with similar settings.
4. The command "show routing fib" can be used on Firewall to verify the route synchronization between the members of the cluster.

When the restarting router opens the new BGP session, it will again send BGP capability 64 to its peers. But this time, flags will be set in the graceful restart capabilities exchange to let the peer router know that the BGP process has restarted.