topic BFP with OSPF graceful restart causing outages during failover in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/bfp-with-ospf-graceful-restart-causing-outages-during-failover/m-p/1235206#M6151 <P>Dear community!</P> <P>&nbsp;</P> <P>In a active/passive configuration with OSPF graceful restart and BFD enabled, when we do failover we experience a<SPAN>&nbsp;downtime 1 minute after the failover and it takes about 10 seconds to be fixed.</SPAN></P> <P><SPAN>Checking the logs it looks like the firewall builds the new BFD sessions with the core switch, but after 1 minute after the failover the FW rejects the BFD sessions and rebuild them.</SPAN></P> <P><SPAN>-&gt; Is this a normal behavior??</SPAN></P> <P>&nbsp;</P> <P><SPAN>Fortinet recommends not to use graceful restart with BFD for both OSPF and BGP.<BR /><A href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-BFD-with-Graceful-Restart-on-FortiGate/ta-p/247154" target="_blank">https://community.fortinet.com/t5/FortiGate/Technical-Tip-BFD-with-Graceful-Restart-on-FortiGate/ta-p/247154</A></SPAN></P> <P><SPAN><BR />Palo Alto only recommends not to use it with BGP but I couldnĀ“t find any reference to OSPF:</SPAN></P> <P><SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols#id9d612915-3bfe-42ef-927f-b0ec260b9a5f" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols#id9d612915-3bfe-42ef-927f-b0ec260b9a5f</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards!</SPAN></P> Fri, 01 Aug 2025 11:58:25 GMT Carracido 2025-08-01T11:58:25Z BFP with OSPF graceful restart causing outages during failover https://live.paloaltonetworks.com/t5/next-generation-firewall/bfp-with-ospf-graceful-restart-causing-outages-during-failover/m-p/1235206#M6151 <P>Dear community!</P> <P>&nbsp;</P> <P>In a active/passive configuration with OSPF graceful restart and BFD enabled, when we do failover we experience a<SPAN>&nbsp;downtime 1 minute after the failover and it takes about 10 seconds to be fixed.</SPAN></P> <P><SPAN>Checking the logs it looks like the firewall builds the new BFD sessions with the core switch, but after 1 minute after the failover the FW rejects the BFD sessions and rebuild them.</SPAN></P> <P><SPAN>-&gt; Is this a normal behavior??</SPAN></P> <P>&nbsp;</P> <P><SPAN>Fortinet recommends not to use graceful restart with BFD for both OSPF and BGP.<BR /><A href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-BFD-with-Graceful-Restart-on-FortiGate/ta-p/247154" target="_blank">https://community.fortinet.com/t5/FortiGate/Technical-Tip-BFD-with-Graceful-Restart-on-FortiGate/ta-p/247154</A></SPAN></P> <P><SPAN><BR />Palo Alto only recommends not to use it with BGP but I couldnĀ“t find any reference to OSPF:</SPAN></P> <P><SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols#id9d612915-3bfe-42ef-927f-b0ec260b9a5f" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols#id9d612915-3bfe-42ef-927f-b0ec260b9a5f</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards!</SPAN></P> Fri, 01 Aug 2025 11:58:25 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/bfp-with-ospf-graceful-restart-causing-outages-during-failover/m-p/1235206#M6151 Carracido 2025-08-01T11:58:25Z Re: BFP with OSPF graceful restart causing outages during failover https://live.paloaltonetworks.com/t5/next-generation-firewall/bfp-with-ospf-graceful-restart-causing-outages-during-failover/m-p/1235345#M6155 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/24977">@Carracido</a>&nbsp;,</P> <P>&nbsp;</P> <P>The conflict between Graceful Restart (GR) and Bidirectional Forwarding Detection (BFD) is an architectural issue that applies to any dynamic routing protocol. It is not specific to OSPF or BGP.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The problem arises during an HA failover or any event that causes a brief disruption. BFD, being extremely fast, will detect the disruption and tear down the session with the peer device.&nbsp;<SPAN class="citation-30 citation-end-30">This rapid action from BFD overrides the slower process of Graceful Restart.</SPAN>&nbsp;This can lead to the routing tables being flushed and an extended outage, exactly as you described</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>In summary, the problem is not tied to the specific routing protocol (OSPF, BGP, etc.) but rather to the conflicting nature of BFD and GR. They are designed for different types of failures, and when both are active, BFD's speed typically overrides GR's grace period, leading to the kind of extended downtime you are seeing.</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Mon, 04 Aug 2025 11:49:01 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/bfp-with-ospf-graceful-restart-causing-outages-during-failover/m-p/1235345#M6155 kiwi 2025-08-04T11:49:01Z