I have a virtual wire configuration, on an active-passive firewall cluster, where I am running a routing protocol through the virtual wire, with BFD (Bidirectional Forwarding Detection) attached to that routing protocol. In virtual wire mode, the firewall is NOT participating in the routing protocol, and the firewall does not participate in BFD itself either. It only allows BFD to pass through the firewall.
In the event that the routing protocol fails to have good connectivity through the firewall, I want to use BFD such that I can play routing tricks on the upstream and downstream routers, to force a failover condition.
It works well, except that sometimes the firewall is dropping BFD traffic when it gets loaded down, and a failover condition is prematurely triggered. Is there a mechanism by which the firewall can be configured to allow BFD traffic to pass through unmolested? Is there some way to whitelist BFD, or put in some type of exception, for the IP addresses that actually do participate in BFD?
If the firewall's VW link is being overloaded to the point where it can't keep up with traffic, causing traffic to be dropped, there isn't any point in asking the firewall to process a subset of traffic differently. You will still run into drops, as the firewall interfaces can't keep up with the flow of traffic.
Now if I'm understanding that wrong and the interface itself can keep up with the flow of traffic, but the firewall isn't processing things fast enough, you might want to make sure that your BFD packets aren't attempting to be inspected by the firewall.
If we assume the defaults of destination port udp/6784, you can build a special policy that allows this traffic between BFD participants without any sort of profile setting. Bonus points for configuring an application-override policy to stop layer-7 inspection of the traffic. This will essentially allow the traffic through "unmolested" and the firewall won't attempt to do any sort of inspection on the packet.
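The two rules described in the reply above, written out as PAN-OS set commands. This is an added example, not configuration from the original post or from Palo Alto Networks. Zone names (vw-a, vw-b), the two router addresses (192.0.2.1 and 192.0.2.2), the address-object names, and the rule and custom-application names are placeholders. It uses UDP 3784, the single-hop BFD control port defined by RFC 5881 (echo is 3785; multihop BFD per RFC 5883 uses 4784), rather than the port quoted in the reply; confirm which port your routers actually use with a packet capture before committing. The override rule points at a custom application rather than the predefined App-ID, and the knob names are from memory, so verify them with tab completion on your release. Lines beginning with # are annotations, not CLI input.

```text
# Custom application for the override rule (assumed name bfd-passthru)
set application bfd-passthru category networking
set application bfd-passthru subcategory routing
set application bfd-passthru technology network-protocol
set application bfd-passthru risk 1
set application bfd-passthru default port udp/3784

# Address objects for the two BFD peers (placeholder addresses)
set address rtr-a ip-netmask 192.0.2.1/32
set address rtr-b ip-netmask 192.0.2.2/32

# Application override: match on protocol/port, skip App-ID and L7 inspection
set rulebase application-override rules BFD-Override from [ vw-a vw-b ]
set rulebase application-override rules BFD-Override to [ vw-a vw-b ]
set rulebase application-override rules BFD-Override source [ rtr-a rtr-b ]
set rulebase application-override rules BFD-Override destination [ rtr-a rtr-b ]
set rulebase application-override rules BFD-Override protocol udp
set rulebase application-override rules BFD-Override port 3784
set rulebase application-override rules BFD-Override application bfd-passthru

# Security rule: allow only the overridden app between the two peers,
# with no security profiles attached (no profile-setting is configured)
set rulebase security rules Allow-BFD from [ vw-a vw-b ]
set rulebase security rules Allow-BFD to [ vw-a vw-b ]
set rulebase security rules Allow-BFD source [ rtr-a rtr-b ]
set rulebase security rules Allow-BFD destination [ rtr-a rtr-b ]
set rulebase security rules Allow-BFD source-user any
set rulebase security rules Allow-BFD application bfd-passthru
set rulebase security rules Allow-BFD service application-default
set rulebase security rules Allow-BFD action allow
set rulebase security rules Allow-BFD log-start no
set rulebase security rules Allow-BFD log-end yes

# Place both rules above any broader rules so BFD matches them first
move rulebase application-override rules BFD-Override top
move rulebase security rules Allow-BFD top
commit

# Check: live BFD sessions should now show the overridden application
show session all filter application bfd-passthru
```

Scoping both rules to the two peer addresses keeps the override from silently turning any other UDP/3784 traffic into an uninspected flow; if a session for the peers still shows the predefined App-ID instead of the custom one, the override rule is not matching and the port or zones are wrong.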
I was able to configure a BFD application-override policy, but I am still seeing my BFD sessions passing through the box getting clobbered. These are fairly brief hits, whereby traffic is not passing through the box.
I searched through the traffic logs, and I am seeing holes where the firewall is not recording any traffic for up to 20 seconds, before returning back to normal.
If you have any other suggestions as to what might help me to better manage resource overruns, that will give my BFD traffic better treatment, please let me know. It looks like some type of buffering issue.
So, the BFD application-override policy was not enough to keep BFD from getting prematurely disrupted.
I had to configure Packet Buffer Protection, on all of the interfaces, in order to conserve resources, to keep BFD up and running through the box.
set zone <zone-name> network enable-packet-buffer-protection yes
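The per-zone command above only takes effect once Packet Buffer Protection is enabled and given thresholds globally. Below is an added example, not configuration from the original post or from Palo Alto Networks, showing the global settings alongside the per-zone enable, plus the commands to watch buffer pressure while reproducing the load. Zone names (vw-a, vw-b) and the threshold values are placeholders; the global knob names are as I recall them from the PAN-OS CLI and should be confirmed with tab completion on your release. Lines beginning with # are annotations, not CLI input.

```text
# Global Packet Buffer Protection thresholds
# (GUI: Device > Setup > Session > Packet Buffer Protection)
# alert: log when buffer use passes this percentage
# activate: start discarding/blocking the sessions consuming the most buffer
# block-hold-time: seconds a source must stay abusive before it is blocked
# block-duration: seconds a blocked source stays blocked
set deviceconfig setting session packet-buffer-protection-enable yes
set deviceconfig setting session packet-buffer-protection-alert 50
set deviceconfig setting session packet-buffer-protection-activate 80
set deviceconfig setting session packet-buffer-protection-block-hold-time 60
set deviceconfig setting session packet-buffer-protection-block-duration 3600

# Per-zone enable; every zone the BFD peers sit in needs it
set zone vw-a network enable-packet-buffer-protection yes
set zone vw-b network enable-packet-buffer-protection yes
commit

# Watch packet buffer and dataplane utilization per second while loading the box
show running resource-monitor second last 60

# Drop counters since the last run of the command; buffer-related drops show up here
show counter global filter severity drop delta yes

# Session-level settings and utilization, including the current PBP state
show session info
```

The feature acts on the sessions and sources that are consuming the most buffer, which is why a low-volume flow like BFD benefits: the bulk sessions get throttled or blocked and the small one keeps its place. Correlate the resource-monitor output with the gaps in the traffic log to confirm the holes line up with buffer exhaustion rather than with the interface itself being saturated.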