Hi, I do not know if the problem is still relevant for you, but I encountered the same issue and found a fix recently. If a device switches into the state Tentative, we encounter almost no outage. But when failing back, we have about 5 seconds of connectivity loss. This happens right after the OSPF Link State Databases have been fully exchanged between the firewall and the connected router. I found out that we don't simply encounter traffic loss, but a TTL exceeded error for packets routed towards the firewall.

Here is what happens: When the firewall becomes active, it establishes OSPF connectivity with the router. After the LS Databases are fully exchanged, the router instantly recalculates the new best paths and installs them in its routing table. It will learn that the Palo Alto is the new best next hop for certain networks and will start to send packets to the firewall. The Palo Alto, on the other hand, does not instantly recalculate the best paths! By default, it will wait 5 seconds before starting the SPF process. Within this time frame, the router will route packets towards the firewall while the firewall will route packets to wherever it deems best based on the old routing table. In our case, this meant sending it back to the router.

You can change this SPF calculation delay in the OSPF settings. With this setting, the failback only causes about 1 second of outage.
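The transient loop described in the post, modelled as an added example that is not part of the original post or of any vendor code: the router R re-converges as soon as the LSDBs are synchronised, while the firewall FW keeps its stale table until its SPF delay elapses, so every packet bounces between the two until its TTL hits zero. The prefix, node names, TTL and timings are constructed assumptions.

```python
"""Toy model of the fail-back routing loop: R converges immediately,
FW waits spf_delay seconds before running SPF and meanwhile still
points the prefix back at R. All values are constructed for illustration."""

from dataclasses import dataclass

DEST = "10.0.0.0/24"   # constructed prefix that lives behind the firewall


@dataclass
class Node:
    name: str
    routes: dict  # prefix -> next-hop node name ("LOCAL" = delivered here)


def build_topology(t: float, spf_delay: float) -> dict:
    """Routing tables as they look t seconds after LSDB synchronisation."""
    router = Node("R", {DEST: "FW"})              # R already re-converged
    if t < spf_delay:
        fw = Node("FW", {DEST: "R"})              # stale table: back to R
    else:
        fw = Node("FW", {DEST: "LOCAL"})          # SPF ran: prefix is local
    return {"R": router, "FW": fw}


def forward(t: float, spf_delay: float, ttl: int = 64) -> tuple:
    """Forward one packet from R toward DEST. Returns (outcome, hops)."""
    nodes = build_topology(t, spf_delay)
    current, hops = "R", 0
    while True:
        nxt = nodes[current].routes[DEST]
        if nxt == "LOCAL":
            return "delivered", hops
        ttl -= 1                # each forwarding hop decrements the TTL
        hops += 1
        if ttl == 0:
            return "ttl-exceeded", hops   # ICMP Time Exceeded goes back to R
        current = nxt


def outage_window(spf_delay: float, step: float = 0.25) -> float:
    """Seconds during which packets from R are lost after fail-back."""
    lost, t = 0.0, 0.0
    while t < spf_delay + 2:
        if forward(t, spf_delay)[0] != "delivered":
            lost += step
        t += step
    return lost
```

`outage_window(5)` reproduces the roughly 5 second loss the post describes, while `outage_window(1)` shows the shorter window after lowering the SPF delay.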