BFD Not Coming Up Over CGNAT Configured Interfaces

Bidirectional Forwarding Detection (BFD) fails to establish a session when the transmit/receive hello intervals are set at very low values on traffic that is evaluated by a service-set. This article explains how to configure the firewall filter to skip the BFD packets from being evaluated by the service-set.

If the BFD traffic does not need to be NAT'd, create a service-filter so that the BFD traffic is not evaluated by the service-set and so avoids any latency the service-set might add. In cases where BFD must be NAT'd, the BFD minimum-interval may need to be increased if the stateful firewall is found to be the source of the latency.

By default, when you apply a service-set on an interface (known as an interface-style service set), all the traffic that hits that interface is sent to the service-set to be evaluated by the NAT rule.
Sending BFD packets through the service-set introduces a delay when the stateful firewall is busy, which can prevent the BFD session from being established, since the BFD hello timers are very sensitive to delay.

BFD can fail to establish the session when the transmit/receive hello intervals are set at very low interval values on traffic that is evaluated by a service-set.

Configure the following firewall filter to prevent the BFD packets from being evaluated by the service-set:
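The article's own filter is not present on this page. As an added illustration of the approach it describes, the following Junos configuration defines a service-filter that skips BFD control packets and sends everything else into the service-set. The service-set name CGNAT-SS, the interface ge-0/0/0.0 and the filter name BFD-BYPASS are assumed for this example; the UDP destination ports are the IANA-assigned ones for single-hop BFD (3784, RFC 5881) and multihop BFD (4784, RFC 5883).

```junos
/* Added example, not the article's configuration. Names CGNAT-SS,
   ge-0/0/0.0 and BFD-BYPASS are assumed placeholders. */
firewall {
    family inet {
        service-filter BFD-BYPASS {
            /* Single-hop BFD control packets (UDP 3784) bypass the service-set */
            term BFD-SINGLEHOP {
                from {
                    protocol udp;
                    destination-port 3784;
                }
                then skip;
            }
            /* Multihop BFD control packets (UDP 4784) bypass the service-set */
            term BFD-MULTIHOP {
                from {
                    protocol udp;
                    destination-port 4784;
                }
                then skip;
            }
            /* Everything else is still evaluated by the NAT rules */
            term EVERYTHING-ELSE {
                then service;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set CGNAT-SS service-filter BFD-BYPASS;
                    }
                    output {
                        service-set CGNAT-SS service-filter BFD-BYPASS;
                    }
                }
            }
        }
    }
}
```

The filter is attached in both directions so that neither the locally originated nor the received BFD packets traverse the service-set. After committing, `show bfd session` should show the session reaching Up state; if it still flaps, the remaining latency lies outside the service-set path and the BFD minimum-interval is the next setting to revisit. Note that packets skipped this way are not NAT'd, so this only fits deployments where the BFD peer is reachable with the interface's own address.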


About the author

Prasanna
