Bidirectional Forwarding Detection (BFD) fails to establish a session when the transmit/receive hello intervals are set at very low values on traffic that is evaluated by a service-set. This article explains how to configure the firewall filter to skip the BFD packets from being evaluated by the service-set.
If the BFD traffic does not have to be NAT'd, we can create a service-filter so that the BFD traffic is not evaluated by the service-set, which avoids the added latency. In cases where BFD must be NAT'd, the minimum-interval may need to be increased if the stateful firewall is found to be the source of the latency.
By default, when you apply a service-set directly to an interface (an interface-style service set), all the traffic that arrives on that interface is sent to the service-set to be evaluated by the NAT rules.
Sending BFD packets through the service-set adds delay when the stateful firewall is busy, which can prevent the BFD session from being established, because BFD hello timers are very sensitive to latency.
BFD can fail to establish a session when the transmit/receive hello intervals are set to very low values on traffic that is evaluated by a service-set, for example with the following timers:
set protocols bgp group EBGP_TO_MAIN bfd-liveness-detection minimum-interval 50
set protocols bgp group EBGP_TO_MAIN bfd-liveness-detection multiplier 3
Configure the following firewall filter to prevent the BFD packets from being evaluated by the service-set:
USER@ROUTER# show firewall | display set
set firewall family inet service-filter BFD_SKIP term 1 from protocol udp
set firewall family inet service-filter BFD_SKIP term 1 from port 3784
set firewall family inet service-filter BFD_SKIP term 1 from port 4784
set firewall family inet service-filter BFD_SKIP term 1 then skip
set firewall family inet service-filter BFD_SKIP term 2 then service

USER@ROUTER# show interfaces lt-0/0/0 | display set | grep "service-set"
set interfaces lt-0/0/0 unit 2 family inet service input service-set PRIVATE_NAT service-filter BFD_SKIP
set interfaces lt-0/0/0 unit 2 family inet service output service-set PRIVATE_NAT service-filter BFD_SKIP
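The filter above only helps if it is attached in both directions and its skip term comes before the term that hands traffic to the service. The following Python script is an added audit example, not part of the article or of Junos: it parses `display set` output, finds every interface unit that applies a service-set, and reports units with no service-filter, with an undefined filter, or with a filter whose `skip` for UDP 3784/4784 (single-hop and multihop BFD control) does not precede a `then service` term. The two configuration dumps embedded in it are constructed samples; `BFD_SKIP`, `PRIVATE_NAT` and `lt-0/0/0` come from the article, `WRONG_ORDER` is invented for the failing case.

```python
"""Audit Junos 'display set' output for BFD traffic that would be evaluated by a service-set.

Added example (not the article's or Juniper's code). Works on the plain-text
'set ...' lines and makes no assumption about the implicit action of a
service-filter: a term that explicitly skips UDP 3784/4784 is required.
"""
import re

# BFD control ports: 3784 single-hop (RFC 5881), 4784 multihop (RFC 5883)
BFD_PORTS = {"3784", "4784"}

_FILTER_RE = re.compile(
    r"^set firewall family inet service-filter (\S+) term (\S+) (from|then) (.*)$")
_IFACE_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet service (input|output) (.*)$")


def parse_service_filters(lines):
    """Return {filter_name: {term_name: {'protocol', 'ports', 'action'}}}.

    Dict insertion order is term order of first appearance, which is the order
    Junos evaluates terms in 'display set' output.
    """
    filters = {}
    for line in lines:
        m = _FILTER_RE.match(line.strip())
        if not m:
            continue
        fname, tname, kind, rest = m.groups()
        term = filters.setdefault(fname, {}).setdefault(
            tname, {"protocol": set(), "ports": set(), "action": None})
        if kind == "from":
            key, _, value = rest.partition(" ")
            if key == "protocol":
                term["protocol"].add(value)
            elif key in ("port", "source-port", "destination-port"):
                term["ports"].add(value)
        else:
            term["action"] = rest.strip()
    return filters


def filter_skips_bfd(terms):
    """True if a term skipping UDP 3784 and 4784 precedes any 'then service' term."""
    for term in terms.values():
        if term["action"] == "skip":
            # No protocol match means the port match applies to UDP too.
            udp_ok = not term["protocol"] or "udp" in term["protocol"]
            if udp_ok and BFD_PORTS <= term["ports"]:
                return True
        elif term["action"] == "service":
            return False  # BFD reaches the service-set before any skip term
    return False


def parse_interface_services(lines):
    """Return {(ifl, direction): {'service_set', 'service_filter'}} for interface-style service sets."""
    result = {}
    for line in lines:
        m = _IFACE_RE.match(line.strip())
        if not m:
            continue
        ifd, unit, direction, rest = m.groups()
        entry = result.setdefault((f"{ifd}.{unit}", direction),
                                  {"service_set": None, "service_filter": None})
        tokens = rest.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok == "service-set":
                entry["service_set"] = tokens[i + 1]
            elif tok == "service-filter":
                entry["service_filter"] = tokens[i + 1]
    return result


def audit(config_text):
    """Return a list of human-readable findings; an empty list means BFD is skipped everywhere."""
    lines = config_text.splitlines()
    filters = parse_service_filters(lines)
    findings = []
    for (ifl, direction), svc in sorted(parse_interface_services(lines).items()):
        if svc["service_set"] is None:
            continue
        sf = svc["service_filter"]
        if sf is None:
            findings.append(f"{ifl} {direction}: service-set {svc['service_set']} has no "
                            "service-filter; BFD will be evaluated by the service-set")
        elif sf not in filters:
            findings.append(f"{ifl} {direction}: service-filter {sf} is referenced but not defined")
        elif not filter_skips_bfd(filters[sf]):
            findings.append(f"{ifl} {direction}: service-filter {sf} does not skip "
                            "UDP 3784/4784 before handing traffic to the service")
    return findings


# Constructed sample: the article's working configuration.
GOOD_CONFIG = """
set firewall family inet service-filter BFD_SKIP term 1 from protocol udp
set firewall family inet service-filter BFD_SKIP term 1 from port 3784
set firewall family inet service-filter BFD_SKIP term 1 from port 4784
set firewall family inet service-filter BFD_SKIP term 1 then skip
set firewall family inet service-filter BFD_SKIP term 2 then service
set interfaces lt-0/0/0 unit 2 family inet service input service-set PRIVATE_NAT service-filter BFD_SKIP
set interfaces lt-0/0/0 unit 2 family inet service output service-set PRIVATE_NAT service-filter BFD_SKIP
"""

# Constructed sample: skip term placed after the service term, and no filter on output.
BAD_CONFIG = """
set firewall family inet service-filter WRONG_ORDER term 1 then service
set firewall family inet service-filter WRONG_ORDER term 2 from protocol udp
set firewall family inet service-filter WRONG_ORDER term 2 from port 3784
set firewall family inet service-filter WRONG_ORDER term 2 from port 4784
set firewall family inet service-filter WRONG_ORDER term 2 then skip
set interfaces lt-0/0/0 unit 2 family inet service input service-set PRIVATE_NAT service-filter WRONG_ORDER
set interfaces lt-0/0/0 unit 2 family inet service output service-set PRIVATE_NAT
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, "->", audit(cfg) or ["OK: BFD skipped on every service-set interface"])
```

Feed it the output of `show configuration | display set` from the router to check every interface-style service set at once; it reports nothing for the article's configuration and two findings for the constructed broken one.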