Netgate Discussion Forum

    FRR BGP Config example request.

    • Heimire

      Hey,

      I am trying to make FRR BGP work for us.
      It works but I think we are seeing a long fail over time.

      If I reboot the primary it can take 2 minutes before we get connectivity again.

      Or if I disable CARP on primary the connection goes down for 8 seconds then comes back up for some seconds, goes back down for 9 seconds then comes up again.
      The seconds vary.

      We are in a data center with 2 connections to the cabinet.
      A /29 for each firewall. 
      FRR is running on both.

      I am not sure if I can do anything about speeding up the fail over.

      I feel like I am missing the obvious but not sure where to look.
      Any suggestions?

      BGP configuration primary.
      ##################### DO NOT EDIT THIS FILE! ######################
      ###################################################################
      # This file was created by an automatic configuration generator.  #
      # The contents of this file will be overwritten without warning!  #
      ###################################################################
      password Super.1346
      log syslog

      # BGP Config

      router bgp 18599
        bgp log-neighbor-changes
        bgp router-id 64.9.133.18
        timers bgp 6 20
        address-family ipv4 unicast
        network 168.245.135.0/24
        exit-address-family

      # BGP Neighbors
        neighbor 64.9.133.17 remote-as 3900
        neighbor 64.9.133.17 description Primary Datafoundry
        address-family ipv4 unicast
          neighbor 64.9.133.17 activate
          no neighbor 64.9.133.17 send-community
          neighbor 64.9.133.17 next-hop-self
          neighbor 64.9.133.17 soft-reconfiguration inbound
        exit-address-family
        neighbor 64.9.133.25 remote-as 3900
        neighbor 64.9.133.25 description Backup Datafoundry
        address-family ipv4 unicast
          neighbor 64.9.133.25 activate
          no neighbor 64.9.133.25 send-community
          neighbor 64.9.133.25 next-hop-self
          neighbor 64.9.133.25 soft-reconfiguration inbound
        exit-address-family

      ![carp bgp with 29 subnet version 1.jpg](/public/imported_attachments/1/carp bgp with 29 subnet version 1.jpg)

      • Derelict (Netgate)

        You have WAN1 active on the primary and WAN2 active on the secondary with CARP VIPs on them?

        If so that is an unsupported HA configuration. pfSense does not support ACTIVE/ACTIVE failover.

        WAN1 and WAN2 should be active on both nodes with the CARP VIPs active on both WANs on the current MASTER node only.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Heimire

          No.

          WAN1 and WAN2 are active on both firewalls with CARP VIPs.

          We run 2.26 in this setup (designed by pfsense by the way) and it works fine.

          In the new data center we are running 2.4.2_P1 but using FRR instead of OpenBGP.
          In this data center we are seeing a long fail over so I think it's due to my lack of understanding of the FRR package.
          So that's why I am asking for some assistance.

          I think I need to prepend the backup WAN connection WAN2 with prepend-self 2 but not exactly sure what the best way to do that in FRR.
          I just did a manual config in 2.26 with openBGP.

          I also probably need a deny from all and allow from the 2 gateways.

          Right now this works, the fail over CARP works.
          Only problem is it takes a long time to fail over the BGP.
          It's like the primary shuts down the BGP session so all connectivity is lost until the BGP session has been established on the secondary.
          Takes up to a few minutes to see connectivity.

          I am sure it's lack of understanding on my part when it comes to things like hold time, neighbor config, etc.

          Thank you for taking the time to respond.

          H.

          • Derelict (Netgate)

            OK - your diagram looks like it says otherwise…

            FRR > Global Settings > Route Maps

            Create a route map - most examples name this prepend

            AS Path Action: Set Prepend

            Set AS List: What you want to prepend

            Set the outbound route map filter on that neighbor to that route map.

            See what that does for you.


            1 Reply Last reply Reply Quote 1
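The GUI steps in the reply above, written out as the FRR configuration they are expected to correspond to. This is an added example, not part of the original posts or of pfSense's generated file; it assumes the route map is named prepend, that the local AS 18599 is prepended twice (the "prepend-self 2" mentioned earlier in the thread), and that 64.9.133.25 is the backup neighbor from the posted config.

```frr
! Added example (assumptions: route-map name "prepend", two extra copies
! of the local AS, backup neighbor 64.9.133.25 as in the posted config).
!
! Route map: make every route it matches look two AS hops longer.
route-map prepend permit 10
 set as-path prepend 18599 18599
!
router bgp 18599
 ! Neighbor definition as already present in the posted config.
 neighbor 64.9.133.25 remote-as 3900
 neighbor 64.9.133.25 description Backup Datafoundry
 address-family ipv4 unicast
  neighbor 64.9.133.25 activate
  ! Outbound filter: only announcements sent to the backup neighbor
  ! carry the longer AS path; the primary neighbor 64.9.133.17 is
  ! left without a route map and keeps the short path.
  neighbor 64.9.133.25 route-map prepend out
 exit-address-family
!
! Checks from vtysh after the change is applied:
!   clear ip bgp 64.9.133.25 soft out
!   show ip bgp neighbors 64.9.133.25 advertised-routes
! The advertised 168.245.135.0/24 should then show the prepended
! 18599 18599 in the AS path sent to the backup neighbor.
```

Because the generated file is overwritten without warning, the setting belongs in the FRR package GUI as described in the reply rather than in a hand edit of the file.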
            • Heimire

              I see what you mean about the diagram.
              I guess that's another thing I am not good at :)

              Will take a stab at what you wrote.

              Thank you so much for taking the time.

              H.
