I'm experiencing slow failover times with my on-prem FortiGate firewall and Azure VPN Gateway setup. I have two IPsec tunnels established between the FortiGate and Azure, and both tunnels have BGP sessions running. I've set up one tunnel as the primary and the other as secondary, using local preference to prioritize routes over the primary tunnel, while applying AS path prepending for outbound routes to make the secondary tunnel less preferred. However, when the primary tunnel goes down, it can take up to 3 minutes for the failover to fully complete. During this wait, BGP routes for the primary tunnel remain active, which disrupts traffic until Azure finally drops the session and switches to the secondary tunnel. I've read that Azure doesn't support BFD and that BGP timers are fixed. Are there best practices or strategies to reduce the failover time for this kind of setup with Azure?
3 Answers
Have you tried setting up Azure to handle initiation? That can really help with failover times. Also, make sure both your Azure and FortiGate can initiate BGP sessions. Mixing those can sometimes lead to shorter failover periods.
I found an alternative failover solution that's both cheaper and faster! It has worked wonders for my setup. If you're interested, I'm happy to share more details here instead of DMs.
Could you share those details here? It might help others facing the same issue!
I noticed the same issue, and one thing I found useful was enabling graceful restart for BGP. Also, with an active/active setup, are you utilizing ECMP (Equal-Cost Multi-Path)? Managing your timers can also help, especially if you’re using the default 60/180 settings on your routers.
I have a default setup where Azure initiates and accepts both BGP and the VPN, and it seems to work fine!