Taking BGP Down when an ISP is providing bad internet

Hello,

We have two carrier ISPs that we BGP peer with. We are having an issue where a carrier may have a fiber cut, thus we have a lot of packet loss on a particular ISP, which causes issues within our network.

The problem we have is the WatchGuard will recognize this and send a down notification via Link Monitor but it doesn't seem to take BGP Down. I have to go and physically unplug the link from the switches to stabilize the network.

Is this normal? Can the WatchGuard devices take BGP down when a particular circuit is experiencing packet loss?

Thanks

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @travis_tmb

    You'll normally want to use link-monitor and SD-WAN to accomplish swapping circuits when you lose traffic. If you're seeing link monitor failures, that should be enough to trigger a failover there.

    See:
    (Configure the Failover Multi-WAN Method)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/multiwan/failover_configure_c.html

    To do this via BGP, I believe you would need to utilize BGP timers and wait for the connection to time out between your BGP peers. If your firewall is already determining that the connection is down via link-monitor, it'll likely be more efficient to just use link-monitor and SD-WAN.

    -James Carson
    WatchGuard Customer Support

  • Good Morning @james.carson, So yes the WG is able to determine that the circuit is down as I am notified via email from the WG that the link is down. However, it's not pulling the routes from the WG as BGP is still up.

    So the other day when carrier 1 was down, I got into the office an hour or so later and we couldn't go to any websites or use the internet. I had to go to the switch, and disconnect the carrier from our network physically.

    So the problem currently is that carrier 1, for example, can have a fiber cut in another state, which causes us 50% packet loss and the circuit is essentially down, but since BGP is still up, the WG won't pull the routes from the box. That's the issue we are trying to solve.

    Thanks

  • james.carson Moderator, WatchGuard Representative

    Hi @travis_tmb
    I'd suggest opening a support case so we can take a look at your BGP statement and recommend any changes from there. You can open a support case via the support center button at the top right of this webpage.

    -James Carson
    WatchGuard Customer Support

  • Okay thanks!

  • @james.carson So from my understanding with WG Support, WG cannot detect this and take down a BGP link. This is a critical feature missing for BGP in my opinion.

  • james.carson Moderator, WatchGuard Representative

    Hi @travis_tmb
    Taking a look at your case, the engineer left information related to adjusting the BGP timers so this can happen. That combined with Multi-WAN should help with the issue you described.

    -James Carson
    WatchGuard Customer Support
