BGP Behavior During ClusterXL Failover

Overview

When Border Gateway Protocol (BGP) is configured on a Check Point cluster (two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing), the Cluster Members establish the BGP session using the Cluster Virtual IP (VIP) addresses on the cluster interfaces. The Cluster Members learn, import, and synchronize BGP routes.

During a cluster failover in the ClusterXL High Availability mode, the BGP session drops when a Standby Cluster Member (a Security Gateway that is part of a cluster) takes over the Cluster VIP addresses. As described in RFC 4271, this triggers the deletion of all BGP routes learned from a BGP peer, from both the Active and Standby Cluster Members. The new Active Cluster Member re-learns the BGP routes after it re-establishes the BGP sessions.

A service interruption occurs because BGP negotiations usually take 10-60 seconds to complete.

Required Configuration

To prevent BGP interruption during a cluster failover, you must:

  1. Enable the BGP Graceful Restart in the BGP configuration on each Cluster Member.

  2. Enable the BGP Graceful Restart in the BGP configuration on the BGP peers.

Graceful Restart is a mechanism that keeps deleted BGP routes in the routing table as kernel routes until a timer expires (the default is 360 seconds).

For more information about Graceful Restart, see:

To enable BGP Graceful Restart, enter these Gaia Clish commands (Clish is the default command line shell in the Check Point Gaia operating system; it is a restricted shell, and role-based administration controls the number of commands available in it) on each Check Point Cluster Member:

  1. set bgp external remote-as <AS Number> peer <IP Address> graceful-restart on

  2. save config

Important:

  • You must create a matching configuration on the BGP peers of the Check Point cluster.

    Fully test this configuration to make sure it works properly.

  • The Graceful Restart process is initiated for all BGP peers during a cluster failover and concludes upon receiving an End-of-Routing Information Base (RIB) from each BGP peer.

  • To ensure proper configuration of Graceful Restart, it is essential to enable it for all BGP peers and to confirm that the Graceful Restart Helper is configured on all remote BGP peers.

  • Incomplete configuration, where the Graceful Restart Helper is set up on some but not all BGP peers, results in the Graceful Restart process not functioning as intended, potentially leading to BGP service outages.

Additional Configuration

You can use Continuous Built-In Test (cBIT) detection with the BGP Graceful Restart. See RFC 5882, section 3.1.

If you use Bidirectional Forwarding Detection (BFD), then you must also enable BGP control plane failure detection. See IP Reachability Detection.

For Graceful Restart to work with BFD without an outage, the Graceful Restart Helper must support cBit detection, and the cluster must set the cBit value to 0 (meaning that BFD depends on the control plane).

To configure the BGP peers to use Bidirectional Forwarding Detection (BFD) with cBIT detection:

In this configuration, the Standby Cluster Member keeps learned routes in its routing table.

This way, there is no traffic interruption when the BGP session is re-established.

Run these Gaia Clish commands (Gaia is the Check Point security operating system that combines the strengths of both the SecurePlatform and IPSO operating systems) on each Cluster Member:

  1. set bgp external remote-as <AS Number> peer <IP Address> ip-reachability-detection on

  2. set bgp external remote-as <AS Number> peer <IP Address> ip-reachability-detection check-control-plane-failure on

  3. save config

Important - You must create a matching configuration on the BGP peers of the Check Point cluster. Check Point strongly recommends that you fully test this configuration to make sure it works properly. Some BGP peer routers support BFD but do not include cBIT detection in BGP. Refer to the relevant vendor's documentation.
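The failure mode described above (Graceful Restart or BFD settings present on some peers but not all) is easy to miss when peers are added over time. The following script is an added example, not Check Point code: it audits a dump of the Cluster Member's BGP configuration for exactly the per-peer settings given in the Required Configuration and Additional Configuration procedures and reports any peer that lacks them. It assumes the configuration is available as "set bgp external remote-as <AS> peer <IP> ..." lines of the same form as the commands above (the sample input below is constructed for the example); the peer identities, AS numbers and addresses are placeholders.

```python
"""Audit Gaia BGP peer configuration for complete Graceful Restart / BFD settings.

Added example, not Check Point code. It assumes the configuration is a list of
'set bgp external remote-as <AS> peer <IP> <option...> <value>' lines, the
form the page's commands take. The check it performs is the one the page
calls for: every peer, not just some, must carry the settings.
"""
import re
from collections import defaultdict

PEER_LINE = re.compile(
    r"^set bgp external remote-as (?P<asn>\d+) peer (?P<ip>\S+) (?P<rest>.+)$"
)

# Settings the page requires on every peer for a failover without an outage.
GR_REQUIRED = {"graceful-restart": "on"}
BFD_REQUIRED = {
    "ip-reachability-detection": "on",
    "ip-reachability-detection check-control-plane-failure": "on",
}

# Constructed sample: peer 192.0.2.1 is fully configured, peer 198.51.100.7
# has Graceful Restart but lacks the BFD-related settings.
SAMPLE_CONFIG = """\
set bgp external remote-as 65001 on
set bgp external remote-as 65001 peer 192.0.2.1 on
set bgp external remote-as 65001 peer 192.0.2.1 graceful-restart on
set bgp external remote-as 65001 peer 192.0.2.1 ip-reachability-detection on
set bgp external remote-as 65001 peer 192.0.2.1 ip-reachability-detection check-control-plane-failure on
set bgp external remote-as 65002 on
set bgp external remote-as 65002 peer 198.51.100.7 on
set bgp external remote-as 65002 peer 198.51.100.7 graceful-restart on
"""


def parse_peers(config_text):
    """Return {(asn, ip): {option: value}} built from the per-peer set lines.

    The option key is everything between the peer address and the final
    token, so 'ip-reachability-detection check-control-plane-failure on'
    becomes option 'ip-reachability-detection check-control-plane-failure'
    with value 'on'. A bare '... peer <IP> on' records the peer itself.
    """
    peers = defaultdict(dict)
    for raw in config_text.splitlines():
        m = PEER_LINE.match(raw.strip())
        if not m:
            continue  # AS-level lines and unrelated commands are ignored
        key = (m.group("asn"), m.group("ip"))
        tokens = m.group("rest").split()
        if len(tokens) == 1:
            peers[key]["peer"] = tokens[0]
        else:
            peers[key][" ".join(tokens[:-1])] = tokens[-1]
    return dict(peers)


def audit(peers, bfd=True):
    """Return {(asn, ip): [missing settings]} for every incompletely configured peer.

    Pass bfd=False when BFD is not in use, so only Graceful Restart is required.
    """
    required = dict(GR_REQUIRED)
    if bfd:
        required.update(BFD_REQUIRED)
    findings = {}
    for key, opts in sorted(peers.items()):
        missing = [f"{opt} {val}" for opt, val in required.items()
                   if opts.get(opt) != val]
        if missing:
            findings[key] = missing
    return findings


def is_consistent(peers, bfd=True):
    """True only when every peer carries the full set of required settings."""
    return not audit(peers, bfd=bfd)


if __name__ == "__main__":
    peers = parse_peers(SAMPLE_CONFIG)
    for (asn, ip), missing in audit(peers).items():
        print(f"peer {ip} (AS {asn}) is missing: {', '.join(missing)}")
    print("consistent:", is_consistent(peers))
```

Run the audit against each Cluster Member's configuration before a planned failover test; a non-empty result means the Graceful Restart process will not cover every peer, which is the condition the page warns leads to an outage.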