This post is about the KeepaliveTimer / HoldTimer used when you connect to Azure over VPN and exchange routes dynamically with BGP.
The short version: the Azure VPN Gateway side runs 60 / 180 sec, and you can tune the session by configuring shorter values on the on-premises device.
Let's verify this on a FortiGate, the kind every household has lying around.
First, the case where no timer values are configured at all.
config router bgp
    set as 65521
    set network-import-check disable
    config neighbor
        edit "10.0.255.4"
            set ebgp-enforce-multihop enable
            set next-hop-self enable
            set soft-reconfiguration enable
            set remote-as 65516
            set update-source "BGPloopback"
        next
    end
    config network
        edit 1
            set prefix 172.16.0.0 255.255.0.0
        next
    end
end
Looking at the neighbor state, the KeepaliveTimer is 60 seconds and the HoldTimer is 180 seconds.
FG100E # get router info bgp neighbors
BGP neighbor is 10.0.255.4, remote AS 65516, local AS 65521, external link
  BGP version 4, remote router ID 10.0.255.4
  BGP state = Established, up for 00:00:10
  Last read 00:00:08, hold time is 180, keepalive interval is 60 seconds    // values actually in use
  Configured hold time is 180, keepalive interval is 60 seconds             // configured values (nothing set, so the FortiGate defaults)
  Neighbor capabilities:
    Route refresh: advertised and received (new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
  Received 41770 messages, 0 notifications, 0 in queue
  Sent 41829 messages, 16 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds
  Update source is BGPloopback
Now let's explicitly configure short values, 10 / 30 sec, on the FortiGate side.
config router bgp
    set as 65521
    set network-import-check disable
    config neighbor
        edit "10.0.255.4"
            set ebgp-enforce-multihop enable
            set next-hop-self enable
            set soft-reconfiguration enable
            set remote-as 65516
            set keep-alive-timer 10
            set holdtime-timer 30
            set update-source "BGPloopback"
        next
    end
    config network
        edit 1
            set prefix 172.16.0.0 255.255.0.0
        next
    end
end
After clearing the neighbor once so the session is re-established, it is indeed running at 10 / 30 sec.
FG100E # execute router clear bgp all
FG100E # get router info bgp neighbors
BGP neighbor is 10.0.255.4, remote AS 65516, local AS 65521, external link
  BGP version 4, remote router ID 10.0.255.4
  BGP state = Established, up for 00:00:16
  Last read 00:00:07, hold time is 30, keepalive interval is 10 seconds     // values actually in use
  Configured hold time is 30, keepalive interval is 10 seconds              // configured values
  Neighbor capabilities:
    Route refresh: advertised and received (new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
  Received 41786 messages, 0 notifications, 0 in queue
  Sent 41845 messages, 17 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds
  Update source is BGPloopback
Conversely, let's try longer values.
config router bgp
    set as 65521
    set network-import-check disable
    config neighbor
        edit "10.0.255.4"
            set ebgp-enforce-multihop enable
            set next-hop-self enable
            set soft-reconfiguration enable
            set remote-as 65516
            set keep-alive-timer 120
            set holdtime-timer 360
            set update-source "BGPloopback"
        next
    end
    config network
        edit 1
            set prefix 172.16.0.0 255.255.0.0
        next
    end
end
In this case the session ends up at 60 / 180 sec, even though 120 / 360 was configured.
FG100E # execute router clear bgp all
FG100E # get router info bgp neighbors
BGP neighbor is 10.0.255.4, remote AS 65516, local AS 65521, external link
  BGP version 4, remote router ID 10.0.255.4
  BGP state = Established, up for 00:00:00
  Last read 00:00:00, hold time is 180, keepalive interval is 60 seconds    // values actually in use
  Configured hold time is 360, keepalive interval is 120 seconds            // configured values
  Neighbor capabilities:
    Route refresh: advertised and received (new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
  Received 41809 messages, 0 notifications, 0 in queue
  Sent 41866 messages, 18 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds
  Update source is BGPloopback
So the session settles on the shorter of the Azure VPN Gateway's value and the on-premises VPN device's value. That is plain RFC 4271 hold time negotiation: each side takes the smaller of its own configured hold time and the one the peer proposed in its OPEN message. The keepalive interval is not carried in OPEN at all, so the FortiGate simply derived 60 seconds (one third of the negotiated 180) on its own. In practice this means Azure's 180-second hold time is the ceiling on how slowly a dead tunnel is detected, and the on-premises side is where you shorten it.
(Depending on the model you may get swallowed by the darkness of interoperability quirks, so test it properly.)
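To make the negotiation above concrete, here is an added example (not code from the original post, and not FortiGate or Azure code) that encodes and decodes a minimal BGP OPEN message and then applies the RFC 4271 hold time rule to the three configurations tried on this page. The Azure side is modelled from what the page reports (remote AS 65516, router ID 10.0.255.4, hold time 180). The keepalive derivation, "configured value capped at one third of the negotiated hold time", is an assumption that reproduces what the FortiGate displayed; the standard only says keepalive should not exceed one third of the hold time.

```python
import struct

# Values the page reports for the Azure VPN Gateway side (assumed constant here).
AZURE_AS = 65516
AZURE_ROUTER_ID = "10.0.255.4"
AZURE_HOLD_TIME = 180        # Azure proposes 180 s (and itself runs a 60 s keepalive)

BGP_MARKER = b"\xff" * 16
OPEN_TYPE = 1


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """Encode a minimal BGP OPEN (RFC 4271 section 4.2) with no optional parameters.

    Only the Hold Time is carried; the keepalive interval never crosses the wire.
    """
    body = struct.pack(
        "!BHH4sB",
        4,                                            # BGP version
        my_as,                                        # 2-byte AS (no AS4 capability here)
        hold_time,
        bytes(int(octet) for octet in bgp_id.split(".")),
        0,                                            # optional parameters length
    )
    header = BGP_MARKER + struct.pack("!HB", len(body) + 19, OPEN_TYPE)
    return header + body


def parse_open(msg: bytes) -> dict:
    """Decode the fixed part of an OPEN; raises ValueError on a malformed message."""
    if msg[:16] != BGP_MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != OPEN_TYPE or length != len(msg) or length < 29:
        raise ValueError("not a well-formed OPEN message")
    version, my_as, hold_time, bgp_id, _opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise ValueError("unsupported BGP version")
    return {"my_as": my_as, "hold_time": hold_time,
            "bgp_id": ".".join(str(b) for b in bgp_id)}


def negotiate_timers(local_hold: int, local_keepalive: int, peer_open: dict) -> tuple:
    """Return (hold_time, keepalive) this side will actually run with.

    Hold time: RFC 4271, the smaller of our configured value and the peer's proposal;
    a proposal of 1 or 2 seconds is rejected with an OPEN error (Unacceptable Hold Time).
    Keepalive: not negotiated. Capping the configured value at hold_time // 3 is an
    assumption that matches the FortiGate output on this page.
    """
    peer_hold = peer_open["hold_time"]
    if peer_hold in (1, 2):
        raise ValueError("Unacceptable Hold Time (OPEN message error, subcode 6)")
    hold = min(local_hold, peer_hold)
    if hold == 0:
        return 0, 0                                   # either side disabled keepalives
    return hold, min(local_keepalive, hold // 3)


def negotiate_with_azure(local_hold: int, local_keepalive: int) -> tuple:
    """Simulate the on-prem side receiving Azure's OPEN and settling its timers."""
    azure_open = build_open(AZURE_AS, AZURE_HOLD_TIME, AZURE_ROUTER_ID)
    return negotiate_timers(local_hold, local_keepalive, parse_open(azure_open))


if __name__ == "__main__":
    # The three configurations tried on the page: defaults, 10/30, 120/360.
    for hold, keep in ((180, 60), (30, 10), (360, 120)):
        print(f"configured hold/keepalive {hold}/{keep} -> in use {negotiate_with_azure(hold, keep)}")
```

Running it reproduces the three outcomes seen in `get router info bgp neighbors`: 180/60 for the defaults, 30/10 when the FortiGate asks for less, and 180/60 again when it asks for more than Azure proposes. The rejection branch is the check a practitioner wants when testing against unknown gear: a peer proposing 1 or 2 seconds is protocol-invalid and must be refused rather than accepted as an extremely aggressive timer.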
1 comment on "Timers when exchanging routes over BGP on a VPN connection to Azure"