jennyado
Collaborator

BGP Graceful Restart in HA cluster in Azure

Hi everyone,

I currently have an Azure-deployed Check Point ClusterXL HA environment (Active/Standby) and I’m considering enabling BGP Graceful Restart.

The current topology looks like this:

  • Two Check Point gateways in a ClusterXL HA setup.

  • Each gateway establishes a VPN tunnel (VTI) to an Azure Virtual Network Gateway.

  • Both firewalls are peering via BGP to a private Azure IP (<BGP Peer IP>), which belongs to the Azure Virtual Network Gateway.

  • The Virtual Network Gateway in turn peers with on-prem Cisco routers through another connection.

Everything is working fine as-is.

My question is:

➡️ If I enable BGP Graceful Restart on member A (which is currently active), is there any risk that this could trigger a failover in the cluster before applying the same setting to member B?

I’m concerned whether this change could:

  • Reset the BGP session on the active member.

  • Potentially cause ClusterXL to detect a failover condition (due to lost routes or VTI reachability loss).

Has anyone here performed this adjustment in a similar Azure setup with Cisco routers behind the Virtual Network Gateway?
Would you recommend applying this live, or is it better done during a maintenance window?

Appreciate any advice or shared experience.

Thanks in advance!

7 Replies
the_rock
MVP Platinum

I tested this in an Azure lab last year and it was fine; enabling it did not cause any issues, it actually helped. I have a gut feeling that setting is always needed for BGP to fully function without any network outage.

Andy

Best,
Andy
jennyado
Collaborator

The test you mention, was it also of a cluster?

According to the following sk, https://support.checkpoint.com/results/sk/sk100499, I would just need to check the Graceful Restart box.

[Screenshot: jennyado_0-1751913786110.png]

the_rock
MVP Platinum

Yes and yes 🙂

Best,
Andy
jennyado
Collaborator

I have a follow-up question regarding this setting.

Would enabling it only on the Check Point cluster side cause any impact on BGP behavior?

I’m asking because I’m not entirely sure if this option can also be enabled on the Azure VPN Gateway side.

If it cannot be enabled on Azure, would it still be safe to activate it just on the cluster side?

And if it can be enabled on both sides, should it be configured simultaneously to avoid any route synchronization or session issues?

Appreciate any insights you can share on this — I just want to make sure we don’t introduce any BGP instability.

Thanks again!

the_rock
MVP Platinum

I don't have an Azure cluster in the lab any more (it was costing too much money to keep it on constantly), but to answer your question, when I did have it, I had a VPN between the on-prem cluster and the Azure one, and my colleague and I also built BGP peering with that setting enabled on both sides; no issues.

Best,
Andy
the_rock
MVP Platinum

Hey Jenn,

Just ended up building an Azure cluster today to test this (I was curious if it's the same behavior in R82) and it was fine, no problems.

Best,
Andy
Duane_Toler
MVP Silver

Be mindful of the drawbacks of GR for BGP:

https://blog.ipspace.net/2024/01/bgp-graceful-restart-harmful/

You could be doing more harm than good unless you have other ways to detect a potential outage, such as ip-reachability-detection with either BFD (single-hop or multi-hop) or ICMP echo, both of which Gaia's BGP supports. If you use BFD, be sure you enable the control plane check as well (the C-bit) so that you aren't fate-sharing BFD and BGP blindly.


--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
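To make the trade-off above concrete, here is an added example (not code from this thread, from Check Point or from Azure): a simplified Python model of the decision described in RFC 5882 section 4.3, showing how long traffic keeps flowing toward a peer whose forwarding plane has died (for instance a VTI that silently went away) depending on whether GR, BFD and the BFD C-bit are in play. The timer values (90 s hold, 900 ms BFD detection, 360 s stale-path) are assumptions for illustration.

```python
"""Simplified model of BGP Graceful Restart (RFC 4724) interacting with
BFD (RFC 5880 / RFC 5882 s4.3). Constructed example; timers are assumed."""
from dataclasses import dataclass


@dataclass
class PeerState:
    gr_negotiated: bool          # GR capability exchanged with this peer
    bfd_enabled: bool            # ip-reachability-detection via BFD is on
    bfd_c_bit: bool              # peer's BFD is independent of its control plane
    hold_time: int = 90          # BGP hold timer, seconds (assumed)
    bfd_detect_ms: int = 900     # BFD detection time, milliseconds (assumed)
    stale_path_time: int = 360   # seconds stale routes are kept under GR (assumed)


def on_failure(peer: PeerState, event: str) -> str:
    """What the local router does with the peer's routes after a failure.

    event: 'bgp_session_down' (TCP reset or hold timer expiry) or
           'bfd_down' (BFD declared the peer unreachable).
    Returns 'keep_stale' (GR honoured, keep forwarding) or 'flush'.
    """
    if event == "bfd_down":
        # RFC 5882 s4.3.1: with the C-bit set, a BFD failure cannot be a mere
        # control-plane restart, so GR must not preserve the routes.
        if peer.bfd_c_bit:
            return "flush"
        # C-bit clear (s4.3.2): BFD shares fate with the control plane, so the
        # failure is ambiguous and GR, if negotiated, is still honoured.
        return "keep_stale" if peer.gr_negotiated else "flush"
    if event == "bgp_session_down":
        return "keep_stale" if peer.gr_negotiated else "flush"
    raise ValueError(f"unknown event {event!r}")


def blackhole_window_s(peer: PeerState) -> float:
    """Worst-case seconds of traffic sent toward a dead forwarding plane
    before the peer's routes are withdrawn (detection + any GR hold)."""
    if peer.bfd_enabled:
        detect, event = peer.bfd_detect_ms / 1000, "bfd_down"
    else:
        detect, event = float(peer.hold_time), "bgp_session_down"
    if on_failure(peer, event) == "flush":
        return detect
    return detect + peer.stale_path_time


def compare_scenarios() -> dict:
    """Black-hole window per deployment choice, seconds."""
    return {
        "no GR, no BFD": blackhole_window_s(PeerState(False, False, False)),
        "GR only": blackhole_window_s(PeerState(True, False, False)),
        "GR + BFD, C-bit clear": blackhole_window_s(PeerState(True, True, False)),
        "GR + BFD, C-bit set": blackhole_window_s(PeerState(True, True, True)),
    }
```

The "GR only" row is the case the ipspace post warns about: GR turns a 90-second outage into a 450-second one, while BFD with the C-bit set brings it under a second.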