Symptom
When TTL-Security is enabled, BGP External-Fallover does not bring down the eBGP session as soon as the physical interface (Eth1/47) goes down. Instead, BGP waits for the hold timer to expire (which in the example below was configured as 20 seconds):
2023 Feb 20 09:50:47 N9K-2 %ETHPORT-5-IF_DOWN_PARENT_DOWN: Interface Ethernet1/47.3182 is down (Parent interface is down)
2023 Feb 20 09:50:47 N9K-2 %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet1/47 is down (Administratively down)
2023 Feb 20 09:51:03 N9K-2 %BGP-5-ADJCHANGE: bgp- [22583] (VPN_IC) neighbor 10.83.1.25 Down - sent: holdtimer expired error
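One way to spot this symptom in collected syslog, as an added example that is not part of the original bug report: correlate each "holdtimer expired" ADJCHANGE with the most recent interface-down event and flag drops that took longer than a fast-fallover teardown would. The threshold of 2 seconds and the message patterns are assumptions based on the three lines quoted above, which are embedded here as constructed sample input.

```python
import re
from datetime import datetime

# Constructed sample input: the three syslog lines quoted in the bug report.
SAMPLE_LOG = """\
2023 Feb 20 09:50:47 N9K-2 %ETHPORT-5-IF_DOWN_PARENT_DOWN: Interface Ethernet1/47.3182 is down (Parent interface is down)
2023 Feb 20 09:50:47 N9K-2 %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet1/47 is down (Administratively down)
2023 Feb 20 09:51:03 N9K-2 %BGP-5-ADJCHANGE: bgp- [22583] (VPN_IC) neighbor 10.83.1.25 Down - sent: holdtimer expired error
"""

TS = r"(?P<ts>\d{4} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
TS_FMT = "%Y %b %d %H:%M:%S"
# Any %ETHPORT-5-IF_DOWN_* message naming the interface that went down.
IF_DOWN = re.compile(TS + r" \S+ %ETHPORT-5-IF_DOWN\w*: Interface (?P<intf>\S+) is down")
# A BGP adjacency drop caused by hold-timer expiry rather than an immediate teardown.
BGP_DOWN = re.compile(TS + r" \S+ %BGP-5-ADJCHANGE: .*neighbor (?P<peer>\S+) Down - sent: holdtimer expired")


def _parse_ts(raw):
    # Collapse the double space NX-OS prints before single-digit days.
    return datetime.strptime(" ".join(raw.split()), TS_FMT)


def find_slow_fallover(log_text, max_delay_s=2):
    """Return (peer, interface, delay_seconds) for each hold-timer-expired BGP
    drop that follows an interface-down event by more than max_delay_s.
    With fast external fallover working, the session drops with the link, so
    a long delay suggests fallover was suppressed (here: by ttl-security)."""
    downs = []      # (timestamp, interface) of every interface-down seen so far
    findings = []
    for line in log_text.splitlines():
        m = IF_DOWN.match(line)
        if m:
            downs.append((_parse_ts(m["ts"]), m["intf"]))
            continue
        m = BGP_DOWN.match(line)
        if m:
            t = _parse_ts(m["ts"])
            prior = [d for d in downs if d[0] <= t]
            if prior:
                t_down, intf = prior[-1]   # most recent link drop before the BGP drop
                delay = (t - t_down).total_seconds()
                if delay > max_delay_s:
                    findings.append((m["peer"], intf, delay))
    return findings


if __name__ == "__main__":
    for peer, intf, delay in find_slow_fallover(SAMPLE_LOG):
        print(f"{peer} dropped {delay:.0f}s after {intf} went down: fallover did not fire")
```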
Conditions
Enabling TTL-Security on an eBGP session between directly connected neighbors by using the 'ttl-security hops ' command under the neighbor configuration.
Workaround
TTL-Security should be disabled on eBGP sessions that are not eBGP multihop sessions.
Further Problem Description
The TTL-security feature is designed to be used only for eBGP multihop sessions. When it is configured on a BGP neighbor, the assumption is that the neighbor is not directly connected.
Additional note:
The fast failover feature only applies to directly connected eBGP neighbors. Thus, the two features conflict with each other.