Cisco Catalyst SDWAN BFD Session Down Troubleshooting


You may have heard about the BFD protocol before; here we discuss it in a Cisco Catalyst SD-WAN environment. First, a brief look at BFD itself.

What is BFD (Bidirectional Forwarding Detection)?

BFD (Bidirectional Forwarding Detection) is a protocol that detects link failures quickly. BFD tunnel statistics display information about the data plane tunnels, so you can easily see whether you are sending or receiving packets on a particular IPsec tunnel between the vEdges.

Fig 1.1 - Cisco Catalyst SDWAN BFD Session

This can help you understand if packets are making it on each end, and isolate connectivity issues between the nodes.

BFD in Cisco vEdge/cEdge devices

With the IPsec tunnels between the sites (vEdges/cEdges), BFD detects failures inside the tunnel and is part of the high availability solution. BFD is enabled by default on all Cisco Viptela vEdge routers; there is no way to disable it.

Note ⭐ : BFD is the path liveness and quality measurement protocol. It detects the up/down state of each IPsec tunnel as well as loss, latency and jitter on it.

Note ⭐ : It runs between all vEdges, and with cEdges or a mix of devices if they are in one fabric. It operates in echo mode and is invoked automatically at IPsec tunnel establishment.

Note ⭐ : BFD uses a hello interval and a detect multiplier for up/down detection, and a poll interval for the app-aware (loss/latency/jitter) measurements.

A BFD session status of "Down" is a symptom rather than the root cause of the problem. The first thing we always do to confirm that the system is in good working order is to check whether BFD is UP.

Step 1: Check for BFD sessions in the Down state with "show BFD sessions | i down"

Step 2: Check if the data plane has the BFD session downloaded


Step 3: Check if the session is in the Pending - Issue state; use


Step 4: If the session is in the Pending - Issue state in the above show command, check whether IOS has all the dependent information


Step 5: If the SA ID is 0, check if the IPsec session exists in fman-fp


Step 6: If there is no IPsec session, check whether a message was received from ftm and whether there were any errors


Step 7: If L2 Adj is zero, check the tunnel config, control connections, etc.

Step 8: If the session is present in the data path, check the BFD statistics to see whether the tx/rx counters are incrementing. If they are, check whether BFD is dropping any packets


Step 9: For vEdge, if the BFD counters are not incrementing, check for drops on the remote peer


Step 10: If the remote device is a cEdge, use the following equivalent cEdge show commands to see the drop statistics
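As an added example (not from the original post and not a Cisco tool), the script below automates the first pass of Steps 1, 8 and 9 and the detection-time note above: it parses a simplified, constructed rendition of "show bfd sessions" output, lists sessions that are not up, computes the detection time as hello (tx) interval multiplied by the detect multiplier, and compares two constructed snapshots of per-session tx/rx counters to flag sessions whose counters are not incrementing. The column names and the counter snapshot format are assumptions modelled on the vEdge table; adjust the header parsing to match the real device output.

```python
"""Triage helper for Catalyst SD-WAN BFD sessions (added example, assumptions noted inline)."""
from dataclasses import dataclass

# Constructed sample: column names follow the vEdge `show bfd sessions` table,
# values are made up for this example (RFC 5737 / RFC 1918 addresses).
SHOW_BFD_SESSIONS = """\
SYSTEM-IP  SITE-ID  STATE  SRC-COLOR     DST-COLOR     SRC-IP     DST-PUBLIC-IP  DST-PORT  ENCAP  MULTIPLIER  TX-INTERVAL  UPTIME      TRANSITIONS
10.1.1.1   100      up     mpls          mpls          192.0.2.1  198.51.100.1   12346     ipsec  7           1000         1:02:13:44  0
10.1.1.2   200      down   biz-internet  biz-internet  192.0.2.2  198.51.100.2   12366     ipsec  7           1000         0:00:00:00  3
10.1.1.3   300      up     biz-internet  biz-internet  192.0.2.2  198.51.100.3   12346     ipsec  7           1000         0:05:10:02  1
"""

# Constructed BFD tx/rx counter snapshots taken a few seconds apart,
# keyed by (system-ip, source color, destination color) -> (tx, rx).
COUNTERS_BEFORE = {
    ("10.1.1.1", "mpls", "mpls"): (1000, 998),
    ("10.1.1.3", "biz-internet", "biz-internet"): (500, 480),
}
COUNTERS_AFTER = {
    ("10.1.1.1", "mpls", "mpls"): (1060, 1058),
    ("10.1.1.3", "biz-internet", "biz-internet"): (560, 480),
}


@dataclass
class BfdSession:
    system_ip: str
    site_id: int
    state: str
    src_color: str
    dst_color: str
    dst_ip: str
    multiplier: int
    tx_interval_ms: int
    transitions: int

    @property
    def key(self):
        return (self.system_ip, self.src_color, self.dst_color)

    @property
    def detection_time_ms(self):
        # BFD declares the path down after `multiplier` consecutive missed hellos.
        return self.multiplier * self.tx_interval_ms


def parse_bfd_sessions(text):
    """Parse the whitespace-separated table into BfdSession objects (Step 1 input)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    col = {name: i for i, name in enumerate(header)}
    sessions = []
    for line in lines[1:]:
        f = line.split()
        if len(f) != len(header):
            continue  # skip wrapped or truncated rows instead of mis-assigning columns
        sessions.append(BfdSession(
            system_ip=f[col["SYSTEM-IP"]], site_id=int(f[col["SITE-ID"]]),
            state=f[col["STATE"]].lower(), src_color=f[col["SRC-COLOR"]],
            dst_color=f[col["DST-COLOR"]], dst_ip=f[col["DST-PUBLIC-IP"]],
            multiplier=int(f[col["MULTIPLIER"]]), tx_interval_ms=int(f[col["TX-INTERVAL"]]),
            transitions=int(f[col["TRANSITIONS"]]),
        ))
    return sessions


def down_sessions(sessions):
    """Step 1: every session whose state is anything other than up."""
    return [s for s in sessions if s.state != "up"]


def stalled_sessions(before, after):
    """Steps 8/9: map session key -> finding for counters that did not move."""
    findings = {}
    for key, (tx0, rx0) in before.items():
        tx1, rx1 = after.get(key, (tx0, rx0))
        if tx1 == tx0:
            findings[key] = "tx flat: local side is not sending BFD, check data-plane programming"
        elif rx1 == rx0:
            findings[key] = "tx incrementing but rx flat: check for drops on the remote peer"
    return findings


def triage(text, before, after):
    """Combine the checks into one report dictionary."""
    sessions = parse_bfd_sessions(text)
    return {
        "down": [(s.system_ip, s.site_id, s.transitions) for s in down_sessions(sessions)],
        "detection_time_ms": {s.system_ip: s.detection_time_ms for s in sessions},
        "stalled": stalled_sessions(before, after),
    }


if __name__ == "__main__":
    for name, value in triage(SHOW_BFD_SESSIONS, COUNTERS_BEFORE, COUNTERS_AFTER).items():
        print(f"{name}: {value}")
```

The detection time is what the "hello interval and multiplier" note describes: with a 1000 ms hello and a multiplier of 7 a session is declared down after 7 seconds of silence, so a flapping session with several transitions but a low uptime is worth correlating with the control-connection and tunnel checks in Steps 5 to 7 before looking at the remote peer.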


To capture packets on a tunnel interface, run the following commands:

  • NDNA_R1# debug platform condition interface gigabitethernet 1 both
  • NDNA_R1# debug platform packet-trace packet 1024 fi cir
  • NDNA_R1# debug platform packet-trace copy packet both l2 s 256
  • NDNA_R1# debug platform condition start
  • NDNA_R1# debug platform condition ipv4 <ip/32> both
  • NDNA_R1# show platform packet-trace summary
  • NDNA_R1# show platform packet-trace packet <no>