Hello,
I would like to report an issue related to VRF route leaking and the commit process.
Version Information
Version: VyOS 2026.06.10-0053-rolling
Release train: rolling
Release flavor: generic
Environment
I have two VRFs:
- default
- test
Routes are exported from vrf test and imported into the default VRF using VPNv4 route leaking.
Configuration:
set vrf name test protocols bgp address-family ipv4-unicast export vpn
set vrf name test protocols bgp address-family ipv4-unicast rd vpn export '12345:200'
set vrf name test protocols bgp address-family ipv4-unicast route-target vpn export '12345:200'
set protocols bgp address-family ipv4-unicast import vpn
set protocols bgp address-family ipv4-unicast route-target vpn import '12345:200'
Problem Description
Whenever I perform any commit, even for configuration changes completely unrelated to BGP or VRFs, all routes leaked from vrf test into the default VRF are temporarily removed.
For example:
set policy route-map test rule 10 action 'permit'
commit
The route-map above is not attached to any BGP neighbor or routing policy, yet during the commit process all imported routes from vrf test disappear from the default VRF. Once the commit completes, the routes are installed again.
Impact
This behavior causes a traffic interruption of approximately 20-30 seconds. During that time, customers relying on routes imported from vrf test lose connectivity (including Internet access).
In production environments, this makes even minor configuration changes disruptive because every commit briefly withdraws and then reinstalls the leaked routes.
Expected Behavior
Configuration changes that are unrelated to BGP VPN route leaking should not cause imported routes to be withdrawn and reinstalled.
Ideally, leaked routes should remain present in the routing table throughout the commit process, or the relevant FRR components should be reconfigured in a way that avoids traffic interruption.
Additional Information
I have tested a similar setup using a clean FRRouting installation on Debian and do not observe the same behavior there. The route leak remains intact during unrelated configuration changes.
Is this a known limitation of the current VyOS implementation, or is there a recommended way to avoid route withdrawal during commits?
Thank you.