cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2251
Views
0
Helpful
5
Replies

Routing Issue - BGP

Arshad Safrulla
VIP Alumni
VIP Alumni

Hi Guys,

I am trying to establish iBGP peering neighbourship from my Nexus 9504 with my Next hop which is a Palo Alto Firewall.

But from palo Alto side state showing active, but from my side it is idle. Below are the debug messages from Nexus. Can you spport.

 

2019 Jul 10 12:59:09.844934 bgp: [4112] (default) EVT: 10.255.255.17 remote iod 124 resolving l3 addr
2019 Jul 10 12:59:09.845033 bgp: libnve [4112] API callled even before HMM is enabled, do init
2019 Jul 10 12:59:09.845096 bgp: libnve [4112] ksink_sdb_open() failed for uri volatile:/dev/shm/hmm_sdb_info
2019 Jul 10 12:59:09.845109 bgp: libnve [4112] hmm_check_forwarding_mode(): Not initialized with HMM Api
2019 Jul 10 12:59:09.845137 bgp: [4112] (default) EVT: 10.255.255.17 peer connection retry timer expired
2019 Jul 10 12:59:09.845542 bgp: [4112] (default) EVT: 10.255.255.17 Triggered active open for peer
2019 Jul 10 12:59:09.845743 bgp: [4112] (default) EVT: 10.255.255.17 went from Idle to Active (Active setup)
2019 Jul 10 12:59:09.845778 bgp: [4112] (default) ADJ: bgp_tcp_connect: Peer 10.255.255.17 remote i/f Vlan570
2019 Jul 10 12:59:09.846046 bgp: im_get_extension_index(242): Reading iod 0x7c, from ext <267,0> (volatile:/dev/shm/im_sdb_extension_267_0)
2019 Jul 10 12:59:09.846076 bgp: im_get_extension_index(258): sdb_read successful - returned pss_datum 0xd0b00a34
2019 Jul 10 12:59:09.846093 bgp: im_get_extension_index(265): sdb_read succesful - returned pss_datum, size4, ptr 0xd0b00a6c (val 0xecd1956d)
2019 Jul 10 12:59:09.846125 bgp: [4112] (default) ADJ: Local addr for peer 10.255.255.17 is 10.255.255.19
2019 Jul 10 12:59:09.846169 bgp: [4112] (default) ADJ: set_local_port: Peer 10.255.255.17, remote iod Vlan570
2019 Jul 10 12:59:09.846269 bgp: [4112] (default) EVT: 10.255.255.17 Schedule wait for connect
2019 Jul 10 12:59:09.846300 bgp: [4112] (default) EVT: 10.255.255.17 Wait (30 sec) for session setup response
2019 Jul 10 12:59:12.854995 bgp: [4112] (default) EVT: 10.255.255.17 connect to peer is successful
2019 Jul 10 12:59:12.855028 bgp: [4112] (default) EVT: 10.255.255.17 sending OPEN message to peer
2019 Jul 10 12:59:12.855057 bgp: [4112] (default) ADJ: 10.255.255.17 Sending OPEN, version 4, AS 65336, hold-time 180, router-id 10.255.250.254
2019 Jul 10 12:59:12.855079 bgp: [4112] (default) ADJ: 10.255.255.17 sending (old) dynamic capability (66/0) to peer
2019 Jul 10 12:59:12.855090 bgp: [4112] (default) ADJ: 10.255.255.17 sending dynamic capability (67/3) to peer
2019 Jul 10 12:59:12.855101 bgp: [4112] (default) ADJ: 10.255.255.17 sending (old) route refresh capability (128/0) to peer
2019 Jul 10 12:59:12.855111 bgp: [4112] (default) ADJ: 10.255.255.17 sending route refresh capability (2/0) to peer
2019 Jul 10 12:59:12.855123 bgp: [4112] (default) ADJ: 10.255.255.17 sending [IPv4 Unicast] capability (1/4) to peer
2019 Jul 10 12:59:12.855134 bgp: [4112] (default) ADJ: my restart time 120 restart state 0
2019 Jul 10 12:59:12.855486 bgp: [4112] (default) ADJ: 10.255.255.17 sending graceful restart capability (64/6) to peer
2019 Jul 10 12:59:12.855502 bgp: [4112] (default) ADJ: 10.255.255.17 sending 4-byte AS capability (65/4) to peer
2019 Jul 10 12:59:12.855514 bgp: [4112] (default) ADJ: 10.255.255.17 sending extended nh encoding capability (5/6) to peer
2019 Jul 10 12:59:12.855526 bgp: [4112] Hexdump at 0xe9a01c0c, 70 bytes:
2019 Jul 10 12:59:12.855539 bgp: [4112] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
2019 Jul 10 12:59:12.855553 bgp: [4112] 00460104 FF3800B4 0AF065FE 29022742
2019 Jul 10 12:59:12.855568 bgp: [4112] 00430302 01408000 02000104 00010001
2019 Jul 10 12:59:12.855585 bgp: [4112] 40060078 00010100 41040000 FF380506
2019 Jul 10 12:59:12.855597 bgp: [4112] 00010001 0002
2019 Jul 10 12:59:12.855892 bgp: [4112] (default) EVT: PARTIALWRITE: OPEN to 10.255.255.17 wanted to write 70 bytes, only -1 written: No route to host
2019 Jul 10 12:59:12.855910 bgp: [4112] (default) EVT: 10.255.255.17 cleaning up active peer setup, thread id 0x0
2019 Jul 10 12:59:12.855958 bgp: [4112] (default) EVT: Starting timer (60 sec 0 nsec) for 10.255.255.17 connection retry

5 Replies 5

Hi @Arshad Safrulla,

1. What NX-OS version are you running on your Nexus 9504?

2. Do you have only this one or two Nexus 9504 in vPC?

3. Is the Palo Alto physically connected via a vPC or an orphan port (to only one of the Nexus 9504 in vPC)?

4. Could you please share the relevant BGP configuration (sh run bgp) and the vPC configuration if applicable (sh run vpc)?

Cheers.

Hi,

1. version 9.2(2)

2. 2 Nexus Switches

3. We are running VPC between 2 switches, but this is connected a orphan port. Palo Alto is connected via L2 switch. We are peering with a SVI.

4. 

VPC config

vpc domain 70
peer-keepalive destination 10.99.99.1 source 10.99.99.2 vrf Keepalive

dual-active exclude interface-vlan 570 
peer-gateway

 

BGP

router bgp 65000
router-id 10.255.250.254
address-family ipv4 unicast
network 10.248.96.0/26
neighbor 10.255.250.251
remote-as 65000
description Leaf2-Loopback-to-Spine1-Loopback
update-source loopback1
address-family ipv4 unicast
neighbor 10.255.250.252
remote-as 65000
description Leaf2-Loopback-to-Spine2-Loopback
update-source loopback1
address-family ipv4 unicast
neighbor 10.255.250.17
remote-as 65000
description Leaf2-Loopback-to-Spine2-Loopback
update-source vlan 570
address-family ipv4 unicast
auto-recovery
ip arp synchronize

Let's call them N9K-A and N9K-B to the Nexus 9504 switches you have in vPC.

1. To which of the Nexus is the Palo Alto connected to? In other words, it is connected to the orphan port of N9K-A or N9K-B?

2. Is the iBGP session UP with the N9K which the Palo Alto connects to its orphan port?

3. Are the debugs you shared from N9K-A or N9K-B?

You may be hitting "L3-A and Nexus-B" scenario described in the below document?

Supported Topologies for Routing over Virtual Port Channel on Nexus Platforms

118997-technote-nexus-00-00

4. Is the Palo Alto's BGP configuration pointing to the physical IP address of the Nexus, is this correct? I'd like to make sure that the Palo Alto BGP configuration is not pointing to the HSRP VIP if any.

Cheers.

dtran
Level 6
Level 6

I have a similar design as yours and BGP is working perfectly fine between N7706's and PA5250's.

I have a pair of N7706's running VPC and my PA5250 is connected to the N7706 via VPC. I am also using SVI for BGP peering, the important thing is make sure your PA is pointing the physical address on the Nexus (NOT the VIP address)

 

Hope that helps !!

Danny

When doing Routing Protocols adjacency over vPC, do not forget to add under the vpc domain X configuration the layer-3 peer-router and peer-gateway commands on both Nexus chassis.

Cheers.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: