Another BGP-3-NOTIFICATION: received from neighbor <Peer IP> 6/6 (cease) discussion...

ad12acsadmin · ‎05-29-2018

... However, I believe this discussion is slightly different.

We had a BGP neighbor loss and subsequent circuit outage. In our logs, we see the following entries:

May 25 03:29:03.159: %BGP-3-NOTIFICATION: received from neighbor <Peer IP> 6/6 (cease) 0 bytes
May 25 03:29:03.159: %BGP-5-ADJCHANGE: neighbor <Peer IP> Down Peer closed the session
May 25 03:29:03.159: %BGP_SESSION-5-ADJCHANGE: neighbor <Peer IP> IPv4 Unicast topology base removed from session Peer closed the session
May 25 03:29:16.941: %BGP-5-ADJCHANGE: neighbor <Peer IP> Up
May 25 03:29:22.763: %LINK-3-UPDOWN: Interface TenGigabitEthernet3/1/1, changed state to down
.May 25 03:29:22.771: %BGP-5-ADJCHANGE: neighbor <Peer IP> Down Interface flap
.May 25 03:29:22.771: %BGP_SESSION-5-ADJCHANGE: neighbor <Peer IP> IPv4 Unicast topology base removed from session Interface flap
May 25 03:29:21.900: %PM-4-ERR_DISABLE: link-flap error detected on Te3/1/1, putting Te3/1/1 in err-disable state (<host>)
.May 25 03:29:23.770: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet3/1/1, changed state to down

Our SP is calling this a layer 1 issue and is brushing it aside. What I am curious about is the reception of the BGP peer close messages -- is it possible to receive these messages in our logs if the messages were not actually sent by the remote peer? In other words, could our router somehow interpret a layer 1 issue and inject these messages into the logs?

Thanx

Georg Pauwen · ‎05-29-2018

Hello,

you can be pretty sure that your ISP made a change at their end that caused this. Tell them that according to your logs, you have received BGP Cease Subcode 6.

--> BGP-3-NOTIFICATION: received from neighbor <Peer IP> 6/6 (cease)

The /6 means: Other Configuration Change

--> If a BGP speaker decides to administratively reset the peering with a neighbor due to a configuration change other than the ones described above, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Other Configuration Change“.

Check the link below:

BGP Cease Subcode definition

http://www.net-gyver.com/?p=1241

ad12acsadmin · ‎05-29-2018

Thank you Georg. That is what I derived from the RFC:

https://tools.ietf.org/html/rfc4486

3. Subcode Definition

The following subcodes are defined for the Cease NOTIFICATION
message: (bold mine)

Subcode Symbolic Name

1 Maximum Number of Prefixes Reached
2 Administrative Shutdown
3 Peer De-configured
4 Administrative Reset
5 Connection Rejected
6 Other Configuration Change
7 Connection Collision Resolution
8 Out of Resources

But is it even possible our router can log these messages without the message actually being sent?

Thanx

Dennis Mink · ‎05-29-2018

BGP is 100% layer 3 +, so fully dependent and unaware of underlying layers.

if you drop your BGP neighbourship, then it is very safe to assume its layer 1, 2 (or 3). Most network management and monitoring platforms use the same principle. I wouldnt make it more complicated than that to be honest

Please remember to rate useful posts, by clicking on the stars below.

ad12acsadmin · ‎06-06-2018

Thanx Dennis- We really want a better answer from the SP on this. If this were a circuit we had in place for years I could let it go and chalk it up to L1, but it is a brand-new circuit. The SP is now saying they did not get enough light from us, and their JunOS edge device sends the subcode 6 cease message when this happens.

Needless to say, I am skeptical about that statement, but do not have the knowledge to counter.

So, my original question is still valid, and: is it even possible our router can log these messages without the message actually being sent? As well as, will any BGP Speaker send a subcode 6 without a configuration change happening?

Thanx all