06-17-2019 08:18 AM
I am not sure where the issue is, or which debugs would show me what the issue is. I have a single stack of Cat9300s that have two Layer 3 port channels. One Layer 3 port channel goes to Palo Alto firewall #1 and the second Layer 3 port channel to another Palo Alto firewall (#2). The Palo Altos are not in an HA pair; they are standalone.
One of the port channels is peering just fine with Palo Alto #1 via iBGP. I am redistributing connected into OSPF to get all the loopbacks into the route table for all devices to see them. So the 9300s see loopbacks for Palo Alto #1 and #2, and peer just fine with one of them. Both Palo Altos are RRs and also peer with Cat9500s southbound just fine, so it has to be something to do with the 9300s since the Palos are configured the same way.
So I should be able to peer the same loopback on the 9300s to each of the loopbacks on the Palo Altos, correct? I mean, the only thing that isn't normal for me is the Palos.
06-17-2019 08:49 AM
I would double-check that all the necessary loopbacks are pingable from both the 9300s and the Palos. Sounds like a missing route. Also, if not, then it would be a good idea to debug BGP on the 9300 and see if anything odd pops up in the log. BGP debug on Cisco is great and provides plenty of info.
06-17-2019 09:20 AM
Hello Steven,
>> So I should be able to peer the same loopback on 9300s to each of the loopbacks on palo altos correct?
Yes this is correct.
You can use network commands to advertise the loopbacks in OSPF to avoid using OSPF external routes.
I would suggest this change.
However, if the two Palo Alto boxes are standalone from the point of view of the C9300 stack, they can be two different iBGP peers.
What is the state of the iBGP sessions on the C9300 stack?
show ip bgp summary
Hope to help
Giuseppe
06-17-2019 09:59 AM
9300-IDF1-CORE-01#show run | sec router
router ospf 10
router-id 172.16.63.5
redistribute connected subnets route-map FILTER-CONNECTED
passive-interface default
no passive-interface Port-channel10
no passive-interface Port-channel20
router bgp 65001
bgp router-id 172.16.63.5
bgp log-neighbor-changes
neighbor 172.16.63.3 remote-as 65001
neighbor 172.16.63.3 update-source Loopback0
neighbor 172.16.63.4 remote-as 65001
neighbor 172.16.63.4 update-source Loopback0
!
address-family ipv4
neighbor 172.16.63.3 activate
neighbor 172.16.63.3 soft-reconfiguration inbound
neighbor 172.16.63.4 activate
neighbor 172.16.63.4 soft-reconfiguration inbound
maximum-paths ibgp 2
exit-address-family
9300-IDF1-CORE-01#show ip bgp sum
9300-IDF1-CORE-01#show ip bgp summary
BGP router identifier 172.16.63.5, local AS number 65001
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.63.3 4 65001 117 112 1 0 0 00:50:08 0
172.16.63.4 4 65001 0 0 1 0 0 never Idle
BNA-IDF1-CORE-01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O 10.53.100.0/30 [110/11] via 10.53.100.17, 00:50:17, Port-channel10
O 10.53.100.4/30 [110/11] via 10.53.100.21, 00:50:17, Port-channel20
O 10.53.100.8/30 [110/11] via 10.53.100.17, 00:50:17, Port-channel10
O 10.53.100.12/30 [110/11] via 10.53.100.21, 00:50:17, Port-channel20
C 10.53.100.16/30 is directly connected, Port-channel10
L 10.53.100.18/32 is directly connected, Port-channel10
C 10.53.100.20/30 is directly connected, Port-channel20
L 10.53.100.22/32 is directly connected, Port-channel20
172.16.0.0/32 is subnetted, 5 subnets
O E2 172.16.63.1 [110/20] via 10.53.100.21, 00:50:17, Port-channel20
[110/20] via 10.53.100.17, 00:50:17, Port-channel10
O E2 172.16.63.2 [110/20] via 10.53.100.21, 00:50:17, Port-channel20
[110/20] via 10.53.100.17, 00:50:17, Port-channel10
O E2 172.16.63.3 [110/1] via 10.53.100.17, 00:50:17, Port-channel10
O E2 172.16.63.4 [110/1] via 10.53.100.21, 00:50:17, Port-channel20
C 172.16.63.5 is directly connected, Loopback0
9300-IDF1-CORE-01#
!
!
!
Palo alto route table:
So they can see each other, but no pings are working. Palo logs show source 172.16.63.5 to 172.16.63.4 (Palo Alto loopback) and the session end is tcp-rst-from-server.
I see the 9300 trying to peer, but I assume something is blocking it. The Palo Alto has any/any for policy sets, so anything will get through and be let out.
9300-IDF1-CORE-01#
*Jun 17 16:30:47.488: %BGP-3-NOTIFICATION: received from neighbor 172.16.63.4 active 6/5 (Connection Rejected) 0 bytes
*Jun 17 16:30:47.488: %BGP-5-NBR_RESET: Neighbor 172.16.63.4 active reset (BGP Notification received)
*Jun 17 16:30:47.488: %BGP-5-ADJCHANGE: neighbor 172.16.63.4 active Down BGP Notification received
*Jun 17 16:30:47.488: %BGP_SESSION-5-ADJCHANGE: neighbor 172.16.63.4 IPv4 Unicast topology base removed from session BGP Notification received
*Jun 17 16:30:57.729: %BGP-3-NOTIFICATION: received from neighbor 172.16.63.4 active 6/5 (Connection Rejected) 0 bytes
*Jun 17 16:30:57.729: %BGP-5-NBR_RESET: Neighbor 172.16.63.4 active reset (BGP Notification received)
*Jun 17 16:30:57.729: %BGP-5-ADJCHANGE: neighbor 172.16.63.4 active Down BGP Notification received
*Jun 17 16:30:57.729: %BGP_SESSION-5-ADJCHANGE: neighbor 172.16.63.4 IPv4 Unicast topology base removed from session BGP Notification received
*Jun 17 16:31:06.945: %BGP-3-NOTIFICATION: received from neighbor 172.16.63.4 active 6/5 (Connection Rejected) 0 bytes
*Jun 17 16:31:06.945: %BGP-5-NBR_RESET: Neighbor 172.16.63.4 active reset (BGP Notification received)
*Jun 17 16:31:06.945: %BGP-5-ADJCHANGE: neighbor 172.16.63.4 active Down BGP Notification received
*Jun 17 16:31:06.945: %BGP_SESSION-5-ADJCHANGE: neighbor 172.16.63.4 IPv4 Unicast topology base removed from session BGP Notification received
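The log lines and the `show ip bgp summary` output above carry the whole diagnosis in a machine-readable form: one neighbor is Established with 0 prefixes, the other is Idle with "never" uptime, and every NOTIFICATION it sends back is Cease (error code 6) with subcode 5, Connection Rejected (RFC 4486), i.e. the remote speaker accepted the TCP connection and then refused the session, which matches the `tcp-rst-from-server` the Palo Alto logged. The following Python is an added example, not code from the thread or from Cisco; it parses those two outputs (sample lines constructed from the ones posted above), decodes the NOTIFICATION codes, and flags peers that are configured but never established alongside the reason the remote side gave. It is the kind of check an operations team would run over collected IOS syslog rather than reading the counters by hand.

```python
import re
from collections import Counter

# Constructed sample input, copied in shape from the thread's posted IOS output.
SAMPLE_LOG = """\
*Jun 17 16:30:47.488: %BGP-3-NOTIFICATION: received from neighbor 172.16.63.4 active 6/5 (Connection Rejected) 0 bytes
*Jun 17 16:30:47.488: %BGP-5-NBR_RESET: Neighbor 172.16.63.4 active reset (BGP Notification received)
*Jun 17 16:30:57.729: %BGP-3-NOTIFICATION: received from neighbor 172.16.63.4 active 6/5 (Connection Rejected) 0 bytes
*Jun 17 16:31:06.945: %BGP-3-NOTIFICATION: received from neighbor 172.16.63.4 active 6/5 (Connection Rejected) 0 bytes
"""

SAMPLE_SUMMARY = """\
BGP router identifier 172.16.63.5, local AS number 65001
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.63.3 4 65001 117 112 1 0 0 00:50:08 0
172.16.63.4 4 65001 0 0 1 0 0 never Idle
"""

# NOTIFICATION error codes (RFC 4271) and Cease subcodes (RFC 4486).
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
CEASE_SUBCODES = {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
                  3: "Peer De-configured", 4: "Administrative Reset",
                  5: "Connection Rejected", 6: "Other Configuration Change",
                  7: "Connection Collision Resolution", 8: "Out of Resources"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NOTIF_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %BGP-3-NOTIFICATION: "
    r"(?P<direction>received from|sent to) neighbor (?P<peer>" + IPV4 + r") "
    r"(?:(?:active|passive) )?(?P<code>\d+)/(?P<subcode>\d+) \((?P<text>[^)]*)\)")
PEER_ROW_RE = re.compile(r"^" + IPV4 + r"$")


def decode(code, subcode):
    """Human-readable meaning of a NOTIFICATION code/subcode pair."""
    name = ERROR_CODES.get(code, f"Unknown({code})")
    if code == 6:
        return f"{name} / {CEASE_SUBCODES.get(subcode, f'subcode {subcode}')}"
    return f"{name} / subcode {subcode}"


def parse_notifications(text):
    """Extract every %BGP-3-NOTIFICATION line as a dict."""
    events = []
    for line in text.splitlines():
        m = NOTIF_RE.match(line)
        if m:
            events.append({"timestamp": m["ts"], "direction": m["direction"],
                           "peer": m["peer"], "code": int(m["code"]),
                           "subcode": int(m["subcode"]), "text": m["text"]})
    return events


def parse_bgp_summary(text):
    """Parse the neighbor table of 'show ip bgp summary' into {peer: info}."""
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not PEER_ROW_RE.match(fields[0]):
            continue
        # Last column is a prefix count when Established, otherwise the FSM state.
        state = fields[-1]
        established = state.isdigit()
        peers[fields[0]] = {"remote_as": int(fields[2]), "up_down": fields[8],
                            "established": established,
                            "state": "Established" if established else state,
                            "prefixes_received": int(state) if established else None}
    return peers


def flag_stuck_peers(summary, events, threshold=2):
    """Peers that are not Established, with repeated NOTIFICATIONs decoded."""
    counts = Counter((e["peer"], e["direction"], e["code"], e["subcode"]) for e in events)
    flagged = {}
    for peer, info in summary.items():
        if info["established"]:
            continue
        notes = [{"direction": d, "meaning": decode(c, s), "count": n}
                 for (p, d, c, s), n in counts.items() if p == peer and n >= threshold]
        flagged[peer] = {"state": info["state"], "up_down": info["up_down"],
                         "notifications": notes}
    return flagged


if __name__ == "__main__":
    report = flag_stuck_peers(parse_bgp_summary(SAMPLE_SUMMARY),
                              parse_notifications(SAMPLE_LOG))
    for peer, info in report.items():
        print(f"{peer}: {info['state']} (up/down {info['up_down']})")
        for n in info["notifications"]:
            print(f"  {n['direction']} {n['meaning']} x{n['count']}")
```

Run on the sample, it reports only 172.16.63.4 as Idle with three "received from Cease / Connection Rejected" notifications, while 172.16.63.3 is left alone because it is Established. The direction field matters: a Cease received from the neighbor means the far end made the decision, so the next place to look is that device's BGP peer configuration for the 9300's loopback address, not the local side.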