
CEF forwarding table not updating

Hassaan
Level 1

Hello everyone,

 

I am hoping someone has an idea or knows of a situation where the routing table updates as expected, i.e. shows the correct route, but the forwarding table does not point to the correct next hop/outgoing interface in the CEF table?

 

I know it's not correct because it never reaches the next hop IP in the routing table, e.g. when I do a traceroute, but instead redirects to a longer failover backup route. The prefixes and failover in the network are created with iBGP peering (not sure how relevant that is).

 

If I force it to go to the next hop I want it to with a static route, it of course redirects and updates the CEF with that. This next hop is configured as an L2 uplink as below:

 

interface Port-channel3
 switchport trunk allowed vlan 82,572,662,1402
 switchport mode trunk
end

The next hop device is a Palo Alto firewall where each of the above VLANs is an L3 subinterface. There is an established iBGP peering using VLAN interface 1402 and the subinterface on the Palo device. The next hop IP on the Palo device is 172.16.140.6 and it's supposed to use this next hop to reach the GW of last resort, which is distributed via BGP.

 

Router1#sh ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 413
Paths: (2 available, best #2, table default)
  Not advertised to any peer
  Refresh Epoch 1
  64999 786
    194.82.98.1 from 172.16.2.158 (172.16.2.149)
      Origin IGP, localpref 100, valid, internal
      Community: 51512296
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  64999 786
    194.82.96.1 from 172.16.140.6 (172.16.0.1)
      Origin IGP, localpref 100, valid, internal, best
      Community: 51512296
      rx pathid: 0, tx pathid: 0x0

So although it's saying 140.6 is the best path, the CEF table doesn't agree and instead attempts to reach 0.0.0.0 using the alternative path, which I don't want it to:

 

Router1#sh ip cef 0.0.0.0/0
0.0.0.0/0
  nexthop 172.16.25.1 TenGigabitEthernet1/0/12

Any ideas why the CEF table wouldn't update?

 

 

 


Harold Ritter
Cisco Employee

Hi @Hassaan ,

 

The next-hop for your BGP best path is 194.82.96.1.

 

Can you do a "show ip route 194.82.96.1"?

 

Can you also provide the output for "show ip route 0.0.0.0/0"? 

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

 

show ip route 172.16.140.6
"This points to 172.16.25.1"

So the next hop is using 172.16.25.x.

You need an IGP to make the router know this next hop of the default route, or use next-hop-self to make iBGP change the next hop to its interface IP.

Hassaan
Level 1

@Harold Ritter Thanks, I ran those commands and that gave me the clue as to what the issue was. It turns out the 194.82.96.0 route was being exported over OSPF from a router along the backup path. All I needed to do was create an export policy for that route from the Palo firewall and then set a higher local preference on the Cisco router so it can take precedence in the routing table.
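
The root cause found in this thread, as an added example that is not part of the original posts: a small Python model of recursive next-hop resolution, showing why the forwarding entry for 0.0.0.0/0 follows whichever route covers the BGP next hop 194.82.96.1 rather than the iBGP peer 172.16.140.6. The addresses come from the thread; the prefix lengths, the `Vlan1402` interface name and the "after" table are assumptions.

```python
import ipaddress

def lookup(ip, rib, skip=None):
    """Longest-prefix match for ip, ignoring the route being resolved."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in rib
            if r is not skip and addr in ipaddress.ip_network(r["prefix"])]
    return max(hits, default=None,
               key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)

def resolve(prefix, rib, max_depth=8):
    """Follow recursive next hops until a route with an interface is found.
    Returns (forwarding next hop, interface, chain of routes used)."""
    top = route = next(r for r in rib if r["prefix"] == prefix)
    chain, nh = [], None
    for _ in range(max_depth):
        if route is None:                      # next hop has no covering route
            return None, None, chain
        chain.append(f'{route["prefix"]} ({route["src"]})')
        if route["iface"]:                     # resolved down to an interface
            return route["via"] or nh, route["iface"], chain
        nh = route["via"]
        route = lookup(nh, rib, skip=top)
    raise RuntimeError("next-hop recursion too deep")

def rt(prefix, src, via=None, iface=None):
    return {"prefix": prefix, "src": src, "via": via, "iface": iface}

# Constructed tables. Prefix lengths, Vlan1402 and the AFTER entry are assumed.
CONNECTED = [rt("172.16.25.0/30", "connected", iface="TenGigabitEthernet1/0/12"),
             rt("172.16.140.0/29", "connected", iface="Vlan1402")]
DEFAULT = rt("0.0.0.0/0", "bgp", via="194.82.96.1")   # BGP best path next hop
# Before: the next hop's prefix is learned over OSPF along the backup path.
BEFORE = CONNECTED + [DEFAULT, rt("194.82.96.0/24", "ospf", via="172.16.25.1",
                                  iface="TenGigabitEthernet1/0/12")]
# After: the next hop's prefix is reached through the firewall instead.
AFTER = CONNECTED + [DEFAULT, rt("194.82.96.0/24", "bgp", via="172.16.140.6")]

if __name__ == "__main__":
    for name, rib in (("before", BEFORE), ("after", AFTER)):
        nh, iface, chain = resolve("0.0.0.0/0", rib)
        print(f"{name}: nexthop {nh} {iface}  via {' -> '.join(chain)}")
```

The "before" result matches the `sh ip cef 0.0.0.0/0` output in the question: the BGP table names the peer the path was learned from, while the forwarding entry is built from the route that covers the path's next-hop address.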

 

 

LP is not what you need; weight is what Cisco recommends, if I am right that this is your case.
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/213285-understand-the-importance-of-bgp-weight.html

 

Hi @Hassaan ,

 

I am glad I pointed you in the right direction and that you fixed the issue.

 

Have a great day.

 

Regards,

Harold Ritter