iBGP full mesh

Ab26
Level 1

Hi, I've had 2 routers that are configured with iBGP. Each one of these routers is connected to an external provider with eBGP. I set up a new router with full mesh iBGP, and when I connect it to the external provider I get logs saying that R1 and R2 are trying to establish a BGP session with R3 but source the traffic with their external IP addresses that are used toward external providers.
I've configured next-hop-self in the iBGP but it didn't help.

%KERN-3-SYSTEM_MSG: [116842.668031] TCP: Unexpected MD5 Hash found for (11.11.11.1, 25304)->(55.55.55.3, 179) S - kernel
%KERN-3-SYSTEM_MSG: [116842.668031] TCP: Unexpected MD5 Hash found for (22.22.22.1, 25304)->(55.55.55.3, 179) S - kernel

In R3 I don't have neighbors for 11.11.11.1 or 22.22.22.1
In R3 I have neighbors configured for 55.55.55.1 and 55.55.55.2

Does anyone know what could be the problem and how to solve it?

Ab26_0-1742512116225.png

 


Harold Ritter
Spotlight

Hi @Ab26 ,

Could you please provide the BGP configuration section.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

M02@rt37
VIP

Hello @Ab26 

Based on the diagram and your logs, the issue is likely caused by R1 and R2 sourcing iBGP traffic using their external provider-facing IPs (11.11.11.1 and 22.22.22.1) instead of their internal-facing IPs (55.55.55.1 and 55.55.55.2).

Also, you have an MD5 authentication mismatch (either unexpected MD5 or missing configuration on R1/R2).

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Giuseppe Larosa
Hall of Fame

Hello @Ab26 ,

Check the BGP configuration on all three routers R1, R2, R3. From what we see in the error messages, it looks like you have a wrong configuration on R1, R2 using a neighbor 55.55.55.3 update-source command pointing to the external LAN interface.

Hope to help

Giuseppe

 

Ab26
Level 1
Thanks to everybody who responded!
I had actually missed the update-source command.
 
Now my question is that I don't have update-source between R1 and R2 and they still work with no problem. Does anybody know why the problem only occurs with R3?
 
Vlan55 is the link VLAN between the 3 routers 55.55.55.0/28
 
R1
router bgp 63505
  router-id 1.1.1.1
  log-neighbor-changes
  vrf function
    address-family ipv4 unicast
      redistribute direct
    neighbor 11.11.11.0
      remote-as 64500
      password 123
      address-family ipv4 unicast
        as-override
    neighbor 55.55.55.2
      remote-as 63505
      password 123
      address-family ipv4 unicast
        next-hop-self
    neighbor 55.55.55.3
      remote-as 63505
      password 123
      update-source Vlan55
      address-family ipv4 unicast
        next-hop-self
-----------------------------------
R2
router bgp 63505
  router-id 2.2.2.2
  log-neighbor-changes
  vrf function
    address-family ipv4 unicast
      redistribute direct
    neighbor 22.22.22.0
      remote-as 64500
      password 123
      address-family ipv4 unicast
        as-override
    neighbor 55.55.55.1
      remote-as 63505
      password 123
      address-family ipv4 unicast
        next-hop-self
    neighbor 55.55.55.3
      remote-as 63505
      password 123
      update-source Vlan55
      address-family ipv4 unicast
        next-hop-self
-----------------------------------
R3
router bgp 63505
  router-id 3.3.3.3
  log-neighbor-changes
  vrf function
    address-family ipv4 unicast
      redistribute direct
    neighbor 33.33.33.0
      remote-as 64500
      password 123
      address-family ipv4 unicast
        as-override
    neighbor 55.55.55.1
      remote-as 63505
      password 123
      update-source Vlan55
      address-family ipv4 unicast
        next-hop-self
    neighbor 55.55.55.2
      remote-as 63505
      password 123
      update-source Vlan55
      address-family ipv4 unicast
        next-hop-self

Hi @Ab26 ,

By default the update source that is selected is the egress interface leading to the peer. In your scenario, vlan55 should be the interface selected for the iBGP mesh between R1, R2 and R3. The configuration of the update-source should not be required for this reason.

You seem to be running NXOS, right? Can you confirm the version you use? Can you also provide the interface configuration for vlan55?

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Ab26
Level 1

Thanks @Harold Ritter !

After looking deeper I found out that Vlan55 was down in R1 and R2. These 2 routers were there for a while. I just added R3 recently. Just for simplicity I only mentioned one VLAN and one VRF, however I have many in this setup. I should've done BGP debugging from the beginning.

You are very welcome @Ab26 and thanks for the feedback.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
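
An added example, not posted by anyone in this thread: a small triage script for the "Unexpected MD5 Hash found" messages quoted above, which separates peers that are sourcing from outside the peering VLAN (the symptom seen here once Vlan55 was down on R1 and R2) from other rejects. The neighbor list and the 55.55.55.0/28 subnet come from R3's configuration in the thread; the function name `classify`, the verdict strings and the last three sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message format as quoted in the thread's NX-OS kernel log lines.
MD5_RE = re.compile(
    r"Unexpected MD5 Hash found for "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\)->\((?P<dst>[\d.]+), (?P<dport>\d+)\)"
)

# Hypothetical verdict labels (not NX-OS output).
OFF_SUBNET = "off-subnet source: sender is not sourcing from the peering VLAN"
NO_NEIGHBOR = "no matching neighbor statement for this source"
KNOWN_PEER = "configured neighbor: compare the password setting on both ends"

def classify(log_lines, neighbors, peering_net):
    """Map each rejected source IP to (hit count, verdict) for tcp/179 only."""
    peers = {ipaddress.ip_address(n) for n in neighbors}
    net = ipaddress.ip_network(peering_net)
    hits, last_dst = Counter(), {}
    for line in log_lines:
        m = MD5_RE.search(line)
        if not m or m["dport"] != "179":
            continue  # not this message, or not aimed at the BGP listener
        src = ipaddress.ip_address(m["src"])
        hits[src] += 1
        last_dst[src] = ipaddress.ip_address(m["dst"])
    report = {}
    for src, count in hits.items():
        if src in peers:
            verdict = KNOWN_PEER
        elif last_dst[src] in net and src not in net:
            verdict = OFF_SUBNET  # local end is on the VLAN, sender is not
        else:
            verdict = NO_NEIGHBOR
        report[str(src)] = (count, verdict)
    return report

SAMPLE = [  # first two lines are from the thread; the last three are constructed
    "%KERN-3-SYSTEM_MSG: [116842.668031] TCP: Unexpected MD5 Hash found for (11.11.11.1, 25304)->(55.55.55.3, 179) S - kernel",
    "%KERN-3-SYSTEM_MSG: [116842.668031] TCP: Unexpected MD5 Hash found for (22.22.22.1, 25304)->(55.55.55.3, 179) S - kernel",
    "%KERN-3-SYSTEM_MSG: [116850.100000] TCP: Unexpected MD5 Hash found for (11.11.11.1, 25310)->(55.55.55.3, 179) S - kernel",
    "%KERN-3-SYSTEM_MSG: [116851.200000] TCP: Unexpected MD5 Hash found for (55.55.55.9, 40112)->(55.55.55.3, 179) S - kernel",
    "%KERN-3-SYSTEM_MSG: [116852.300000] TCP: Unexpected MD5 Hash found for (55.55.55.2, 40113)->(55.55.55.3, 179) S - kernel",
]

if __name__ == "__main__":
    result = classify(SAMPLE, ["55.55.55.1", "55.55.55.2"], "55.55.55.0/28")
    for src, (n, verdict) in result.items():
        print(f"{src:<12} x{n}  {verdict}")
```

An off-subnet verdict points at the sending router: check the state of its peering interface and its update-source setting before touching passwords on the receiving side.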