Not quite. At site A we have router A1 connected to MPLS. At site B we have router B1 connected MPLS. We will run multihop BGP b/w the two routers. We also have internet routers at both sites that will have gre/ipsec tunnels to other site. We want to use private ASN so each site can be in its own ASN, and be able to advertise/speak our public ASN to ISP. We need to do this to overcome BGP convergence time of MPLS SP in case of failure as we intend to run live to air audio over network.

A picture is worth 1000 words...

Does this look better? (see attachment)

Hmmm...interesting. I would have though your upstream ISP would be filtering routes with a private ASN in the path. Do you see the private ASN on any looking glass servers?

If you can't then it shouldn't really matter but it's best to filter on your end all the same. I suspect that the core problem is that A2 is advertising routes learned via iBGP from B2 to the upstream provider to ISPA. (see drawing2.jpg)

You can verify this with the following command

show ip bgp nei x.x.x.x advertised-routes

Assuming I am right, a similar thing is happening at site B. I think this calls for an outbound route filter!!

neighbor remote-as

neighbor filter-list 1 out

!

ip as-path access-list 1 permit ^$

Obviously take this with a grain of salt. It will hide routes learned with the private ASN and stop your VPN from becoming a transit network. But it could also break other things that you want to accomplish (like being a transit network). Even if this particular filter doesn't fit the bill, you can definitely tailor an outbound filter that will.

http://www.cisco.com/en/US/docs/ios/11_0/router/command/reference/rregexp.html

Try using the following command where you are using the "xxx.xxx.xxx.xxx local-as yyyyy command"

neighbor x.x.x.x remove-private-as

more description here:

http://www.cisco.com/en/US/customer/tech/tk365/technologies_tech_note09186a0080093f27.shtml