
Received BGP NOTIFICATION: Code = 6 (CEASE) Subcode = 1 (Maximum prefixed reached)

mahesh18
Level 6

We are trying to replace our existing ASRs with new ones.

During the change we were unable to form a BGP neighbourship with the ISP.

The neighbourship gets established and then within 30 seconds disconnects again.

The logs show:

Received BGP NOTIFICATION: Code = 6 (CEASE) Subcode = 1 (Maximum prefixed reached)

What are we missing here?

 


Giuseppe Larosa
Hall of Fame

Hello Mahesh,

If you are multihomed, you need to avoid advertising ISP1's prefixes to ISP2.

The message means that the maximum prefix limit set by the neighbor has been reached.

So your device is advertising too many prefixes to the neighbor.

You can use an as-path access-list with the regular expression permit ^$ to allow only locally originated routes to be sent out to the neighbor.

About your locally originated routes, verify whether you previously had any aggregate command configured with the summary-only as-set option.

 

Hope to help

Giuseppe

 

What I see now is that with the ISP we have this config:

neighbor 72.29.x.x prefix-list ISP-Prefix out
neighbor 72.29.x.x filter-list 10 out

I can see we have our internal network under prefix-list ISP-Prefix

ip bgp-community new-format
ip as-path access-list 10 permit ^$      ???????????????????????????????????

What does the above command do?

Seems we do not have access-list 10 in our new router?

 

Interface which connects to ISP  has

int gi1/0/1

ip access-group 110 in

 

access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 permit ip 208.98.x.x 0.0.0.3 208.98.x.x 0.0.0.3
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 permit ip 72.29.230.x 0.0.0.3 72.29.230.x 0.0.0.3
access-list 110 permit ip any any

 

So does this ACL 110 refer to any traffic coming from ISP 72.29.230.x to us?

 

Hello Mahesh,

Your router already has the right configuration to keep your device from becoming a transit:

neighbor 72.29.x.x filter-list 10 out

This command refers to an AS path access-list 10 that is defined correctly:

ip as-path access-list 10 permit ^$

The regular expression ^$ matches only an empty AS path, so it matches only locally originated routes.

Your own AS number is added to updates after this check is performed; for this reason the previous expression is correct.

How many prefixes are you sending that match the prefix-list?

Try to see with

show ip bgp injected

Access-list 110 refers to traffic over the link to the provider, so it does not filter routes but filters packets.

Access-list 110 denies traffic coming from private networks, network 0.0.0.0 and loopback 127.0.0.0, and allows everything else.

Access-list 110 is not part of the problem you are facing.

 

Hope to help

Giuseppe

Now we have backed out our change.

With the current router:

show ip bgp injected-paths

No output is generated with this command.

When I try this command:

 

show ip bgp filter-list 10
BGP table version is 35779808, local router ID is 72.29.230.x
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
* i 192.41.x.0 192.41.x.x 0 100 0 i
*> 192.41.x.x 0 32768 i
* i 198.160.x.0 192.41.148.x.x 0 100 0 i
*> 0.0.0.0 0 32768 i

 

On the new router we were missing this config

 

ip as-path access-list 10 permit ^$ ????????????

was this part of the problem?

 

ISP told us during our change we were advertising many more prefixes.

Hello Mahesh,

>>

On the new router we were missing this config

ip as-path access-list 10 permit ^$ ????????????

was this part of the problem?

This was the problem! If the as-path list is not defined and you apply a command like

neighbor 72.x.x.x filter-list 10 out

IOS looks for an as-path list 10, doesn't find it, and the IOS behaviour is to permit all prefixes out, so your router becomes a transit, sending to ISPx what you have received from another ISP.

At this point the ISP has configured a maximum number of prefixes that can be received, with the reaction of tearing down the session if you go beyond the limit.

You need the statement defining the as-path list 10 configured.

As I explained in the previous post, the regular expression matches only the empty AS path, so it is handy for matching only locally generated routes (as the check is performed before prepending your own AS number in updates, the only routes with an empty AS path are the ones generated within your AS).

When you try with the new router again, put in all the configuration, including the definition of the AS path list.

 

Hope to help

Giuseppe
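
A pre-migration check for the failure described in the reply above, as an added example that is not part of the original thread: it scans a saved running-config for neighbor policies (filter-list, prefix-list, route-map) that are referenced but never defined. The sample config, AS numbers, addresses and the function name `find_dangling_policies` are constructed for illustration.

```python
import re

# Constructed sample modelled on the thread: the neighbor references
# as-path list 10, but "ip as-path access-list 10" was not migrated.
NEW_ROUTER_CONFIG = """\
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 prefix-list ISP-Prefix out
 neighbor 192.0.2.1 filter-list 10 out
!
ip prefix-list ISP-Prefix description Prefixes we advertise
ip prefix-list ISP-Prefix seq 10 permit 198.51.100.0/24
"""

# A neighbor statement that attaches a named policy in one direction.
REFERENCE = re.compile(
    r"^\s*neighbor\s+(\S+)\s+(filter-list|prefix-list|route-map)\s+(\S+)\s+(in|out)\b")

# Statements that actually define each policy kind. A "description" line
# alone does not count, because it creates no permit/deny entry.
DEFINITIONS = {
    "filter-list": re.compile(r"^\s*ip as-path access-list\s+(\S+)\s+(?:permit|deny)\b"),
    "prefix-list": re.compile(r"^\s*ip prefix-list\s+(\S+)\s+(?:seq\s+\d+\s+)?(?:permit|deny)\b"),
    "route-map": re.compile(r"^\s*route-map\s+(\S+)\s+(?:permit|deny)\b"),
}

def find_dangling_policies(config):
    """Return sorted (neighbor, kind, name, direction) for undefined policies."""
    lines = config.splitlines()
    defined = {kind: set() for kind in DEFINITIONS}
    for line in lines:
        for kind, pattern in DEFINITIONS.items():
            match = pattern.match(line)
            if match:
                defined[kind].add(match.group(1))
    dangling = []
    for line in lines:
        match = REFERENCE.match(line)
        if match:
            neighbor, kind, name, direction = match.groups()
            if name not in defined[kind]:
                dangling.append((neighbor, kind, name, direction))
    return sorted(dangling)

if __name__ == "__main__":
    for neighbor, kind, name, direction in find_dangling_policies(NEW_ROUTER_CONFIG):
        print(f"neighbor {neighbor}: {kind} {name} {direction} is referenced but not defined")
```

Running it against the old and new router configs before the cutover would flag the missing as-path list 10 while the session is still down.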

 

Will do that now.

Many thanks for the confirmation.

 

Hello 

Can you post the output of the following:
show run | in Prefix|prefix
show route-map


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

This is the config of the working router, which has no issues:

show route-map
route-map set-as-prepend, permit, sequence 10
Match clauses:
Set clauses:
as-path prepend 16569 16569 16569
Policy routing matches: 0 packets, 0 bytes
route-map set-local-pre, permit, sequence 10
Match clauses:
Set clauses:
local-preference 150
Policy routing matches: 0 packets, 0 bytes
route-map AllowList, permit, sequence 10
Match clauses:
ip address (access-lists): 80
Set clauses:
Policy routing matches: 0 packets, 0 bytes

#show run | in Prefix|prefix
neighbor 72.29.230.x prefix-list Corp-Prefix out
ip prefix-list Corp-Prefix description Prefixes advertised by Corp
ip prefix-list Corp-Prefix seq 10 permit 192.41.x.x.0/24
ip prefix-list Corp-Prefix seq 20 permit 198.160.x.x.0/24

ip prefix-list Incoming-Prefix-Filter description Filter Illegal BGP advertisments
ip prefix-list Incoming-Prefix-Filter seq 10 deny 10.0.0.0/8 le 32
ip prefix-list Incoming-Prefix-Filter seq 15 deny 172.16.0.0/12 le 32
ip prefix-list Incoming-Prefix-Filter seq 20 deny 192.168.0.0/16 le 32
ip prefix-list Incoming-Prefix-Filter seq 25 deny 224.0.0.0/4 le 32
ip prefix-list Incoming-Prefix-Filter seq 30 deny 240.0.0.0/4 le 32
ip prefix-list Incoming-Prefix-Filter seq 35 deny 127.0.0.0/8 le 32
ip prefix-list Incoming-Prefix-Filter seq 40 deny 169.254.0.0/16 le 32
ip prefix-list Incoming-Prefix-Filter seq 45 deny 208.98.0.0/16 le 32
ip prefix-list Incoming-Prefix-Filter seq 1025 permit 0.0.0.0/0 le 24
