
BGP peering issue between Cisco ASR1k and PaloAlto Firewall

Hello All,

We have a BGP peer established between a Cisco ASR 1k and a Palo Alto firewall, but the BGP session is flapping once every 2-6 seconds.

- I'm able to ping the neighbour IP of the firewall without any drops, and I'm not finding any drops on the interface connecting the firewall and the router.

- I could see the below BGP log messages on the router:

*Jun 13 09:54:01.498 PDT: %BGP-5-ADJCHANGE: neighbor 198.95.226.51 Down Peer closed the session
*Jun 13 09:54:01.499 PDT: %BGP_SESSION-5-ADJCHANGE: neighbor 198.95.226.51 IPv4 Unicast topology base removed from session  Peer closed the session
*Jun 13 09:54:11.028 PDT: %BGP-5-ADJCHANGE: neighbor 198.95.226.51 Up
*Jun 13 09:54:12.824 PDT: %BGP-3-NOTIFICATION: received from neighbor 198.95.226.51 3/9 (unsupported option specified) 9 bytes C0070600 00000000 00
*Jun 13 09:54:12.827 PDT: %BGP-5-ADJCHANGE: neighbor 198.95.226.51 Down Peer closed the session
*Jun 13 09:54:12.827 PDT: %BGP_SESSION-5-ADJCHANGE: neighbor 198.95.226.51 IPv4 Unicast topology base removed from session  Peer closed the session


BGP experts, please help me analyse the logs and identify the issue.


Regards,

Thiyagu

5 Replies

Steve Fuller
Level 9

Hi Thiyagu,

The Palo Alto is closing the BGP peering session for some reason. If you have access to that device you could look to see why it's doing that. Alternatively, if you run the command debug ip bgp 198.95.226.51 on the ASR and paste the output here we might get an indication of what is happening.

Regards

Hi Steve,

Will using the command debug ip bgp x.x.x.x cause high CPU?

Regards,

Thiyagu

Hi Thiyagu,

This shouldn't cause any real spike in CPU as it's only debugging one BGP peer and the number of events associated with that peer is pretty low. I just cleared a BGP peer to an ASR in my lab and it only showed 1% change in CPU at the time the peer re-established.

Regards

Hi all,

I have enabled debugging and got the below error:

*Jun 19 15:42:57.860 PDT: BGP: 198.95.226.51 active went from Idle to Active

*Jun 19 15:42:57.860 PDT: BGP: 198.95.226.51 open active, local address 198.95.226.3

*Jun 19 15:42:57.862 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act Adding topology IPv4 Unicast:base

*Jun 19 15:42:57.862 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act Send OPEN

*Jun 19 15:42:57.862 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act Building Enhanced Refresh capability

*Jun 19 15:42:57.862 PDT: BGP: 198.95.226.51 active went from Active to OpenSent

*Jun 19 15:42:57.862 PDT: BGP: 198.95.226.51 active sending OPEN, version 4, my as: 17394, holdtime 45 seconds, ID D8F010F3

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active rcv message type 1, length (excl. header) 30

*Jun 19 15:42:57.864 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act Receive OPEN

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active rcv OPEN, version 4, holdtime 90 seconds

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active rcv OPEN w/ OPTION parameter len: 20

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active rcvd OPEN w/ optional parameter type 2 (Capability) len 18

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active OPEN has CAPABILITY code: 1, length 4

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active OPEN has MP_EXT CAP for afi/safi: 1/1

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active OPEN has CAPABILITY code: 2, length 0

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active OPEN has ROUTE-REFRESH capability(new) for all address-families

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active OPEN has CAPABILITY code: 128, length 0

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active OPEN has ROUTE-REFRESH capability(old) for all address-families

*Jun 19 15:42:57.864 PDT: BGP: 198.95.226.51 active OPEN has CAPABILITY code: 64, length 6

*Jun 19 15:42:57.865 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act NSF OPEN has GR cap

*Jun 19 15:42:57.865 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act NSF Peer has not restarted. Restart Time: 120

*Jun 19 15:42:57.865 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act NSF Address family IPv4 Unicast is NOT preserved

*Jun 19 15:42:57.865 PDT: BGP: nbr global 198.95.226.51 neighbor does not have IPv4 MDT topology activated

*Jun 19 15:42:57.865 PDT: BGP: 198.95.226.51 active rcvd OPEN w/ remote AS 64896

*Jun 19 15:42:57.865 PDT: BGP: 198.95.226.51 active went from OpenSent to OpenConfirm

*Jun 19 15:42:57.868 PDT: BGP: 198.95.226.51 active went from OpenConfirm to Established

*Jun 19 15:42:57.868 PDT: BGP: ses global 198.95.226.51 (0x595991A4:1) act Assigned ID

*Jun 19 15:42:57.868 PDT: BGP: ses global 198.95.226.51 (0x595991A4:1) Up

*Jun 19 15:42:57.868 PDT: %BGP-5-ADJCHANGE: neighbor 198.95.226.51 Up

US-SNN-IR02-B11RI25#

*Jun 19 15:42:57.990 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:42:58.026 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:42:58.520 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:42:59.017 PDT: BGP: ses global 198.95.226.51 (0x595991A4:1) Remote close.

*Jun 19 15:42:59.017 PDT: BGP: nbr_topo global 198.95.226.51 IPv4 Unicast:base (0x595991A4:1) Not scheduling for GR processing [Peer did not advertise GR cap]

*Jun 19 15:42:59.017 PDT: BGP: ses global 198.95.226.51 (0x595991A4:1) Reset (Peer closed the session).

*Jun 19 15:42:59.648 PDT: BGP: nbr_topo global 198.95.226.51 IPv4 Unicast:base (0x595991A4:1) NSF delete stale NSF not active

*Jun 19 15:42:59.648 PDT: BGP: nbr_topo global 198.95.226.51 IPv4 Unicast:base (0x595991A4:1) NSF no stale paths state is NSF not active

*Jun 19 15:42:59.648 PDT: BGP: nbr_topo global 198.95.226.51 IPv4 Unicast:base (0x595991A4:1) Resetting ALL counters.

*Jun 19 15:42:59.648 PDT: BGP: 198.95.226.51 closing

*Jun 19 15:42:59.648 PDT: BGP: ses global 198.95.226.51 (0x595991A4:1) Session close and reset neighbor 198.95.226.51 topostate

*Jun 19 15:42:59.648 PDT: BGP: nbr_topo global 198.95.226.51 IPv4 Unicast:base (0x595991A4:1) Resetting ALL counters.

*Jun 19 15:42:59.649 PDT: BGP: 198.95.226.51 went from Established to Idle

*Jun 19 15:42:59.651 PDT: %BGP-5-ADJCHANGE: neighbor 198.95.226.51 Down Peer closed the session

*Jun 19 15:42:59.651 PDT: %BGP_SESSION-5-ADJCHANGE: neighbor 198.95.226.51 IPv4 Unicast topology base removed from session Peer closed the session

US-SNN-IR02-B11RI25#

*Jun 19 15:42:59.651 PDT: BGP: ses global 198.95.226.51 (0x595991A4:1) Removed topology IPv4 Unicast:base

*Jun 19 15:42:59.651 PDT: BGP: ses global 198.95.226.51 (0x595991A4:1) Removed last topology

*Jun 19 15:42:59.651 PDT: BGP: nbr global 198.95.226.51 Open active delayed 8192ms (35000ms max, 60% jitter)

*Jun 19 15:42:59.651 PDT: BGP: nbr global 198.95.226.51 Active open failed - open timer running

US-SNN-IR02-B11RI25#

*Jun 19 15:43:01.851 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:43:02.723 PDT: BGP_Router: unhandled major event code 128, minor 0

US-SNN-IR02-B11RI25#

*Jun 19 15:43:05.785 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:43:05.788 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:43:06.041 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:43:06.325 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:43:06.574 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:43:06.585 PDT: BGP_Router: unhandled major event code 128, minor 0

*Jun 19 15:43:07.199 PDT: BGP: 198.95.226.51 active went from Idle to Active

*Jun 19 15:43:07.199 PDT: BGP: 198.95.226.51 open active, local address 198.95.226.3

*Jun 19 15:43:07.201 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act Adding topology IPv4 Unicast:base

*Jun 19 15:43:07.201 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act Send OPEN

*Jun 19 15:43:07.201 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act Building Enhanced Refresh capability

*Jun 19 15:43:07.201 PDT: BGP: 198.95.226.51 active went from Active to OpenSent

*Jun 19 15:43:07.201 PDT: BGP: 198.95.226.51 active sending OPEN, version 4, my as: 17394, holdtime 45 seconds, ID D8F010F3

*Jun 19 15:43:07.203 PDT: BGP: 198.95.226.51 active rcv message type 1, length (excl. header) 30

*Jun 19 15:43:07.203 PDT: BGP: ses global 198.95.226.51 (0x595991A4:0) act Receive OPEN

*Jun 19 15:43:07.203 PDT: BGP: 198.95.226.51 active rcv OPEN, version 4, holdtime 90 seconds

*Jun 19 15:43:07.203 PDT: BGP: 198.95.226.51 active rcv OPEN w/ OPTION parameter len: 20

*Jun 19 15:43:07.203 PDT: BGP: 198.95.226.51 active rcvd OPEN w/ optional parameter type 2 (Capability) len 18

*Jun 19 15:43:07.204 PDT: BGP: 198.95.226.51 active OPEN has CAPABILITY code: 1, length 4

*Jun 19 15:43:07.204 PDT: BGP: 198.95.226.51 active OPEN has MP_EXT CAP for afi/safi: 1/1

Hi Thiyagu,

From what you've provided we can see that the ASR is receiving a NOTIFICATION message from the Palo Alto.

*Jun 13 09:54:12.824 PDT: %BGP-3-NOTIFICATION: received from neighbor 198.95.226.51 3/9 (unsupported option specified) 9 bytes C0070600 00000000 00

As per the BGP RFC, a NOTIFICATION message is sent when an error condition is detected, so the PA is detecting some error.

We can see from the debug that as soon as the neighbour is established the PA sends major event code 128.

*Jun 19 15:42:57.868 PDT: BGP: ses global 198.95.226.51 (0x595991A4:1) Up

*Jun 19 15:42:57.868 PDT: %BGP-5-ADJCHANGE: neighbor 198.95.226.51 Up

*Jun 19 15:42:57.990 PDT: BGP_Router: unhandled major event code 128, minor 0

The problem we have with only looking at the ASR is that the notification message it receives is not one of the supported major event codes as per section 4.5, NOTIFICATION Message Format, in the BGP RFC, which shows the supported codes as being 1 - 6. Therefore we can't determine why the PA will not allow the peer to establish.

Do you have access to the PA and can you get the configuration, the logs or run debugs on that platform? If you don't have access to it, can you ask the admin for the device to check the logs and why it's sending an invalid BGP NOTIFICATION message?

Regards
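
The `3/9` NOTIFICATION quoted in the thread can be decoded offline against RFC 4271 section 4.5. This is an added example, not part of the original posts; the function names are illustrative and it assumes the IOS log line layout shown above.

```python
import ipaddress
import re

# NOTIFICATION line copied from the thread above.
LOG = ("*Jun 13 09:54:12.824 PDT: %BGP-3-NOTIFICATION: received from neighbor "
       "198.95.226.51 3/9 (unsupported option specified) 9 bytes C0070600 00000000 00")
# Names from RFC 4271 section 4.5 (error codes) and section 5 (path attributes).
ERRORS = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
          4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}
UPDATE_SUBCODES = {1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
                   3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
                   5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute",
                   8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
                   10: "Invalid Network Field", 11: "Malformed AS_PATH"}
ATTR_TYPES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR"}
ATTR_IN_DATA = {2, 4, 5, 6, 8, 9}  # UPDATE subcodes whose Data field holds the attribute
LINE_RE = re.compile(r"%BGP-3-NOTIFICATION: received from neighbor (\S+) "
                     r"(\d+)/(\d+) \(.*?\) (\d+) bytes ([0-9A-Fa-f ]+)")


def decode_attribute(data):
    if len(data) < 3:
        raise ValueError("truncated attribute")
    flags, type_code = data[0], data[1]
    hdr = 4 if flags & 0x10 else 3  # Extended Length bit selects a 2-octet length
    length, value = int.from_bytes(data[2:hdr], "big"), data[hdr:]
    if len(data) < hdr or length != len(value):
        raise ValueError("attribute length does not match data")
    attr = {"optional": bool(flags & 0x80), "transitive": bool(flags & 0x40),
            "type": ATTR_TYPES.get(type_code, type_code), "length": length}
    if type_code == 7 and length in (6, 8):  # AGGREGATOR: 2- or 4-octet AS + IPv4
        attr["as"] = int.from_bytes(value[:-4], "big")
        attr["ip"] = str(ipaddress.IPv4Address(value[-4:]))
    return attr


def decode_notification(line):
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a BGP NOTIFICATION log line")
    code, subcode = int(m[2]), int(m[3])
    data = bytes.fromhex(m[5])  # fromhex ignores the spaces IOS puts in the dump
    if len(data) != int(m[4]):
        raise ValueError("hex dump does not match stated byte count")
    out = {"neighbor": m[1], "error": ERRORS.get(code, code),
           "subcode": UPDATE_SUBCODES.get(subcode, subcode) if code == 3 else subcode}
    if code == 3 and subcode in ATTR_IN_DATA:
        out["attribute"] = decode_attribute(data)
    return out
```

For the line quoted in the thread, `decode_notification(LOG)` returns UPDATE Message Error with subcode Optional Attribute Error, and the Data field holds an optional transitive AGGREGATOR attribute whose AS number and address are all zero.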