https://live.paloaltonetworks.com/t5/general-topics/bgp-session-flaps-for-every-3-minutes-pan-os/m-p/447212#M100662 <P>Hi Team,</P><P>&nbsp;</P><P>We have a BGP running over IPSec VPN. The VPN is terminated between PA 5250 and SDN Gateway. The VPN is running fine but the BGP session is flapping for every 3 minutes. Normally this behavior observed due to MTU size detection in during PMTUD in Cisco devices.&nbsp; Please help me to troubleshoot this further in the Palo Alto Firewall side.</P><P>&nbsp;</P><P>(active)&gt; show routing protocol bgp peer peer-name ClientName-Int</P><P>==========<BR />Peer: ClientName-Int (id 4)<BR />virtual router: ClientName<BR />Peer router id: 10.33.0.2<BR />Remote AS: 64512<BR />Peer group: PG_ClientName_Int (id 18)<BR />Peer status: Established, for 179 seconds<BR />Password set: no<BR />Passive: no<BR />Multi-hop TTL: 4<BR />Remote Address: 10.33.0.2:179<BR />Local Address: 10.204.22.230:53976<BR />(R) reflector client: not-client<BR />same confederation: no<BR />send aggr confed as-path: yes<BR />peering type: Unspecified<BR />Connect-Retry interval: 1<BR />Open Delay: 0<BR />Idle Hold: 15<BR />Prefix limit: 5000<BR />Holdtime: 180 (config 3600)<BR />Keep-Alive interval: 1 (config 30)<BR />Update messages: in 780, out 18513<BR />Total messages: in 3103, out 19697<BR />Last update age: 23<BR />Last error: HoldTimer expired (4)<BR />Flap counts: 4655, established 390 times<BR />(R) ORF entries: 0<BR />Nexthop set to self: no<BR />use 3rd party as next-hop: yes<BR />override nexthop to peer: no<BR />----------<BR />remove private AS number: yes<BR />----------<BR />Capability: Multiprotocol Extensions(1) value: IPv4 Unicast<BR />Capability: Route Refresh(yes)<BR />----------<BR />Prefix counter for: bgpAfiIpv4 / unicast<BR />Incoming Prefix: Accepted 48, Rejected 2, Policy Rej 0, Total 50<BR />Outgoing Prefix: 1513<BR />Advertised Prefix: 264</P><P>(active)&gt; show routing protocol bgp peer peer-name ClientName-Int</P><P>==========<BR />Peer: ClientName-Int (id 4)<BR />virtual router: ClientName<BR />Peer router id: 10.33.0.2<BR />Remote AS: 64512<BR />Peer group: PG_ClientName_Int (id 18)<BR />Peer status: Idle, for 0 seconds<BR />Password set: no<BR />Passive: no<BR />Multi-hop TTL: 4<BR />Remote Address: 10.33.0.2<BR />Local Address: 10.204.22.230<BR />(R) reflector client: not-client<BR />same confederation: no<BR />send aggr confed as-path: yes<BR />peering type: Unspecified<BR />Connect-Retry interval: 1<BR />Open Delay: 0<BR />Idle Hold: 15<BR />Prefix limit: 5000<BR />Holdtime: 180 (config 3600)<BR />Keep-Alive interval: 1 (config 30)<BR />Update messages: in 780, out 18513<BR />Total messages: in 3104, out 19697<BR />Last update age: 0<BR />Last error: HoldTimer expired (4)<BR />Flap counts: 4656, established 390 times<BR />(R) ORF entries: 0<BR />Nexthop set to self: no<BR />use 3rd party as next-hop: yes<BR />override nexthop to peer: no<BR />----------<BR />remove private AS number: yes<BR />----------</P> Fri, 12 Nov 2021 14:23:13 GMT ArunkumarDurais 2021-11-12T14:23:13Z https://live.paloaltonetworks.com/t5/general-topics/bgp-session-flaps-for-every-3-minutes-pan-os/m-p/447212#M100662 <P>Hi Team,</P><P>&nbsp;</P><P>We have a BGP running over IPSec VPN. The VPN is terminated between PA 5250 and SDN Gateway. The VPN is running fine but the BGP session is flapping for every 3 minutes. Normally this behavior observed due to MTU size detection in during PMTUD in Cisco devices.&nbsp; Please help me to troubleshoot this further in the Palo Alto Firewall side.</P><P>&nbsp;</P><P>(active)&gt; show routing protocol bgp peer peer-name ClientName-Int</P><P>==========<BR />Peer: ClientName-Int (id 4)<BR />virtual router: ClientName<BR />Peer router id: 10.33.0.2<BR />Remote AS: 64512<BR />Peer group: PG_ClientName_Int (id 18)<BR />Peer status: Established, for 179 seconds<BR />Password set: no<BR />Passive: no<BR />Multi-hop TTL: 4<BR />Remote Address: 10.33.0.2:179<BR />Local Address: 10.204.22.230:53976<BR />(R) reflector client: not-client<BR />same confederation: no<BR />send aggr confed as-path: yes<BR />peering type: Unspecified<BR />Connect-Retry interval: 1<BR />Open Delay: 0<BR />Idle Hold: 15<BR />Prefix limit: 5000<BR />Holdtime: 180 (config 3600)<BR />Keep-Alive interval: 1 (config 30)<BR />Update messages: in 780, out 18513<BR />Total messages: in 3103, out 19697<BR />Last update age: 23<BR />Last error: HoldTimer expired (4)<BR />Flap counts: 4655, established 390 times<BR />(R) ORF entries: 0<BR />Nexthop set to self: no<BR />use 3rd party as next-hop: yes<BR />override nexthop to peer: no<BR />----------<BR />remove private AS number: yes<BR />----------<BR />Capability: Multiprotocol Extensions(1) value: IPv4 Unicast<BR />Capability: Route Refresh(yes)<BR />----------<BR />Prefix counter for: bgpAfiIpv4 / unicast<BR />Incoming Prefix: Accepted 48, Rejected 2, Policy Rej 0, Total 50<BR />Outgoing Prefix: 1513<BR />Advertised Prefix: 264</P><P>(active)&gt; show routing protocol bgp peer peer-name ClientName-Int</P><P>==========<BR />Peer: ClientName-Int (id 4)<BR />virtual router: ClientName<BR />Peer router id: 10.33.0.2<BR />Remote AS: 64512<BR />Peer group: PG_ClientName_Int (id 18)<BR />Peer status: Idle, for 0 seconds<BR />Password set: no<BR />Passive: no<BR />Multi-hop TTL: 4<BR />Remote Address: 10.33.0.2<BR />Local Address: 10.204.22.230<BR />(R) reflector client: not-client<BR />same confederation: no<BR />send aggr confed as-path: yes<BR />peering type: Unspecified<BR />Connect-Retry interval: 1<BR />Open Delay: 0<BR />Idle Hold: 15<BR />Prefix limit: 5000<BR />Holdtime: 180 (config 3600)<BR />Keep-Alive interval: 1 (config 30)<BR />Update messages: in 780, out 18513<BR />Total messages: in 3104, out 19697<BR />Last update age: 0<BR />Last error: HoldTimer expired (4)<BR />Flap counts: 4656, established 390 times<BR />(R) ORF entries: 0<BR />Nexthop set to self: no<BR />use 3rd party as next-hop: yes<BR />override nexthop to peer: no<BR />----------<BR />remove private AS number: yes<BR />----------</P> Fri, 12 Nov 2021 14:23:13 GMT https://live.paloaltonetworks.com/t5/general-topics/bgp-session-flaps-for-every-3-minutes-pan-os/m-p/447212#M100662 ArunkumarDurais 2021-11-12T14:23:13Z https://live.paloaltonetworks.com/t5/general-topics/bgp-session-flaps-for-every-3-minutes-pan-os/m-p/447279#M100668 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167879">@ArunkumarDurais</a> ,</P> <P>- Have you compare all timers between the PAN FW and Cisco? I believe some of the BGP timers default values are different for the two vendors</P> <P>- Have you tried to run packet capture for the BGP session on the PAN FW?</P> Fri, 12 Nov 2021 18:42:50 GMT https://live.paloaltonetworks.com/t5/general-topics/bgp-session-flaps-for-every-3-minutes-pan-os/m-p/447279#M100668 aleksandar.astardzhiev 2021-11-12T18:42:50Z https://live.paloaltonetworks.com/t5/general-topics/bgp-session-flaps-for-every-3-minutes-pan-os/m-p/448792#M100850 <P>Hi Astardzheiv,</P><P>&nbsp;</P><P>The peer end is actually SDN gateway. We can see there is a BGP notification message is being sent from SDN gateway to Palo alto for hold timers, then BGP is going to idle state. The flap is happening exactly after 180 seconds and it is idle for 15 seconds and established again every time. Is it might be SDN gateway have 180 seconds as in the timer and its trying to re-established every time.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Naspers_2-1637407324017.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37761iD81ED44B947F7E4B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Naspers_2-1637407324017.png" alt="Naspers_2-1637407324017.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Sat, 20 Nov 2021 11:23:32 GMT https://live.paloaltonetworks.com/t5/general-topics/bgp-session-flaps-for-every-3-minutes-pan-os/m-p/448792#M100850 ArunkumarDurais 2021-11-20T11:23:32Z