https://live.paloaltonetworks.com/t5/general-topics/bgp-session-establishment-troubleshooting-on-palo-alto/m-p/1227412#M124102 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1147680823">@azizislam</a>&nbsp;,</P> <P>&nbsp;</P> <P>Since BGP between your PA and the peer established after removing auth, that strongly suggests a secret mismatch. You can quickly check BGP logs in the GUI by searching the system logs (Monitor -&gt; Logs -&gt; System). Run a ( subtype eq 'routing' ) or a ( subtype eq 'routing' ) and (eventid eq 'bgp'). You can find status messages as your PA attempts to establish adjacency. Id use the GUI to catch low-hanging fruit errors like misconfigurations/tcp connectivity.&nbsp;</P> <P>&nbsp;</P> <P>If you need to dig further, you can run:<BR /><BR /></P> <P>show routing protocol bgp peer input.peer.ip.here (you can check out the session state and errors)&nbsp;</P> <P>&nbsp;</P> <P>If nothing is apparent from system logs, show routing protocol, then you can run a:</P> <P>&nbsp;</P> <P>tail follow yes mp-log routed.log (all kinds of notification messages, peer state info, errors, resets, etc.) Similar to running a debug ip bgp command on IOS. You can correlate these logs with peer debug logs and packet captures between your PA and the peer.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 25 Apr 2025 03:53:37 GMT JayGolf 2025-04-25T03:53:37Z https://live.paloaltonetworks.com/t5/general-topics/bgp-session-establishment-troubleshooting-on-palo-alto/m-p/1227374#M124099 <P>Hi Folks....requesting anyone's Palo Alto FW troubleshooting expertise:</P> <P>In one of our implementations, we ran into some BGP session establishment issues and that delayed the change a lot as we couldn't figure out the issue.</P> <P>The issue was the BGP authentication failed. Once we disabled BGP authentication, BGP session got established.</P> <P>Is there a way to troubleshoot such an issue when BGP session fails to come up on Palo Alto FWs?&nbsp;</P> <P>&nbsp;</P> <P>Can we do sort of a tcpdump (or any other debugging utility) to find out the reasons why BGP session fails to establish?&nbsp;</P> <P>&nbsp;</P> <P>In Cisco IOS this can be easily done and the debug outputs clearly identify the problem.</P> <P>&nbsp;</P> <P>Any and all responses will be highly appreciated!!!</P> <P>&nbsp;</P> <P>Thanks very much.</P> <P><LI-WRAPPER></LI-WRAPPER></P> Thu, 24 Apr 2025 17:51:48 GMT https://live.paloaltonetworks.com/t5/general-topics/bgp-session-establishment-troubleshooting-on-palo-alto/m-p/1227374#M124099 azizislam 2025-04-24T17:51:48Z https://live.paloaltonetworks.com/t5/general-topics/bgp-session-establishment-troubleshooting-on-palo-alto/m-p/1227412#M124102 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1147680823">@azizislam</a>&nbsp;,</P> <P>&nbsp;</P> <P>Since BGP between your PA and the peer established after removing auth, that strongly suggests a secret mismatch. You can quickly check BGP logs in the GUI by searching the system logs (Monitor -&gt; Logs -&gt; System). Run a ( subtype eq 'routing' ) or a ( subtype eq 'routing' ) and (eventid eq 'bgp'). You can find status messages as your PA attempts to establish adjacency. Id use the GUI to catch low-hanging fruit errors like misconfigurations/tcp connectivity.&nbsp;</P> <P>&nbsp;</P> <P>If you need to dig further, you can run:<BR /><BR /></P> <P>show routing protocol bgp peer input.peer.ip.here (you can check out the session state and errors)&nbsp;</P> <P>&nbsp;</P> <P>If nothing is apparent from system logs, show routing protocol, then you can run a:</P> <P>&nbsp;</P> <P>tail follow yes mp-log routed.log (all kinds of notification messages, peer state info, errors, resets, etc.) Similar to running a debug ip bgp command on IOS. You can correlate these logs with peer debug logs and packet captures between your PA and the peer.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 25 Apr 2025 03:53:37 GMT https://live.paloaltonetworks.com/t5/general-topics/bgp-session-establishment-troubleshooting-on-palo-alto/m-p/1227412#M124102 JayGolf 2025-04-25T03:53:37Z https://live.paloaltonetworks.com/t5/general-topics/bgp-session-establishment-troubleshooting-on-palo-alto/m-p/1227414#M124103 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1147680823">@azizislam</a></P> <P>&nbsp;</P> <P>on the top of what Jay mentioned, I would recommend to check logs: less mp-log routed.log (KB for reference: <A href="https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClaR&amp;refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail" target="_self">BGP Not Working after MD5 Key is Changed</A>) and for debugging with PCAP, I would refer to&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS8CAK" target="_self">Tips &amp; Tricks: Enabling Packet Captures to Troubleshoot Daemons</A>.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;&nbsp;</P> Fri, 25 Apr 2025 03:57:11 GMT https://live.paloaltonetworks.com/t5/general-topics/bgp-session-establishment-troubleshooting-on-palo-alto/m-p/1227414#M124103 PavelK 2025-04-25T03:57:11Z