topic BGP in General Topics

BGP

CirrostratusNetworks — Tue, 05 Dec 2017 07:19:09 GMT

hello i am new to palo alto

i recently configured bgp on my palo alto pa 500 device and my bgp peer is getting connected and then after a minute it gets disconnected and the bgp state becomes active. also i am using md5 key for authentication. could you please help me with a possible solution or reason. thank you

Re: BGP

kiwi — Tue, 05 Dec 2017 10:33:18 GMT

Hi @CirrostratusNetworks,

It would help to know how you set it up.

The forwarding table size for the PA-500 supports upto 1250 entries.

You will need more debugging.

Start with enabling debug on BGP:

admin@PA-VM> debug routing pcap bgp on

You can view with:

admin@PA-VM> debug routing pcap bgp view

or even follow live with:

admin@PA-VM> view-pcap follow yes debug-pcap <bgp_capture_file>

Cheers,

-Kiwi.

Re: BGP

CirrostratusNetworks — Tue, 05 Dec 2017 11:27:21 GMT

Hello Sir,

Thank you for your reply

I am getting the following messages BGP peer MP extension negotiation. MP-EXTENSION negotiation to peer successful, AFI/SAFI 1/1

BGP peer session enters established state. peer IP:

BGP peer session left established state. peer IP:

Also the peer side has more than 2000 bgp routes and the number of forwarding routes on pa 500 device from our end is only 24. so does those routes count too from the peer side ?

Also on the peer side they are getting the following log

Error wait: 63/300

Last error: Received: Malformed AS_PATH

Thank You for your support.

regards

Param

Re: BGP

rmfalconer — Tue, 05 Dec 2017 17:00:39 GMT

If the peer is advertising all 2000+ prefixes to you, then it will be a problem.

Do you need all 2000 prefixes? You can configure inbound rules to permit specific prefixes or maybe the peer could send a summary.

Re: BGP

CirrostratusNetworks — Tue, 05 Dec 2017 17:22:09 GMT

@rmfalconer thank you

Actually we are connected to the internet exchange with palo alto pa 500 so we need all the routes.

since it is not an isp we cannot configure default route or receive a summary

currently the only option available is to configure inbound rules to permit specific prefixes as per your suggestion.

is there any other alternative or do i have to upgrade to another device due to hardware ?

thank you

regards

param

Re: BGP

rmfalconer — Tue, 05 Dec 2017 17:51:58 GMT

You can create filters but that would be used to allow only certain prefixes. Some would be blocked so you wouldn't have routes to these networks.

If you need to support over 2000 prefixes, you'll need a larger device. You should check with your reseller or PA to size correctly.

Also, for the malformed AS message, are you using a 2 byte or 4 byte AS number? Did you select the correct option in the BGP config on the PA?

Re: BGP

CirrostratusNetworks — Wed, 06 Dec 2017 14:39:24 GMT

@rmfalconer sir i am using 4byte AS number.

Also i have created route filter but still BGP is getting connected and then disconnected.

so that is also not working. what could be the possbile issue?

thank you