BGP HA Setup (Active/Passive) Passive Device Showing Active Peers

Reply
Highlighted
Not applicable

BGP HA Setup (Active/Passive) Passive Device Showing Active Peers

Hello,

Wondering if anyone else is having this issue. We have 2 x PA-4020s in an Active/Passive setup running BGP with several Cisco routers that connect to our MPLS network. About a week ago we had a failover occur due to ethernet1/3 bouncing. We have remained on our secondary device since then until we can figure out what is going on with the primary. Ever since the failover we have been experiencing problems with BGP routing. I noticed when looking at the BGP peers in the current active PA that all the BGP peer status' were idle. I looked at our current passive PA and it shows several of the bgp peers either connected or active. It appears everything seems to be routing correctly at the moment, but every now and then we will have a site go down and have to put in a static route.

I noticed when showing the detail of all me bgp peers on my current active PA there is the following error...

Last Error-  Cease (6) : connection rejected (5)

Any help/ideas would be great.

Active Device:

NameGroupLocal IPPeer IPPeer ASPassword SetStatusStatus Duration(secs.)Show/ Hide
Annex-VPN-Hoststores172.20.2.1172.20.2.24165360noIdle60108

Show details...

SM-VPN-Host2stores172.20.2.1172.20.2.24265360noIdle376

Show details...

SM-VPN-Host1stores172.20.2.1172.20.2.24365360noIdle21108

Show details...

Corp-3750-Astores172.20.2.1172.20.2.25065360noIdle35300

Show details...

Corp-3750-Bstores172.20.2.1172.20.2.25165360noIdle4670

Show details...

Corp-3845-Astores172.20.2.1172.20.2.25265360noIdle60113

Show details...

Passive Device:

NameGroupLocal IPPeer IPPeer ASPassword SetStatusStatus Duration(secs.)Show/ Hide
Annex-VPN-Hoststores172.20.2.1172.20.2.24165360noConnect241495

Show details...

SM-VPN-Host2stores172.20.2.1172.20.2.24265360noActive241495

Show details...

SM-VPN-Host1stores172.20.2.1172.20.2.24365360noActive241495

Show details...

Corp-3750-Astores172.20.2.1172.20.2.25065360noActive241495

Show details...

Corp-3750-Bstores172.20.2.1172.20.2.25165360noConnect241495

Show details...

Corp-3845-Astores172.20.2.1172.20.2.25265360noConnect241495

Show details...

Peer Detail from Current Active PA:

Configuration
Passiveno
Multi-Hop TTL255
Reflector Clientnot-client
Same Confederationno
Aggregate Confed. ASno
Peering TypeUnspecified
Connect Retry Interval120
Open Delay0
Idle Hold15
Prefix Limit5000
Hold Time Config90
Keep Alive Config30
Next Hop Selfno
Next Hop Peerno
Next Hop Thirdpartyno
Remove Private ASno

Runtime Status
Peer Router ID10.255.101.253
Hold Time90
Keep Alive30
Last ErrorCease (6) : connection rejected (5)
Status Flap Counts2446
Established Counts1

Stats Counters
Msg. Update In1190
Msg. Update Out0
Msg. Totals In8572
Msg. Total Out10984
Last Update Age13

IPv4-unicast Counters
Incoming Total2944
Incoming Accepted1
Incoming Rejected2943
Outgoing Total0
Outgoing Advertised0
Capabilities
Not applicable

Re: BGP HA Setup (Active/Passive) Passive Device Showing Active Peers

We ended up going to static routes. Luckily our remote MPLS network are contiguous and we were able to cover them with about 14 /16 static routes. The route process was locking up very often and causing issues with our iBGP full mesh. PAN support wasn't able to provide much of an answer so I am writing this off as a bug or some sort of limitation with BGP on the firewall itself. It could possibly be related to having two virtual routers and running BGP on one and statics on the other, who knows. If anyone comes across similar issues please post here, we are curious to see if this may be a bug of some sort.

L4 Transporter

Re: BGP HA Setup (Active/Passive) Passive Device Showing Active Peers

You should open a case wit support so we can open a bug with engineering if necessary. In an active/passive scenario, the passive box is not the owner of the IP adresses on the LAN or WAN side so it should not be doing anything to your BGP network. Only when it becomes master will it claim ownership of the IP addresses assigned to theintefaces and proceed to establish the appropriate connections.

Steve Krall

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!