04-28-2011 11:04 AM
Hello,
Wondering if anyone else is having this issue. We have 2 x PA-4020s in an Active/Passive setup running BGP with several Cisco routers that connect to our MPLS network. About a week ago we had a failover occur due to ethernet1/3 bouncing. We have remained on our secondary device since then until we can figure out what is going on with the primary. Ever since the failover we have been experiencing problems with BGP routing. I noticed when looking at the BGP peers in the current active PA that all the BGP peer statuses were idle. I looked at our current passive PA and it shows several of the BGP peers either connected or active. It appears everything seems to be routing correctly at the moment, but every now and then we will have a site go down and have to put in a static route.
I noticed when showing the detail of all my BGP peers on my current active PA there is the following error...
Last Error- Cease (6) : connection rejected (5)
Any help/ideas would be great.
Active Device:
Name | Group | Local IP | Peer IP | Peer AS | Password Set | Status | Status Duration(secs.) |
---|---|---|---|---|---|---|---|
Annex-VPN-Host | stores | 172.20.2.1 | 172.20.2.241 | 65360 | no | Idle | 60108 |
SM-VPN-Host2 | stores | 172.20.2.1 | 172.20.2.242 | 65360 | no | Idle | 376 |
SM-VPN-Host1 | stores | 172.20.2.1 | 172.20.2.243 | 65360 | no | Idle | 21108 |
Corp-3750-A | stores | 172.20.2.1 | 172.20.2.250 | 65360 | no | Idle | 35300 |
Corp-3750-B | stores | 172.20.2.1 | 172.20.2.251 | 65360 | no | Idle | 4670 |
Corp-3845-A | stores | 172.20.2.1 | 172.20.2.252 | 65360 | no | Idle | 60113 |
Passive Device:
Name | Group | Local IP | Peer IP | Peer AS | Password Set | Status | Status Duration(secs.) |
---|---|---|---|---|---|---|---|
Annex-VPN-Host | stores | 172.20.2.1 | 172.20.2.241 | 65360 | no | Connect | 241495 |
SM-VPN-Host2 | stores | 172.20.2.1 | 172.20.2.242 | 65360 | no | Active | 241495 |
SM-VPN-Host1 | stores | 172.20.2.1 | 172.20.2.243 | 65360 | no | Active | 241495 |
Corp-3750-A | stores | 172.20.2.1 | 172.20.2.250 | 65360 | no | Active | 241495 |
Corp-3750-B | stores | 172.20.2.1 | 172.20.2.251 | 65360 | no | Connect | 241495 |
Corp-3845-A | stores | 172.20.2.1 | 172.20.2.252 | 65360 | no | Connect | 241495 |
Peer Detail from Current Active PA:
05-04-2011 02:21 PM
We ended up going to static routes. Luckily our remote MPLS networks are contiguous and we were able to cover them with about 14 /16 static routes. The route process was locking up very often and causing issues with our iBGP full mesh. PAN support wasn't able to provide much of an answer, so I am writing this off as a bug or some sort of limitation with BGP on the firewall itself. It could possibly be related to having two virtual routers and running BGP on one and statics on the other, who knows. If anyone comes across similar issues, please post here; we are curious to see if this may be a bug of some sort.
05-06-2011 10:08 AM
You should open a case with support so we can open a bug with engineering if necessary. In an active/passive scenario, the passive box is not the owner of the IP addresses on the LAN or WAN side, so it should not be doing anything to your BGP network. Only when it becomes master will it claim ownership of the IP addresses assigned to the interfaces and proceed to establish the appropriate connections.
Steve Krall