Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-09-2019 08:17 AM
Hi All,
I have an issue with maintening a BGP Establish connection. Essentially the setup is the Palo Alto to two peers to allow for resilience if one BGP peer fails. If one peer is established it stays stable. If I enable the path to the second peer and disable the path to the first peer it remains established and stable. When I enable both BGP paths to establish at both peers at the same time they establish without any problems but then eventually randonmly recycle with a routed-bgp-peer-left established error, re-establishing seconds later.
I have adjusted the Multihop, prepend AS and seperated the peers into seperate peer groups but the issue persists.
Any ideas?
Regards
Adrian
I have it set up and when I peer with
05-09-2019 12:13 PM
1. Do the MTU settings on both ends match?
2. Is this iBGP or eBGP (all have same AS or different)?
3. Are these 2 connections on the same or different subnets?
4. Are these direct/p2p connections or routed through another network?
5. Are you using another IGP like OSPF and pointing to Loopback interfaces?
05-10-2019 12:25 AM
Hi Jeremy,
Yes, MTU matches both ends. Individually the sessions stay up, it's only when I have BGP established to the two peers from the Palo Alto. It mainly affects one path with more hops but occassionally the other path drops.
It is an eBGP configuration.
The connections are on a /29 subnet and not different subnets.
They are connected to the router via VRFs, one router is local, the other in another datacentre.
Our routing is entirely eBGP internal and external (2 BGP sessions).
As I said, this works and routes well. It is only when I enable the 2nd peer so we have that BGP resilience that I see this peering drop. Both peering sessions individually are stable if the other is down.
Regards
Adrian
05-16-2019 01:46 PM
I know this is just a shot in the dark, but is ECMP enabled? I don't think this would cause this kind of issue.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/bgp/configure-bgp#
08-01-2024 06:32 AM
Did you ever find the solution to this? I'm hitting the same problem. One VPN works fine with BGP. Second VPN is also up. But as soon as BGP is enabled on the second VPN, both tunnels start flapping.
08-06-2024 09:13 AM
@MartinE wrote:
Did you ever find the solution to this? I'm hitting the same problem. One VPN works fine with BGP. Second VPN is also up. But as soon as BGP is enabled on the second VPN, both tunnels start flapping.
This thread is 5 years old, I hope it wouldn't be the same issue. What code are you running? Is anything else negative happing to the firewall?
I've got 5250s which multiple BGP peers (2 of which are over an IPsec tunnel) established to different destinations but they're receiving redundant IP space from the distinct peers. There's nothing fancy with the BGP peers, one of them does have auth enabled though.
09-10-2024 01:43 AM
Thank you so much for the link.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
