This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BGP peers transit sessions flapping

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

BGP peers transit sessions flapping

TranceforLife
L6 Presenter

‎03-16-2017 07:50 AM - edited ‎07-14-2017 04:04 AM

Hi Guys,

 

PA-5050 is a transit device for four BGP peers. Had no flapping since 2015 on PAN-OS 6.0.12. After upgrade from 6.0.12 > 7.0.11 BGP peering no longer stable:

 

BGP flapping.png

 

Can anyone advise something? Apart of the increasing a timeout session under the application what else l could check/modify? Session end reason is "aged-out"

 

 Application version    619-3583 (10/05/16)

 

ping: @pulukas

 

With warm regards,

Myky

0 Likes Likes
6 REPLIES 6

TranceforLife
L6 Presenter

‎03-18-2017 08:18 AM

Anyone with the similar issue? 

0 Likes Likes

pulukas
L7 Applicator

‎03-19-2017 09:08 AM

Also had no problems running BGP peering sessions through a PA on version 6.  But don't have any current production access to that kind of setup for PanOS 7 to compare.

 

I assume that the version upgrade was the only change.

 

What do the BGP logs show as the reason for loss?

Are you running BFD on the sessions, if so what do those logs show?

Are there other symptoms of traffic issues on the link?

 

I would definately open an official TAC case on this type of issue too.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

TranceforLife
L6 Presenter
In response to pulukas

‎03-21-2017 01:36 AM - edited ‎03-21-2017 02:08 AM

@pulukas Thanks for coming back to me. Appreciate it. l am still doing some research on thins. Will get back here once have more information. Session end reason for Palo logs is "aged-out" 

0 Likes Likes

TranceforLife
L6 Presenter
In response to pulukas

‎04-04-2017 07:08 AM

The problem resolved itself!

0 Likes Likes

TranceforLife
L6 Presenter

‎07-14-2017 12:18 AM - edited ‎07-14-2017 01:19 AM

Hi All,

 

PA-5050 7.1.8

 

I am back here guys. This issue is getting interesting. BGP flapping only happens after the failover test (every month we do failover test) and almost exactly after 5 hours (after the test) BGP peers flapping occur. Our  topology below:

 

Cisco Nexus (BGP Peer) <---------------------> PA HA <-------------------> (BGP Peer) Cisco Nexus 
                                                                              ( BGP transit sessions, 
                                                                                            failover test) 

 

Failover test logs at 6:12

 

FT.JPG

 

5 hours after BGP flapping logs from Nexus and PA (transit session):

 

NX Logs.JPG

 

D1.JPG

 

D2.JPG

 

Don't understand why this is happening. During the month (between the failover tests) BGP peers are stable (no flaps).

Any ideas, guys?

 

Thx,

Myky

0 Likes Likes

TranceforLife
L6 Presenter
In response to TranceforLife

‎07-17-2017 11:28 AM - edited ‎07-17-2017 11:35 AM

With TAC (00705852),

 

BGP Application has 5 hours session timeout interval (in Palo database). My guess is that after the failover test BGP timeout timer is not getting refreshed by Palo own session, so the session is happily active for 5 hours between the BGP peers (hello times exchanged but ignored by Palo). 

After 5 hours Palo ends the session, BGP peers immediately re-establish the session and after the new session, Palo keeps refresh age-out timer. 

 

0 Likes Likes
  • 4566 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks