05-26-2024 08:11 PM
Hi All,
I have an issue with setting up a BGP Establish connection. On my side is a PA firewall connected to the a ISP with BGP session. The first time, the ISP side sent only the default route to PA, and there was no problem in the BGP session. And now we require the full routing table that involves 4000+ routes sent to us. And I do a Max-prefix=400 on my side. After that, the BGP session is flapping all the time. It will reset the peer session every 60 sec or 30 sec. And I notice that there is an error on PA, it shows error code 3 subcode 11 in PA.
And there are some configure that show you to reference.
I am not very familiar with PA firewall, if you guys have any idea or any other info want to see, please tell me! This case is very urgent! Thank you guys!
05-27-2024 02:58 AM
Hi @Henry-ITP ,
It looks like the EBGP neighbors are not transitioning to established state due to the reason that Palo Alto Firewall reject the BGP connection since it treats the AS Sequence in the AS_PATH Attribute advertised by the EBGP peer as Malformed AS_PATH or Unacceptable AS_PATH.
The Palo Alto Networks Firewall has a default behavior in which the EBGP neighbor that advertises the AS_PATH attributes in the BGP UPDATE message will be inspected, The firewall expect the EBGP neighbors to fill the neighbor's own AS number as the first AS number while advertising the AS_PATH attributes. The PAN-OS behavior is to drop the connection as PAN-OS is enabled with Enforce First AS for EBGP by default.
You will see the error AS-PATH Unacceptable in the output of >show routing protocol bgp peer <peer-name> virtual-router default.
The routed debug outputs collected using the command >debug routed on debug will show the following error snippets while tailing the debug logs:
Error code = UPDATE Message Error (3)
Error subcode = Malformed AS_PATH (11)
Examine and compare the BGP UPDATE messages > BGP Attributes in the BGP packet captures with the >show routing protocol BGP peer <peer-name> virtual-router default output to determine if the remote AS number seen as in the output is advertised in the top left or as the first AS in the AS_PATH Attribute in the BGP UPDATE message packet.
A solution here would be to configure the EBGP Peer to append the AS Path attributes in a manner that includes it's own AS as left most AS or the first of the AS_PATH attributes.
The Work-around configuration that Palo Alto Networks provides to address this situation is to disable the Enforce First AS-Option in the BGP > Advanced settings from the Network>Virtual Routers. (Step 4 - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/bgp/configure-bgp
Hope this helps,
-Kim.
05-28-2024 09:08 PM
Hi Kiwi,
Thank you for your help!
I checked the pacp and found there are some of prefixes sent by the provider do not incloud the right AS-number at the first place in AS-path attribute. I have already told them and let them diagnose.
I still have another question about max-prefix setting. If set max-prefix=400, and the provider gives more than 400+ prefixes, will the peer session shutdown immediately?
Best,
Henry.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
