
BGP sessions not exporting

L4 Transporter

Hi folks,

 

I'm trying to use BGP to synchronise routing across two IPSec tunnels to a Palo Alto HA cluster.

 

I have BGP connectivity established - the remote end is exporting the routes I want, and they're being seen (and managed correctly) by the Palo Alto as far as I can tell.

 

However, I can't seem to get the Palo Alto to export routes BACK to the other end. I don't want a default route - I just want selective routes from the Palo Alto end sent to the remote device for insertion into its routing table (this is to provide routing redundancy across the redundant tunnels into the PA).

 

Can anyone suggest where I could start to see WHY it's not exporting?

 

This is what I get from querying the PA

 

show routing protocol bgp loc-rib


VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
*192.168.220.0/24 169.254.55.10 Singtel-link1 0 100 i/c 0 0 64513
192.168.220.0/24 169.254.55.14 Singtel-link2 0 100 i/c 0 0 64513

total routes shown: 2

 

show routing protocol bgp rib-out


VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path

total routes shown: 0

 

So I can see the routes coming IN - but nothing going out.

 

Yes, I have configured an export in the BGP profile - it's just not actually exporting.

 

Can anyone suggest where I could start looking to find out why this isn't going?

 

Thanks


L4 Transporter

A couple simple suggestions from my own troubleshooting.

 

I found there are a couple spots where "enable" isn't checked by default. Under the general BGP tab do you have "enable" checked at the top and "Install Route" checked as well? Under the "Peer Group" tab do you have your peer groups set to "Enable" as well? Are you using any kind of Redistribution profiles and are they set under "Redist Rules"? Is this iBGP or eBGP?


@jeremy.larsen wrote:

A couple simple suggestions from my own troubleshooting.

 

I found there are a couple spots where "enable" isn't checked by default. Under the general BGP tab do you have "enable" checked at the top and "Install Route" checked as well? Under the "Peer Group" tab do you have your peer groups set to "Enable" as well? Are you using any kind of Redistribution profiles and are they set under "Redist Rules"? Is this iBGP or eBGP?


hi jeremy.

 

Thanks for the reply.

 

yes, the unticked boxes caught me out at first - but they're definitely both enabled, and "install route" is ticked as well - the route from the remote peer is installed, and is in the BGP local RIB

 

I now have a redistribution profile set up and installed - which I missed the first time around - and the routes I want are installed into the BGP local RIB as well, vis-a-vis

 

show routing protocol bgp loc-rib

 

VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
*192.168.220.0/24 169.254.55.10 external-link1 0 100 i/c 0 0 64513
192.168.220.0/24 169.254.55.14 external-link2 0 100 i/c 0 0 64513
*172.20.2.0/23 172.20.200.2 Local 0 100 i/c 0 0
*172.20.12.0/24 172.20.200.2 Local 0 100 i/c 0 0
*172.20.13.0/24 172.20.200.2 Local 0 100 i/c 0 0

 

but the 172.x.x. routes are still not being exported to the remote peers.

 

This is eBGP. I'm using this to provide redundant routing to a remote node over two IPSec tunnels.

 

I've logged a case with TAC to see if they can tell me where I'm being dumb.

Are your 172.x.x.x routes "Connected" routes or are they aggregate routes you want to manually inject? I'm spinning up something similar in my lab. I'm trying to remember if they have to exist in the routing table (i.e. via static route entry, etc.) for them to actually push out via BGP. It looks to me like they do exist based on your copy/paste. I'll let you know what I run into. I do remember routing protocols over VPN being a bit tricky with PAN as there is a built-in mechanism for route propagation, but it's been a while since I've played with it.


@jeremy.larsen wrote:

Are your 172.x.x.x routes "Connected" routes or are they aggregate routes you want to manually inject? I'm spinning up something similar in my lab. I'm trying to remember if they have to exist in the routing table (i.e. via static route entry, etc.) for them to actually push out via BGP. It looks to me like they do exist based on your copy/paste. I'll let you know what I run into. I do remember routing protocols over VPN being a bit tricky with PAN as there is a built-in mechanism for route propagation, but it's been a while since I've played with it.


The routes I want to advertise (172.x.x.x) are static routes, in the routing table.

 

They're also in the BGP local RIB now I've got a redistribution profile configured and attached properly.

 

What's got me beat is that the imported route from the remote peer works fine - it just won't export the routes I want. BGP is running - the peer is there, and it's doing its thing - it just isn't exporting.

Are you missing the "Redist Rule" under BGP that uses the Redistribution Profile?

redistRule.png


@jeremy.larsen wrote:

Are you missing the "Redist Rule" under BGP that uses the Redistribution Profile?

redistRule.png


Nope. I've got it set to redistribute static routes, and am using the "export" filter to limit the routes I want to export to the other end.

 

All the routes I want to export are in the static routing table exactly as specified in the filter.

 

image.png

I'm curious what's in your export filter.  Also, have you tried not using the filter as well?  You've got me scratching my head as well now.

It's pretty simple

 

image.png

 

I just tried it with the export filter disabled - no difference


@jeremy.larsen wrote:

I'm curious what's in your export filter.  Also, have you tried not using the filter as well?  You've got me scratching my head as well now.


OK, I tried again with just deleting the export filter - and stuff me, it started to work.

 

The redistribution profile is controlling what routes get advertised anyway, so I don't need the filter.

 

I don't know what was breaking it - but it's working now, and in the spirit of "If it ain't broke, don't stuff with it", I'm leaving it the way it is.

 

Thanks for your input.

I'm not super genius with BGP.  I have learned the hard way that filters and aggregates don't always work the way you think.  Is this filter smaller or larger than what is advertised without it?

The filters were identical to the routes in the normal RIB, and exactly the same as what was in the redistribution rule.

 

Even the TAC guy doesn't know why. I don't really care - it's working, and that's all that matters.
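The loc-rib versus rib-out comparison done by eye in this thread can be scripted. The following is an added example, not part of the original posts and not Palo Alto code: it parses pasted output of the two show commands and lists, per peer, the best Local routes that never reached rib-out. The populated rib-out row is constructed, and its column layout is an assumption taken from the header line quoted above.

```python
import ipaddress

# Constructed input, modelled on the CLI output quoted in the thread.
LOC_RIB = """\
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
*192.168.220.0/24 169.254.55.10 external-link1 0 100 i/c 0 0 64513
192.168.220.0/24 169.254.55.14 external-link2 0 100 i/c 0 0 64513
*172.20.2.0/23 172.20.200.2 Local 0 100 i/c 0 0
*172.20.12.0/24 172.20.200.2 Local 0 100 i/c 0 0
*172.20.13.0/24 172.20.200.2 Local 0 100 i/c 0 0
"""
RIB_OUT_EMPTY = """\
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path

total routes shown: 0
"""
# Constructed row: the thread shows no populated rib-out, so this layout
# (prefix first, peer third) is an assumption taken from the header line.
RIB_OUT_PARTIAL = RIB_OUT_EMPTY.splitlines()[0] + """
172.20.2.0/23 169.254.55.9 external-link1 0.0.0.0 advertised none 64512
"""

def parse_rows(text):
    """Yield (is_best, network, peer) for every line that starts with a prefix."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            net = ipaddress.ip_network(fields[0].lstrip("*"))
        except ValueError:
            continue  # header, separator or "total routes shown" line
        yield fields[0].startswith("*"), net, fields[2]

def unadvertised(loc_rib, rib_out):
    """Map each peer seen in loc-rib to the best Local prefixes absent from rib-out."""
    rows = list(parse_rows(loc_rib))
    local = sorted({net for best, net, peer in rows if best and peer == "Local"})
    # Peers are taken from received routes; a peer that sends nothing is not listed.
    peers = sorted({peer for _, _, peer in rows if peer != "Local"})
    sent = {(peer, net) for _, net, peer in parse_rows(rib_out)}
    return {p: [str(n) for n in local if (p, n) not in sent] for p in peers}

if __name__ == "__main__":
    for peer, missing in unadvertised(LOC_RIB, RIB_OUT_EMPTY).items():
        print(f"{peer}: not advertised -> {', '.join(missing) or 'none'}")
```
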
