06-23-2019 07:00 PM
Hi folks,
I'm trying to use BGP to synchronise routing across two IPSec tunnels to a Palo Alto HA cluster.
I have BGP connectivity established - the remote end is exporting the routes I want, and they're being seen (and managed correctly) by the Palo Alto as far as I can tell.
However, I can't seem to get the Palo Alto to export routes BACK to the other end. I don't want a default route - I just want selective routes from the Palo Alto end sent to the remote device for insertion into its routing table (this is to provide routing redundancy across the redundant tunnels into the PA).
Can anyone suggest where I could start to see WHY it's not exporting?
This is what I get from querying the PA
show routing protocol bgp loc-rib
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
*192.168.220.0/24 169.254.55.10 Singtel-link1 0 100 i/c 0 0 64513
192.168.220.0/24 169.254.55.14 Singtel-link2 0 100 i/c 0 0 64513
total routes shown: 2
show routing protocol bgp rib-out
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path
total routes shown: 0
So I can see the routes coming IN - but nothing going out.
Yes, I have configured an export in the BGP profile - it's just not actually exporting.
Can anyone suggest where I could start looking to find out why this isn't going?
Thanks
06-25-2019 10:19 AM
A couple simple suggestions from my own troubleshooting.
I found there are a couple spots where "enable" isn't checked by default. Under the general BGP tab do you have "enable" checked at the top and "Install Route" checked as well? Under the "Peer Group" tab do you have your peer groups set to "Enable" as well? Are you using any kind of Redistribution profiles and are they set under "Redist Rules"? Is this iBGP or eBGP?
06-25-2019 03:20 PM - edited 06-25-2019 03:21 PM
@jeremy.larsen wrote: A couple simple suggestions from my own troubleshooting.
I found there are a couple spots where "enable" isn't checked by default. Under the general BGP tab do you have "enable" checked at the top and "Install Route" checked as well? Under the "Peer Group" tab do you have your peer groups set to "Enable" as well? Are you using any kind of Redistribution profiles and are they set under "Redist Rules"? Is this iBGP or eBGP?
Hi jeremy.
Thanks for the reply.
Yes, the unticked boxes caught me out at first - but they're definitely both enabled, and "install route" is ticked as well - the route from the remote peer is installed, and is in the BGP local RIB.
I now have a redistribution profile set up and installed - which I missed the first time around - and the routes I want are installed into the BGP local RIB as well, vis-a-vis
show routing protocol bgp loc-rib
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
*192.168.220.0/24 169.254.55.10 external-link1 0 100 i/c 0 0 64513
192.168.220.0/24 169.254.55.14 external-link2 0 100 i/c 0 0 64513
*172.20.2.0/23 172.20.200.2 Local 0 100 i/c 0 0
*172.20.12.0/24 172.20.200.2 Local 0 100 i/c 0 0
*172.20.13.0/24 172.20.200.2 Local 0 100 i/c 0 0
But the 172.x.x. routes are still not being exported to the remote peers.
This is eBGP. I'm using this to provide redundant routing to a remote node over two IPSec tunnels.
I've logged a case with TAC to see if they can tell me where I'm being dumb.
06-26-2019 05:52 AM - edited 06-26-2019 05:55 AM
Are your 172.x.x.x routes "Connected" routes or are they aggregate routes you want to manually inject? I'm spinning up something similar in my lab. I'm trying to remember if they have to exist in the routing table (i.e. via static route entry, etc.) for them to actually push out via BGP. It looks to me like they do exist based on your copy/paste. I'll let you know what I run into. I do remember routing protocols over VPN being a bit tricky with PAN as there is a built-in mechanism for route propagation, but it's been a while since I've played with it.
06-26-2019 02:22 PM - edited 06-26-2019 02:22 PM
@jeremy.larsen wrote: Are your 172.x.x.x routes "Connected" routes or are they aggregate routes you want to manually inject? I'm spinning up something similar in my lab. I'm trying to remember if they have to exist in the routing table (i.e. via static route entry, etc.) for them to actually push out via BGP. It looks to me like they do exist based on your copy/paste. I'll let you know what I run into. I do remember routing protocols over VPN being a bit tricky with PAN as there is a built-in mechanism for route propagation, but it's been a while since I've played with it.
The routes I want to advertise (172.x.x.x) are static routes, in the routing table.
They're also in the BGP local RIB now I've got a redistribution profile configured and attached properly.
What's got me beat is that the imported route from the remote peer works fine - it just won't export the routes I want. BGP is running - the peer is there, and it's doing its thing - it just isn't exporting.
06-26-2019 02:28 PM
Are you missing the "Redist Rule" under BGP that uses the Redistribution Profile?
06-26-2019 02:34 PM
@jeremy.larsen wrote: Are you missing the "Redist Rule" under BGP that uses the Redistribution Profile?
Nope. I've got it set to redistribute static routes, and am using the "export" filter to limit the routes I want to export to the other end.
All the routes I want to export are in the static routing table exactly as specified in the filter.
06-27-2019 05:44 AM
I'm curious what's in your export filter. Also, have you tried not using the filter as well? You've got me scratching my head as well now.
06-27-2019 02:22 PM
It's pretty simple
I just tried it with the export filter disabled - no difference
06-27-2019 10:14 PM
@jeremy.larsen wrote: I'm curious what's in your export filter. Also, have you tried not using the filter as well? You've got me scratching my head as well now.
OK, I tried again with just deleting the export filter - and stuff me, it started to work.
The redistribution profile is controlling what routes get advertised anyway, so I don't need the filter.
I don't know what was breaking it - but it's working now, and in the spirit of "If it ain't broke, don't stuff with it", I'm leaving it the way it is.
Thanks for your input.
06-28-2019 12:59 PM
I'm not super genius with BGP. I have learned the hard way that filters and aggregates don't always work the way you think. Is this filter smaller or larger than what is advertised without it?
07-01-2019 04:58 PM
The filters were identical to the routes in the normal RIB, and exactly the same as what was in the redistribution rule.
Even the TAC guy doesn't know why. I don't really care - it's working, and that's all that matters.
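The symptom tracked through this thread (locally originated prefixes present in the BGP local RIB but missing from rib-out) can be checked mechanically from saved CLI output. The following is an added example, not part of any post above and not Palo Alto tooling; the sample text is constructed from the loc-rib output quoted in the thread, and the function names and the assumption that the first column of every rib-out row is the prefix (as the header suggests) are this example's own.

```python
import ipaddress

# Constructed sample, modelled on the loc-rib output quoted in the thread.
LOC_RIB = """\
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
*192.168.220.0/24 169.254.55.10 external-link1 0 100 i/c 0 0 64513
192.168.220.0/24 169.254.55.14 external-link2 0 100 i/c 0 0 64513
*172.20.2.0/23 172.20.200.2 Local 0 100 i/c 0 0
*172.20.12.0/24 172.20.200.2 Local 0 100 i/c 0 0
*172.20.13.0/24 172.20.200.2 Local 0 100 i/c 0 0
"""

# Constructed sample: the empty rib-out shown in the first post.
RIB_OUT_EMPTY = """\
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path
total routes shown: 0
"""


def parse_rows(text):
    """Yield (best, prefix, other_columns) for rows whose first column is a CIDR prefix."""
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        best = cols[0].startswith("*")  # '*' marks the selected path
        try:
            prefix = ipaddress.ip_network(cols[0].lstrip("*"), strict=True)
        except ValueError:
            continue  # header, separator or summary line
        yield best, prefix, cols[1:]


def unadvertised_local(loc_rib, rib_out):
    """Best-path prefixes with peer 'Local' in loc-rib that never appear in rib-out."""
    local = {p for best, p, rest in parse_rows(loc_rib)
             if best and len(rest) > 1 and rest[1] == "Local"}
    advertised = {p for _, p, _ in parse_rows(rib_out)}
    return sorted(local - advertised)


if __name__ == "__main__":
    for prefix in unadvertised_local(LOC_RIB, RIB_OUT_EMPTY):
        print("in loc-rib as Local but not in rib-out:", prefix)
```

Running it before and after a change such as removing an export filter shows whether the set of unadvertised prefixes actually shrank.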