[167010] in North American Network Operators' Group


Re: BGP neighbor/configuration testing

daemon@ATHENA.MIT.EDU (Eric A Louie)
Tue Nov 26 08:06:04 2013

Date: Tue, 26 Nov 2013 05:05:05 -0800 (PST)
From: Eric A Louie <elouie@yahoo.com>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <1385428886.54024.YahooMailNeo@web181603.mail.ne1.yahoo.com>
Reply-To: Eric A Louie <elouie@yahoo.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Update.  Turned up session with provider.  They had to increase max-prefixes when I "no shutdown" my BGP session in order to Establish it, then decreased it to their standard customer value.  Why it didn't come right up out of "no shutdown" and required the increase in max-prefix is still unknown.  Subsequent resets of the BGP session brought the session down and back up.

Shutdown/no shutdown will be tested tomorrow.

It has been an excellent lesson in establishing a 2nd upstream provider on the same router.  Something I'll be doing 2 more times next month.

>________________________________
> From: Eric A Louie <elouie@yahoo.com>
>To: "nanog@nanog.org" <nanog@nanog.org>
>Sent: Monday, November 25, 2013 5:21 PM
>Subject: Re: BGP neighbor/configuration testing
>
>No logged error with mismatched neighbor IP address - neither router had an entry.  Session did not establish nor go active, I could wait forever and neither would happen.  Point is, an error message is not generated on the downstream router so it's probably not the cause for the error message.
>
>I asked my upstream to check if the "local interface" command was being used (that would cause the multihop, but I did put in 2 or 3 as the ebgp-multihop value and still didn't get the session up.
>
>Your last comment about max-prefix is probably the problem and the solution.  Right now, the entire configuration is in the router with a "neighbor shutdown".  When we bring it up tomorrow, the filters will all be there so that only 13 of my prefixes are advertised, hopefully keeping the BGP session up and closing this saga.  (the router already has another upstream connected, so when I turned up the neighbor without a filter, I flooded the upstream's router with routes, but it took us this long to figure that out.)
>
>On a Cisco to Cisco when the max-prefixes is exceeded and there's a restart specified, the error (on the offender) is not quite the same as the error I'm seeing:
>*Apr  9 02:41:39.827: %BGP-3-NOTIFICATION: received from neighbor 10.250.254.253 3/1 (update malformed) 0 bytes
>*Apr  9 02:41:39.827: %BGP-5-ADJCHANGE: neighbor 10.250.254.253 Down BGP Notification received
>
>On the upstream (where the max-prefix was configured),
>
>*Nov 26 04:10:02.108: %BGP-4-MAXPFX: No. of prefix received from 10.250.254.254 (afi 0) reaches 2, max 2
>*Nov 26 04:10:02.108: %BGP-3-MAXPFXEXCEED: No. of prefix received from 10.250.254.254 (afi 0): 3 exceed limit 2
>*Nov 26 04:10:02.108: %BGP-5-ADJCHANGE: neighbor 10.250.254.254 Down BGP Notification sent
>*Nov 26 04:10:02.108: %BGP-3-NOTIFICATION: sent to neighbor 10.250.254.254 3/1 (update malformed) 0 bytes  FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0032 0200 0000 1940 0101 0040 0204 0201 6A39 4003 040A FAFE FE80 0404 0000 0000 0802
>
>>________________________________
>> From: Chuck Anderson <cra@WPI.EDU>
>>To: nanog@nanog.org
>>Sent: Monday, November 25, 2013 3:37 PM
>>Subject: Re: BGP neighbor/configuration testing
>>
>>When you say "no logged error" with mismatched neighbor IP address,
>>what do you mean?  Did the session just not establish at all?  How
>>long did you wait for it to attempt to establish?
>>
>>On Juniper, if it sees a BGP connection come from an IP address that
>>doesn't match a local "neighbor" statement, it will send a BGP
>>Notification, code 2 (Open Message Error), subcode 5 (authentication
>>failure), which is exactly what you are seeing.
>>
>>If one side is using a loopback IP instead of a physical IP for the
>>local-address, that would cause both a multihop/TTL issue and a
>>neighbor IP mismatch.
>>
>>Another possibility is if you have exceeded the max prefix limit for
>>the session.  One side will get stuck in Idle state which may cause
>>the other side to send the same "authentication failure" notification.
>>
>>On Mon, Nov 25, 2013 at 03:07:28PM -0800, Eric A Louie wrote:
>>> All Cisco/Cisco, I don't have a Juniper here to test with
>>>
>>> mismatch AS
>>> *Apr  9 00:31:47.691: %BGP-3-NOTIFICATION: received from neighbor 10.250.254.253 2/2 (peer in wrong AS) 2 bytes 6A39
>>>
>>> mismatch neighbor IP address
>>> no logged error
>>>
>>> MTU mismatch
>>> no logged error, session remained up
>>>
>>> Subnet mask mismatch
>>> session remained up, no logged error
>>>
>>> I haven't created the multihop scenario to see the error messages.
>>>
>>> None of these issues caused the (authentication failure).
>>>
>>> >________________________________
>>> > From: Chuck Anderson <cra@WPI.EDU>
>>> >To: nanog@nanog.org
>>> >Sent: Monday, November 25, 2013 11:10 AM
>>> >Subject: Re: BGP neighbor/configuration testing
>>> >
>>> >Authentication failure might mean (without knowing for sure which on
>>> >Cisco):
>>> >
>>> >- mismatch AS numbers
>>> >- mismatch neighbor IP addresses
>>> >- multihop/TTL issues
>>> >- MTU issues
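Added example, not part of the thread: a small decoder for the hex dump that the upstream's "%BGP-3-NOTIFICATION ... 3/1 (update malformed)" line prints after the MAXPFXEXCEED event. Decoding it shows the dumped message parses cleanly as a 50-byte UPDATE with AS_PATH 27193 (the same 6A39 seen in the wrong-AS test), next hop 10.250.254.254 and a single prefix, so the notification subcode is worth checking against the bytes before taking "update malformed" at face value. The decoder assumes 2-byte AS numbers (no 4-octet AS capability) and IPv4 NLRI, which matches the quoted logs.

```python
import struct
import ipaddress
# Hex dump copied from the "%BGP-3-NOTIFICATION: sent to neighbor ... 3/1" line quoted above.
OFFENDING_UPDATE = ("FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0032 0200 0000 1940 0101 "
                    "0040 0204 0201 6A39 4003 040A FAFE FE80 0404 0000 0000 0802")

def parse_as_path(val):
    # Assumes 2-byte ASNs (no 4-octet AS capability); each segment is type, count, ASNs.
    path, pos = [], 0
    while pos < len(val):
        seg_type, count = val[pos], val[pos + 1]
        asns = struct.unpack(f"!{count}H", val[pos + 2:pos + 2 + 2 * count])
        path.append(("AS_SEQUENCE" if seg_type == 2 else "AS_SET", list(asns)))
        pos += 2 + 2 * count
    return path
# Well-known path attribute codes from RFC 4271 and how to decode their values.
DECODERS = {
    1: ("ORIGIN", lambda v: {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}[v[0]]),
    2: ("AS_PATH", parse_as_path),
    3: ("NEXT_HOP", lambda v: str(ipaddress.IPv4Address(v))),
    4: ("MED", lambda v: struct.unpack("!I", v)[0]),
}

def parse_update(hexdump):
    # Decode one BGP UPDATE message (RFC 4271 section 4.3) from a space-separated hex dump.
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if len(data) < 19 or data[:16] != b"\xff" * 16:
        raise ValueError("missing 16-byte marker")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if msg_type != 2 or length != len(data):
        raise ValueError(f"not a complete UPDATE: type={msg_type} len={length}/{len(data)}")
    body = data[19:]
    wlen = struct.unpack("!H", body[:2])[0]                      # withdrawn routes length
    alen, pos = struct.unpack("!H", body[2 + wlen:4 + wlen])[0], 4 + wlen  # attrs start here
    attrs, nlri, end = {}, [], pos + alen
    while pos < end:                                 # attribute = flags, code, length, value
        flags, code = body[pos], body[pos + 1]
        if flags & 0x10:                             # extended-length flag: 2-byte length field
            vlen, pos = struct.unpack("!H", body[pos + 2:pos + 4])[0], pos + 4
        else:
            vlen, pos = body[pos + 2], pos + 3
        val, pos = body[pos:pos + vlen], pos + vlen
        name, decode = DECODERS.get(code, (f"ATTR_{code}", bytes.hex))
        attrs[name] = decode(val)
    while pos < len(body):                           # NLRI = prefix length, ceil(len/8) bytes
        plen, nbytes = body[pos], (body[pos] + 7) // 8
        octets = body[pos + 1:pos + 1 + nbytes] + b"\x00" * (4 - nbytes)
        nlri.append(f"{ipaddress.IPv4Address(octets)}/{plen}")
        pos += 1 + nbytes
    return {"withdrawn_len": wlen, "attrs": attrs, "nlri": nlri}
```

`parse_update(OFFENDING_UPDATE)` returns the decoded attributes and the NLRI list `["2.0.0.0/8"]`; a truncated dump raises ValueError because the header length no longer matches the bytes present.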
