
[Archive] JUNOSe tears down BGP session when receiving an UPDATE message with AS4_PATH attribute containing illegal AS_CONFED_SEQUENCE or AS_CONFED_SET


Article ID: KB13623 KB Last Updated: 27 Feb 2020 Version: 2.0
Summary:

An E-series router running an unpatched release of JUNOSe (see Fixed Release below) may see BGP sessions flapping constantly after a certain update has been received. The E-series router is the one terminating the session and is sending a NOTIFICATION with Code 3 (Update Message Error) and Subcode 9 (error with optional attribute).

Here is an example of a message logged on a peer router running JUNOS when receiving this notification:

Jan 01 15:58:25.388607 bgp_read_v4_message: NOTIFICATION received from 10.0.0.1 (Internal AS 100): code 3 (Update Message Error) subcode 9 (error with optional attribute), Data: e0 11 10 03 02

This can be confirmed on the E-series router itself by changing the log severity for category bgpMessages to warning:

ERX(config)# log severity warning bgpMessages

The following two warning messages are then logged after a flap:

WARNING 01/01/2008 19:34:52 bgpMessages (default,10.0.0.2): UPDATE message from peer 10.0.0.2 in core: new-as-path contains segment type confed-sequence (not allowed)

WARNING 01/01/2008 19:34:52 bgpMessages (default,10.0.0.2): Send NOTIFICATION message to peer 172.26.26.104 in core error-code = 3 (update message), error-subcode = 9 (optional attribute error), data = e0 11 10 03 02 00 00 fe 00 00 00 fe 01 02 01 00 00 00 0a

As the first warning above shows, the cause is an incoming UPDATE whose AS4_PATH attribute (introduced to support 4-byte ASNs, per RFC 4893) contains an AS_CONFED_SEQUENCE or AS_CONFED_SET segment, which RFC 4893 considers illegal.
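To confirm from the logs alone that a flap has this cause, the NOTIFICATION data field can be decoded as the offending path attribute. The following Python sketch is an added example, not Juniper code; the function and dictionary names are choices made for this example, and it assumes the data field holds exactly one AS4_PATH attribute with 4-byte ASNs, as in the two log lines quoted above.

```python
AS4_PATH = 17  # path attribute type code for AS4_PATH (0x11)
SEGMENT_TYPES = {1: "AS_SET", 2: "AS_SEQUENCE",
                 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}
ILLEGAL_IN_AS4_PATH = {3, 4}  # confederation segments are not allowed here


def decode_as4_path(hex_dump):
    """Decode NOTIFICATION data that carries one AS4_PATH attribute."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 3:
        raise ValueError("need at least flags, type and length octets")
    flags, type_code = raw[0], raw[1]
    if type_code != AS4_PATH:
        raise ValueError(f"attribute type {type_code} is not AS4_PATH")
    if flags & 0x10:  # extended-length bit: two-octet length field
        if len(raw) < 4:
            raise ValueError("extended length field is cut off")
        declared, start = int.from_bytes(raw[2:4], "big"), 4
    else:
        declared, start = raw[2], 3
    value = raw[start:start + declared]
    segments, pos = [], 0
    while pos + 2 <= len(value):
        seg_type, count = value[pos], value[pos + 1]
        body = value[pos + 2:pos + 2 + 4 * count]
        usable = len(body) - len(body) % 4  # ignore a cut-off trailing ASN
        segments.append({
            "type": SEGMENT_TYPES.get(seg_type, f"unknown({seg_type})"),
            "illegal": seg_type in ILLEGAL_IN_AS4_PATH,
            "declared_count": count,
            "asns": [int.from_bytes(body[i:i + 4], "big")
                     for i in range(0, usable, 4)],
        })
        pos += 2 + 4 * count
    return {"flags": flags, "declared_length": declared,
            "truncated": len(value) < declared, "segments": segments}


if __name__ == "__main__":
    # Data fields copied from the two log lines quoted in this article.
    for dump in ("e0 11 10 03 02",
                 "e0 11 10 03 02 00 00 fe 00 00 00 fe 01 02 01 00 00 00 0a"):
        result = decode_as4_path(dump)
        print(f"length={result['declared_length']} truncated={result['truncated']}")
        for seg in result["segments"]:
            flag = "ILLEGAL" if seg["illegal"] else "ok"
            print(f"  {seg['type']} {seg['asns']} [{flag}]")
```

The shorter dump from the JUNOS peer log is cut off after the first segment header, so the decoder reports it as truncated but still identifies the confederation segment type.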

This defect is being tracked via CQ 88706.

Solution:

Resolved in the release(s) indicated in the Fixed Release field below.

Workaround:

In order to stop the BGP session flaps, a per-neighbor configuration option exists that will cause JUNOSe to ignore any illegal or incorrectly formatted attributes:

ERX(config)# router bgp <AS#>
ERX(config-router)# neighbor <x.x.x.x> lenient

Provided log category bgpMessages has been set to log severity warning by configuring:

ERX(config)# log severity warning bgpMessages

A message will still be logged when an illegal attribute is received:

WARNING 01/01/2008 19:34:52 bgpMessages (default,10.0.0.2): UPDATE message from peer 10.0.0.2 in core: new-as-path contains segment type confed-sequence (not allowed)

Fixed Releases:

JUNOSe 8-1-4p0-4, 8-2-4p0-7, 9-0-2p0-1, 9-1-2p0-1, 9-2-1p0-1, 9-3-0p0-1, 10-0-0

Modification History:

2020-02-27: Archived.
