
Some of my BGP routes are not being added to the routing table. How can I resolve this?


Article ID: KB13935 KB Last Updated: 27 Dec 2012 Version: 2.0
Summary:

Some of my BGP routes are not being added to the routing table. How can I troubleshoot this?

Symptoms:

Some BGP routes which a Cisco Router is advertising to the Juniper firewall are not being accepted. The other Cisco Routers seem to accept the routes fine.

Topology:

(Cisco)(10.10.64.3)-----IBGP(both in AS 65001)-------- (10.10.64.17)Firewall

BGP routes which have been advertised from Cisco are not being added to route table:

List of BGP routes from Cisco:
CISCO->sh ip bgp nei 10.10.64.17 adv
BGP table version is 13308, local router ID is X.X.X.X
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network                    Next Hop         Metric     LocPrf          Weight            Path
*> 10.16.192.0/21          1.1.2.18           0                            0             65001 65001 65001 65104 i
*> 10.18.10.0/29            0.0.0.0           0                                          32768            i
*> 10.18.20.0/30            0.0.0.0           0                                          32768            i
*> 1.1.2.16/30              0.0.0.0           0                                          32768            i
*> 1.1.2.20/30              0.0.0.0           0                                          32768            i
*> 1.1.2.24/30              0.0.0.0           0                                          32768            i
*> 1.1.2.28/30              0.0.0.0           0                                          32768            i
*> 1.1.2.36/30              0.0.0.0           0                                          32768            i
*> 1.1.2.40/30              0.0.0.0           0                                          32768            i
*> 1.1.2.48/30              0.0.0.0           0                                          32768            i
*> 10.32.192.0/21          1.1.2.18           0                            0             65001 65001 65001 65104 i
*> 10.1.128.0/21           1.1.2.18           0                            0             65001 65001 65001 65104 i
*> 10.1.136.0/22           1.1.2.18           0                            0             65001 65001 65001 65104 i
*> 10.1.192.0/22           1.1.2.18           0                            0             65001 65001 65001 65104 i
*> 172.20.0.0              1.1.2.18           0                            0             65001 65001 65001 65104 i
Note: ALL routes which have been prepended with AS 65001 are not accepted by the Juniper firewall.



Cause:

Solution:

In order to troubleshoot the problem, the following debugs should be collected to help identify and correct the problem:

  1. Configure Debugs and Snoop commands:
    snoop detail len 1514
    snoop detail
    snoop filter ip src-ip <source bgp interface ip(10.10.64.3)> dst-ip <neighbor ip(10.10.64.17)>
    snoop filter ip src-ip <neighbor ip (10.10.64.17)> dst-ip <source bgp interface ip (10.10.64.3)>
    set db size 4096

    debug bgp all
    snoop (Please answer yes)
    cl db
  2. Tear down the BGP connection:
    exec vr trust proto bgp neighb <neighbor IP> disconnect

    ***wait 2s***
  3. Reconnect the BGP connection:
    exec vr trust proto bgp neighb <neighbor IP> connect
  4. Check that the neighbour is in an established state:
    get vr trust proto bgp nei

    EG:
    Peer AS   Remote IP    Local IP          Wt     Status            State        ConnID Up/Down
    --------------------------------------------------------------------------------
    65001    10.10.64.2     10.10.64.17  100    Enabled     ESTABLISH  22 8d;00:23:23
  5. Press Esc to stop all debugs and collect the output from "get db str".

  6. Collect the output of the following commands:
    get vr trust proto bgp rib-in
    get vr trust proto bgp nei
    get tech
  7. Review the debugs:

    In this case, the customer's issue was that, because the AS had been prepended to the routes advertised from the Cisco, the Juniper firewall detected an "AS path loop".
    This can also be clearly seen in the debugs:
    ## 2009-04-02 00:22:56 : [bgp/socket]: bgp socket (5) check length callbackpak-len 97, pending-len 97
    ## 2009-04-02 00:22:56 : [bgp/socket]: try to receive 97 bytes from socket 5
    ## 2009-04-02 00:22:56 : [bgp/flow]: received 97 bytes from socket 5
    0350d700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........
    0350d710: 00 61 02 00 00 00 26 40 01 01 00 40 02 0a 02 04 .a....&@ ...@....
    0350d720: fe 28 fe 28 fe 28 fe 50 40 03 04 ac 15 40 03 80 .(.(.(.P @....@..
    0350d730: 04 04 00 00 00 00 40 05 04 00 00 00 64 10 ac 1f ......@. ....d...
    0350d740: 10 ac 1c 10 ac 1b 18 ac 15 68 10 ac 14 16 ac 10 ........ .h......
    0350d750: c0 16 ac 10 88 15 ac 10 80 15 0a 20 c0 15 0a 10 ........ ........
    0350d760: c0 .
    ## 2009-04-02 00:22:56 : [bgp/stack]: Rx X.X.X.X: UPDATE msg, conn-id 5
    ## 2009-04-02 00:22:56 : [bgp/update]: created new PA, peer 172.21.64.3
    ## 2009-04-02 00:22:56 : [bgp/update]: validate/canonical UPDATE pass
    ## 2009-04-02 00:22:56 : [bgp/update]: start: proc updt msg, peer:172.21.64.3
    ## 2009-04-02 00:22:56 : [bgp/rtmap]: start: apply policy route 0.0.0.0/0, peer X.X.X.X, rtmap NULL
    ## 2009-04-02 00:22:56 : [bgp/rtmap]: done : apply policy route 0.0.0.0/0, peer X.X.X.X, rtmap NULL
    ## 2009-04-02 00:22:56 : [bgp/update]: start: proc nlri A.B.C.D/16
    ## 2009-04-02 00:22:56 : [bgp/update]: drop rcvd prefix A.B.C.D/16 for detected AS-num loop in as-path, my ASnum is 65001

    As seen from the above, the routes being advertised contain the same AS number as the AS the firewall belongs to:

    *> 11.1.0.0 1.1.2.18 0 0 65001 65001 65001 65104 i ***see AS 65001

    The firewall AS number can easily be seen in the configuration:
    ssg5-isdn-wlan-> set vr trust
    ssg5-isdn-wlan(trust-vr)-> get conf | i "bgp"
    set protocol bgp 65001
  8. The solution:

    The BGP implementation of the firewall checks the AS-PATH attribute of an IBGP route to see if there is an AS loop. If it detects a loop, the firewall does not accept the route.
    The workaround is to ensure that routes advertised to the firewall via IBGP do not carry an AS_PATH attribute containing the AS that the firewall resides in. ScreenOS does not have any command or feature to remove the AS-path attribute.
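
The loop check described in the solution can be reproduced offline against a captured UPDATE. The following Python is an added example, not ScreenOS code or part of the original article: it walks the path attributes of a BGP UPDATE message, extracts the AS_PATH, and reports whether the receiver's own AS is already present. It assumes 2-octet AS numbers as in this capture; the function names are hypothetical and the sample message is constructed from the topology above.

```python
import struct

AS_PATH = 2  # path attribute type code for AS_PATH (RFC 4271)

def as_path_from_update(msg: bytes) -> list:
    """Return the AS numbers carried in a BGP UPDATE's AS_PATH (2-octet ASNs)."""
    if len(msg) < 23 or msg[:16] != b"\xff" * 16:
        raise ValueError("missing BGP marker")
    length, msg_type = struct.unpack_from("!HB", msg, 16)
    if msg_type != 2 or length != len(msg):
        raise ValueError("not a complete UPDATE message")
    (withdrawn_len,) = struct.unpack_from("!H", msg, 19)
    pos = 21 + withdrawn_len
    (attrs_len,) = struct.unpack_from("!H", msg, pos)
    pos += 2
    end = pos + attrs_len
    if end > len(msg):
        raise ValueError("path attributes overrun the message")
    path = []
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & 0x10:  # extended-length flag: 2-octet attribute length
            (alen,) = struct.unpack_from("!H", msg, pos + 2)
            pos += 4
        else:
            alen = msg[pos + 2]
            pos += 3
        if code == AS_PATH:
            seg = pos
            while seg < pos + alen:  # each segment: type, count, then count ASNs
                count = msg[seg + 1]
                path += struct.unpack_from(f"!{count}H", msg, seg + 2)
                seg += 2 + 2 * count
        pos += alen
    return path

def has_as_loop(msg: bytes, local_as: int) -> bool:
    """True when the receiver's own AS already appears in the AS_PATH."""
    return local_as in as_path_from_update(msg)

def sample_update(as_path) -> bytes:
    """Constructed UPDATE: ORIGIN IGP, AS_PATH, NEXT_HOP 10.10.64.3, NLRI 10.16.192.0/21."""
    seg = bytes([2, len(as_path)]) + struct.pack(f"!{len(as_path)}H", *as_path)
    attrs = (bytes.fromhex("40010100") + bytes([0x40, AS_PATH, len(seg)]) + seg
             + bytes.fromhex("4003040a0a4003"))
    body = b"\x00\x00" + struct.pack("!H", len(attrs)) + attrs + bytes.fromhex("150a10c0")
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body

print(as_path_from_update(sample_update([65001, 65001, 65001, 65104])))
```

Running the same check with the AS configured on the receiver (here 65001) against each peer's advertisements shows in advance which prefixes will be dropped.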

