
Syslog Message: 'BGP_CONNECT_FAILED: bgp_connect_start: Operation not permitted'

Article ID: KB36835    KB Last Updated: 16 Jun 2021    Version: 1.0
Summary:

When a firewall filter that blocks TCP port 179 (the port BGP uses to communicate) is configured on a router and applied to an interface, the BGP session on that router gets stuck in the Active state. The following syslog message is logged:

<syslog date/Time> <hostname>: BGP_CONNECT_FAILED: bgp_connect_start: connect 192.168.0.2 (External AS 200) (instance master): Operation not permitted
Symptoms:
Example Topology
 -----           -----
| R1  | ------- | R2  |
 -----           -----
 
 The firewall filter is configured on R1 and applied on the interface. This filter is blocking TCP port 179, which is used by BGP to communicate.
      set firewall filter <filter-name> term T1 from port ftp
      set firewall filter <filter-name> term T1 from port http
      set firewall filter <filter-name> term T1 from port bgp
      set firewall filter <filter-name> term T1 then reject
      set firewall filter <filter-name> term T2 then accept
 
      set interfaces <interface-name> unit <unit-number> family inet filter output <filter-name>
 
R1, where the filter is applied, is stuck in the Active state:
      root@R1>show bgp summary
      Threading mode: BGP I/O
      Groups: 1 Peers: 1 Down peers: 1
      Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
      inet.0                        0          0          0          0          0          0
      Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
      192.168.0.2             200          0          0       0      12        1:11 Active

The syslog messages observed on R1:

<syslog date/Time> <hostname>: BGP_CONNECT_FAILED: bgp_connect_start: connect 192.168.0.2 (External AS 200) (instance master): Operation not permitted
 

R2 is stuck in the Connect state:

      root@R2>show bgp summary
      Threading mode: BGP I/O
      Groups: 1 Peers: 1 Down peers: 1
      Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
      inet.0                        0          0          0          0          0          0
      Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
      192.168.0.1             100          0          0       0      12          17 Connect

The syslog message observed on R2, where no filter is applied (the TCP session never completes, so the hold timer expires):

<syslog date/Time> <hostname>: bgp_io_mgmt_cb:1987: NOTIFICATION sent to 192.168.0.1 (External AS 100): code 4 (Hold Timer Expired Error), Reason: holdtime expired for 192.168.0.1 (External AS 100), socket buffer sndacc: 57 rcvacc: 0 , socket buffer sndccc: 57 rcvccc: 0 TCP state: 4, snd_una: 3393857620 snd_nxt: 3393857658 snd_wnd: 16384 rcv_nxt: 256547279 rcv_adv: 256563663, hold timer 90s, hold timer remain 0s, last sent 7s, TCP port (local 52957, remote 179)

The peer is still reachable, because ICMP is not blocked by the filter:

      > ping 192.168.0.2
      PING 192.168.0.2 (192.168.0.2): 56 data bytes
      64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=2.781 ms
      64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=3.027 ms
      64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=2.261 ms
      ^C
      --- 192.168.0.2 ping statistics ---
      3 packets transmitted, 3 packets received, 0% packet loss
      round-trip min/avg/max/stddev = 2.261/2.690/3.027/0.319 ms
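To turn the symptoms above into something that can be checked automatically, the following added example (not part of the KB article) parses the BGP_CONNECT_FAILED syslog message and the peer rows of 'show bgp summary', and reports peers that are both failing to connect and not Established. The sample syslog and summary text are constructed for the example; the timestamps, hostname and the second peer are placeholders in the same layout the article uses.

```python
# Added example (not part of the KB article): correlate BGP_CONNECT_FAILED
# syslog messages with non-Established peers in 'show bgp summary'.
# Sample inputs below are constructed; timestamps/hostname are placeholders.
import re

# Matches the message body regardless of the syslog prefix in front of it.
CONNECT_FAILED_RE = re.compile(
    r"BGP_CONNECT_FAILED: bgp_connect_start: connect (?P<peer>\d+(?:\.\d+){3}) "
    r"\((?P<kind>External|Internal) AS (?P<asn>\d+)\) \(instance (?P<instance>\S+)\): "
    r"(?P<reason>.+?)\s*$"
)

# One peer row of 'show bgp summary':
# Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State
PEER_ROW_RE = re.compile(
    r"^\s*(?P<peer>\d+(?:\.\d+){3})\s+(?P<asn>\d+)\s+(?P<inpkt>\d+)\s+(?P<outpkt>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<flaps>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S+)"
)

# BGP FSM states in which the TCP session has not come up.
NOT_UP = {"Idle", "Connect", "Active", "OpenSent", "OpenConfirm"}


def parse_connect_failures(syslog_text):
    """Return {peer: reason} for every BGP_CONNECT_FAILED line in the text."""
    failures = {}
    for line in syslog_text.splitlines():
        m = CONNECT_FAILED_RE.search(line)
        if m:
            failures[m["peer"]] = m["reason"]
    return failures


def parse_bgp_summary(summary_text):
    """Return {peer: {'asn', 'flaps', 'state'}} from 'show bgp summary' output."""
    peers = {}
    for line in summary_text.splitlines():
        m = PEER_ROW_RE.match(line)
        if m:
            peers[m["peer"]] = {"asn": int(m["asn"]), "flaps": int(m["flaps"]), "state": m["state"]}
    return peers


def find_blocked_peers(syslog_text, summary_text):
    """A peer is reported when it has a connect failure in syslog and is not
    Established in the summary. 'Operation not permitted' is the reason this
    article ties to a firewall filter on the local router."""
    failures = parse_connect_failures(syslog_text)
    findings = []
    for peer, info in parse_bgp_summary(summary_text).items():
        if peer in failures and info["state"] in NOT_UP:
            findings.append({
                "peer": peer,
                "asn": info["asn"],
                "state": info["state"],
                "flaps": info["flaps"],
                "reason": failures[peer],
                "likely_local_filter": failures[peer] == "Operation not permitted",
            })
    return findings


# Constructed sample input (timestamps and hostname are placeholders).
SAMPLE_SYSLOG = """\
Jun 16 10:00:01 R1: BGP_CONNECT_FAILED: bgp_connect_start: connect 192.168.0.2 (External AS 200) (instance master): Operation not permitted
Jun 16 10:00:05 R1: BGP_CONNECT_FAILED: bgp_connect_start: connect 192.168.0.2 (External AS 200) (instance master): Operation not permitted
"""

SAMPLE_SUMMARY = """\
Groups: 2 Peers: 2 Down peers: 1
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.0.2             200          0          0       0      12        1:11 Active
10.0.0.9                300        418        412       0       0     2:15:07 Establ
"""

if __name__ == "__main__":
    for finding in find_blocked_peers(SAMPLE_SYSLOG, SAMPLE_SUMMARY):
        print(finding)
```

The correlation matters because a peer in Active or Connect on its own only says the TCP handshake is not completing; the 'Operation not permitted' reason from the local connect call is what points at a filter on the router generating the message rather than at the far end or the path.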
Solution:

Allow the BGP port in the filter, by matching port bgp in the accept term T2 instead of the reject term T1, or remove the filter from the interface:

      set firewall filter <filter-name> term T1 from port ftp
      set firewall filter <filter-name> term T1 from port http
      set firewall filter <filter-name> term T1 then reject
      set firewall filter <filter-name> term T2 from port bgp
      set firewall filter <filter-name> term T2 then accept
     
      set interfaces <interface-name> unit <unit-number> family inet filter output <filter-name>

 OR

delete interfaces <interface-name> unit <unit-number> family inet filter
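To make the term-ordering point behind this fix explicit, the following added example (not part of the KB article and not Junos code) models how a stateless firewall filter evaluates its terms top to bottom and stops at the first match, then runs the article's 'before' and 'after' filters through that model for TCP 179. Only 'from port <name|number>' matches and 'then accept|reject|discard' actions are modelled, the service-name table is a small constructed subset, and the filter name is the article's placeholder.

```python
# Added example (not part of the KB article): first-match evaluation of
# Junos firewall filter terms, applied to the article's before/after filters.
import re

# Service names Junos accepts in 'from port', mapped to port numbers (subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "http": 80, "bgp": 179, "https": 443}

SET_RE = re.compile(
    r"^set firewall filter (?P<filter>\S+) term (?P<term>\S+) "
    r"(?:from port (?P<port>\S+)|then (?P<action>accept|reject|discard))$"
)


def parse_filter(set_commands):
    """Parse 'set firewall filter ...' lines into an ordered list of terms.

    Each term is {'name', 'ports', 'action'}. Several 'from port' lines in
    one term are OR'ed, and a term with no 'from' clause matches everything.
    Terms keep the order in which they first appear, which is the order in
    which the filter evaluates them."""
    terms = {}
    for raw in set_commands.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if not m:
            raise ValueError(f"unsupported statement: {line}")
        term = terms.setdefault(m["term"], {"name": m["term"], "ports": set(), "action": None})
        if m["port"] is not None:
            name = m["port"]
            term["ports"].add(PORT_NAMES[name] if name in PORT_NAMES else int(name))
        else:
            term["action"] = m["action"]
    return list(terms.values())


def evaluate(terms, port):
    """Return (term name, action) for the first term matching `port`.

    A packet that matches no term hits the filter's implicit discard,
    reported here as (None, 'discard')."""
    for t in terms:
        if not t["ports"] or port in t["ports"]:
            return t["name"], t["action"] or "discard"
    return None, "discard"


def bgp_allowed(set_commands):
    """True if TCP 179 reaches an accept term before any reject or discard."""
    return evaluate(parse_filter(set_commands), PORT_NAMES["bgp"])[1] == "accept"


# The article's two filters, with its placeholder filter name.
BEFORE = """
set firewall filter <filter-name> term T1 from port ftp
set firewall filter <filter-name> term T1 from port http
set firewall filter <filter-name> term T1 from port bgp
set firewall filter <filter-name> term T1 then reject
set firewall filter <filter-name> term T2 then accept
"""

AFTER = """
set firewall filter <filter-name> term T1 from port ftp
set firewall filter <filter-name> term T1 from port http
set firewall filter <filter-name> term T1 then reject
set firewall filter <filter-name> term T2 from port bgp
set firewall filter <filter-name> term T2 then accept
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate(parse_filter(cfg), 179), "bgp allowed:", bgp_allowed(cfg))
```

One caveat the model makes visible: adding 'from port bgp' to T2 narrows that term from "everything else" to BGP only, so traffic that matches neither term (SSH on port 22, for instance) now falls through to the implicit discard at the end of the filter. If T2 was meant as the catch-all accept, keep it unconditional and put the BGP accept in its own term ahead of the reject term instead.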
 

Check BGP session again:

      root@R1> show bgp summary
      Threading mode: BGP I/O
      Groups: 1 Peers: 1 Down peers: 0
      Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
      inet.0                        0          0          0          0          0          0
      Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
      192.168.0.2             200          4          2       0      13          32 Establ
 
      root@R1> show bgp neighbor 192.168.0.2
      Peer: 192.168.0.2+52957 AS 200 Local: 192.168.0.1+179 AS 100 
        Group: EXTERNAL              Routing-Instance: master
        Forwarding routing-instance: master 
        Type: External    State: Established    Flags: <Sync>
        Last State: OpenConfirm   Last Event: RecvKeepAlive
 
 
      root@R2> show bgp summary   
      Threading mode: BGP I/O
      Groups: 1 Peers: 1 Down peers: 0
      Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
      inet.0                        0          0          0          0          0          0
      Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
      192.168.0.1             100          3          3       0      13          39 Establ
 
 
      root@R2> show bgp neighbor 192.168.0.1   
      Peer: 192.168.0.1+179 AS 100   Local: 192.168.0.2+52957 AS 200 
        Group: EXTERNAL              Routing-Instance: master
        Forwarding routing-instance: master 
        Type: External    State: Established    Flags: <Sync>
        Last State: OpenConfirm   Last Event: RecvKeepAlive
 
Now the session is established.
 