eBGP neighbor status always idle

jefferyshi
Level 1
Hello everyone,

I encountered a weird BGP session problem. The eBGP neighbor status always stays idle, regardless of clear ip bgp or re-configuring eBGP. Network connectivity to the eBGP neighbor is not a problem; it is pingable with no packet loss. I enabled TCP and BGP debug, but cannot see the router change the neighbor status from idle to active to initiate a BGP session. I only see some TCP resets sent to the neighbor to refuse the neighbor's attempts to initiate a BGP TCP connection.

The router platform is C7206, IOS:Version 12.3(7)T1

Configuration:

router bgp yyy
 neighbor x.x.x.10 remote-as xxx
 neighbor x.x.x.10 version 4
 neighbor x.x.x.10 soft-reconfiguration inbound
 neighbor x.x.x.10 route-map import in
 neighbor x.x.x.10 route-map export out

x.x.x.10 4 xxx 0 0 0 0 0 never Idle

Mar 10 15:17:18: TCP: sending RST, seq 0, ack 3575773935
Mar 10 15:17:18: TCP: sent RST to x.x.x.10:60738 from x.x.x.38:179
Mar 10 15:23:37: TCP: sending RST, seq 0, ack 2383734249
Mar 10 15:23:37: TCP: sent RST to x.x.x.10:56981 from x.x.x.38:179
Mar 10 15:26:05: TCP: sending RST, seq 0, ack 989447100
Mar 10 15:26:05: TCP: sent RST to x.x.x.10:63386 from x.x.x.38:179

... ...

Can someone tell me how to change the BGP status from idle to active to accept/initiate TCP connections? How should I troubleshoot next?

Any comment is very much appreciated.

Thanks

Jeffrey

Giuseppe Larosa
Hall of Fame
Hello Jeffrey,

you should verify the basic parameters like the AS number used by the remote router and the IP address the remote is trying to reach.

Some debug ip bgp should show the BGP open message fields coming from the neighbor.

Also, is this a direct eBGP session using IP addresses on the physical interfaces?

Actually there is no command that can turn the session from idle to some other state.

Note: state Established, or a number of prefixes in sh ip bgp sum, is the correct state; state Active is not good either.

Hope to help

Giuseppe

Hello Giuseppe,

The configuration is okay on both sides; BGP was up before. Because the BGP TCP connection to port 179 is refused, the BGP open message cannot be shown. Yes, it is a direct eBGP connection on the physical interface. This status is very similar to when a prefix limit is set. If the threshold value is exceeded, BGP will stay in Idle (PfxCt) status and refuse the neighbor's TCP connection, sending a TCP RST to the neighbor like below:

TCP: sending RST, seq 0, ack 2350507170
TCP: sent RST to x.x.x.x:45564 from y.y.y.y:179

But resetting BGP will change the status from idle to active and then back to idle due to the exceeded prefix limit.

Actually we don't set a prefix limit for the neighbor; it confuses me very much why the status stays idle.

Thanks

Jeffrey

Hello Jeffrey,

have you recently introduced any security feature like receive ACL or control plane policing?

I wonder if there can be a reason to filter the inbound messages, but I don't think that is your case: you shouldn't see the RST message sent out in that scenario.

In a BGP session there should be a rule on who should use the well-known port TCP 179 and who should use the dynamic high-numbered TCP port, but I couldn't find a reference to this: not sure if it is highest BGP router-id address only and/or highest AS number.

Hope to help

Giuseppe

Hi Giuseppe,

There is an ACL on the interface inbound, but it does not restrict the neighbor IP; in this subnet the other eBGP neighbors are running well except this one.

From the ACL log, I can see the remote neighbor connecting to our router.

%SEC-6-IPACCESSLOGP: list 160 permitted tcp x.x.x.10(57396) -> x.x.x.38(179), 1 packet

%SEC-6-IPACCESSLOGP: list 160 permitted tcp x.x.x.10(59215) -> x.x.x.38(179), 1 packet

But because the status is idle, the connection is refused and a TCP reset is sent out.

Thanks

Jeffrey
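The correlation made in the post above (ACL log shows the peer's packets permitted to port 179, TCP debug shows RSTs sent back from port 179) can be automated. This is an added example, not part of the original thread; the log sample is constructed, 192.0.2.x addresses stand in for the masked ones, and the function names and the second peer 192.0.2.20 are hypothetical.

```python
import re
from collections import defaultdict

BGP_PORT = 179
# Groups: verdict, source IP, destination port
ACL_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list \S+ (permitted|denied) tcp "
                    r"(\S+)\(\d+\) -> \S+\((\d+)\)")
# Groups: remote IP the RST was sent to, local port it was sent from
RST_RE = re.compile(r"TCP: sent RST to (\S+):\d+ from \S+:(\d+)")

# Constructed sample modelled on the lines quoted in the thread; 192.0.2.x
# documentation addresses stand in for the masked x.x.x.10 / x.x.x.38.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 160 permitted tcp 192.0.2.10(60738) -> 192.0.2.38(179), 1 packet
Mar 10 15:17:18: TCP: sending RST, seq 0, ack 3575773935
Mar 10 15:17:18: TCP: sent RST to 192.0.2.10:60738 from 192.0.2.38:179
%SEC-6-IPACCESSLOGP: list 160 permitted tcp 192.0.2.10(56981) -> 192.0.2.38(179), 1 packet
Mar 10 15:23:37: TCP: sent RST to 192.0.2.10:56981 from 192.0.2.38:179
Mar 10 15:26:05: TCP: sent RST to 192.0.2.10:63386 from 192.0.2.38:179
%SEC-6-IPACCESSLOGP: list 160 denied tcp 192.0.2.20(40112) -> 192.0.2.38(179), 1 packet
%SEC-6-IPACCESSLOGP: list 160 denied tcp 192.0.2.20(40113) -> 192.0.2.38(179), 1 packet
"""


def summarize(log_text):
    """Per remote peer: ACL verdicts on inbound TCP/179 and RSTs sent from local 179."""
    peers = defaultdict(lambda: {"permitted": 0, "denied": 0, "rst_sent": 0})
    for line in log_text.splitlines():
        acl = ACL_RE.search(line)
        if acl and int(acl.group(3)) == BGP_PORT:
            peers[acl.group(2)][acl.group(1)] += 1
            continue
        rst = RST_RE.search(line)
        if rst and int(rst.group(2)) == BGP_PORT:
            peers[rst.group(1)]["rst_sent"] += 1
    return dict(peers)


def diagnose(stats):
    """Classify where the peer's connection attempts are being stopped."""
    if stats["rst_sent"]:
        return "local-refusal"      # SYN reached the router and was reset from port 179
    if stats["denied"]:
        return "acl-drop"           # filtered before reaching the BGP listener
    return "permitted-no-rst"       # passed the ACL and was not reset


if __name__ == "__main__":
    for peer, stats in summarize(SAMPLE_LOG).items():
        print(peer, stats, diagnose(stats))
```
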

Hello Jeffrey,

does the ACL also permit when TCP port 179 is on the other side (to the remote neighbor)?

Hope to help

Giuseppe

I believe Giuseppe has covered the troubleshooting tips.

Typical reasons why BGP sessions fail:

- ACL blocking TCP 179

"debug ip tcp transactions"

- wrong ASN

"debug ip bgp events"

There's also the likelihood that your eBGP neighbor is not directly connected. If that's the case, you will need to allow for a TTL that's greater than 1.

"neighbor x.x.x.x ebgp-multihop x"

Hi all,

I permitted remote neighbor ip any, no limit. The eBGP neighbor is a direct Ethernet connection, in the same subnet. The ASN has not changed on either side; it was up before.

The problem is that the eBGP session stays in idle status, so it will refuse the remote neighbor's connection and doesn't initiate a BGP TCP connection to the remote. Normally, if the BGP session is reset or BGP is re-configured, the status should change from idle to Connect/Active.

Thanks

Jeffrey

Remove ACLs and re-establish the peering to rule out possible issues regarding your ACL.

Also is your interface stats showing any errors?

Finally, is your neighbor only accepting a certain number of prefixes? My guess is you might be advertising more than what your neighbor allows and hence it is resetting your neighbor connection.

Hi all,

Thanks very much for the help.

After I upgraded IOS, the eBGP session came up. We didn't change any configuration on either side.

It is quite possibly an IOS bug.

Thanks

Jeffrey

Hello Jeffrey,

first of all, it was kind of you to provide feedback.

Note that to upgrade IOS you need to perform a full reload, which could have fixed the problem.

Hope to help

Giuseppe
