
BGP reset due to malformed update

Antonio_1_2
Level 1

Hello,

I have this topology:

R1---CentralROUTER---R2

more detailed:

Upstream ISP1 -------(eBGP)-----R1-----(iBGP)----Central ROUTER (RouteReflector)-----(iBGP)----R2-----(eBGP)-------Upstream ISP2

R1 IOS XR ver 3.5.3(00) 10.0.0.10

R2 IOS XR ver 3.5.3(00) 10.0.0.11

CentralROUTER IOS ver 12.2(18)SXF9 10.0.0.1

Internal network is connected to CentralROUTER

configs:

CentralROUTER

router bgp 65001

neighbor 10.0.0.10 remote-as 65001
neighbor 10.0.0.10 update-source Loopback0
neighbor 10.0.0.11 remote-as 65001
neighbor 10.0.0.11 update-source Loopback0

neighbor 10.0.0.10 activate
neighbor 10.0.0.10 route-reflector-client
neighbor 10.0.0.11 activate
neighbor 10.0.0.11 route-reflector-client
--------------------------------------------------------

R1 and R2

router bgp 65001

neighbor 10.0.0.1
  remote-as 65001
  update-source Loopback0
  address-family ipv4 unicast
   soft-reconfiguration inbound always

----------------------------------------------------------

I noticed the BGP connection flapping on CentralROUTER toward R1. It went down and up several times and then, with no intervention, it stabilized and stayed established.

The flapping lasted about 30 minutes.

In the log at that time, this message appeared (several times):

-----------------------------------------------------------------------------------------------

Aug 30 11:02:05.461: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.10 3/1 (update malformed) 188 bytes F0630BB8 00000000 00000000 00000000 00
Aug 30 11:02:05.461: BGP: 10.0.0.10.70 Bad attributes FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 012E 0200 0001 1340 0101 0040 0208 0203 22E0 0D1C 316E 4003 04D9 7670 FD80 0404 0000 000A 4005 0400 0000 64C0 0830 0D1C 0002 0D1C 0016 0D1C 0056 0D1C 01F7 0D1C 029A 0D1C 0813 22E0 283E 22E0 2A95 22E0 2B04 22E0 FE58 22E0 FEA8 FDE8 FDDE F063 0BB8 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 185D AF90

-------------------------repeats---------------------

--------------------------------------------------------------------------------------------------

Also, this could be seen with "show ip bgp neighbour" on both routers, R1 and CentralROUTER:

CentralROUTER#sh ip bgp neighbors 10.0.0.10
  Connections established 7; dropped 6
  Last reset 02h, due to BGP Notification sent, update malformed
  Message received that caused BGP to send a Notification:
    FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    012E0200 00011340 01010040 02080203
    22E00D1C 316E4003 04D97670 FD800404
    0000000A 40050400 000064C0 08300D1C
    00020D1C 00160D1C 00560D1C 01F70D1C
    029A0D1C 081322E0 283E22E0 2A9522E0
    2B0422E0 FE5822E0 FEA8FDE8 FDDEF063
    0BB80000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
    00000000 00000000 0000185D AF90

1) What is the cause of this flapping? Of course it can be seen that it is due to "bad attributes" in the BGP update message, but if this came from upstream ISP1, why hasn't it affected the R1 router first?

2) If R1 was constantly sending malformed BGP update messages, why did it stop after 30 minutes?

3) I've read in the RFC that if BGP receives a malformed BGP update message, then it has to reset the BGP session and send a BGP notification to the sending router.

Can I see the cause of this behaviour in these hex numbers?

4) The first log message should be the notification message: F0630BB8 00000000 00000000 00000000 00. But if I convert it to decimal it makes no sense.

The first byte (error code) "F0" is "240" in decimal, which makes no sense because the error code can have values from 1 to 6. (Or this is the data portion of the message and the first octet isn't the error code.)

5) The second message should be the BGP update message, but with the first 16 octets all FFs it also doesn't make sense.

Has anyone had a problem like this?

regards,

A.
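
The hex dump in the post can be read against the RFC 4271 UPDATE layout (16-byte marker of all ones, length, type, withdrawn routes, path attributes, NLRI). The parser below is an added example, not part of the original post or of any Cisco tool; it walks the path attributes of that message and reports the first one whose declared length overruns the attribute block. The names `parse_update` and `prefixes` are chosen here for illustration.

```python
# The UPDATE from the post's "show ip bgp neighbors" output. The dump's run of
# 184 zero bytes is written compactly; every other byte is copied as shown.
MSG = bytes.fromhex(
    "FF" * 16 + "012E0200000113"
    "40010100" "400208020322E00D1C316E" "400304D97670FD"
    "8004040000000A" "40050400000064" "C00830"
    "0D1C00020D1C00160D1C00560D1C01F70D1C029A0D1C0813"
    "22E0283E22E02A9522E02B0422E0FE5822E0FEA8FDE8FDDE"
    "F0630BB8" + "00" * 184 + "185DAF90")

def parse_update(msg):
    """Walk an RFC 4271 UPDATE. Returns (attrs, nlri, error); error is None or
    a dict describing the first attribute that overruns the attribute block."""
    framed = (len(msg) >= 23 and msg[:16] == b"\xff" * 16      # marker: all ones
              and int.from_bytes(msg[16:18], "big") == len(msg) and msg[18] == 2)
    if not framed:
        raise ValueError("not a well-framed UPDATE")
    pos = 21 + int.from_bytes(msg[19:21], "big")     # skip withdrawn routes
    end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2                                         # first path attribute
    if end > len(msg):
        raise ValueError("attribute block longer than message")
    attrs = []
    while pos < end:
        flags = msg[pos]
        code = msg[pos + 1] if pos + 1 < end else None
        hdr = 4 if flags & 0x10 else 3               # Extended Length bit
        available = end - pos - hdr
        declared = int.from_bytes(msg[pos + 2:pos + hdr], "big")
        if available < 0 or declared > available:
            return attrs, msg[end:], {"offset": pos, "flags": flags, "type": code,
                                      "declared": declared, "available": available}
        attrs.append((flags, code, msg[pos + hdr:pos + hdr + declared]))
        pos += hdr + declared
    return attrs, msg[end:], None

def prefixes(nlri):
    """Decode IPv4 NLRI entries (1 length byte + ceil(bits/8) prefix bytes)."""
    out, i = [], 0
    while i < len(nlri):
        bits, n = nlri[i], (nlri[i] + 7) // 8
        octets = nlri[i + 1:i + 1 + n].ljust(4, b"\0")
        out.append(".".join(map(str, octets)) + f"/{bits}")
        i += 1 + n
    return out

if __name__ == "__main__":
    attrs, nlri, err = parse_update(MSG)
    print([code for _, code, _ in attrs], err, prefixes(nlri))
```

On the message from the post, the walk stops at offset 110 on an attribute with flags 0xF0, type 99 and a declared length of 3000 where only 184 bytes remain. That 4-byte attribute header plus the 184 remaining bytes is 188 bytes beginning F0630BB8, the same count and leading bytes shown in the %BGP-3-NOTIFICATION log line.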

2 Replies

Thank you very much Christopher.

regards,

A
