I encountered a weird BGP session problem. The eBGP neighbor status always stays idle, regardless of clear ip bgp or re-configuring eBGP. The network connectivity to the eBGP neighbor is no problem; it is pingable with no packet loss. I enabled TCP and BGP debug, and cannot see the router change the neighbor status from idle to active to initiate the BGP session. I only see some TCP resets sent to the neighbor to refuse the neighbor-initiated BGP TCP connection.
The router platform is C7206, IOS:Version 12.3(7)T1
router bgp yyy
neighbor x.x.x.10 remote-as xxx
neighbor x.x.x.10 version 4
neighbor x.x.x.10 soft-reconfiguration inbound
neighbor x.x.x.10 route-map import in
neighbor x.x.x.10 route-map export out
x.x.x.10 4 xxx 0 0 0 0 0 never Idle
Mar 10 15:17:18: TCP: sending RST, seq 0, ack 3575773935
Mar 10 15:17:18: TCP: sent RST to x.x.x.10:60738 from x.x.x.38:179
Mar 10 15:23:37: TCP: sending RST, seq 0, ack 2383734249
Mar 10 15:23:37: TCP: sent RST to x.x.x.10:56981 from x.x.x.38:179
Mar 10 15:26:05: TCP: sending RST, seq 0, ack 989447100
Mar 10 15:26:05: TCP: sent RST to x.x.x.10:63386 from x.x.x.38:179
Can someone tell me how to change the BGP status from idle to active to accept/initiate the TCP connection? How should I troubleshoot next?
Any comment is very appreciated.
You should verify the basic parameters like the AS number used by the remote router and the IP address the remote is trying to reach.
Some debug ip bgp should show the BGP open message fields coming from the neighbor.
Also, is this a direct eBGP session using IP addresses on the physical interfaces?
Actually, there is no command that can turn the session from idle to some other state.
Note: state Established or a number of prefixes in sh ip bgp sum is the correct state; state Active is not good either.
Hope to help
Both sides' configuration is okay; the BGP was up before. Because it refuses the BGP TCP port 179 connection, it cannot show the BGP open message. Yes, it is a direct eBGP connection on the physical interface. This status is very similar to when a prefix limit is set. If the threshold value is exceeded, BGP will keep the Idle (PfxCt) status and refuse the neighbor TCP connection, sending out a TCP RST to the neighbor like below:
TCP: sending RST, seq 0, ack 2350507170
TCP: sent RST to x.x.x.x:45564 from y.y.y.y:179
But resetting BGP will change the status from idle to active and then back to idle due to exceeded prefixes.
Actually we don't set a prefix limit for the neighbor; I am very confused why the status keeps idle.
Have you recently introduced any security feature like receive ACL or control plane policing?
I wonder if there can be a reason to filter the inbound messages, but I don't think it is your case: you shouldn't see the RST message sent out in that scenario.
In a BGP session there should be a rule on who should use the well-known port TCP 179 and who should use the dynamic high-number TCP port, but I couldn't find a reference to this: not sure if it is the highest BGP router-id address only and/or the highest AS number.
Hope to help
There is an ACL inbound on the interface, but no limit for the neighbor IP; in this subnet the other eBGP neighbors are running well except this one.
From the ACL log, I can see the remote neighbor connect to our router.
%SEC-6-IPACCESSLOGP: list 160 permitted tcp x.x.x.10(57396) -> x.x.x.38(179), 1 packet
%SEC-6-IPACCESSLOGP: list 160 permitted tcp x.x.x.10(59215) -> x.x.x.38(179), 1 packet
But because the status is idle, it refuses the connection and sends out a TCP reset.
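An added example, not from this thread: a small Python triage script that parses lines like the TCP RST and ACL log entries quoted above and reports, per remote peer, whether inbound port-179 attempts were stopped by the ACL or were permitted by the ACL and then reset by the local router. The sample log lines and the 192.0.2.x addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the debug output quoted in the thread
# (addresses are placeholders; the "denied" line is added to show the other branch).
SAMPLE_LOG = """\
Mar 10 15:17:18: TCP: sending RST, seq 0, ack 3575773935
Mar 10 15:17:18: TCP: sent RST to 192.0.2.10:60738 from 192.0.2.38:179
%SEC-6-IPACCESSLOGP: list 160 permitted tcp 192.0.2.10(57396) -> 192.0.2.38(179), 1 packet
Mar 10 15:23:37: TCP: sent RST to 192.0.2.10:56981 from 192.0.2.38:179
%SEC-6-IPACCESSLOGP: list 160 denied tcp 192.0.2.20(41000) -> 192.0.2.38(179), 1 packet
Mar 10 15:26:05: TCP: sent RST to 192.0.2.10:63386 from 192.0.2.38:179
"""

# "TCP: sent RST to <peer>:<port> from <local>:<port>" (IOS debug ip tcp transactions)
RST_RE = re.compile(r"TCP: sent RST to (\S+):(\d+) from (\S+):(\d+)")
# "%SEC-6-IPACCESSLOGP: list <acl> permitted|denied tcp <src>(<port>) -> <dst>(<port>)"
ACL_RE = re.compile(
    r"IPACCESSLOGP: list \S+ (permitted|denied) tcp (\S+)\((\d+)\) -> (\S+)\((\d+)\)"
)


def analyze(log_text, bgp_port=179):
    """Per remote peer: inbound BGP attempts permitted/denied by the ACL, and
    how many times the local router answered from the BGP port with a RST."""
    stats = defaultdict(lambda: {"acl_permitted": 0, "acl_denied": 0, "rst_sent": 0})
    for line in log_text.splitlines():
        m = RST_RE.search(line)
        if m and int(m.group(4)) == bgp_port:      # RST sourced from our port 179
            stats[m.group(1)]["rst_sent"] += 1
            continue
        m = ACL_RE.search(line)
        if m and int(m.group(5)) == bgp_port:      # SYN towards our port 179
            stats[m.group(2)]["acl_" + m.group(1)] += 1
    return dict(stats)


def classify(peer_stats):
    """Map a peer's counters to the most likely point of refusal."""
    if peer_stats["acl_denied"] and not peer_stats["acl_permitted"]:
        return "blocked by ACL"
    if peer_stats["rst_sent"]:
        return "permitted by ACL, reset by local TCP/BGP (session not listening)"
    return "no refusal seen"


if __name__ == "__main__":
    for peer, counters in analyze(SAMPLE_LOG).items():
        print(peer, counters, "->", classify(counters))
```

A peer showing ACL permits followed by RSTs from port 179, as in this thread, points at the local BGP process rather than the interface ACL.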
Does the ACL also permit when TCP port 179 is on the other side (at the remote neighbor)?
Hope to help
I believe Giuseppe has covered the troubleshooting tips.
Typical reasons why BGP sessions fail:
- ACL blocking TCP 179
"debug ip tcp transactions"
"debug ip bgp events"
There's also the likelihood that your eBGP neighbor is not directly connected. If that's the case, you will need to allow for a TTL that's greater than 1:
"neighbor x.x.x.x ebgp-multihop x"
I permitted the remote neighbor IP to any, no limit. The eBGP neighbor is a direct Ethernet connection, in the same subnet. The ASN has not changed on either side; before it was up.
The problem is the eBGP session keeps idle status, so it refuses the remote neighbor's connection and doesn't initiate a BGP TCP connection to the remote. Normally, if I reset the BGP session or re-configure BGP, the status should change from idle to Connect/Active.
Remove ACLs and re-establish the peering to rule out possible issues regarding your ACL.
Also, are your interface stats showing any errors?
Finally, is your neighbor only accepting a certain number of prefixes? My guess is you might be advertising more than what your neighbor allows and hence it is resetting your neighbor connection.
Thanks very much for help.
After I upgraded IOS, the eBGP session came up. We didn't change any configuration on either side.
It is very probably an IOS bug.