BGP Peering Issues
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering BGP Peering: A Comprehensive Guide to Troubleshooting
Introduction: The Backbone of the Internet
Border Gateway Protocol (BGP) is often described as the "glue" that holds the internet together. As a path-vector routing protocol, it is responsible for making routing decisions based on paths, network policies, or rule-sets configured by network administrators. Unlike interior gateway protocols (IGPs) such as OSPF or EIGRP, which are designed to find the fastest path within an autonomous system, BGP is designed to exchange reachability information between autonomous systems (AS).
When BGP peering fails, the impact is immediate and often catastrophic. Because BGP defines how traffic flows between different networks, a peering issue can lead to traffic blackholing, routing loops, or complete isolation of a network from the public internet. Understanding why these sessions fail is not just a technical requirement for network engineers; it is a critical skill for maintaining the availability and integrity of global communications.
In this lesson, we will dissect the anatomy of a BGP peering session, explore the common failure points, and provide a systematic methodology for identifying and resolving these issues. Whether you are dealing with an Internal BGP (iBGP) session between routers in your data center or an External BGP (eBGP) session with a transit provider, the principles of troubleshooting remain remarkably consistent.
Understanding the BGP State Machine
To troubleshoot BGP effectively, you must first understand the BGP Finite State Machine (FSM). A BGP connection transitions through several stages before it reaches the "Established" state, where data exchange begins. If a session is stuck in any state other than "Established," the state itself tells you exactly where the failure is occurring.
The BGP States
- Idle: The initial state where the router waits for a start event. If there is an error, the router remains here or returns here.
- Connect: The router is waiting for the TCP three-way handshake to complete.
- Active: The router is trying to initiate the TCP connection. If it fails, it cycles back to "Connect."
- OpenSent: The TCP connection is established, and the BGP process has sent an OPEN message to the peer.
- OpenConfirm: The router has received an OPEN message and is waiting for a confirmation.
- Established: The session is fully operational, and UPDATE messages can be exchanged.
Callout: The "Active" vs. "Connect" Trap Many engineers assume that "Active" is a good sign. In reality, "Active" is often a symptom of a problem. If your BGP session is stuck in "Active," it means the router is actively trying to initiate a TCP connection but is failing to complete the handshake. This usually points to a connectivity or firewall issue, rather than a BGP configuration error.
Common Causes of Peering Failures
BGP peering issues generally fall into three categories: Layer 3 connectivity problems, BGP configuration mismatches, and security/policy blocks.
1. Layer 3 Connectivity and TCP Handshake Issues
BGP runs over TCP port 179. If the underlying network cannot route packets between the two peering IP addresses, the BGP session will never move past the "Active" state. This is the most common cause of peering failure.
- Missing Routes: The router does not have a route to the peer's IP address.
- Firewalls: ACLs or stateful firewalls are dropping TCP port 179 traffic.
- MTU Mismatches: Large BGP updates may be dropped if the path MTU is lower than the configured MTU, causing the session to flap or drop.
2. BGP Configuration Mismatches
Even if the TCP session is established, the BGP process might reject the peering if the parameters defined in the OPEN message do not match.
- AS Number Mismatch: You configured the peer with the wrong Autonomous System number.
- Authentication Failure: The MD5 or Keychain password does not match between peers.
- Router ID Conflicts: Both routers are trying to use the same BGP Router ID, which causes the session to reset repeatedly.
- Hold Time Mismatches: While BGP can negotiate hold times, extreme mismatches or aggressive timers can lead to session instability.
3. Policy and Resource Limitations
Sometimes the peering is configured correctly, but the router refuses to process the session due to administrative policy or hardware limitations.
- Maximum Prefix Limits: If you configured a limit on the number of prefixes received, and the peer sends more, the router will tear down the session.
- BGP Process CPU/Memory: If the router is overloaded, it may fail to respond to Keepalive messages, leading to a hold-timer expiration.
Step-by-Step Troubleshooting Methodology
When you face a BGP peering issue, do not jump to changing configurations. Follow this systematic approach to isolate the root cause.
Step 1: Check the Current State
Start by identifying the current state of the BGP session. Use the following command (syntax varies by platform, but the logic is the same):
show ip bgp summary
Look at the column indicating the state. If it shows a number (like 10000), it means the session is "Established" and has been up for that many seconds. If it shows "Active" or "Idle," you have a problem.
Step 2: Verify TCP Connectivity
If the state is "Active," verify you can reach the peer.
- Attempt to ping the peer's IP address.
- If the ping works, check if TCP port 179 is reachable. Use a tool like
telnetornc(netcat):telnet <peer-ip> 179
- If the connection is refused or times out, check your ACLs and firewall rules. Ensure that the source IP address of your BGP process (often the loopback interface) is allowed through the firewall.
Step 3: Analyze BGP Logs
Most modern network operating systems provide specific error messages when a BGP session drops. Use the command show log or check the BGP debugging output.
Tip: Use Conditional Debugging Avoid running
debug ip bgpon a production router with many peers, as it can overwhelm the CPU. Instead, use conditional debugging to capture events related only to the problematic peer's IP address.
debug ip bgp neighbors <peer-ip>
Step 4: Validate Configuration Parameters
If the TCP connection is fine but the session flaps, check for configuration mismatches. Ensure the following match on both ends:
- BGP AS numbers.
- MD5 authentication passwords.
- The "Update-source" configuration (e.g., ensuring both sides agree to use Loopback interfaces).
Deep Dive: The "Update-Source" Problem
A frequent point of confusion for engineers is the update-source command. By default, BGP uses the IP address of the egress interface as the source address for its packets. When peering with a loopback interface, this default behavior fails because the peer expects the packet to originate from the loopback IP, not the physical interface IP.
Example Scenario: Router A (Loopback 1.1.1.1) wants to peer with Router B (Loopback 2.2.2.2).
- Router A Configuration:
router bgp 65001 neighbor 2.2.2.2 remote-as 65002 neighbor 2.2.2.2 update-source loopback0 - Router B Configuration:
router bgp 65002 neighbor 1.1.1.1 remote-as 65001 neighbor 1.1.1.1 update-source loopback0
If you omit the update-source command on either side, the router will send packets with the physical interface IP. Router B will see a packet from an IP it does not recognize as a peer and will reject the BGP OPEN message. This often leads to the session oscillating between "Active" and "Idle."
Handling Authentication Issues
BGP authentication is a common source of "silent" failures. Because BGP uses MD5 hashing, a single character mismatch in the password will prevent the TCP session from completing.
Warning: MD5 Limitations MD5 is outdated and vulnerable to collision attacks. While still widely used for BGP, industry best practice is to move toward TCP-AO (TCP Authentication Option) where supported. Always use complex, non-dictionary passwords if you are forced to use MD5.
If you suspect an authentication issue:
- Check the system logs for "Authentication failed" messages.
- On many platforms, you can use
show run | section neighborto verify the password string. - Re-type the password on both sides. Copy-pasting can sometimes introduce hidden characters or spaces that cause the hash to fail.
Comparison Table: BGP Failure Symptoms
| Symptom | Probable Cause | Recommended Action |
|---|---|---|
| State: Active | TCP handshake failing | Check ACLs, firewalls, and route reachability. |
| State: Idle | Admin shut or invalid peer IP | Verify configuration and no shutdown status. |
| State: OpenSent | Configuration mismatch | Check AS numbers and Router IDs. |
| Flapping Session | MTU or Hold-timer issues | Check path MTU and CPU utilization. |
| Prefixes not received | Policy/Filter blocks | Review route-maps and prefix-lists. |
Best Practices for BGP Peering
To minimize the risk of peering failures, follow these industry-standard practices:
- Use Loopback Interfaces for Peering: Always peer using loopback interfaces. Physical interfaces can flap, causing the BGP session to reset every time the link goes down. Loopbacks remain up as long as the router is running.
- Implement BGP TTL Security: Use the
ttl-security(orebgp-multihop) feature to prevent remote attackers from spoofing your BGP peers. - Strict Prefix Filtering: Always apply prefix lists to your neighbors. Accepting "full tables" from an untrusted source without filters is a recipe for a routing disaster.
- Logging and Monitoring: Configure SNMP or streaming telemetry to alert you when a BGP session transitions out of the "Established" state.
- Documentation: Keep a clear record of your AS numbers, peer IP addresses, and authentication keys.
Common Pitfalls and How to Avoid Them
1. The "Default Route" Fallacy
Engineers often assume that if a default route exists, BGP should work. However, BGP peering requires a specific route to the neighbor's IP address. If your peering is over a GRE tunnel or a complex overlay, ensure the underlay routing is stable. Never rely on a default route to reach a BGP neighbor, as this can lead to recursive routing loops.
2. Ignoring MTU
In data center environments with VXLAN or other encapsulation, the MTU is often lower than the standard 1500 bytes. BGP OPEN messages and large UPDATE messages might be fragmented and dropped. If your session stays up during idle times but drops when you start exchanging prefixes, check your MTU settings.
3. Misconfigured TTL
When peering with an eBGP neighbor that is not directly connected (e.g., across a service provider network), you must increase the TTL. By default, eBGP expects a TTL of 1. If you forget to configure ebgp-multihop, the packets will be dropped by the first router they encounter.
Advanced Troubleshooting: Using Packet Captures
When all else fails, look at the wire. Capturing traffic on the interface connected to the BGP peer provides the definitive truth about what is happening.
Use a tool like tcpdump or the router's built-in packet capture feature:
# Capture traffic on port 179
tcpdump -i eth0 port 179
When analyzing the capture:
- SYN/ACK packets: If you see a SYN but no SYN-ACK, the peer is not responding (Firewall/Routing issue).
- RST packets: If you see a Reset packet (RST), the peer is actively rejecting the connection (Configuration mismatch or Authentication failure).
- OPEN messages: If the TCP session is established but the BGP session drops, look for the "Notification" message. BGP sends a notification packet explaining exactly why it is closing the session (e.g., "Hold Timer Expired" or "Unsupported Capability").
Scaling BGP: Route Reflectors and Confederations
As your network grows, the requirement for a full-mesh of iBGP connections becomes unmanageable. This is where Route Reflectors (RR) and Confederations come in. These designs introduce new complexity and, consequently, new ways for BGP to fail.
Troubleshooting Route Reflectors
If a route is not being propagated, check the cluster-id and originator-id attributes. If a router receives a route with its own cluster-id, it will ignore the update to prevent loops. This is a common "silent" failure where the session is established, but routes are not appearing in the routing table.
Troubleshooting Confederations
Confederations split an AS into smaller sub-ASs. The main issue here is the AS_PATH handling. If your configuration does not correctly strip the sub-AS numbers before sending routes to the outside world, you will violate the BGP protocol standards, and your routes will be rejected by external peers.
Callout: iBGP vs. eBGP Behavior Remember the fundamental rule: iBGP does not change the
next-hopattribute by default, while eBGP does. If you are peering via iBGP and your next-hop is unreachable, the route will be marked as invalid in the BGP table. Always usenext-hop-selfwhen peering iBGP with a router that does not have a direct path to the original next-hop.
Practical Exercise: Simulating a Failure
To solidify your understanding, try this exercise in a virtualized lab environment (like GNS3 or EVE-NG):
- Step 1: Set up two routers with a standard eBGP peering. Confirm it is "Established."
- Step 2: Change the password on one side only. Observe the BGP state. It should cycle between "Idle" and "Active" as it repeatedly fails the TCP handshake or authentication.
- Step 3: Check the logs using
show logto see the authentication error message. - Step 4: Correct the password and observe the session re-establish.
- Step 5: Apply an inbound prefix-list that blocks the prefix being advertised. Observe that the BGP session remains "Established," but the route is no longer in the RIB (Routing Information Base). This helps distinguish between a peering issue and a routing issue.
Key Takeaways
- State is Everything: Always check the BGP state first. "Active" indicates a connectivity issue, while "Established" indicates the peering is working, and any missing routes are likely due to policy or filtering.
- TCP is the Foundation: BGP is just an application running on top of TCP. If the underlying TCP connection to port 179 cannot be established, nothing else matters.
- Authentication and Timers: Small mismatches in passwords or hold-times are often the cause of "flapping" sessions. Always verify these settings when the session drops intermittently.
- The "Update-Source" Rule: When using loopbacks for peering, always explicitly define the
update-source. This is the single most common configuration mistake in BGP deployments. - Filter Thoughtfully: Use prefix lists and route maps to control what you send and receive. A lack of proper filtering can lead to receiving a full internet table, which may crash your router's memory or CPU.
- Use Logs and Captures: When in doubt, let the data speak. Logs provide the "why" behind a drop, and packet captures provide the absolute truth of what is happening on the wire.
- Monitor Proactively: Do not wait for a user to report a slow website. Use monitoring tools to track BGP session status and prefix counts so you can intervene before a failure impacts your users.
By mastering these steps, you shift from a reactive "guess and check" approach to a proactive, engineering-led troubleshooting methodology. BGP is complex, but it is deterministic. If you follow the logic of the protocol and verify each layer—from physical connectivity to BGP policy—you will be able to resolve even the most challenging peering issues.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons