Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
BGP Routes are Not Injected into the Routing Table - Knowledge Base - Palo Alto Networks

BGP Routes are Not Injected into the Routing Table

127053
Created On 09/25/18 17:51 PM - Last Modified 01/13/25 19:00 PM


Symptom


  • BGP routes are not injected into the global routing table.
  • BGP peer relationship is established with Peers.
  • Routes from neighbors are present in the BGP local-rib.

Environment


  • PAN-OS 7.1, 8.0, 8.1 and 9.0.
  • Palo Alto Networks Firewall.
  • BGP configured.

Cause


This issue is typically noticed when the Palo Alto Networks firewall has established EBGP and IBGP connectivity between 2 routers and is advertising the routes learned from the EBGP peer to its IBGP peer. By default, when a route is advertised to an EBGP peer outside of an AS, the router will make sure that the next-hop attribute reflects its own IP address. Since BGP is an AS by AS routing protocol, the next-hop value of the BGP network advertisement that leaves an AS, is the IP address of the router at the exit point from AS.

When this route is advertised to an IBGP peer, the next-hop attribute remains the same (because it is not crossing another AS). Usually, the router inside the AS does not have a route to the external IP address from the next-hop attribute. Since these routers do not know where this next hop is (as they are not directly connected), and BGP selects a path with a reachable next hop, these routes advertised by the Palo Alto Networks firewalls EBGP peer never get installed in the routing table.

 

 

Resolution


  1. Configure the Palo Alto Networks firewall to advertise the next-hop value as its IP address to the IBGP peers using

GUI: Network > Virtual Routers > (VR-name) >BGP > Peer Group > 

use-self.JPG.jpg

  1. Click on the Peer configured for IBGP to open the window.
  2. Select the radio button Use Self for configuration Export Next Hop as seen above.

The above configuration ensures the routes advertised to IBGP neighbor will have the next-hop address as the IP address of Palo Alto Networks firewall, and not the IP address of the EBGP neighbor which originally advertised this route. This prevents potential routing black-holes as the next hop is now reachable.

Note: If route filtering is needed, Use Import and Export filters to configure the same.

Additional Information


There are few other reasons for the route not being in the routing table such as routing table being full and  Install Route option under Network > Virtual Routers > (VR-name) >BGP > General > Options is unchecked.

     

     
    Other users also viewed:
    How to download GlobalProtect from the Customer Support Portal
    Download and Install the GlobalProtect App for Windows
    Resource List: GlobalProtect Configuring and Troubleshooting
    PAN-OS Software Updates
    Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
    Results 1-5 of 238,492
    Actions
    • Print
    • Copy Link

      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClL1CAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

    Choose Language