Palo Alto Networks Knowledgebase: BGP Failing with' error code 6 subcode 5 (Connection rejected)'

BGP Failing with' error code 6 subcode 5 (Connection rejected)'

9446
Created On 02/08/19 00:06 AM - Last Updated 02/08/19 00:06 AM
Mobile Network Infrastructure
Resolution

Overview:

This article focuses on explaining the meaning of 'error subcode 5 (Connection rejected)' while establishing BGP between two firewalls.

 

Details:

Excerpt from RFC:

 

   If a BGP speaker decides to disallow a BGP connection (e.g., the peer
   is not configured locally) after the speaker accepts a transport
   protocol connection, then the BGP speaker SHOULD send a NOTIFICATION
   message with the Error Code Cease and the Error Subcode "Connection
   Rejected".

 

This means that after initial TCP handshake between the BGP peers, when peer A receives a OPEN message from peer B, and peer A does not recognize peer B, it would send Notification message with Subcode "Connection Rejected"

 

Assume following topology:

PA-1 (192.168.30.1)  -----  (192.168.30.2) PA-2

 

PA-2 has a misconfigured peer IP address: (instead of 192.168.30.1 it is configured as 192.168.30.3)

 

BGP1.PNG

 

As soon as PA-2 (192.168.30.2) receives a OPEN message from PA-1, it sends a Notification message:

 

bgp2.PNG

bgp.PNG

 

PA-1 shows this notification message being received and error code in routed.log:

 

Capture.PNG

 

 

Resolution:

Edit the configuration to include correct peer IP address on the firewall.



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhtCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language