BGP Failing with' error code 6 subcode 5 (Connection rejected)'

BGP Failing with' error code 6 subcode 5 (Connection rejected)'

95389
Created On 09/25/18 20:34 PM - Last Modified 06/09/24 01:33 AM


Symptom


This article focuses on explaining the meaning of 'error subcode 5 (Connection rejected)' while establishing BGP between two firewalls.

Excerpt from RFC:

   If a BGP speaker decides to disallow a BGP connection (e.g., the peer
   is not configured locally) after the speaker accepts a transport
   protocol connection, then the BGP speaker SHOULD send a NOTIFICATION
   message with the Error Code Cease and the Error Subcode "Connection
   Rejected".

 

This means that after the initial TCP handshake between the BGP peers, when peer A receives an OPEN message from peer B, and peer A does not recognize peer B, it would send a Notification message with Subcode "Connection Rejected"

Environment


  • Any Firewall

Cause


Assume the following topology:

PA-1 (192.168.30.1)  -----  (192.168.30.2) PA-2

 

PA-2 has a misconfigured peer IP address: (instead of 192.168.30.1 it is configured as 192.168.30.3)

 

BGP1.PNG

 

As soon as PA-2 (192.168.30.2) receives a OPEN message from PA-1, it sends a Notification message:

 

bgp2.PNG

bgp.PNG

 

PA-1 shows this notification message being received and error code in routed.log:

 

Capture.PNG

 

Resolution


Edit the configuration to include the correct peer IP address on the firewall.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhtCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language