Firewall Is Not Installing Route Learned via BGP
Created On 05/05/21 01:59 AM - Last Modified 05/30/25 20:57 PM
Symptom
- A BGP neighborship exists between a Palo Alto Networks firewall and another network device, such as a router. The neighbor advertises the route 1.1.1.0/28 via BGP.
- The route appears in the BGP Local RIB, but without an asterisk, and it is not installed in the routing table.
PA-3050> show routing protocol bgp loc-rib
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
1.1.1.0/28 1.1.1.10 SiteA 0 100 i/c 0 0 ----->> Route which is not getting installed
*172.27.128.0/18 1.1.1.10 SiteA 0 100 i/c 0 0
*172.27.192.0/18 1.1.1.10 SiteA 0 100 i/c 0 0
*172.30.96.0/25 1.1.1.10 SiteA 0 100 i/c 0 0
*172.30.96.128/25 1.1.1.10 SiteA 0 100 i/c 0 0
- According to the routed.log file, the prefix is not installed because of a "Routing Oscillation":
qbdcphs1.c 1251 :at 04:31:48, 4 May 2021 (894050458 ms)
A route is not eligible as it will cause a circular routing dependency,
or a routing oscillation.
RIB Manager entity index: 0X00000001
Route prefix: 1.1.1.0
BGP next hop address: 1.1.1.10
Match address: 1.1.1
Reason: Routing Oscillation
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- BGP
Cause
- When installing a route learned via BGP, the firewall performs a route lookup for the next-hop IP address of that route. In this case, the lookup for 1.1.1.10 selects the connected route:
PA-3050> test routing fib-lookup ip 1.1.1.10 virtual-router default
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default
destination: 1.1.1.10
result:
interface ethernet1/3, source 1.1.1.1
Routing Table:
1.1.1.0/24 1.1.1.1 0 A C ethernet1/3
1.1.1.1/32 0.0.0.0 0 A H
2.2.2.0/24 2.2.2.2 0 A C ethernet1/4
2.2.2.2/32 0.0.0.0 0 A H
10.0.51.0/24 10.0.51.0 10 A S tunnel.1
172.27.128.0/17 2.2.2.10 10 A S ethernet1/4
172.27.128.0/18 1.1.1.10 A?B 117685 0
172.27.192.0/18 1.1.1.10 A?B 117685 0
172.30.96.0/25 1.1.1.10 A?B 117685 0
172.30.96.128/25 1.1.1.10 A?B 117685 0
- If the firewall installed the route 1.1.1.0/28, the BGP next-hop IP (1.1.1.10) would be resolved by the more specific route, 1.1.1.0/28 (the BGP-learned route), instead of by the connected route 1.1.1.0/24.
- The BGP route would then depend on itself to resolve its next-hop IP address. Such a route is considered self-resolved, and it is removed from the routing table.
Resolution
- Create a more specific static route for the next-hop IP so that it is preferred over the route learned via BGP.
- With this configuration the firewall resolves the next-hop IP through the static route instead of through the self-resolved route.
- Refer to the Static Routes and BGP sections of the documentation.
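The next-hop eligibility check described under Cause, and the effect of the static route from Resolution, modelled as an added example (this is not PAN-OS code; it is a simplified longest-prefix-match resolver that also catches multi-hop circular dependencies). The routing table is reconstructed from the article's FIB output; the 1.1.1.10/32 static route is an assumed instance of the fix, with nexthop=None standing for "directly reachable out the connected interface".

```python
import ipaddress

# Routing table reconstructed from the article's FIB output. nexthop=None marks a
# connected (or interface-only) route, which terminates resolution.
TABLE = [
    {"prefix": "1.1.1.0/24", "nexthop": None},             # connected, ethernet1/3
    {"prefix": "2.2.2.0/24", "nexthop": None},             # connected, ethernet1/4
    {"prefix": "172.27.128.0/17", "nexthop": "2.2.2.10"},  # static via 2.2.2.10
]

def longest_match(table, ip):
    """Longest-prefix-match lookup; returns the matching entry or None."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry["prefix"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best

def resolves(table, entry, path=()):
    """True if entry's next hop ultimately lands on a connected route.
    A prefix seen twice on the path is a circular dependency; a route whose
    next hop matches its own prefix is the one-hop case the article describes."""
    if entry["nexthop"] is None:
        return True
    if entry["prefix"] in path:
        return False
    via = longest_match(table, entry["nexthop"])
    return via is not None and resolves(table, via, path + (entry["prefix"],))

def bgp_route_eligible(table, prefix, nexthop):
    """Would the firewall install this BGP route? Resolution is checked against
    the table as it would look after the install, so the candidate can shadow
    its own next hop (as 1.1.1.0/28 does against the connected 1.1.1.0/24)."""
    candidate = {"prefix": prefix, "nexthop": nexthop}
    return resolves(table + [candidate], candidate)

# Assumed fix from the Resolution section: a host route for the next hop that is
# more specific than any BGP prefix (1.1.1.10/32 out ethernet1/3, hypothetical).
FIXED_TABLE = TABLE + [{"prefix": "1.1.1.10/32", "nexthop": None}]

if __name__ == "__main__":
    print(bgp_route_eligible(TABLE, "1.1.1.0/28", "1.1.1.10"))        # False
    print(bgp_route_eligible(TABLE, "172.27.128.0/18", "1.1.1.10"))   # True
    print(bgp_route_eligible(FIXED_TABLE, "1.1.1.0/28", "1.1.1.10"))  # True
```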