BGP AS_PATH Loop Prevention Workaround
50159
Created On 07/16/20 21:09 PM - Last Modified 09/09/20 02:53 AM
Symptom
Based on RFC 4271, BGP AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path.
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- BGP is configured with default peering settings.
- Firewall is peering with two or more eBGP peers.
Cause
Unlike some other platforms, PAN-OS (by default) will not advertise a prefix from one peer to another peer if the receiving peer's AS is already present in the AS_PATH attribute of that prefix. One reason for this is that PAN-OS assumes the prefix advertisement will be dropped by the peer (because of its loop prevention mechanism), so the firewall preserves processor cycles by not advertising the prefixes on.
Network --> Virtual Routers --> More Runtime Stats --> BGP --> Local RIB:
Network --> Virtual Routers --> More Runtime Stats --> BGP --> RIB Out:
Resolution
- Uncheck 'Enable Sender Side Loop Detection' for the receiving upstream peer:
Network --> Virtual Routers --> BGP --> Peer Group --> Peer --> Advanced:
- Verify that the routes are now being advertised. As illustrated below, the firewall is sending the routes and appending its own AS to the route advertisement:
- On the receiving peer, an exception can be made to allow the device/system to accept prefix advertisements from the firewall -- even if those routes contain the local AS in the AS_PATH attribute. For example, on Cisco IOS/IOS-XE the configuration is as follows:
Router#show run | i bgp|allowas-in
router bgp 100
bgp log-neighbor-changes
neighbor 192.168.122.175 allowas-in
- Verify that the system is installing the routes/prefixes from the firewall and is able to route to the prefixes:
Router#show ip bgp
BGP table version is 7, local router ID is 192.168.122.83
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.20.30.1/32 192.168.122.175 0 200 100 ?
r> 192.168.122.0 192.168.122.175 0 200 100 ?
Router#ping 10.20.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/11 ms
Additional Information
- On platforms where it may not be possible to allow the local AS inbound, an export rule can be configured on the firewall with a match criterion for the prefix and an action for AS path type set to 'Remove and Prepend.' This means the firewall will overwrite the original AS_PATH with its own AS and then advertise the route. The peer device will install this route since the advertisement no longer contains its own local AS. In the example below, the firewall is matching any instance of AS 100 from the first peer and the action for this is set to 'Remove and Prepend.'
- This is just an example and assumes that the reader is familiar with regular expressions (RegEx). It also assumes the reader is familiar with export rules -- since these can break BGP advertisements to BGP peers if not well thought out or designed.
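The three decisions the article walks through (the PAN-OS sender-side check, the RFC 4271 receiver-side check relaxed by allowas-in, and the 'Remove and Prepend' export action) can be modelled in a few lines. This is an added illustration, not code from the article or from PAN-OS; the AS numbers (firewall in AS 200, both peers in AS 100) and the prefix are constructed to match the output shown above.

```python
# Added example: models the AS_PATH handling described in the article.
# All AS numbers and prefixes below are constructed sample values.
from typing import List, Optional

FIREWALL_AS = 200   # the firewall's own AS (constructed)
PEER_AS = 100       # AS of both eBGP peers in the example (constructed)
PREFIX = "10.20.30.1/32"


def receiver_accepts(as_path: List[int], local_as: int,
                     allowas_in: bool = False) -> bool:
    """RFC 4271 loop detection on the receiving speaker: the UPDATE is
    rejected if the local AS already appears anywhere in AS_PATH, unless
    the peer is configured with 'allowas-in' (Cisco IOS/IOS-XE syntax)."""
    return allowas_in or local_as not in as_path


def firewall_advertises(as_path: List[int], local_as: int, peer_as: int,
                        sender_side_loop_detection: bool = True,
                        remove_and_prepend: bool = False) -> Optional[List[int]]:
    """Return the AS_PATH the firewall would send to peer_as, or None when
    the prefix is suppressed by PAN-OS sender-side loop detection."""
    if remove_and_prepend:
        # Export action 'Remove and Prepend': the original AS_PATH is
        # discarded and replaced with the firewall's own AS.
        return [local_as]
    if sender_side_loop_detection and peer_as in as_path:
        # PAN-OS default: do not advertise to a peer whose AS is in the path.
        return None
    # Normal eBGP behaviour: prepend the local AS before sending.
    return [local_as] + as_path


def walkthrough(as_path_from_peer1: List[int]) -> dict:
    """Outcome of each option for a prefix learned from peer 1 and
    re-advertised to peer 2, where both peers sit in PEER_AS."""
    default = firewall_advertises(as_path_from_peer1, FIREWALL_AS, PEER_AS)
    unchecked = firewall_advertises(as_path_from_peer1, FIREWALL_AS, PEER_AS,
                                    sender_side_loop_detection=False)
    rewritten = firewall_advertises(as_path_from_peer1, FIREWALL_AS, PEER_AS,
                                    remove_and_prepend=True)
    return {
        "default_sent": default,                             # None: suppressed
        "sent_without_sender_check": unchecked,              # [200, 100]
        "peer_installs_plain": receiver_accepts(unchecked, PEER_AS),
        "peer_installs_allowas_in": receiver_accepts(unchecked, PEER_AS, True),
        "sent_remove_and_prepend": rewritten,                # [200]
        "peer_installs_rewritten": receiver_accepts(rewritten, PEER_AS),
    }
```

`walkthrough([100])` reproduces the article's sequence: nothing is sent by default, `200 100` is sent once sender-side loop detection is unchecked and is installed only with allowas-in, and the export rule yields a path of just `200` that any peer in AS 100 installs.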