System log reporting "BFD neighbor signaled session down for BFD session xxx"

Created On 12/07/23 01:50 AM - Last Modified 06/24/24 22:27 PM


Symptom


  • System log reports the following messages intermittently.
    • "BFD neighbor signaled session down for BFD session xxx"
    • "BFD state changed to Down"
Example:
critical bfd ethern session 0 BFD state changed to Down for BFD session 649 to neighbor X.X.X.X on interface ethernet1/1. Protocol: BGP
high bfd ethern neighbo 0 BFD neighbor signaled session down for BFD session 649 to neighbor X.X.X.X on interface ethernet1/1. Protocol: BGP


Environment


  • Palo Alto firewalls
  • Supported PAN-OS
  • BFD associated with other protocols, such as BGP, OSPF, RIP, etc.


Cause


  • The "BFD neighbor signaled session down" log is triggered when the PA firewall receives a BFD packet from the BFD peer with the Session State: Down flag in the control message.
  • The "Session State: Down" is usually caused by the dynamic routing protocol session associated with BFD going down.
  • Associated system logs example with BGP and BFD:
06:17:56 BGP peer session left established state.peer name: XXXXXXX_bgppeer, peer IP: X.X.X.X.
06:17:56 BFD neighbor signaled session down for BFD session 649 to neighbor X.X.X.X on interface ethernet1/1. Protocol: BGP
  • In the above example, the BGP peer session goes down, so the BFD peer sends a BFD packet with the session state Down to the PA firewall. The system log "BFD neighbor signaled session down" is then generated.


Resolution


Use the following general troubleshooting steps to determine why the BFD session has gone down.
  1. Check whether the dynamic routing session goes down at the same time as the "BFD neighbor signaled session down" event.
  2. Take a packet capture of the BFD traffic (UDP 3784) and the dynamic routing session traffic when the system log "BFD neighbor signaled session down" is generated.
  3. Check in the packet capture whether the "Session State" is set to Down in the BFD packet from the peer.
  4. Check in the packet capture whether the dynamic routing protocol has any issues and goes down before the BFD session down packet.
  5. Investigate on the BFD peer and the Palo Alto firewall why the dynamic routing protocol goes down.
  6. If the troubleshooting points to the Palo Alto firewall as the issue, open a case with Support for investigation.
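
For step 3, the Session State can also be read straight from the UDP 3784 payload bytes exported from the capture. The Python decoder below is an added example, not Palo Alto Networks code; it assumes the control packet layout of RFC 5880 (it also decodes the diagnostic field, which the article does not discuss), and both sample packets are constructed.

```python
import struct

# State and diagnostic values per RFC 5880 section 4.1 (assumption: not taken from the article).
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAGS = {
    0: "No Diagnostic", 1: "Control Detection Time Expired",
    2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
    7: "Administratively Down", 8: "Reverse Concatenated Path Down",
}

def parse_bfd_control(payload: bytes) -> dict:
    """Decode the 24-byte mandatory section of a BFD control packet (UDP 3784 payload)."""
    if len(payload) < 24:
        raise ValueError("truncated: mandatory section is 24 bytes")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, _echo = struct.unpack(
        "!BBBBIIIII", payload[:24])
    if b0 >> 5 != 1:                      # version is the top 3 bits of byte 0
        raise ValueError(f"unsupported BFD version {b0 >> 5}")
    if length < 24 or length > len(payload):
        raise ValueError(f"bad Length field {length}")
    diag = b0 & 0x1F                      # diagnostic is the low 5 bits of byte 0
    return {
        "state": STATES[b1 >> 6],         # Session State is the top 2 bits of byte 1
        "diag": DIAGS.get(diag, f"Reserved ({diag})"),
        "detect_mult": mult,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        "desired_min_tx_us": tx,
        "required_min_rx_us": rx,
    }

def peer_signaled_down(payload: bytes) -> bool:
    """True when the peer's control packet carries Session State: Down."""
    return parse_bfd_control(payload)["state"] == "Down"

# Constructed samples (not from a real capture); the diag value is arbitrary.
DOWN_SAMPLE = bytes.fromhex("27400318 00000001 00000002 000f4240 000f4240 00000000")
UP_SAMPLE = bytes.fromhex("20c00318 00000001 00000002 000f4240 000f4240 00000000")

if __name__ == "__main__":
    for name, pkt in (("down", DOWN_SAMPLE), ("up", UP_SAMPLE)):
        print(name, parse_bfd_control(pkt), peer_signaled_down(pkt))
```

Comparing the capture timestamp of the first packet for which `peer_signaled_down` returns True against the routing protocol's last healthy packet gives the ordering asked for in step 4.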


Additional Information


On multi-DP PA firewall platforms, the BFD logs are located in the DP logs folder.
Example bfd.log file path for Slot 5, DP0:
opt/var/s5/dp0/log/pan/bfd.log

