BGP: Firewall sending Network Layer Reachability Information beyond the capacity of its peer

Created On 09/18/24 03:30 AM - Last Modified 07/03/25 14:29 PM


Symptom


  • Unexpected BGP route reconvergence or frequent BGP route flapping.
> show routing route type bgp
  • BGP routes announced by the NGFW do not appear in the peer's BGP Local RIB, even though no export filter on the NGFW restricts them.
  • In routed.log, the NGFW records a NOTIFICATION received from the peer with error code Cease (6) and subcode Maximum Number of Prefixes Reached (1), for example:
qbnmmsg.c 1466 :at 18:04:41, 17 February 2022 (1392686 ms)
A NOTIFICATION message has been received from a neighbor.
NM entity index = 1
Local address = 10.249.246.50
Local port = 0
Remote address = 10.249.246.49
Remote port = 0
Scope ID = 0
Remote AS number = 6461
Remote BGP ID = 0X407D019C
Error code = Cease (6)
Error subcode = Maximum Number of Prefixes Reached (1) 
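The log entry above is multi-line, so alerting on it needs a small parser rather than a single-line grep. The following is an added example (not code from the article or from Palo Alto Networks) that splits routed.log text into received-NOTIFICATION records, keeps only the Cease/1 events, and renders the hexadecimal Remote BGP ID as a dotted quad. The sample log is constructed from the entry shown above plus a second, invented entry with a different Cease subcode (name taken from RFC 4486) so that the filter has something to reject.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the entry from the article, followed by a second invented
# Cease NOTIFICATION (subcode 4, Administrative Reset) that the filter must ignore.
SAMPLE_LOG = """\
qbnmmsg.c 1466 :at 18:04:41, 17 February 2022 (1392686 ms)
A NOTIFICATION message has been received from a neighbor.
NM entity index = 1
Local address = 10.249.246.50
Local port = 0
Remote address = 10.249.246.49
Remote port = 0
Scope ID = 0
Remote AS number = 6461
Remote BGP ID = 0X407D019C
Error code = Cease (6)
Error subcode = Maximum Number of Prefixes Reached (1)
qbnmmsg.c 1466 :at 18:09:41, 17 February 2022 (1692686 ms)
A NOTIFICATION message has been received from a neighbor.
NM entity index = 1
Local address = 10.249.246.50
Local port = 0
Remote address = 10.249.246.49
Remote port = 0
Scope ID = 0
Remote AS number = 6461
Remote BGP ID = 0X407D019C
Error code = Cease (6)
Error subcode = Administrative Reset (4)
"""

CEASE = 6                 # BGP NOTIFICATION error code (RFC 4271)
MAX_PREFIX_REACHED = 1    # Cease subcode (RFC 4486)
_NUMERIC = re.compile(r"\((\d+)\)\s*$")   # pulls the "(6)" out of "Cease (6)"


def parse_notifications(text):
    """Split routed.log text into one dict per entry; keep entries carrying an error code."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("qbnmmsg.c"):          # start of a new entry
            if current is not None:
                records.append(current)
            current = {"stamp": line.split(":at ", 1)[1].strip()}
            continue
        if current is None or " = " not in line:  # free-text lines carry no fields
            continue
        key, value = (s.strip() for s in line.split(" = ", 1))
        current[key] = value
    if current is not None:
        records.append(current)
    return [r for r in records if "Error code" in r]


def numeric(field):
    """Return the numeric code in a field such as 'Cease (6)', or None."""
    m = _NUMERIC.search(field)
    return int(m.group(1)) if m else None


def bgp_id_to_dotted(hexstr):
    """Render a BGP identifier logged as hex (e.g. 0X407D019C) in dotted-quad form."""
    return str(IPv4Address(int(hexstr, 16)))


def max_prefix_events(text):
    """Return only the NOTIFICATIONs that mean the peer hit its maximum-prefix limit."""
    events = []
    for r in parse_notifications(text):
        if numeric(r["Error code"]) == CEASE and numeric(r["Error subcode"]) == MAX_PREFIX_REACHED:
            events.append({
                "when": r["stamp"],
                "local": r["Local address"],
                "peer": r["Remote address"],
                "peer_as": int(r["Remote AS number"]),
                "peer_bgp_id": bgp_id_to_dotted(r["Remote BGP ID"]),
            })
    return events


if __name__ == "__main__":
    for ev in max_prefix_events(SAMPLE_LOG):
        print(f"{ev['when']}: peer {ev['peer']} (AS{ev['peer_as']}, ID {ev['peer_bgp_id']}) "
              f"dropped session with {ev['local']}: max-prefix exceeded")
```

Feeding the real routed.log through `max_prefix_events` gives one record per occurrence, which is what a SIEM rule for the flapping symptom needs: repeated events from the same peer a few minutes apart indicate the session is being re-established and torn down again.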


Environment


  • Palo Alto Networks Firewalls.
  • Supported PAN-OS.
  • BGP Routing configured.


Cause


  • By default, each BGP peer advertises all of the BGP routes in its local RIB to the other, subject only to its export policy.
  • The issue occurs when the NGFW advertises more Network Layer Reachability Information (NLRI) than the peer's configured maximum-prefix limit allows. The peer tears the session down with a Cease NOTIFICATION, subcode 1 (Maximum Number of Prefixes Reached, RFC 4486). If the peer later re-establishes the session, the NGFW re-sends the same routes, the limit is hit again, and the cycle repeats; this is what appears as route flapping and reconvergence.
  • Note that the peer's maximum-prefix limit is not negotiated or advertised in advance: there is no BGP capability or OPEN parameter for it, so the NGFW has no way to know the limit before exceeding it. At most, the peer may include the AFI/SAFI and the limit in the data field of the Cease NOTIFICATION (RFC 4486 recommends this, but it is optional), so it is only learned after the session has already been dropped.
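To make the last point concrete, here is an added example (not code from the article or from Palo Alto Networks) that builds and decodes a BGP NOTIFICATION on the wire: the 19-octet header (RFC 4271), the error code and subcode, and the optional RFC 4486 data field for subcode 1 (AFI, SAFI, 4-octet upper bound). Both constructed messages are valid; only one of them tells the sender what the limit was.

```python
import struct

BGP_MARKER = b"\xff" * 16       # RFC 4271: 16-octet all-ones marker
TYPE_NOTIFICATION = 3
CEASE = 6                       # NOTIFICATION error code
MAX_PREFIX_REACHED = 1          # Cease subcode, RFC 4486
AFI_IPV4, SAFI_UNICAST = 1, 1


def build_notification(code, subcode, data=b""):
    """NOTIFICATION = marker(16) + length(2) + type(1) + code(1) + subcode(1) + data."""
    body = struct.pack("!BB", code, subcode) + data
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), TYPE_NOTIFICATION) + body


def max_prefix_data(afi, safi, upper_bound):
    """RFC 4486 section 4: optional data for subcode 1 (AFI, SAFI, upper bound)."""
    return struct.pack("!HBI", afi, safi, upper_bound)


def decode_notification(msg):
    """Return code, subcode and, when the peer included it, the prefix limit."""
    if len(msg) < 21 or msg[:16] != BGP_MARKER:
        raise ValueError("not a BGP message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != TYPE_NOTIFICATION or length != len(msg):
        raise ValueError("not a complete NOTIFICATION message")
    code, subcode = struct.unpack("!BB", msg[19:21])
    data = msg[21:]
    out = {"code": code, "subcode": subcode, "afi": None, "safi": None, "upper_bound": None}
    # The data field is optional: only decode it when the full 7 octets are present.
    if code == CEASE and subcode == MAX_PREFIX_REACHED and len(data) >= 7:
        out["afi"], out["safi"], out["upper_bound"] = struct.unpack("!HBI", data[:7])
    return out


# Constructed messages (assumed limit of 1000 IPv4 unicast prefixes on the peer).
WITH_LIMIT = build_notification(CEASE, MAX_PREFIX_REACHED,
                                max_prefix_data(AFI_IPV4, SAFI_UNICAST, 1000))
WITHOUT_LIMIT = build_notification(CEASE, MAX_PREFIX_REACHED)

if __name__ == "__main__":
    for name, msg in (("with data field", WITH_LIMIT), ("without data field", WITHOUT_LIMIT)):
        print(name, decode_notification(msg))
```

When capturing the session on the NGFW or the peer, checking whether the Cease carries the 7-octet data field tells you immediately whether the limit can be read from the packet or has to be obtained from the peer's operator.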


Resolution


  1. Aggregate and advertise routes via BGP: use the "How to Aggregate Routes and Advertise via BGP" guide to summarize the routes the NGFW advertises, so that fewer, larger prefixes reach the peer.
  2. Configure a BGP export filter on the NGFW: follow the "How to Configure BGP Route Filtering" guide to set up an export filter so that only the prefixes the peer actually needs are advertised.
  3. Configure a BGP import filter on the remote peer: set up an import filter on the remote peer to control inbound routes, or, where appropriate for the peering, raise the peer's maximum-prefix limit to cover the expected prefix count.
  After the change, confirm that the number of prefixes the NGFW advertises to the peer stays below the peer's limit and that the session no longer resets with a Cease NOTIFICATION.
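Steps 1 and 2 both reduce the number of prefixes the peer sees; the following added example (not code from the article or from Palo Alto Networks) models that reduction so it can be checked before committing a configuration. It applies summary-only aggregation and a prefix-list style export filter (first match wins, implicit deny, `le` as the longest accepted prefix length) to a constructed prefix set and compares the result with an assumed peer limit.

```python
from ipaddress import ip_network

# Constructed inputs (not from the article): eight /24s under 10.249.0.0/16 plus
# three documentation prefixes, an aggregate, an export prefix-list and a peer limit.
ADVERTISED = [f"10.249.{i}.0/24" for i in range(8)] + \
             ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
AGGREGATES = ["10.249.0.0/16"]
# (action, prefix, le): first match wins; no match means deny.
EXPORT_RULES = [("permit", "10.249.0.0/16", 16),
                ("permit", "192.0.2.0/24", None),
                ("deny", "0.0.0.0/0", 32)]
PEER_MAX_PREFIX = 5   # assumed maximum-prefix limit configured on the remote peer


def apply_aggregates(prefixes, aggregates):
    """Summary-only aggregation: each prefix covered by an aggregate is replaced by it."""
    aggs = [ip_network(a) for a in aggregates]
    out = set()
    for p in prefixes:
        n = ip_network(p)
        cover = [a for a in aggs if a.version == n.version and n.subnet_of(a)]
        out.add(cover[0] if cover else n)
    return sorted(out)


def export_filter(nets, rules):
    """Apply prefix-list style rules; a prefix matches when it lies inside the rule's
    prefix and its length is at most 'le' (or exactly the rule's length if le is None)."""
    allowed = []
    for n in nets:
        for action, match, le in rules:
            m = ip_network(match)
            longest = m.prefixlen if le is None else le
            if m.version == n.version and n.subnet_of(m) and n.prefixlen <= longest:
                if action == "permit":
                    allowed.append(n)
                break            # first matching rule decides
    return allowed


def fits_peer_limit(nets, max_prefix):
    """Compare the prefix count against the peer's maximum-prefix limit."""
    return {"count": len(nets), "limit": max_prefix, "ok": len(nets) <= max_prefix}


if __name__ == "__main__":
    raw = [ip_network(p) for p in ADVERTISED]
    print("unaggregated:", fits_peer_limit(raw, PEER_MAX_PREFIX))
    agg = apply_aggregates(ADVERTISED, AGGREGATES)
    print("aggregated:  ", fits_peer_limit(agg, PEER_MAX_PREFIX), [str(n) for n in agg])
    filtered = export_filter(agg, EXPORT_RULES)
    print("exported:    ", fits_peer_limit(filtered, PEER_MAX_PREFIX), [str(n) for n in filtered])
```

Note the interaction between the two steps: with the `le 16` rule, the un-aggregated /24s are not matched by the permit and fall through to the deny, so the export filter only behaves as intended once the aggregate exists. Run the model with the real export list and the limit obtained from the peer's operator before changing the NGFW.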


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000PQdRCAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail