BGP: The maximum number of prefixes stored for a neighbor would be exceeded.
Created On 09/14/22 07:07 AM - Last Modified 01/22/25 03:35 AM
Symptom
- Unexpected BGP route reconvergence or flapping BGP routes.
> show routing route type bgp
- BGP Routes announced by the neighbor aren't seen in BGP's Local RIB, although you did not configure an import filter to restrict the routes.
Network > Virtual Routers > More Runtime Stats > BGP > Local RIB
- BGP's RIB Out is blank, although you didn't configure an export filter to restrict the routes.
Network > Virtual Routers > More Runtime Stats > BGP > RIB Out
Environment
- Palo Alto firewalls
- Supported PAN-OS
- BGP
Cause
- The allowed number of prefixes for each peer is set by the "Max Prefixes" parameter.
- The BGP peer sends more prefixes than the configured Max Prefixes value.
- When this happens, the error message "The maximum number of prefixes stored for a neighbor would be exceeded" is logged in /var/log/pan/routed.log.
**** AUDIT 0x4107 - 16 (0000) **** I:00059b36 F:00000002
qbdcphs1.c 1437 :at 19:31:11, 15 April 2021 (2160030 ms)
The maximum number of prefixes stored for a neighbor would be exceeded.
RIB Manager entity index: 0X00000003
Neighbor IP address: 177.15.195.117
AFI: 1
SAFI: 1
Defined max prefixes: 5000
Dropping connection: False
Idle hold time: 90
- When the number of prefixes from a peer reaches the warning threshold, the following message is logged:
**** AUDIT 0x4107 - 36 (0000) **** I:0008c3fe F:00000002
qbdcphs1.c 1532 :at 21:55:45, 14 December 2021 (21772465 ms)
The number of prefixes from a peer has reached the warning threshold.
RIB Manager entity index: 0X00000001
Neighbor IP address: 10.101.0.21
AFI: 1
SAFI: 1
Number of prefixes: 1125
Configured max prefixes: 1500
Threshold level 1125
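Added example (not Palo Alto's code): a Python parser that scans routed.log text for the two AUDIT entries shown above and extracts the peer and prefix counts, so that limit hits can feed an alert. The sample log is constructed in the same format with documentation IP addresses and fewer fields; the function and key names are assumptions.

```python
import re

# Constructed sample in the routed.log AUDIT format (documentation IPs, not real peers).
SAMPLE_LOG = """\
**** AUDIT 0x4107 - 16 (0000) **** I:00000001 F:00000002
qbdcphs1.c 1437 :at 10:00:00, 1 January 2024 (1000 ms)
The maximum number of prefixes stored for a neighbor would be exceeded.
Neighbor IP address: 192.0.2.1
Defined max prefixes: 5000
Dropping connection: False
**** AUDIT 0x4107 - 36 (0000) **** I:00000002 F:00000002
qbdcphs1.c 1532 :at 10:05:00, 1 January 2024 (301000 ms)
The number of prefixes from a peer has reached the warning threshold.
Neighbor IP address: 198.51.100.7
Number of prefixes: 1125
Configured max prefixes: 1500
Threshold level 1125
"""

MESSAGES = {
    "The maximum number of prefixes stored for a neighbor would be exceeded.": "exceeded",
    "The number of prefixes from a peer has reached the warning threshold.": "warning",
}

def _num(pattern, body):
    m = re.search(pattern, body)
    return int(m.group(1)) if m else None

def parse_prefix_events(text):
    """Return one dict per max-prefix AUDIT entry found in routed.log text."""
    blocks = []
    for line in text.splitlines():
        if line.lstrip().startswith("**** AUDIT"):
            blocks.append([])          # each AUDIT header starts a new entry
        if blocks:
            blocks[-1].append(line.strip())
    events = []
    for lines in blocks:
        kind = next((MESSAGES[l] for l in lines if l in MESSAGES), None)
        if kind is None:
            continue                   # unrelated AUDIT entry
        body = "\n".join(lines)
        peer = re.search(r"Neighbor IP address:\s*(\S+)", body)
        events.append({"kind": kind, "neighbor": peer.group(1) if peer else None,
            # The two messages label the limit differently (Defined vs Configured).
            "max_prefixes": _num(r"(?:Defined|Configured) max prefixes:\s*(\d+)", body),
            "prefixes": _num(r"Number of prefixes:\s*(\d+)", body),
            "threshold": _num(r"Threshold level:?\s*(\d+)", body)})  # no colon in the log
    return events
```

Run `parse_prefix_events` over the contents of /var/log/pan/routed.log; a "warning" event for a peer is the cue to act before an "exceeded" event appears.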
Resolution
The first two solutions are implemented on the firewall's BGP peer, while the third and fourth are implemented on the firewall.
Implement at least one of the presented solutions to resolve the issue.
- Configure an export filter on the remote BGP peer to announce only the necessary NLRI (routes).
- Summarize the routes sent to the firewall.
- Increase the max prefixes that the firewall can receive from the neighbor: navigate to Network > Virtual Routers > click on the appropriate VR > BGP > Peer Group > click on the appropriate peer group > click on the appropriate peer > Advanced > Max Prefixes.
- Configure a BGP import filter.
Additional Information
How to troubleshoot flapping BGP neighbor