BGP Not Working after MD5 Key is Changed

BGP Not Working after MD5 Key is Changed

26810
Created On 09/25/18 19:37 PM - Last Modified 01/18/24 16:11 PM


Environment


  • Any PAN-OS.
  • BGP Routing configured.

Resolution


Issue

After MD5 key is changed on the Palo Alto Networks Firewall, BGP is not working between the Palo Alto Networks Firewall and the Juniper device.

 

Cause

There are MD5 Key mismatches.

 

Errors Seen on Palo Alto Networks Firewall

mp\routed.log 07-10 14:03:02 qbrmem1.c 1619 :at 14:03:25, 10 July 2012 (16210 ms)
DC-BGP RIB Manager graceful restart configuration is inconsistent.
RM entity index = 0X00000001
Restart Supported = 0
Currently restarting = 1
mp\routed.log 07-10 14:03:25 Error: panos_set_dc_field(src/pan_dc_api.c:987): ********** PANDCCFG_SEND bgpRmEntTable MOD error AMB_RC_INCONSISTENT_VALUE
**** EXCEPTION 0x4101 - 63 (0000) **** I:00000199 F:00000010
qbrmem1.c 1601 :at 14:03:25, 10 July 2012 (16210 ms)
DC-BGP has been configured as if the forwarding state for an AFI/SAFI has
been preserved over a restart, but this instance of DC-BGP does not
support graceful restart.
RM entity index = 0X00000001
AFI = 1
SAFI = 1

**** PROBLEM 0x0303 - 25 (0000) **** -:-------- F:00000001
sckorig2.c 1365 :at 14:03:28, 10 July 2012 (19260 ms)
A connection attempt has failed.
Sockets error code = 148
Socket ID = 19
Socket type = 0X00000001
Socket family = 0X00000002
Socket protocol = 0X00000000
Application handle = 0X01BB0000
Stub socket handle = 0X01BD0000
mp\routed.log 07-10 14:03:25 Local inet address = 10.160.0.38
Local port = 0
Remote inet address = 10.160.0.37
Remote port = 179

**** EXCEPTION 0x0303 - 5 (0000) **** I:00000244 F:00000020
sckrecv2.c 216 :at 14:03:28, 10 July 2012 (19260 ms)
Received invalid socket handle.
Socket handle = 0X01BD0000

 

Errors Seen on Juniper

Jul 9 13:43:04 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:54639 wrong MD5 digest

Jul 9 13:43:52 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:26344 wrong MD5 digest

Jul 9 13:47:23 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:64170 wrong MD5 digest

Jul 9 13:47:26 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:64170 wrong MD5 digest

Jul 9 13:47:32 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:63820 wrong MD5 digest

Jul 9 13:47:44 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:51335 wrong MD5 digest

Jul 9 13:48:08 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:2188 wrong MD5 digest

Jul 9 13:48:56 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:61710 wrong MD5 digest

Jul 9 13:52:31 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:21359 wrong MD5 digest

 

Resolution

  1. Delete the Authentication profile and BGP peer on Palo Alto Networks device.

    Authentication profile

    Auth Profile - delete.jpg

     

    BGP peer

    Peer - Delete.jpg

  2. Commit and Reboot the Palo Alto Networks device.
  3. Add the Peer and Authentication Profile on Palo Alto Networks device.

    Authentication Profile

    Auth profile -- Adding.jpg

     

    Peer

    BGP - Peer -- Adding.jpg

  4. Commit
  5. Test again

 

owner: saryan
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClaR&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail

Choose Language