BGP Not Working after MD5 Key is Changed
Environment
- Any PAN-OS.
- BGP Routing configured.
Resolution
Issue
After MD5 key is changed on the Palo Alto Networks Firewall, BGP is not working between the Palo Alto Networks Firewall and the Juniper device.
Cause
There are MD5 Key mismatches.
Errors Seen on Palo Alto Networks Firewall
mp\routed.log 07-10 14:03:02 qbrmem1.c 1619 :at 14:03:25, 10 July 2012 (16210 ms)
DC-BGP RIB Manager graceful restart configuration is inconsistent.
RM entity index = 0X00000001
Restart Supported = 0
Currently restarting = 1
mp\routed.log 07-10 14:03:25 Error: panos_set_dc_field(src/pan_dc_api.c:987): ********** PANDCCFG_SEND bgpRmEntTable MOD error AMB_RC_INCONSISTENT_VALUE
**** EXCEPTION 0x4101 - 63 (0000) **** I:00000199 F:00000010
qbrmem1.c 1601 :at 14:03:25, 10 July 2012 (16210 ms)
DC-BGP has been configured as if the forwarding state for an AFI/SAFI has
been preserved over a restart, but this instance of DC-BGP does not
support graceful restart.
RM entity index = 0X00000001
AFI = 1
SAFI = 1
**** PROBLEM 0x0303 - 25 (0000) **** -:-------- F:00000001
sckorig2.c 1365 :at 14:03:28, 10 July 2012 (19260 ms)
A connection attempt has failed.
Sockets error code = 148
Socket ID = 19
Socket type = 0X00000001
Socket family = 0X00000002
Socket protocol = 0X00000000
Application handle = 0X01BB0000
Stub socket handle = 0X01BD0000
mp\routed.log 07-10 14:03:25 Local inet address = 10.160.0.38
Local port = 0
Remote inet address = 10.160.0.37
Remote port = 179
**** EXCEPTION 0x0303 - 5 (0000) **** I:00000244 F:00000020
sckrecv2.c 216 :at 14:03:28, 10 July 2012 (19260 ms)
Received invalid socket handle.
Socket handle = 0X01BD0000
Errors Seen on Juniper
Jul 9 13:43:04 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:54639 wrong MD5 digest
Jul 9 13:43:52 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:26344 wrong MD5 digest
Jul 9 13:47:23 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:64170 wrong MD5 digest
Jul 9 13:47:26 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:64170 wrong MD5 digest
Jul 9 13:47:32 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:63820 wrong MD5 digest
Jul 9 13:47:44 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:51335 wrong MD5 digest
Jul 9 13:48:08 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:2188 wrong MD5 digest
Jul 9 13:48:56 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:61710 wrong MD5 digest
Jul 9 13:52:31 r-ew-igw-re0 /kernel: tcp_auth_ok: Packet from 10.160.0.38:21359 wrong MD5 digest
Resolution
- Delete the Authentication profile and BGP peer on Palo Alto Networks device.
Authentication profile
BGP peer
- Commit and Reboot the Palo Alto Networks device.
- Add the Peer and Authentication Profile on Palo Alto Networks device.
Authentication Profile
Peer
- Commit
- Test again
owner: saryan