PAN-OS upgrade is causing BGP flaps due to BFD configuration
11800
Created On 10/24/19 03:28 AM - Last Modified 04/27/20 20:50 PM
Symptom
After upgrading the Firewall to PAN-OS 8.0.x from PAN-OS 7.1.x, BGP neighborship is flapping due to BFD configuration.
Environment
- Palo Alto Firewall.
- PAN-OS 8.0 and 8.1.
- BGP configured.
- BFD enabled for BGP protocol.
Cause
In PAN-OS 7.1, if a routing protocol on the firewall is configured with BFD, and BFD is NOT enabled on the remote end, then BFD does not have an impact on the behavior of the routing protocol. The routing protocol behaves as if no BFD is configured.
In PAN-OS 8.0 and 8.1, if a routing protocol on the firewall is configured with BFD, and BFD is NOT enabled on the remote end. The firewall will attempt to establish a BFD session with the remote end that does not have BFD enabled. This causes BFD not to come up and subsequently causes BGP to flap. This behavior continues, leading to indefinite routing protocol flaps.
Resolution
To resolve, Either:
- Enable or Disable BFD on both the Firewall and the remote end device.
OR
- Upgrade the code to PAN-OS version 8.0.12 or 8.1.3 which reverts back the behavior to 7.1.x version.
Additional Information
PAN-99067 -BFD behavior change in 8.0 back to 7.1 ( Fix Version/s: 8.0.12, 8.1.3)