Dear Team,
We have established BGP between the vMX and Palo Alto in Azure using EBGP. We were successful in establishing the connectivity, but BGP keeps flapping when the maximum hold timer expires.
For example, BGP flaps every 240 seconds, as the EBGP hold timer is set to 240 seconds.
Please share your valuable feedback on how we could resolve this.
Thanks,
Srikanth
What fw version?
On the MX
We had similar problems in the past but that was on older fw and not in azure.
Could it be an MTU problem?
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning
It suggests the "Hellos" are not being sent or received. Try doing a packet capture and see if they are being sent and then received.
Anything in the log on either device to suggest the issue?
@PhilipDAth we have done a packet capture, which states that the keepalive packets are being sent by the Palo Alto to the vMX, but the vMX doesn't respond back with a keepalive packet.
Do the Azure security groups allow the traffic?
@PhilipDAth we have checked the security groups and they aren't blocking any traffic. The packet was being received by the vMX, and then there were update messages which were sent by the Palo Alto to the vMX. After multiple update messages were received on the vMX end, there was a reset message sent from the vMX.
Does a packet capture on the vMX show that the packet was received?
Hi Sri,
The PA mgmt subnet and the advertised subnets should not overlap each other, as that will create a routing issue. It could be the reason. Check other parameters as well: MTU, MSS, etc.
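The packet-capture check suggested in this thread can be scripted. The following is an added example, not code posted by anyone in the thread: it decodes BGP headers from TCP port 179 payloads and reports, per sender, the longest silence compared with the hold time negotiated in the OPEN messages. The function names, the `(timestamp, sender, payload)` tuple format and the sample capture are assumptions, and the capture is assumed to start with both OPEN messages.

```python
import struct
from collections import Counter, defaultdict

MARKER = b"\xff" * 16
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

def parse_bgp(payload):
    """Split a TCP payload into (type_name, body) tuples per the RFC 4271 header."""
    msgs, off = [], 0
    while off + 19 <= len(payload):
        marker, length, mtype = struct.unpack_from("!16sHB", payload, off)
        if marker != MARKER or not 19 <= length <= 4096:
            raise ValueError(f"bad BGP header at offset {off}")
        if off + length > len(payload):
            break  # rest of this message is in the next TCP segment
        msgs.append((TYPES.get(mtype, f"TYPE{mtype}"), payload[off + 19:off + length]))
        off += length
    return msgs

def audit(capture):
    """Return (negotiated_hold, {sender: (type_counts, longest_silence_seconds)})."""
    counts, alive, holds = defaultdict(Counter), defaultdict(list), []
    for ts, sender, payload in capture:
        for name, body in parse_bgp(payload):
            counts[sender][name] += 1
            if name == "OPEN":
                holds.append(struct.unpack_from("!H", body, 3)[0])  # Hold Time field
            if name in ("OPEN", "KEEPALIVE", "UPDATE"):  # proof the sender is alive
                alive[sender].append(ts)
    end = capture[-1][0]  # silence is measured up to the end of the capture
    gaps = {s: max(b - a for a, b in zip(t, t[1:] + [end])) for s, t in alive.items()}
    return min(holds), {s: (dict(counts[s]), gaps[s]) for s in alive}

def silent_peers(capture):
    """Senders whose longest silence reached the negotiated (non-zero) hold time."""
    hold, report = audit(capture)
    return sorted(s for s, (_, gap) in report.items() if hold and gap >= hold)

# Constructed sample capture: AS numbers, router IDs and timings are made up.
def build(mtype, body=b""):
    return MARKER + struct.pack("!HB", 19 + len(body), mtype) + body
def open_msg(asn, router_id):
    return build(1, struct.pack("!BHH4sB", 4, asn, 240, router_id, 0))
CAPTURE = [
    (0.0, "paloalto", open_msg(65001, bytes([10, 0, 0, 4]))),
    (0.1, "vmx", open_msg(65002, bytes([10, 0, 1, 4]))),
    (0.2, "paloalto", build(4)), (0.3, "vmx", build(4)),
    (5.0, "paloalto", build(2, b"\x00" * 4) + build(4)),  # empty UPDATE + KEEPALIVE
] + [(t, "paloalto", build(4)) for t in (80.0, 160.0, 240.0, 240.5)]
```

Running `silent_peers` on captures taken on both devices separates "the peer never sent it" from "it was sent but dropped in transit".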