Meraki

Community

Need Assistance | BGP flapping between vMX and Palo Alto in Azure

Srikanth
Here to help
‎Sep 6 2021 7:48 AM
‎Sep 6 2021 7:48 AM

Need Assistance | BGP flapping between vMX and Palo Alto in Azure

Dear Team,

 

we have established BGP between vMX and Palo Alto in Azure using EBGP, we were successful to establish the connectivity but the BGP keeps on flapping upon the Maximum Hold Timer expires.

 

ex: the BGP flaps every 240 seconds as the EBGP hold timer is set at 240 seconds.

 

Please share your valuable feedback on how could we resolve this.

 

Thanks,

Srikanth

0 Kudos
12 Replies 12
ww
Kind of a big deal
Kind of a big deal
‎Sep 6 2021 8:20 AM
‎Sep 6 2021 8:20 AM

What fw version?

0 Kudos
In response to ww
Srikanth
Here to help
‎Sep 6 2021 8:26 AM
‎Sep 6 2021 8:26 AM

@ww the version which we are using is  Palo Alto version 9.1

0 Kudos
In response to Srikanth
ww
Kind of a big deal
Kind of a big deal
‎Sep 6 2021 8:29 AM
‎Sep 6 2021 8:29 AM

On the mx

0 Kudos
In response to ww
Srikanth
Here to help
‎Sep 6 2021 8:46 AM
‎Sep 6 2021 8:46 AM

@ww on the vMX our version is : MX 15.42.2

 

 

0 Kudos
In response to Srikanth
Srikanth
Here to help
‎Sep 6 2021 9:34 AM
‎Sep 6 2021 9:34 AM

@ww   @PhilipDAth @Bruce  Could you please provide a solution on the above issue 

0 Kudos
In response to Srikanth
ww
Kind of a big deal
Kind of a big deal
‎Sep 6 2021 10:55 AM
‎Sep 6 2021 10:55 AM

We had similar problems in the past but that was on older fw and not in azure.  

 

Could it be a mtu problem? 

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 6 2021 3:51 PM
‎Sep 6 2021 3:51 PM

It suggests the "Hellos" are not being sent or received.  Try doing a packet capture and see if they are being sent and then received.

 

Anything in the log on either device to suggest the issue?

0 Kudos
In response to PhilipDAth
Srikanth
Here to help
‎Sep 6 2021 11:43 PM
‎Sep 6 2021 11:43 PM

@PhilipDAth we have done a packet capture and which states that the Keep alive packet are being sent by Palo Alto to the vMX, but vMX doesn't respond back with a keep alive packet 

0 Kudos
In response to Srikanth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 6 2021 11:46 PM
‎Sep 6 2021 11:46 PM

Do the Azure security groups allow the traffic?

0 Kudos
In response to PhilipDAth
Srikanth
Here to help
‎Sep 6 2021 11:47 PM
‎Sep 6 2021 11:47 PM

@PhilipDAth we have checked the security groups and they aren't blocking any traffic , the packet was being received by vMX and then there were update messages which was sent by Palo Alto to the vMX. after multiple update messages which were received on the vMX end  there was a reset message sent from vMX

0 Kudos
In response to Srikanth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 6 2021 11:46 PM
‎Sep 6 2021 11:46 PM

Does a packet capture on the VMX show that the packet was recieved?

0 Kudos
Sam_Gawande
New here
‎Sep 6 2021 11:45 PM
‎Sep 6 2021 11:45 PM

Hi Sri,

 

PA mgmt subnet and advertised subnets not overlap each other and it will create routing issue. It could be the reason. Check other parameter as well MTU, MSS etc. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.