IPFYI
🗺️ BGP & Internet Routing 10 min read

BGP Session Troubleshooting Guide

A systematic approach to diagnosing and fixing BGP session problems, from neighbor establishment failures to route propagation issues.

BGP Session States

A BGP session transitions through these states. Understanding where it is stuck tells you what is wrong:

Idle -> Connect -> Active -> OpenSent -> OpenConfirm -> Established
State Meaning Common Cause of Stuck
Idle Not attempting connection Admin shutdown, no route to peer
Connect TCP SYN sent, waiting for response Firewall blocking TCP 179
Active TCP connection failed, retrying Wrong peer IP, firewall, ACL
OpenSent TCP connected, OPEN message sent Parameter mismatch
OpenConfirm OPEN received, waiting for KEEPALIVE Authentication failure
Established Session up, routes exchanging (Working normally)

Step 1: Check Basic Connectivity

Before debugging BGP, verify Layer 3 reachability:

# Can you reach the peer's BGP address?
ping 10.0.0.2

# Is TCP port 179 open?
nc -zv 10.0.0.2 179

# Is there a firewall blocking?
sudo iptables -L -n | grep 179

If ping works but TCP 179 fails, a firewall is blocking BGP. Check both sides -- the firewall rules must allow TCP 179 in both directions (BGP uses bidirectional TCP).

Step 2: Verify Configuration

The most common configuration errors:

# Check neighbor configuration
show bgp neighbors 10.0.0.2

# Verify these match on BOTH sides:
- Peer IP address
- Local and remote AS numbers
- Authentication password (MD5)
- Source interface / update-source
- TTL (eBGP multihop if not directly connected)

eBGP Multihop

If the peer is not directly connected (e.g., peering via loopback addresses), you need multihop:

# Cisco
neighbor 10.0.0.2 ebgp-multihop 2

# Junos
protocols bgp group PEER neighbor 10.0.0.2 multihop ttl 2

Step 3: Check Authentication

If the session reaches OpenSent but fails, authentication is likely wrong:

# Verify MD5 authentication matches
show bgp neighbors 10.0.0.2 | include authentication

# Common issues:
- Trailing whitespace in password
- Copy-paste encoding issues
- One side has auth, the other does not

MD5 authentication failures produce no useful error -- the TCP connection simply resets.

Step 4: Route Not Being Advertised

Session is Established but routes are missing:

# What are you sending to the peer?
show bgp neighbor 10.0.0.2 advertised-routes

# What is the peer sending you?
show bgp neighbor 10.0.0.2 received-routes

# Is the route in your local BGP table?
show bgp ipv4 unicast 203.0.113.0/24

Common causes:

  • Route not in BGP table -- Need to redistribute or use network statement.
  • Outbound filter -- A prefix-list or route-map is blocking the announcement.
  • Inbound filter on peer -- The peer's policy is rejecting your route.
  • Next-hop unreachable -- The BGP next-hop cannot be resolved in the routing table.

Step 5: Flapping Sessions

If the session keeps going up and down:

  • MTU mismatch -- Large BGP UPDATE messages get fragmented and dropped. Test with ping -s 1472 -M do.
  • Hold timer expiry -- KEEPALIVEs not arriving. Check CPU utilization on both routers.
  • Interface flapping -- Physical or logical interface going up/down.
  • Route oscillation -- A route is being repeatedly added and withdrawn, triggering session resets.
# Check for interface flaps
show interface GigabitEthernet0/0 | include changes
show log | include BGP

See Also

Autonomous System (AS) Glossary BGP Glossary Default Route Glossary Gateway Glossary Hop Glossary OSPF Glossary Router Glossary Routing Table Glossary TCP vs UDP Compare HTTP vs HTTPS Compare HTTP/2 vs HTTP/3 Compare IMAP vs POP3 Compare