BGP Session Troubleshooting Guide
A systematic approach to diagnosing and fixing BGP session problems, from neighbor establishment failures to route propagation issues.
BGP Session States
A BGP session transitions through these states. Understanding where it is stuck tells you what is wrong:
Idle -> Connect -> Active -> OpenSent -> OpenConfirm -> Established
| State | Meaning | Common Cause of Stuck |
|---|---|---|
| Idle | Not attempting connection | Admin shutdown, no route to peer |
| Connect | TCP SYN sent, waiting for response | Firewall blocking TCP 179 |
| Active | TCP connection failed, retrying | Wrong peer IP, firewall, ACL |
| OpenSent | TCP connected, OPEN message sent | Parameter mismatch |
| OpenConfirm | OPEN received, waiting for KEEPALIVE | Authentication failure |
| Established | Session up, routes exchanging | (Working normally) |
Step 1: Check Basic Connectivity
Before debugging BGP, verify Layer 3 reachability:
# Can you reach the peer's BGP address?
ping 10.0.0.2
# Is TCP port 179 open?
nc -zv 10.0.0.2 179
# Is there a firewall blocking?
sudo iptables -L -n | grep 179
If ping works but TCP 179 fails, a firewall is blocking BGP. Check both sides -- the firewall rules must allow TCP 179 in both directions (BGP uses bidirectional TCP).
Step 2: Verify Configuration
The most common configuration errors:
# Check neighbor configuration
show bgp neighbors 10.0.0.2
# Verify these match on BOTH sides:
- Peer IP address
- Local and remote AS numbers
- Authentication password (MD5)
- Source interface / update-source
- TTL (eBGP multihop if not directly connected)
eBGP Multihop
If the peer is not directly connected (e.g., peering via loopback addresses), you need multihop:
# Cisco
neighbor 10.0.0.2 ebgp-multihop 2
# Junos
protocols bgp group PEER neighbor 10.0.0.2 multihop ttl 2
Step 3: Check Authentication
If the session reaches OpenSent but fails, authentication is likely wrong:
# Verify MD5 authentication matches
show bgp neighbors 10.0.0.2 | include authentication
# Common issues:
- Trailing whitespace in password
- Copy-paste encoding issues
- One side has auth, the other does not
MD5 authentication failures produce no useful error -- the TCP connection simply resets.
Step 4: Route Not Being Advertised
Session is Established but routes are missing:
# What are you sending to the peer?
show bgp neighbor 10.0.0.2 advertised-routes
# What is the peer sending you?
show bgp neighbor 10.0.0.2 received-routes
# Is the route in your local BGP table?
show bgp ipv4 unicast 203.0.113.0/24
Common causes:
- Route not in BGP table -- Need to redistribute or use a network statement.
- Outbound filter -- A prefix-list or route-map is blocking the announcement.
- Inbound filter on peer -- The peer's policy is rejecting your route.
- Next-hop unreachable -- The BGP next-hop cannot be resolved in the routing table.
Step 5: Flapping Sessions
If the session keeps going up and down:
- MTU mismatch -- Large BGP UPDATE messages get fragmented and dropped. Test with ping -s 1472 -M do.
- Hold timer expiry -- KEEPALIVEs not arriving. Check CPU utilization on both routers.
- Interface flapping -- Physical or logical interface going up/down.
- Route oscillation -- A route is being repeatedly added and withdrawn, triggering session resets.
# Check for interface flaps
show interface GigabitEthernet0/0 | include changes
show log | include BGP
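To turn the output of show log | include BGP into a flap report, the following added example (not part of the original guide) counts Down transitions per neighbor inside a sliding window and records the logged reason for each. The log lines are constructed samples in the style of Cisco IOS %BGP-5-ADJCHANGE and %BGP-3-NOTIFICATION messages; the ISO timestamp and hostname prefix, the function name find_flapping, and the default window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, shaped like Cisco IOS BGP syslog lines as stored by a
# collector with ISO timestamps (an assumption; adjust the regexes to your format).
SAMPLE_LOG = """\
2024-03-01T10:00:05 rtr1 %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 4/0 (hold time expired) 0 bytes
2024-03-01T10:00:05 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down BGP Notification sent
2024-03-01T10:00:40 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up
2024-03-01T10:03:41 rtr1 %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 4/0 (hold time expired) 0 bytes
2024-03-01T10:03:41 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down BGP Notification sent
2024-03-01T10:04:10 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up
2024-03-01T10:07:12 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down Interface flap
2024-03-01T10:30:00 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.9 Down Peer closed the session
2024-03-01T10:30:20 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.9 Up
"""

ADJ_RE = re.compile(r"^(\S+) \S+ %BGP-5-ADJCHANGE: neighbor (\S+) Down\s*(.*)$")
# NOTIFICATION error code 4, subcode 0 is Hold Timer Expired (RFC 4271).
HOLD_RE = re.compile(r"^(\S+) \S+ %BGP-3-NOTIFICATION: .*neighbor (\S+) 4/0 ")

def find_flapping(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {neighbor: {"downs": n, "reasons": {...}}} for peers whose session
    went Down at least `threshold` times within any `window`."""
    downs = defaultdict(list)   # neighbor -> [(time, reason)]
    hold_expired = set()        # (timestamp, neighbor) pairs with a 4/0 NOTIFICATION
    for line in log_text.splitlines():
        if m := HOLD_RE.match(line):
            hold_expired.add((m.group(1), m.group(2)))
        elif m := ADJ_RE.match(line):
            ts, peer, reason = m.groups()
            # A 4/0 NOTIFICATION logged in the same second names the real cause.
            if (ts, peer) in hold_expired:
                reason = "Hold timer expired"
            downs[peer].append((datetime.fromisoformat(ts), reason or "unknown"))
    flapping = {}
    for peer, events in downs.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                reasons = defaultdict(int)
                for _, r in events:
                    reasons[r] += 1
                flapping[peer] = {"downs": len(events), "reasons": dict(reasons)}
                break
    return flapping
```

A neighbor whose reasons are dominated by hold timer expiry points at the KEEPALIVE and CPU checks above, while "Interface flap" points at the interface counters.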