BGP Failing with 'error code 6 subcode 5 (Connection rejected)'

Symptom

This article focuses on explaining the meaning of 'error subcode 5 (Connection rejected)' while establishing BGP between two firewalls.

Excerpt from RFC:

If a BGP speaker decides to disallow a BGP connection (e.g., the peer is not configured locally) after the speaker accepts a transport protocol connection, then the BGP speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode "Connection Rejected".

This means that after the initial TCP handshake between the BGP peers, when peer A receives an OPEN message from peer B and does not recognize peer B, it sends a NOTIFICATION message with the Subcode "Connection Rejected".

Environment

Cause

Assume the following topology:

PA-1 (192.168.30.1)  -----  (192.168.30.2) PA-2

PA-2 has a misconfigured peer IP address: it is configured as 192.168.30.3 instead of 192.168.30.1.


As soon as PA-2 (192.168.30.2) receives an OPEN message from PA-1, it sends a NOTIFICATION message:


PA-1 shows this NOTIFICATION message being received, along with the error code, in routed.log:

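The following is an added example, not part of the original article or of any vendor tooling. It decodes a BGP NOTIFICATION message as it would appear in a packet capture and maps error code 6 subcode 5 to its name. The helper open_source_is_known is a hypothetical, simplified model of the receiver's peer check, and the sample bytes are constructed for this topology.

```python
import ipaddress
import struct

# Error codes from RFC 4271; Cease subcodes from RFC 4486.
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
CEASE_SUBCODES = {1: "Maximum Number of Prefixes Reached",
                  2: "Administrative Shutdown", 3: "Peer De-configured",
                  4: "Administrative Reset", 5: "Connection Rejected",
                  6: "Other Configuration Change",
                  7: "Connection Collision Resolution",
                  8: "Out of Resources"}
BGP_MARKER = b"\xff" * 16
TYPE_NOTIFICATION = 3


def decode_notification(msg: bytes) -> dict:
    """Decode one BGP NOTIFICATION: 19-byte header, then code, subcode, data."""
    if len(msg) < 21:
        raise ValueError("too short for a BGP NOTIFICATION")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:19])
    if marker != BGP_MARKER:
        raise ValueError("bad BGP marker")
    if msg_type != TYPE_NOTIFICATION:
        raise ValueError(f"not a NOTIFICATION (type {msg_type})")
    if length != len(msg):
        raise ValueError("length field does not match message size")
    code, subcode = msg[19], msg[20]
    sub_name = CEASE_SUBCODES.get(subcode, "unknown") if code == 6 else "n/a"
    return {"code": code, "code_name": ERROR_CODES.get(code, "unknown"),
            "subcode": subcode, "subcode_name": sub_name, "data": msg[21:]}


def open_source_is_known(open_source: str, configured_peers: list) -> bool:
    """Assumed model of the receiver's check: is the OPEN's source configured?"""
    src = ipaddress.ip_address(open_source)
    return any(src == ipaddress.ip_address(p) for p in configured_peers)


# Constructed sample: NOTIFICATION from PA-2 (length 21, type 3, code 6, subcode 5).
SAMPLE = BGP_MARKER + struct.pack("!HBBB", 21, TYPE_NOTIFICATION, 6, 5)

if __name__ == "__main__":
    n = decode_notification(SAMPLE)
    print(f"{n['code']}/{n['subcode']}: {n['code_name']} / {n['subcode_name']}")
    # PA-2 is configured with peer 192.168.30.3, but the OPEN comes from 192.168.30.1.
    print("PA-2 knows PA-1:", open_source_is_known("192.168.30.1", ["192.168.30.3"]))
```

When the decoded result is Cease / Connection Rejected, compare the peer address configured on the device that sent the NOTIFICATION with the address the other device actually sources its BGP session from.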