BGP Routes are Not Injected into the Routing Table

Symptom

Environment

Cause

This issue is typically noticed when the Palo Alto Networks firewall has established EBGP and IBGP connectivity between 2 routers and is advertising the routes learned from the EBGP peer to its IBGP peer. By default, when a route is advertised to an EBGP peer outside of an AS, the router makes sure that the next-hop attribute reflects its own IP address. Since BGP is an AS-by-AS routing protocol, the next-hop value of a BGP network advertisement that leaves an AS is the IP address of the router at the exit point from that AS.

When this route is advertised to an IBGP peer, the next-hop attribute remains the same (because it is not crossing another AS). Usually, the router inside the AS does not have a route to the external IP address in the next-hop attribute. Since these routers do not know where this next hop is (they are not directly connected to it), and BGP only selects a path with a reachable next hop, the routes advertised by the Palo Alto Networks firewall's EBGP peer never get installed in the routing table.

Resolution

  1. Configure the Palo Alto Networks firewall to advertise the next-hop value as its IP address to the IBGP peers using

GUI: Network > Virtual Routers > (VR-name) > BGP > Peer Group >


  1. Click on the Peer configured for IBGP to open the window.

  2. Select the Use Self radio button for the Export Next Hop configuration.

The above configuration ensures that routes advertised to the IBGP neighbor carry the IP address of the Palo Alto Networks firewall as the next hop, and not the IP address of the EBGP neighbor that originally advertised the route. This prevents potential routing black holes because the next hop is now reachable.
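The following Python model is an added example, not Palo Alto Networks code. It shows the next-hop reachability check that an IBGP receiver applies, first with the EBGP peer's address left in the next-hop attribute and then with Export Next Hop set to Use Self. All addresses, prefixes and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample topology (documentation address ranges, not from the article):
#   EBGP peer 203.0.113.1 --- firewall 10.0.0.1 --- internal IBGP router
EBGP_PEER = "203.0.113.1"
FIREWALL = "10.0.0.1"

# Internal router's routing table before BGP: only the link to the firewall.
INTERNAL_RIB = ["10.0.0.0/24"]

# Prefixes the firewall learned from its EBGP peer.
LEARNED = ["198.51.100.0/24", "192.0.2.0/24"]


def advertise_to_ibgp(prefixes, ebgp_next_hop, self_ip, use_self):
    """Build the updates the firewall sends to its IBGP peer.

    use_self=False models the unchanged next hop described under Cause;
    use_self=True models Export Next Hop = Use Self.
    """
    next_hop = self_ip if use_self else ebgp_next_hop
    return [{"prefix": p, "next_hop": next_hop} for p in prefixes]


def next_hop_reachable(next_hop, rib):
    """True if any route in the receiver's table covers the next-hop address."""
    addr = ipaddress.ip_address(next_hop)
    return any(addr in ipaddress.ip_network(net) for net in rib)


def install(updates, rib):
    """Split received prefixes into installed and not installed."""
    installed, not_installed = [], []
    for u in updates:
        target = installed if next_hop_reachable(u["next_hop"], rib) else not_installed
        target.append(u["prefix"])
    return installed, not_installed


if __name__ == "__main__":
    for use_self in (False, True):
        updates = advertise_to_ibgp(LEARNED, EBGP_PEER, FIREWALL, use_self)
        installed, not_installed = install(updates, INTERNAL_RIB)
        print(f"use_self={use_self}: installed={installed} not_installed={not_installed}")
```

With the next hop unchanged, both prefixes stay out of the internal router's routing table; with Use Self, both are installed because 10.0.0.1 is covered by a connected route.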

Note

If route filtering is needed, use Import and Export filters to configure it.

Additional Information

There are a few other reasons for a route not being in the routing table, such as the routing table being full, or the Install Route option under Network > Virtual Routers > (VR-name) > BGP > General > Options being unchecked.