EBGP Peers Do Not Establish BGP Connectivity

Symptom

• The Palo Alto Networks firewall and a third party router have been configured to establish EBGP connectivity.

• BGP connectivity does not get established.

• BGP state between the Palo Alto Networks firewall and the router flaps between Idle and Connect.

Environment

• Palo Alto Networks Firewalls

• PAN-OS 8.1 and above.

• BGP connectivity using Multi Hop.

Cause

This issue is commonly seen when the peering of the EBGP is over loopback interfaces and the route to the BGP interface of the BGP peer is a couple of hops away. Discussed below are two such scenarios:

• The third party router’s BGP interface is at least 3 hops away from the Palo Alto Networks firewall.

• The Palo Alto Networks firewall's BGP interface is at least 2 hops away from the third party router.

Resolution

1. Verify the multi hop settings under the firewall and the third party router.

2. By default, the Palo Alto Networks firewall uses a TTL value of 1 for BGP packets when eBGP is configured.  If the route to the peer’s BGP interface is more than 1 hop away, the TTL of the BGP packets becomes 0 before it reaches the peer's BGP interface and gets dropped.

3. The default setting of multihop value of “0” means that the peer is 1 hops away for EBGP. For IBGP connectivity, the default value of 0 indicates multi-hop value is 255. This is documented in Step 7-7 of  Configure BGP  

Configure the appropriate number of hops for each peer using the “multi hop” settings.  On the Web UI of Firewall, the multi-hop settings are configured under:

Network > Virtual routers > BGP > Peer Group > Peer > Multi Hop