BGP neighbor/configuration testing

John Stuppi (jstuppi) jstuppi at
Mon Nov 25 19:00:53 UTC 2013

Here are a couple of examples of syslog messages that could be seen depending on the configuration of the MD5 passwords on each side:

Troubleshooting Examples

If BGP neighbor authentication is incorrectly configured (for example, it is either configured on only one peer or the MD5 shared secret (password) does not match on both peers), the following types of syslog messages will be generated:

No Password Set on Remote Peer

    Dec 3 15:01:52: %TCP-6-BADAUTH: 
    No MD5 digest from to

Incorrect Password Set on Remote Peer

    Dec 3 15:01:57: %TCP-6-BADAUTH: 
    Invalid MD5 digest from to


"We can't help everyone, but everyone can help someone."


John Stuppi, CISSP
Technical Leader
Strategic Security Research
jstuppi at
Phone: +1 732 516 5994
Mobile: 732 319 3886

CCIE, Security - 11154
Cisco Systems
Mail Stop INJ01/2/ 
111 Wood Avenue South 
Iselin, New Jersey 08830
United States

Think before you print.
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
For corporate legal information go to:

-----Original Message-----
From: Daniel Rohan [mailto:drohan at] 
Sent: Monday, November 25, 2013 1:56 PM
To: Eric A Louie
Cc: nanog at
Subject: Re: BGP neighbor/configuration testing

Seems like:

> Nov 25 06:28:34.837 pacific: %BGP-3-NOTIFICATION: received from 
> neighbor
> xxx.118.92.149 2/5 (authentication failure) 0 bytes

should be a good starting place. I'm assuming you've already discussed auth keys with your provider and if everyone is putting that in correctly, I'd suggest turning on debugging to see what exactly that message is all about.


More information about the NANOG mailing list