BGP neighbor/configuration testing

Chuck Anderson cra at WPI.EDU
Mon Nov 25 23:37:49 UTC 2013

When you say "no logged error" with mismatched neighbor IP address,
what do you mean?  Did the session just not establish at all?  How
long did you wait for it to attempt to establish?

On Juniper, if it sees a BGP connection come from an IP address that
doesn't match a local "neighbor" statement, it will send a BGP
Notification, code 2 (Open Message Error), subcode 5 (authentication
failure), which is exactly what you are seeing.

If one side is using a loopback IP instead of a physical IP for the
local-address, that would cause both a multihop/TTL issue and a
neighbor IP mismatch.

Another possibility is if you have exceeded the max prefix limit for
the session.  One side will get stuck in Idle state which may cause
the other side to send the same "authentication failure" notification.

On Mon, Nov 25, 2013 at 03:07:28PM -0800, Eric A Louie wrote:
> All Cisco/Cisco, I don't have a Juniper here to test with
> mismatch AS
> *Apr  9 00:31:47.691: %BGP-3-NOTIFICATION: received from neighbor 2/2 (peer in wrong AS) 2 bytes 6A39
> mismatch neighbor IP address
> no logged error
> MTU mismatch
> no logged error, session remained up
> Subnet mask mismatch
> session remained up, no logged error
> I haven't created the multihop scenario to see the error messages.
> None of these issues caused the (authentication failure).
> >________________________________
> > From: Chuck Anderson <cra at WPI.EDU>
> >To: nanog at 
> >Sent: Monday, November 25, 2013 11:10 AM
> >Subject: Re: BGP neighbor/configuration testing
> > 
> >
> >Authentication failure might mean (without knowing for sure which on
> >Cisco):
> >
> >- mismatch AS numbers
> >- mismatch neighbor IP addresses
> >- multihop/TTL issues
> >- MTU issues

More information about the NANOG mailing list