DEV Community

loading...

PSA: PAN-OS Drops BGP peers with an invalid NLRI / Always filter inbound prefixes from Avi Vantage

Nick Schmidt
I am a network engineer based out of Alaska, pursuing various methods of achieving SRE/NRE
Originally published at blog.engyak.net on ・2 min read

If Avi Vantage IPAM cannot allocate an address for a new vIP, it will advertise an all-zeros host address - 0.0.0.0/32:

This will cause Palo Alto PAN-OS to restart a peer - even if it is not the immediate downstream prefix. Palo Alto uses _ routed _as their dynamic routing engine - so this is probably default behavior inherited from there:

****EXCEPTION 0x4103 - 57 (0000)**** I:008e7cd1 F:00000004qbmlpar2.c 1352 :at 20:54:21, 2 May 2021 (1822572648 ms)UPDATE message contains NLRI of 0.0.0.0.****PROBLEM 0x4102 - 46 (0000)**** I:008e7cd1 F:00000004qbnmmsg.c 1074 :at 20:54:21, 2 May 2021 (1822572648 ms)NM has received an UPDATE message that failed to parse.Entity index = 1Local address = 10.6.64.9Local port = 0Remote address = 10.6.64.12Remote port = 0Scope ID = 0****EXCEPTION 0x4102 - 71 (0000)**** I:008e7cd1 F:00000020qbnmsnd2.c 167 :at 20:54:21, 2 May 2021 (1822572648 ms)A NOTIFICATION message is being sent to a neighbor due to an unexpectedproblem.NM entity index = 1Local address = 10.6.64.9Local port = 0Remote address = 10.6.64.12Remote port = 0Scope ID = 0Remote AS number = 64905Remote BGP ID = 0X0A06400CError code = UPDATE Message Error (3)Error subcode = Invalid Network Field (10)
Enter fullscreen mode Exit fullscreen mode

This could cause a network outage for all subtending networks on this peer. Consider this a friendly reminder to always leverage route filtering between autonomous systems!

Unfortunately, strict import filters on PAN-OS did not resolve this issue.

Discussion (0)