BGP Notification Message

A BGP notification message is sent when an error condition is detected by the BGP process. The TCP connection with that BGP peer is closed after sending the notification message. Usually, the BGP process will log this notification in syslog, which would help us to identify the reason why the BGP session was brought down.

This post discusses the BGP notification message format along with its error codes and subcodes.

Notification Message format:

BGP header (fixed 19 bytes, containing the marker, length and type fields) + Notification message [Error + Error subcode + Data field (variable length)]. The Data field depends on the Error and Error subcode.

When a notification is received or sent, a BGP syslog message is displayed on the console/vty line as below (from a Dell switch):

STKUNIT0-M:CP %BGP-5-ADJCHANGE: VRF default Connection with neighbor 3.3.3.1 closed. Bad Peer AS received

In addition to syslog, Dell switches running FTOS would log the notification history in raw hex format in the output of “show ip bgp neighbor x.x.x.x” command. Due to limited logging buffer space, BGP notification logs might have been overwritten by other syslog messages. In those cases, to troubleshoot and identify the root cause of any outage caused by BGP flap, this raw hex output in the show command would be helpful.

Dell#Show ip bgp neighbor
<snip>
 Last reset 00:01:47, due to Maximum prefix limit reached
 Notification History
 'Connection Reset' Sent : 34 Recv : 0
 Last notification (len 21) sent 00:01:47 ago
 ffffffff ffffffff ffffffff ffffffff 00150306 01000000

Decoding Hex dump: BGP Header + Notification message:

BGP Header: Marker (ffffffff ffffffff ffffffff ffffffff)
Length: 0x0015 = 21
Message Type: 0x03 = Notification
Error: 0x06 = Cease
Error Subcode: 0x01 = There is no subcode for cease error
Data: set to zeros.

Last notification (len 23) received 00:00:10 ago
 ffffffff ffffffff ffffffff ffffffff 00170302 02fe1400

BGP Header: Marker (ffffffff ffffffff ffffffff ffffffff)
Length: 0x0017 = 23
Message Type: 0x03 = Notification
Error: 0x02 = OPEN message error
Error Subcode: 0x02 = Bad Peer AS
Data: 0xfe14 = Inform peer that they use 65044 as their AS, which is wrong.

The following table lists the BGP notification error codes and subcodes.

Error Code: 1 - Message Header Error
Error Subcodes:
1 – Connection Not Synchronized
2 – Bad Message Length
3 – Bad Message Type
When is this notification sent: Discussed in RFC-4271, Section-6.1.

Error Code: 2 - OPEN Message Error
Error Subcodes:
1 – Unsupported Version
2 – Bad Peer AS
3 – Bad BGP Identifier
4 – Unsupported Optional Parameter
5 – Authentication Failure
6 – Unacceptable Hold Time
When is this notification sent: Discussed in RFC-4271, Section-6.2.

Error Code: 3 - UPDATE Message Error
Error Subcodes:
1 – Malformed Attribute List
2 – Unrecognized Well-known Attribute
3 – Missing Well-known Attribute
4 – Attribute Flags Error
5 – Attribute Length Error
6 – Invalid ORIGIN Attribute
7 – AS Routing Loop
8 – Invalid NEXT_HOP Attribute
9 – Optional Attribute Error
10 – Invalid Network Field
11 – Malformed AS_PATH
When is this notification sent: Discussed in RFC-4271, Section-6.3.

Error Code: 4 - Hold Timer Expired
Error Subcodes: No Subcode
When is this notification sent: When the HOLD down timer expires.

Error Code: 5 - Finite State Machine Error
Error Subcodes: No Subcode
When is this notification sent: Any error detected by the BGP Finite State Machine.

Error Code: 6 - Cease
Error Subcodes: No Subcode
When is this notification sent: When the prefixes advertised by a neighbor reach the configured maximum-prefix limit, the BGP neighbor is brought down by sending this notification message.
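The manual decode of the "Last notification" hex dump shown above can be scripted. The following is an added example, not part of the original post and not Dell's code; the function name decode_notification is hypothetical, and it assumes that bytes printed beyond the header's length field are padding to a 4-byte word.

```python
import struct

# Error and subcode names as listed in the table in this post (RFC 4271).
ERRORS = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
          4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}
SUBCODES = {
    1: {1: "Connection Not Synchronized", 2: "Bad Message Length", 3: "Bad Message Type"},
    2: {1: "Unsupported Version", 2: "Bad Peer AS", 3: "Bad BGP Identifier",
        4: "Unsupported Optional Parameter", 5: "Authentication Failure",
        6: "Unacceptable Hold Time"},
    3: {1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
        3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
        5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute", 7: "AS Routing Loop",
        8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
        10: "Invalid Network Field", 11: "Malformed AS_PATH"},
}
HEADER_LEN, NOTIFICATION = 19, 3

def decode_notification(hex_dump):
    """Decode the hex words printed under 'Last notification' into named fields."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < HEADER_LEN + 2:
        raise ValueError("dump shorter than header + error code + subcode")
    marker, length, msg_type = struct.unpack("!16sHB", raw[:HEADER_LEN])
    if marker != b"\xff" * 16:
        raise ValueError("marker is not all ones")
    if msg_type != NOTIFICATION:
        raise ValueError(f"message type {msg_type} is not NOTIFICATION (3)")
    if not HEADER_LEN + 2 <= length <= len(raw):
        raise ValueError(f"length field {length} does not fit the dump")
    code, subcode = raw[19], raw[20]
    data = raw[21:length]  # assumption: bytes past 'length' are word padding
    result = {"length": length, "error": ERRORS.get(code, f"Unknown ({code})"),
              "subcode": subcode,
              "subcode_name": SUBCODES.get(code, {}).get(subcode),  # None: not in the table
              "data": data.hex()}
    # The post reads the 2-byte data of OPEN error / Bad Peer AS as the AS number.
    if (code, subcode) == (2, 2) and len(data) == 2:
        result["peer_as"] = int.from_bytes(data, "big")
    return result

if __name__ == "__main__":
    # The two dumps shown in this post.
    for dump in ("ffffffff ffffffff ffffffff ffffffff 00150306 01000000",
                 "ffffffff ffffffff ffffffff ffffffff 00170302 02fe1400"):
        print(decode_notification(dump))
```

Subcodes that the table above does not name are returned as the raw number with subcode_name set to None, so nothing is guessed for them.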