Problem and solution when BGP peer cannot be established


The BGP peer establishment on the firewall needs to use port 179 to establish TCP sessions and requires that OPEN messages be properly exchanged. Perform as follows to rectify the issue:

1. Check whether the AS number and IP address among peers are correct by using the display bgp peer command.
2. Check whether the router IDs configured on both BGP peers are conflicting by using the display bgp peer command.
3. If the loopback interface is used, check whether the peer connect-interface command is configured to specify the loopback interface as the source interface for sending BGP packets.
4. If EBGP neighbors are not directly connected to the physical layer, check whether the peer ebgp-max-hop command is configured.
5. Check whether there are available routes to the peer in the routing table.
6. Check whether there are reachable routes to the specified connect-interface by using the ping -a source-ip-address host-address command.
7. Check whether the ACL that is used to disable TCP port 179 is configured.

Other related questions:
Meanings of BGP peer status
In addition to the common Idle and Established status, BGP peer also has the following status: 1. active: indicates that the TCP connection of the BGP session has not been established. 2. no neg: indicates that the negotiation is not performed. If IPv4 Unicast is configured at one end, and IPv4 Unicast and IPv4 Multicast are configured at the other end, after the peer is established, you can discover that IPv4 Unicast negotiation succeeds, and the BGP peer is in Established status. However, the IPv4 Multicast is in no neg status in that IPv4 Multicast is not configured at one end. 3. Idle (Admin): indicates the BGP peer is proactively disabled, and there is no attempt to establish it again. If the peer ignore command is executed, or this peer is set to be down through the MIB, this peer remains in this status.

Problem and solution when the IPSec tunnel cannot be established between the USG6300 and Windows 8 system
The IPSec tunnel established using the Windows 8 dial-up software on the USG6000 is interrupted at a certain interval. You can use other VPN tunnels, such as L2TP.

Problem and solution when a firewall cannot be added to the NMS
To solve the problem that a firewall cannot be added to the NMS (NMS workstation), perform the following steps: 1. Check whether the SNMP settings on the firewall are correct. For example, check whether the SNMP version matches the NMS. 2. Check whether the NMS is reachable to the firewall. 3. Check whether access management in SNMP mode is enabled on the interface connecting the firewall to the NMS. That is, you need to run the service-manage snmp enable command on the interface to allow the peer device to access the firewall in SNMP mode. By default, the SNMP permission of the interface is disabled. In this case, even if the security policy for the interzone between the zone where the interface resides and the Local zone is enabled, you cannot access the device through the interface. This is because that the service-manage function has a higher priority than the security policy. For details, see USG6350 can't add to the NMS server.

Why are loopback addresses used to establish BGP peer relationships
Loopback interfaces are logical interfaces. Compared with physical interfaces, loopback interfaces are not affected by links and can reduce the Border Gateway Protocol (BGP) flapping.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top