the topology is so simple, 2 Switches are running VRRP and use VRRP virtual IP address to establish BGP peer with a Router, and configure MD5 authentication for BGP.
but we found that the Routes show "BGP MD5 Auth error" on it, and after configure the command“peer listen-only" on the VRRP Slave switch, the error message terminated.
the analysis for this issue is below:
The root cause for the “BGP MD5 Auth error" is that VRRP slave couldn’t receive TCP response packets from peer device, so VRRP slave will try to send TCP request packets with MD5 digest continuously. And peer device only can response packets to VRRP master, since VRRP Master and VRRP Slave were using different source TCP port, so VRRP Master will verify the packets failed when it received the packets which should be sent to VRRP Slave.
If VRRP Master verified the packet failed, VRRP will notice the peer device, in this case, peer device will get the error message “BGP MD5 Auth error”.
after cutomer configure "peer linten-only" on VRRP Slave switch, the slave switch will stop sending TCP packets. and the error message will terminated.
