Overview
BGP is the routing protocol that holds the internet together, and the one most likely to cause a major outage if misconfigured. Unlike IGPs, BGP is policy-driven, session-based, and unforgiving of small errors. This guide covers systematic troubleshooting from session establishment through route propagation, followed by hardening best practices for production deployments.
Step 1 - Verify Neighborship
Start every BGP troubleshoot here. Never assume the session is up.
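The session check in this step can be run over captured `show bgp summary` output from many routers. The following is an added Python example, not part of the original guide; the sample rows are constructed and `parse_summary` / `findings` are hypothetical helper names.

```python
import re

# Constructed sample of IOS `show bgp summary` neighbor rows (not from a real device).
SAMPLE = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.2        4        65002    1520    1498       42    0    0 1d02h          118
10.0.0.3        4        65001       0       0        1    0    0 00:03:12 Active
10.0.0.4        4        65001       0       0        1    0    0 never    Idle (Admin)
10.0.0.5        4        65003     310     305       42    0    0 05:11:40         0
"""

# Columns: peer, version, AS, five counters, Up/Down, then State or prefix count.
ROW = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+\d+\s+(?P<asn>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)

def parse_summary(text):
    """Return one dict per neighbor row; 'prefixes' is None unless Established."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        state = m["state"]
        established = state.isdigit()  # a prefix count means the session is up
        peers.append({
            "peer": m["peer"], "asn": int(m["asn"]), "updown": m["updown"],
            "state": "Established" if established else state,
            "prefixes": int(state) if established else None,
        })
    return peers

def findings(peers):
    """Flag sessions that are down, and sessions that are up but receive nothing."""
    out = []
    for p in peers:
        if p["prefixes"] is None:
            out.append((p["peer"], f"session not established ({p['state']})"))
        elif p["prefixes"] == 0:
            out.append((p["peer"], "established but 0 prefixes received"))
    return out

if __name__ == "__main__":
    for peer, msg in findings(parse_summary(SAMPLE)):
        print(peer, msg)
```

A session that is Established with a prefix count of 0 passes this step but belongs to the route advertisement and filtering checks later in the guide.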
```
! Check all BGP neighbors and their state
R1# show bgp summary
R1# show bgp neighbors 10.0.0.2
! Check if TCP 179 session exists
R1# show tcp brief | include 179
! Verify route to peer exists
R1# show ip route 10.0.0.2
! Check BGP process and AS number
R1# show run | section router bgp
```
If stuck in Active state, the most common issue is a missing or wrong update-source. eBGP peers use the directly connected interface by default. iBGP peers using loopbacks must have update-source Loopback0 configured.
```
router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 update-source Loopback0   ! required for iBGP over loopback
 neighbor 10.0.0.2 ebgp-multihop 2           ! required if eBGP over non-direct link
```
Step 2 - Diagnose OPEN Message Failures
If the session reaches OpenSent but drops, it's almost always one of these:
```
! Check for BGP notifications (tells you exactly why session dropped)
R1# show bgp neighbors 10.0.0.2 | include notification|error|hold
! Common errors in output:
! "Notification message sent: hold time expired" -> hold timer too short
! "Notification message sent: Bad AS" -> remote-as mismatch
! "Notification message received: MD5 mismatch" -> password mismatch
! Verify timers match on both sides (or set to 0 to disable hold timer)
router bgp 65001
 neighbor 10.0.0.2 timers 10 30        ! keepalive 10s, hold 30s
 neighbor 10.0.0.2 password MySecret   ! must be identical on both peers
```
Step 3 - Route Advertisement Issues
Session is up but routes are missing. Work through these checks in order.
```
! What routes are we sending to the peer?
R1# show bgp neighbors 10.0.0.2 advertised-routes
! What routes are we receiving from the peer?
! (received-routes requires soft-reconfiguration inbound on the neighbor)
R1# show bgp neighbors 10.0.0.2 received-routes
R1# show bgp neighbors 10.0.0.2 routes   ! received AND passing local policy
! Check if route is in BGP table at all
R1# show bgp 192.168.10.0/24
! If route missing from BGP table entirely -> check network statement
! (IOS does not chain output filters; read the network lines in the section output)
R1# show run | section router bgp
! Route must exist EXACTLY in routing table to be advertised via network statement
R1# show ip route 192.168.10.0 255.255.255.0
```
Common gotcha: A network statement requires an exact match in the IP routing table. If you have network 10.0.0.0 mask 255.255.0.0 but only 10.0.1.0/24 in the RIB, BGP will not advertise it.
```
! Alternative: use redistribution (with a route-map filter!)
router bgp 65001
 redistribute connected route-map CONNECTED_TO_BGP
 redistribute static route-map STATIC_TO_BGP
```
Step 4 - Route Not Installed in RIB
BGP has the route but it's not making it into the routing table.
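The best-path order listed in this step's command notes (weight, local preference, AS path length, origin, MED, eBGP over iBGP, IGP metric), together with the next-hop reachability rule, as an added Python example that is not part of the original guide. It models only the steps the guide lists; the `Path` fields and function names are hypothetical, and the candidate paths are constructed.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}
@dataclass
class Path:
    name: str
    weight: int = 0
    local_pref: int = 100
    as_path: tuple = ()
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    next_hop_reachable: bool = True

def _steps(a, b):
    """Yield (step, value for a, value for b); the lower value wins each step."""
    yield "weight", -a.weight, -b.weight
    yield "local-pref", -a.local_pref, -b.local_pref
    yield "as-path length", len(a.as_path), len(b.as_path)
    yield "origin", ORIGIN_RANK[a.origin], ORIGIN_RANK[b.origin]
    if a.as_path[:1] == b.as_path[:1]:  # MED only between paths from the same AS
        yield "med", a.med, b.med
    yield "ebgp over ibgp", not a.ebgp, not b.ebgp
    yield "igp metric to next-hop", a.igp_metric, b.igp_metric

def better(a, b):
    """Return (winner, deciding step) for two usable paths."""
    for step, va, vb in _steps(a, b):
        if va != vb:
            return (a if va < vb else b), step
    return a, "tie (later tie-breakers not modelled)"

def best_path(paths):
    usable = [p for p in paths if p.next_hop_reachable]  # unreachable = unusable
    if not usable:
        return None, "no path with a reachable next-hop"
    best, why = usable[0], "only usable path"
    for p in usable[1:]:
        best, why = better(best, p)
    return best, why

# Constructed candidates for 10.10.0.0/16 (ASNs are documentation values)
PATHS = [
    Path("short-ebgp", as_path=(64496,)),
    Path("high-weight", weight=32768, as_path=(64497,), next_hop_reachable=False),
    Path("ibgp-lp200", local_pref=200, as_path=(64498, 64499), ebgp=False),
]
```

With `PATHS`, the high-weight path is discarded for its unreachable next-hop before any attribute is compared, and local preference then decides between the remaining two.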
```
! Check BGP table for the prefix: look at the flags
R1# show bgp 10.10.0.0/16
! ">" = best path selected
! "i" = learned via iBGP
! No ">" = not best -> check why
! Common reasons path is not best:
! 1. Weight (Cisco-proprietary, higher = better, local to router)
! 2. Local Preference (higher = better, shared within AS)
! 3. AS Path length (shorter = better)
! 4. Origin code (IGP < EGP < Incomplete)
! 5. MED (lower = better, compared between same AS)
! 6. iBGP vs eBGP (eBGP preferred)
! 7. IGP metric to next-hop
! Check next-hop reachability: BGP routes with unreachable next-hop are unusable
R1# show bgp 10.10.0.0/16 | include Next Hop
R1# show ip route 203.0.113.1   ! verify next-hop is reachable
! iBGP next-hop issue: next-hop-self fixes this
router bgp 65001
 neighbor 10.0.0.3 next-hop-self   ! set yourself as next-hop for iBGP peers
```
Step 5 - Route Filtering Troubleshoot
Prefix lists, route-maps, and communities are silent killers.
```
! Check what route-maps/prefix-lists are applied to the peer
R1# show bgp neighbors 10.0.0.2 | include policy|map|list|filter
! Test a prefix against a prefix-list
R1# show ip prefix-list MYLIST 10.10.0.0/24
! Test a prefix against a route-map
R1# debug ip bgp 10.0.0.2 updates   ! WARNING: verbose, use with caution in prod
R1# undebug all
! Check community values on a prefix
R1# show bgp 10.10.0.0/16 | include Community
```
Step 6 - Convergence and Route Flapping
```
! Check BGP flap history
R1# show bgp neighbors 10.0.0.2 | include flaps|reset|drops
! Check dampening status (if enabled)
R1# show bgp dampened-paths
R1# show bgp flap-statistics
! Clear specific neighbor (soft reset, no session drop)
R1# clear ip bgp 10.0.0.2 soft
R1# clear ip bgp 10.0.0.2 soft in    ! re-apply inbound policy
R1# clear ip bgp 10.0.0.2 soft out   ! re-advertise outbound
```
BGP Best Practices
| Category | Best Practice | Command / Notes |
|---|---|---|
| Security | Always use MD5 authentication | neighbor x.x.x.x password SECRET |
| Security | Enable GTSM (TTL security) | neighbor x.x.x.x ttl-security hops 1 |
| Security | Filter bogons and private ASNs inbound | Use prefix-list + AS-path filter |
| Stability | Set explicit timers | neighbor x.x.x.x timers 10 30 |
| Stability | Use BFD for fast failure detection | neighbor x.x.x.x fall-over bfd |
| Stability | Enable soft-reconfiguration inbound | neighbor x.x.x.x soft-reconfiguration inbound |
| Policy | Always filter with route-maps, not distribute-lists | More flexible, supports communities |
| Policy | Use communities for policy tagging | Scales better than per-peer prefix lists |
| iBGP | Use Route Reflectors instead of full mesh | neighbor x.x.x.x route-reflector-client |
| iBGP | Always set next-hop-self on RR or ASBR | neighbor x.x.x.x next-hop-self |
BGP Hardening - Anti-Spoofing and Prefix Limits
```
! Limit maximum prefixes from a peer (prevents table overflow attacks)
router bgp 65001
 neighbor 10.0.0.2 maximum-prefix 1000 80   ! warn at 80%, drop session at 1000
! Reject private ASNs from eBGP peers
router bgp 65001
 neighbor 10.0.0.2 filter-list 10 in
!
! IOS regex has no {n} repeat count, so the digit classes are written out
ip as-path access-list 10 deny _64[5-9][0-9][0-9]_        ! matches 64500-64999
ip as-path access-list 10 deny _6[5-9][0-9][0-9][0-9]_    ! matches 65000-69999
ip as-path access-list 10 permit .*
! Block bogon prefixes inbound
ip prefix-list BOGONS deny 10.0.0.0/8 le 32
ip prefix-list BOGONS deny 172.16.0.0/12 le 32
ip prefix-list BOGONS deny 192.168.0.0/16 le 32
ip prefix-list BOGONS deny 0.0.0.0/8 le 32
ip prefix-list BOGONS permit 0.0.0.0/0 le 32
!
router bgp 65001
 neighbor 10.0.0.2 prefix-list BOGONS in
```
Quick Reference - BGP Troubleshoot Checklist
| Symptom | First Check | Fix |
|---|---|---|
| Stuck in Active | Route to peer IP, source interface | Add static route, set update-source |
| Session drops repeatedly | show bgp neighbors: notification message | Fix AS, password, or hold timer |
| Routes not advertised | show bgp advertised-routes to peer | Check network stmt, route-map permit |
| Routes received but not in RIB | show bgp prefix: is it best path? | Fix next-hop, weight, local-pref |
| iBGP routes not propagating | Full mesh or RR configured? | Add RR or missing iBGP peers |
| Flapping session | Interface stability, BFD, MTU | Fix physical, tune timers, add BFD |
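
The inbound filters from the BGP Hardening section (prefix-list BOGONS and as-path access-list 10) can be evaluated offline before they are applied to a peer. This added Python example is not part of the original guide: it assumes the two as-path deny patterns are meant to cover 64500-64999 and 65000-69999, emulates the IOS `_` metacharacter, and uses hypothetical function names with constructed routes.

```python
import ipaddress
import re

# The section's BOGONS prefix-list as (action, network, le)
BOGONS = [
    ("deny", "10.0.0.0/8", 32), ("deny", "172.16.0.0/12", 32),
    ("deny", "192.168.0.0/16", 32), ("deny", "0.0.0.0/8", 32),
    ("permit", "0.0.0.0/0", 32),
]
# Deny lines of as-path access-list 10, digit classes written out (assumption)
AS_PATH_DENY = [r"_64[5-9][0-9][0-9]_", r"_6[5-9][0-9][0-9][0-9]_"]
PRIVATE_16BIT = range(64512, 65535)  # private-use ASNs 64512-65534

def prefix_list_action(prefix, entries=BOGONS):
    """First matching entry wins; falling off the end is an implicit deny."""
    p = ipaddress.ip_network(prefix)
    for action, net, le in entries:
        if p.subnet_of(ipaddress.ip_network(net)) and p.prefixlen <= le:
            return action
    return "deny"

def as_path_denied(as_path):
    """Emulate IOS '_' (start, end, space, comma, braces, parentheses)."""
    text = " ".join(str(asn) for asn in as_path)
    return any(re.search(p.replace("_", r"(?:^|$|[ ,{}()])"), text)
               for p in AS_PATH_DENY)

def inbound_verdict(prefix, as_path):
    """Return (accepted, reason) for one received route."""
    if as_path_denied(as_path):
        return False, "filter-list 10"
    if prefix_list_action(prefix) == "deny":
        return False, "prefix-list BOGONS"
    return True, "accepted"

def overmatched(lo=64000, hi=70000):
    """ASNs the two patterns reject although they are not 16-bit private ASNs."""
    return [a for a in range(lo, hi)
            if as_path_denied([a]) and a not in PRIVATE_16BIT]

# Constructed routes (documentation prefixes and ASNs)
ROUTES = [("198.51.100.0/24", [64496, 64497]), ("10.20.0.0/16", [64496]),
          ("203.0.113.0/24", [64496, 64512]), ("0.0.0.0/0", [64496])]

if __name__ == "__main__":
    for prefix, path in ROUTES:
        print(prefix, path, inbound_verdict(prefix, path))
```

Two things this makes visible: the lab peer AS 65002 used throughout this guide is itself rejected by the filter, and 32-bit private ASNs (4200000000-4294967294) are not matched by either pattern. The BOGONS list as written also accepts a default route, so add an explicit deny if the peer should never send one.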