PSA: PAN-OS Drops BGP peers with an invalid NLRI / Always filter inbound prefixes from Avi Vantage

If Avi Vantage IPAM cannot allocate an address for a new vIP, it will advertise an all-zeros host address - 0.0.0.0/32:

BGP Packet Capture

This will cause Palo Alto PAN-OS to restart a peer - even if it is not the immediate downstream prefix. Palo Alto uses routed as its dynamic routing engine, so this is probably default behavior inherited from there:

    **** EXCEPTION   0x4103 - 57   (0000) **** I:008e7cd1 F:00000004
    qbmlpar2.c 1352 :at 20:54:21, 2 May 2021 (1822572648 ms)
    UPDATE message contains NLRI of 0.0.0.0.

    **** PROBLEM     0x4102 - 46   (0000) **** I:008e7cd1 F:00000004
    qbnmmsg.c 1074 :at 20:54:21, 2 May 2021 (1822572648 ms)
    NM has received an UPDATE message that failed to parse.
    Entity index               = 1
    Local address              = 10.6.64.9
    Local port                 = 0
    Remote address             = 10.6.64.12
    Remote port                = 0
    Scope ID                   = 0

    **** EXCEPTION   0x4102 - 71   (0000) **** I:008e7cd1 F:00000020
    qbnmsnd2.c 167 :at 20:54:21, 2 May 2021 (1822572648 ms)
    A NOTIFICATION message is being sent to a neighbor due to an unexpected
    problem.
    NM entity index       = 1
    Local address         = 10.6.64.9
    Local port            = 0
    Remote address        = 10.6.64.12
    Remote port           = 0
    Scope ID              = 0
    Remote AS number      = 64905
    Remote BGP ID         = 0X0A06400C
    Error code            = UPDATE Message Error (3)
    Error subcode         = Invalid Network Field (10)

This could cause a network outage for all subtending networks on this peer. Consider this a friendly reminder to always leverage route filtering between autonomous systems!

Unfortunately, strict import filters on PAN-OS did not resolve this issue.
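
An added example, not from the original post or from either vendor: a Python check that decodes the NLRI field of a captured BGP UPDATE and flags any non-default prefix whose network address is 0.0.0.0, which includes the 0.0.0.0/32 described above. The message bytes are constructed; AS 64905 and 10.6.64.12 come from the log above, while 10.6.70.10/32 and all function names are assumptions, and only plain IPv4 NLRI (no ADD-PATH or multiprotocol attributes) is handled.

```python
import ipaddress
import struct

def parse_prefixes(buf):
    """Decode IPv4 (length-in-bits, prefix-bytes) entries, RFC 4271 section 4.3."""
    out, i = [], 0
    while i < len(buf):
        bits, nbytes = buf[i], (buf[i] + 7) // 8
        if bits > 32 or i + 1 + nbytes > len(buf):
            raise ValueError(f"malformed prefix at offset {i}")
        raw = buf[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        out.append(ipaddress.IPv4Network((raw, bits), strict=False))
        i += 1 + nbytes
    return out

def update_nlri(msg):
    """Return the NLRI prefixes of one complete BGP UPDATE (header included)."""
    if len(msg) < 23 or msg[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 2 or length != len(msg):          # type 2 = UPDATE
        raise ValueError("not a complete UPDATE")
    attr_off = 21 + struct.unpack("!H", msg[19:21])[0]   # skip withdrawn routes
    if attr_off + 2 > length:
        raise ValueError("withdrawn-routes length overruns message")
    nlri_off = attr_off + 2 + struct.unpack("!H", msg[attr_off:attr_off + 2])[0]
    if nlri_off > length:
        raise ValueError("path-attribute length overruns message")
    return parse_prefixes(msg[nlri_off:])

def zero_network_nlri(msg):
    """Prefixes whose network address is 0.0.0.0 but that are not the default route."""
    zero = ipaddress.IPv4Address("0.0.0.0")
    return [p for p in update_nlri(msg)
            if p.prefixlen > 0 and p.network_address == zero]

def sample_update():
    """Constructed UPDATE: AS 64905, next hop 10.6.64.12, two /32 NLRI entries."""
    attrs = (bytes([0x40, 1, 1, 0])                                  # ORIGIN IGP
             + bytes([0x40, 2, 4, 2, 1]) + struct.pack("!H", 64905)  # AS_PATH
             + bytes([0x40, 3, 4]) + ipaddress.IPv4Address("10.6.64.12").packed)
    nlri = bytes([32, 10, 6, 70, 10]) + bytes([32, 0, 0, 0, 0])
    body = struct.pack("!H", 0) + struct.pack("!H", len(attrs)) + attrs + nlri
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body

if __name__ == "__main__":
    for prefix in zero_network_nlri(sample_update()):
        print("invalid NLRI in UPDATE:", prefix)
```

Fed the UPDATE payloads extracted from a capture on the peering link, this identifies the offending advertisement without waiting for the NOTIFICATION shown in the log.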