PSA: PAN-OS Drops BGP peers with an invalid NLRI / Always filter inbound prefixes from Avi Vantage
If Avi Vantage IPAM cannot allocate an address for a new vIP, it will advertise an all-zeros host address -
This will cause Palo Alto PAN-OS to restart a peer - even if it is not the immediate downstream prefix. Palo Alto uses routed as their dynamic routing engine - so this is probably default behavior inherited from there:
1**** EXCEPTION 0x4103 - 57 (0000) **** I:008e7cd1 F:00000004 2qbmlpar2.c 1352 :at 20:54:21, 2 May 2021 (1822572648 ms) 3UPDATE message contains NLRI of 0.0.0.0. 4 5**** PROBLEM 0x4102 - 46 (0000) **** I:008e7cd1 F:00000004 6qbnmmsg.c 1074 :at 20:54:21, 2 May 2021 (1822572648 ms) 7NM has received an UPDATE message that failed to parse. 8Entity index = 1 9Local address = 10.6.64.9 10Local port = 0 11Remote address = 10.6.64.12 12Remote port = 0 13Scope ID = 0 14 15**** EXCEPTION 0x4102 - 71 (0000) **** I:008e7cd1 F:00000020 16qbnmsnd2.c 167 :at 20:54:21, 2 May 2021 (1822572648 ms) 17A NOTIFICATION message is being sent to a neighbor due to an unexpected 18problem. 19NM entity index = 1 20Local address = 10.6.64.9 21Local port = 0 22Remote address = 10.6.64.12 23Remote port = 0 24Scope ID = 0 25Remote AS number = 64905 26Remote BGP ID = 0X0A06400C 27Error code = UPDATE Message Error (3) 28Error subcode = Invalid Network Field (10)
This could cause a network outage for all subtending networks on this peer. Consider this a friendly reminder to always leverage route filtering between autonomous systems!
Unfortunately, strict import filters on PAN-OS did not resolve this issue.