Saturday, August 29, 2020

Palo Alto firewall - How to Restart/Refresh (soft reset) BGP Sessions


Restarting a BGP session tears the session down and rebuilds the BGP routing table from scratch (intrusive). Refreshing a session keeps it up and asks the peer to re-advertise its routes, so new or changed routes and policy are picked up without dropping the peering (non-intrusive).

In Cisco terminology, restarting a BGP session is a hard reset and refreshing a BGP session is a soft reset.

Hard reset—A hard reset tears down the specified peering sessions including the TCP connection and deletes routes coming from the specified peer.

Soft reset—A soft reset reapplies BGP policy and rebuilds the BGP routing tables without tearing down the existing peering session. Cisco's soft reconfiguration does this from stored inbound update information, at the cost of additional memory for storing the updates, and can be configured for inbound or outbound sessions. The PAN-OS refresh instead sends a ROUTE-REFRESH request (RFC 2918) to the peer, as the command output below shows, so nothing has to be stored locally, but the peer must have negotiated the route-refresh capability.

To restart or refresh BGP sessions, run the following operational-mode commands:

For the local BGP instance (affects every peer on the virtual router):
> test routing bgp virtual-router default restart self   (restarts the local BGP instance, i.e. all sessions)

admin@firewall> test routing bgp virtual-router default restart self

Waiting for shutdown BGP local instance for virtual-router default...timeout.
Restarting BGP local instance for virtual-router default ...done.

> test routing bgp virtual-router default refresh self   (refreshes the local BGP instance without dropping sessions)


For a single peer (use the peer name as configured on the firewall):
> test routing bgp virtual-router default restart peer <peer-name>  (restarts only that peer's session)

admin@firewall(active)> test routing bgp virtual-router default restart peer aws_transit_gateway1

waiting for shutdown BGP peer aws_transit_gateway1...
waiting for bring up BGP peer aws_transit_gateway1...
Restart BGP session with peer aws_transit_gateway1 for virtual-router default performed.

> test routing bgp virtual-router default refresh peer <peer-name>  (sends a route-refresh request to that peer only)

admin@firewall(active)> test routing bgp virtual-router default refresh peer aws_transit_gateway1

Send BGP refresh request to peer aws_transit_gateway1 for virtual-router default.


Note: these are operational-mode commands, not configure-mode commands, and they must be run from an administrator account whose role permits them. Restarting the local instance affects every peer on the virtual router, so prefer the per-peer form when only one session is in trouble.


To check the BGP routes sent to a BGP peer (for example, to confirm that the advertised set is unchanged after a refresh):

admin@firewall1(active)> show routing protocol bgp
> loc-rib          Show BGP local-rib
> loc-rib-detail   Show BGP local-rib
> peer             Show BGP peer status
> peer-group       Show BGP peer group status
> policy           Show BGP route-map status
> rib-out          Show BGP routes sent to BGP peer
> rib-out-detail   Show BGP routes sent to BGP peer
> summary          Show BGP summary information

admin@firewall1(active)> show routing protocol bgp rib-out


VIRTUAL ROUTER: default (id 1)
  ==========
  Prefix          Nexthop          Peer                  Originator  Adv Status  Aggr Status      AS-Path
  10.6.0.0/16     169.254.44.118   aws_transit_gateway1  0.0.0.0     advertised  aggregate route  6363
  10.16.60.0/24   169.254.44.118   aws_transit_gateway1  0.0.0.0     advertised  no aggregation   6363

total routes shown: 2
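As an added example (not code from the original post), the following Python helper parses the `rib-out` output above so that the set of prefixes advertised to a peer can be compared before and after a refresh or restart. The sample text is constructed from the listing on this page, the function names are this example's own, and it assumes that Aggr Status is the only multi-word column and that AS-Path is a trailing run of numeric ASNs, as in the sample.

```python
"""Parse 'show routing protocol bgp rib-out' output and verify the routes
advertised to a peer, e.g. before and after a 'refresh peer'.

Added example, not code from the original post. Sample text is constructed
from the rib-out listing on the page; helper names are this example's own.
Assumption: Aggr Status is the only multi-word column and AS-Path is a
trailing run of numeric ASNs (as in the sample)."""
import re
from dataclasses import dataclass

# Constructed from the page's rib-out output (not a live capture).
RIB_OUT_BEFORE = """\
VIRTUAL ROUTER: default (id 1)
  ==========
  Prefix          Nexthop          Peer                  Originator  Adv Status  Aggr Status      AS-Path
  10.6.0.0/16     169.254.44.118   aws_transit_gateway1  0.0.0.0     advertised  aggregate route  6363
  10.16.60.0/24   169.254.44.118   aws_transit_gateway1  0.0.0.0     advertised  no aggregation   6363

total routes shown: 2
"""

# Constructed "after" capture with one prefix gone, to show the diff.
RIB_OUT_AFTER = """\
VIRTUAL ROUTER: default (id 1)
  ==========
  Prefix          Nexthop          Peer                  Originator  Adv Status  Aggr Status      AS-Path
  10.6.0.0/16     169.254.44.118   aws_transit_gateway1  0.0.0.0     advertised  aggregate route  6363

total routes shown: 1
"""


@dataclass(frozen=True)
class RibOutEntry:
    vr: str
    prefix: str
    nexthop: str
    peer: str
    originator: str
    adv_status: str
    aggr_status: str
    as_path: tuple


def parse_rib_out(text):
    """Return one RibOutEntry per route line; header/summary lines are skipped."""
    entries, vr = [], None
    for line in text.splitlines():
        m = re.match(r"\s*VIRTUAL ROUTER:\s+(\S+)", line)
        if m:
            vr = m.group(1)
            continue
        tokens = line.split()
        # Route lines start with a prefix in CIDR form; anything else is
        # the column header, the ==== separator, a blank line or the total.
        if len(tokens) < 6 or not re.fullmatch(r"[0-9a-fA-F:.]+/\d+", tokens[0]):
            continue
        prefix, nexthop, peer, originator, adv = tokens[:5]
        rest = tokens[5:]
        # AS-Path is the trailing run of numeric tokens; whatever sits
        # between Adv Status and the AS path is the multi-word Aggr Status.
        as_path = []
        while rest and rest[-1].isdigit():
            as_path.insert(0, int(rest.pop()))
        entries.append(RibOutEntry(vr, prefix, nexthop, peer, originator,
                                   adv, " ".join(rest), tuple(as_path)))
    return entries


def advertised_prefixes(entries, peer):
    """Prefixes whose Adv Status is 'advertised' towards the given peer."""
    return {e.prefix for e in entries if e.peer == peer and e.adv_status == "advertised"}


def check_advertisements(entries, peer, expected):
    """Compare what is advertised to `peer` with the expected prefix list.
    Returns (missing, unexpected), both sorted; two empty lists mean a match."""
    got = advertised_prefixes(entries, peer)
    return sorted(set(expected) - got), sorted(got - set(expected))


def diff_rib_out(before, after):
    """Entries that disappeared / appeared between two captures."""
    b, a = set(before), set(after)
    return (sorted(b - a, key=lambda e: (e.peer, e.prefix)),
            sorted(a - b, key=lambda e: (e.peer, e.prefix)))


if __name__ == "__main__":
    peer = "aws_transit_gateway1"
    before = parse_rib_out(RIB_OUT_BEFORE)
    after = parse_rib_out(RIB_OUT_AFTER)
    print("advertised before refresh:", sorted(advertised_prefixes(before, peer)))
    missing, unexpected = check_advertisements(after, peer, ["10.6.0.0/16", "10.16.60.0/24"])
    print("missing after refresh:", missing, "unexpected:", unexpected)
    gone, new = diff_rib_out(before, after)
    print("withdrawn:", [e.prefix for e in gone], "new:", [e.prefix for e in new])
```

In practice, capture `show routing protocol bgp rib-out` into a file before the refresh, again afterwards, and feed both captures to `diff_rib_out`; a non-empty "withdrawn" list after a refresh means the peer or the firewall's export policy changed what is advertised, not just the session state.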

