Unstable BGP & BFDB?

ibmufa · June 16, 2022, 6:55pm

I work in a NOC. Had a customer reporting unstable BGP adjacency. The logs certaily suggested BG was unstable? But when we checked the PE, there were no events showing BGP ever bounced. Only time we saw BGP go down was when the customer admin shut down their BGP/port.

What would cause what they are experiencing yet nothing suggested that at the PE?

And whats the meaning of Peering to x.x.x.x cannot be enabled because EEM is enabled in passive/logging mode only. REGIONAL_EEM_ACTIVE is set to FALSE/SCR/0/1?

See Logs provided below

Jun 14 04:30:55 GMT: %BGP-5-NBR_RESET: Neighbor x.x.x.x reset (BFD adjacency down)
Jun 14 04:30:55 GMT: %BGP-5-ADJCHANGE: neighbor x.x.x.x Down BFD adjacency down
Jun 14 04:30:55 GMT: %BGP_SESSION-5-ADJCHANGE: neighbor x.x.x.x IPv4 Unicast topology base removed from session  BFD adjacency down
Jun 14 04:30:56 GMT: %EEM_T3R_BGP_DOWN-5-LOG: EEM-REG-SLOG-EBGP-Down-B100: BGP peer x.x.x.x changed state to down
Jun 14 04:31:07 GMT: %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_created, neigh x.x.x.x proc:BGP, idb:GigabitEthernet0/0/2 handle:3 act
Jun 14 04:31:07 GMT: %BGP-5-ADJCHANGE: neighbor x.x.x.x Up 
Jun 14 04:31:08 GMT: %EEM_T3R_BGP_UP-5-LOG: EEM-REG-SLOG-EBGP-Up-B100: BGP peer x.x.x.x changed state to up
Jun 14 04:34:27 GMT: %EEM_T3R_PEER_SHUT-1-LOG: EEM-REG-EEM-Activate-B100: Peering to x.x.x.x cannot be enabled because EEM is enabled in passive/logging mode only. REGIONAL_EEM_ACTIVE is set to FALSE/SCR/0/1
Jun 14 04:35:51 GMT: %EEM_T3R_PEER_SHUT-1-LOG: EEM-REG-EEM-Deactivate-B100: Peering to x.x.x.x cannot be shutdown because EEM is enabled in passive/logging mode only. REGIONAL_EEM_ACTIVE is set to FALSE/SCR/1/0
Jun 14 04:37:51 GMT: %EEM_T3R_PEER_SHUT-1-LOG: EEM-REG-EEM-Deactivate-B100: Peering to x.x.x.x cannot be shutdown because EEM is enabled in passive/logging mode only. REGIONAL_EEM_ACTIVE is set to FALSE/SCR/1/0
Jun 14 04:38:21 GMT: %EEM_T3R_PEER_SHUT-1-LOG: EEM-REG-EEM-Activate-B100: Peering to x.x.x.x cannot be enabled because EEM is enabled in passive/logging mode only. REGIONAL_EEM_ACTIVE is set to FALSE/SCR/0/1
Jun 14 04:38:23 GMT: %EEM_T3R_PEER_SHUT-1-LOG: EEM-REG-EEM-Activate-B100: Peering to x.x.x.x cannot be enabled because EEM is enabled in passive/logging mode only. REGIONAL_EEM_ACTIVE is set to FALSE/SCR/0/1
Jun 14 05:11:03 GMT: %BGP-5-NBR_RESET: Neighbor x.x.x.x reset (BFD adjacency down)
Jun 14 05:11:03 GMT: %BGP-5-ADJCHANGE: neighbor x.x.x.x Down BFD adjacency down
Jun 14 05:11:03 GMT: %BGP_SESSION-5-ADJCHANGE: neighbor x.x.x.x IPv4 Unicast topology base removed from session  BFD adjacency down
Jun 14 05:11:04 GMT: %EEM_T3R_BGP_DOWN-5-LOG: EEM-REG-SLOG-EBGP-Down-B100: BGP peer x.x.x.x changed state to down
Jun 14 05:11:20 GMT: %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_created, neigh x.x.x.x proc:BGP, idb:GigabitEthernet0/0/2 handle:3 act
Jun 14 05:11:20 GMT: %BGP-5-ADJCHANGE: neighbor x.x.x.x Up 
Jun 14 05:11:20 GMT: %EEM_T3R_BGP_UP-5-LOG: EEM-REG-SLOG-EBGP-Up-B100: BGP peer x.x.x.x changed state to up
Jun 14 05:14:42 GMT: %EEM_T3R_PEER_SHUT-1-LOG: EEM-REG-EEM-Activate-B100: Peering to x.x.x.x cannot be enabled because EEM is enabled in passive/logging mode only. REGIONAL_EEM_ACTIVE is set to FALSE/SCR/0/1
Jun 14 05:18:46 GMT: %BGP-5-NBR_RESET: Neighbor x.x.x.x reset (BFD adjacency down

Thanks in Advance

lagapidis · June 19, 2022, 6:11am

Hello ibmufa

There are several things in play here. First of all, your customer reported an unstable BGP adjacency. How did they come to that conclusion? If the PE has no logged BGP-related events, then the BGP adjacency is not unstable. Ask them first what symptoms they saw to make them conclude that the adjacency is unstable. That way you can make your own judgment on what the root of the problem is.

Secondly, concerning the Syslogs you shared, from what device are these logs? From the PE router? You mentioned that the PE router had no indication of a BGP-related failure, however here we clearly see that BGP peerings are failing and reestablishing. (I’m assuming you have sanitized the output with the x.x.x.x and that is not what is found in the original logs, correct?)

Now to examine what is actually happening in the logs. Here we can see that there is an EEM script in play. EEM is the Cisco IOS Embedded Event Manager, which is a scripting tool that lets you perform actions automatically on an IOS device based on certain events like CLI messages, Syslog messages, and others. You can find out more about EEM scripting at the following lesson:

We also see that BFD is in play as well, which may affect the operation of BGP. Now in order to fully understand what is happening, it would be helpful to see the EEM script that has been created that responds to the state of the BGP peering. That way we can determine exactly what is happening and what is actually triggering these changes.

Can you examine the EEM script that is configured on the device and clarify the situation with the original symptoms that the customer is experiencing so that we can help you further?

I hope this has been helpful!

Laz

ibmufa · July 22, 2022, 3:09am

I am sorry for the late response!

Those logs were from the customer router . Nothing in the PE logs. And yes, tried to santize And thanks for the link

lagapidis · July 26, 2022, 5:00am

Hello Itai

Any other information about the EEM script or the BFD implementation? Also, what device does the x.x.x.x address belong to?

Laz