BGP unable to establish due to traffic drop on gateway firewall
Article ID: 378369
Products
VMware vDefend Firewall
Issue/Introduction
You are running IPv4 and/or IPv6 BGP to peer with the next-hop router.
You observe BGP down alarms in the NSX-T UI for either IPv4 or IPv6.
You have configured BGP allow rules on the Tier-0 Gateway firewall.
You have configured only IPv4 or only IPv6 (rather than IPv4-IPv6) as the IP protocol for the BGP allow rule, similar to the screenshot below:
When you run get firewall <firewallinterfaceUUID> ruleset rules on the NSX-T Edge CLI, the BGP rule shows either inet or inet6:
Rule : inout inet protocol tcp from any to any port 179 accept
Rule : inout inet6 protocol tcp from any to any port 179 accept
inet in the first rule means that rule matches IPv4 traffic only.
inet6 in the second rule means that rule matches IPv6 traffic only.
NOTE: The preceding CLI output is an example only. Date, time and environment-specific values may vary depending on your environment.
Environment
VMware NSX-T Data Center 4.x
VMware NSX-T Data Center 3.x
Cause
If you are running IPv4 and/or IPv6 BGP and the BGP allow rule on the Tier-0 gateway firewall is not enabled for that IP protocol, the BGP session traffic (TCP port 179) for that address family does not match the allow rule and is dropped by the gateway firewall. See Documentation for reference.
Resolution
If you are using IPv4 only then set the IP protocol to IPv4 only.
If you are using IPv6 only then set the IP protocol to IPv6 only.
If you are using both then set the IP protocol to IPv4-IPv6.
See Documentation for creating a Gateway Firewall Policy and Rule for reference.
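The following is an added example, not code from the article or from VMware. It parses ruleset output of the form shown in the Issue section, reports the first-match verdict for TCP port 179 in each address family you peer over, and builds the Policy API Rule body that the Resolution section asks for (IP protocol set to IPV4, IPV6 or IPV4_IPV6). The sample ruleset text is constructed to mirror the two rule lines quoted above plus default drop rules; the tier-0 path, policy ID and rule ID in the generated body are placeholders, not values from the article.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample of `get firewall <interface-uuid> ruleset rules` output,
# modelled on the two rule lines quoted in the article (not a real capture).
SAMPLE_RULESET = """\
Rule : inout inet protocol tcp from any to any port 179 accept
Rule : inout inet6 protocol tcp from any to any port 179 accept
Rule : inout inet protocol any from any to any drop
Rule : inout inet6 protocol any from any to any drop
"""

# Same edge, but the BGP allow rule was created with IP protocol = IPv4 only,
# so IPv6 BGP falls through to the constructed default drop rule.
SAMPLE_RULESET_V4_ONLY = """\
Rule : inout inet protocol tcp from any to any port 179 accept
Rule : inout inet protocol any from any to any drop
Rule : inout inet6 protocol any from any to any drop
"""

# Lenient match on the rule line format; the "port" clause is optional.
RULE_RE = re.compile(
    r"Rule\s*:\s*(?P<direction>in|out|inout)\s+(?P<family>inet6?)\s+"
    r"protocol\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<port>\S+))?\s+(?P<action>accept|drop|reject)"
)

BGP_PORT = "179"
FAMILY_NAME = {"inet": "IPv4", "inet6": "IPv6"}


@dataclass(frozen=True)
class Rule:
    direction: str
    family: str            # "inet" = IPv4 only, "inet6" = IPv6 only
    proto: str
    src: str
    dst: str
    port: Optional[str]    # None when the rule has no port clause
    action: str


def parse_rules(text: str) -> list[Rule]:
    """Extract rules in listed order; non-rule lines are ignored."""
    return [Rule(**m.groupdict()) for m in map(RULE_RE.search, text.splitlines()) if m]


def _matches_bgp(rule: Rule, family: str) -> bool:
    # Source/destination are not evaluated here (the article's rules are any/any).
    return (rule.family == family
            and rule.proto in ("tcp", "any")
            and rule.port in (None, "any", BGP_PORT))


def bgp_verdict(rules: list[Rule], family: str) -> str:
    """First-match verdict for TCP/179 in one address family (assumes listed
    order is evaluation order; no match is treated as an implicit drop)."""
    for rule in rules:
        if _matches_bgp(rule, family):
            return rule.action
    return "drop"


def blocked_families(rules: list[Rule], peering_families: Iterable[str]) -> set[str]:
    """Address families you peer over whose BGP traffic is not accepted."""
    return {f for f in peering_families if bgp_verdict(rules, f) != "accept"}


def recommended_ip_protocol(peering_families: Iterable[str]) -> str:
    """Map the families in use to the gateway firewall rule's IP protocol setting."""
    fams = set(peering_families)
    if fams == {"inet"}:
        return "IPV4"
    if fams == {"inet6"}:
        return "IPV6"
    if fams == {"inet", "inet6"}:
        return "IPV4_IPV6"
    raise ValueError(f"unknown address families: {fams}")


def bgp_allow_rule_body(ip_protocol: str, tier0_path: str, rule_id: str = "allow-bgp") -> dict:
    """Policy API Rule body for a Tier-0 gateway firewall allow rule on TCP/179,
    e.g. for PATCH /policy/api/v1/infra/domains/default/gateway-policies/<policy-id>/rules/<rule-id>.
    tier0_path, policy id and rule_id are placeholders (assumptions, not from the article)."""
    return {
        "resource_type": "Rule",
        "id": rule_id,
        "display_name": rule_id,
        "direction": "IN_OUT",
        "ip_protocol": ip_protocol,      # IPV4, IPV6 or IPV4_IPV6
        "action": "ALLOW",
        "source_groups": ["ANY"],
        "destination_groups": ["ANY"],
        "scope": [tier0_path],
        "service_entries": [{
            "resource_type": "L4PortSetServiceEntry",
            "display_name": "bgp-tcp-179",
            "l4_protocol": "TCP",
            "destination_ports": [BGP_PORT],
        }],
    }


def audit(ruleset_text: str, peering_families: Iterable[str]) -> dict:
    """Verdict per family, the families being blocked, and the setting to apply."""
    fams = set(peering_families)
    rules = parse_rules(ruleset_text)
    return {
        "verdicts": {FAMILY_NAME[f]: bgp_verdict(rules, f) for f in sorted(fams)},
        "blocked": sorted(FAMILY_NAME[f] for f in blocked_families(rules, fams)),
        "recommended_ip_protocol": recommended_ip_protocol(fams),
    }


if __name__ == "__main__":
    # Peering over both families against an edge whose rule was created as IPv4 only.
    result = audit(SAMPLE_RULESET_V4_ONLY, {"inet", "inet6"})
    print(json.dumps(result, indent=2))
    print(json.dumps(bgp_allow_rule_body(result["recommended_ip_protocol"],
                                         "/infra/tier-0s/t0-gw"), indent=2))
```

Paste the real ruleset output in place of the constructed samples; if any family you peer over shows a verdict other than accept, the rule's IP protocol is the setting to change, and the generated body shows the value it needs.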