BGP Neighborship stuck in "CONNECT" state of BGP
Article ID: 381984

Updated On: 03-26-2025

Products

VMware NSX

Issue/Introduction

BGP connection not established with Peer and stuck in "Connect" state of BGP.

There is no reachability issue between source and destination and also TCP port 179 (BGP Port) is Open on both Source and Peer.

Based on the packet capture, a SYN packet is sent to the peer, but no response comes back. Similarly, the peer's SYN packet is delivered to the Edge node, but no acknowledgement is sent in return. The capture looks like the following:

## Edge> start capture <interface Uplink interface UUID> direction dual expression host Destination-BGP-IP and port 179

SYN Packet going out of the Edge uplink for Destination-BGP-IP:

04:32:44.200557 X.X.X.X:38:b2 > X.X.X.X:1f:06, ethertype 802.1Q (0x8100), length 90: vlan 0, p 0, ethertype IPv4, Source-BGP-IP.37683 > Destination-BGP-IP.179: Flags [S], seq 4017496212, win 62720, options [nop,nop,md5 shared secret not supplied with -M, can't check -####,mss 8960,nop,nop,sackOK,nop,wscale 8], length 0

SYN Packet Received from the Destination-BGP-IP on Edge uplink for Source-BGP-IP: 

04:32:44.200557 X.X.X.X:1f:06 > X.X.X.X:38:b2, ethertype 802.1Q (0x8100), length 90: vlan 0, p 0, ethertype IPv4, Destination-BGP-IP.37696 > Source-BGP-IP.179: Flags [S], seq 4017499622, win 62720, options [nop,nop,md5 shared secret not supplied with -M, can't check -####,mss 8960,nop,nop,sackOK,nop,wscale 8], length 0

The TCP options in both SYN packets include an MD5 field, which indicates that MD5 authentication (a BGP password) is configured on the session. Because the MD5 option is present in the TCP handshake, the next step is to check the Edge node logs for MD5 hash errors.

In the /var/log/syslog file on the affected Edge node, the following log entries are seen:

2023-05-23T20:37:39.064Z edgenode.localhost kernel - - - [10027703.550290] TCP: MD5 Hash failed for (source-bgp-ip, 46784)->(destination-bgp-ip, 179)
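The following is an added example (not from this KB) showing why a TCP MD5 key mismatch produces exactly the pattern above: a SYN that is signed with one password, silently dropped by a receiver that verifies it with another, so no SYN-ACK ever follows. It implements the RFC 2385 digest with the standard library; the IP addresses are constructed, while the ports, sequence number, window and 32-byte option length are taken from the capture above (52-byte TCP header in a 90-byte frame). `check_bgp_password` is a hypothetical pre-flight check for the unsupported `$` character named in this article.

```python
# Added example: RFC 2385 TCP MD5 signature check as a BGP speaker performs it.
import hashlib
import hmac
import socket
import struct

BGP_PORT = 179
TCP_PROTO = 6

def build_tcp_header(sport, dport, seq, window, options_len):
    """Base 20-byte TCP SYN header; options_len covers mss/sackOK/wscale/md5 so the
    data offset reflects the real header size (20 + 32 = 52 bytes in the capture)."""
    data_offset = (20 + options_len) // 4
    # sport, dport, seq, ack, offset<<4, flags (SYN=0x02), window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset << 4, 0x02, window, 0, 0)

def tcp_md5_signature(src_ip, dst_ip, tcp_header, options_len, payload, password):
    """RFC 2385 digest over: IPv4 pseudo-header, TCP header with checksum zeroed and
    options excluded, segment data, and finally the shared password."""
    seg_len = len(tcp_header) + options_len + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    hdr_no_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + hdr_no_csum + payload + password.encode()).digest()

def receiver_accepts(src_ip, dst_ip, tcp_header, options_len, payload, received_sig, local_password):
    """Receiver side: recompute with the local password and compare. A mismatch is what
    the Edge logs as 'TCP: MD5 Hash failed', and the SYN is discarded without a reply."""
    expected = tcp_md5_signature(src_ip, dst_ip, tcp_header, options_len, payload, local_password)
    return hmac.compare_digest(expected, received_sig)

def check_bgp_password(password):
    """Hypothetical pre-flight check for the cause named in this KB; returns findings."""
    findings = []
    if "$" in password:
        findings.append("contains '$', which is not a supported character for the NSX BGP password")
    return findings

if __name__ == "__main__":
    src, dst = "192.0.2.1", "192.0.2.2"          # constructed addresses
    syn = build_tcp_header(37683, BGP_PORT, 4017496212, 62720, 32)
    sig = tcp_md5_signature(src, dst, syn, 32, b"", "Correct-Key")
    print("same key accepted:      ", receiver_accepts(src, dst, syn, 32, b"", sig, "Correct-Key"))
    print("mismatched key accepted:", receiver_accepts(src, dst, syn, 32, b"", sig, "Wrong-Key"))
    print("findings for 'My$ecret':", check_bgp_password("My$ecret"))
```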


Environment

VMware NSX

Cause

  • Either the passwords configured on both ends do not match, or the password has not been configured on one side of the BGP session.
  • $ is not a supported character for the BGP password and causes the MD5 checksum error.

Resolution

  • Verify the password and update both ends with the same password.
  • Remove $ from the password and update the password on both ends.

Please refer to this document to configure the password on the NSX Edge: Configure BGP

Additional Information

Impact/Risks:

  • Unable to establish the BGP connection when $ is in the password of the BGP configuration.
  • Unable to establish the BGP connection when there is a password mismatch in the BGP configuration on either side.