BGP – Active open failed – tcb is not available

So I had an issue with BGP where it wouldn’t establish a neighbor relationship.

I ran the usual ‘debug ip bgp’ but it only showed ‘connection timed out’.

Here is a sample debug output of one of the neighbour setup attempts:

198.51.100.12 active went from Idle to Active
198.51.100.12 open active, local address 198.51.100.13
198.51.100.12 open failed: Connection timed out; remote host not responding
198.51.100.12 Active open failed - tcb is not available, open active delayed 12288ms (35000ms max, 60% jitter)
ses global 198.51.100.12 act Reset (Active open failed).
198.51.100.12 active went from Active to Idle

This output led me (wrongly) down various paths, checking ACLs, layer 2 connectivity etc., all of which turned up nothing, all the while the BGP neighbour was attempting to establish but simply timing out.

I did at this point think about MD5 authentication – but there was nothing in the debug…

So, as this is a new non-production install, I thought let’s go further down the stack and see exactly what’s going on with these packets with the ‘debug ip tcp transactions’ command.

In amongst some random bits and pieces, I noticed this in one of the outputs:

Router1#debug ip tcp transactions address 198.51.100.12
MD5 received, but NOT expected from 198.51.100.12:29517 to 198.51.100.13:179

Bingo! The remote end is configured for MD5 but the local end wasn’t. I assume the reason I didn’t see any authentication errors on my side is that authentication isn’t configured at all; the remote end would likely have received numerous authentication errors. However, that ‘remote end’ was BT, and it took 24 hours, and me actually telling them that they had MD5 configured and had not told us the password, to get this particular problem resolved.
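
BGP MD5 authentication is carried as the TCP MD5 signature option (RFC 2385, option kind 19, length 18) and is checked by the TCP stack, so a mismatched segment is dropped before BGP ever sees it, which is why the BGP debug shows only a timeout. The Python below is an added example, not part of the original post: it walks the options of a raw TCP header, as you would take it from a capture, and classifies the segment against the local neighbor configuration. The function names, return labels and the sample SYN with a placeholder digest are constructed for illustration.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19  # kind 19 = RFC 2385 MD5 signature


def tcp_options(header: bytes):
    """Yield (kind, value) for each option in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (header[12] >> 4) * 4           # header length in bytes
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts, i = header[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:                    # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        yield kind, opts[i + 2:i + length]
        i += length


def md5_mismatch(header: bytes, local_expects_md5: bool) -> str:
    """Classify a received segment against the local neighbor config."""
    signed = any(k == TCPOPT_MD5SIG and len(v) == 16 for k, v in tcp_options(header))
    if signed and not local_expects_md5:
        return "signed-unexpected"    # the post's "MD5 received, but NOT expected" case
    if not signed and local_expects_md5:
        return "unsigned-expected"    # what the MD5-configured peer sees from us
    return "ok"


def build_syn(sport: int, dport: int, md5: bool) -> bytes:
    """Constructed sample: a SYN header, optionally carrying a dummy MD5 option."""
    opts = bytes([2, 4, 0x05, 0xB4])                       # MSS 1460
    if md5:
        opts += bytes([TCPOPT_MD5SIG, 18]) + bytes(16)     # placeholder digest
        opts += bytes([TCPOPT_NOP, TCPOPT_NOP])            # pad to 4-byte multiple
    offset = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, offset << 4, 0x02, 16384, 0, 0)
    return fixed + opts
```

A "signed-unexpected" result on inbound segments to port 179 means the peer has a password configured that the local side lacks, so the fix is to agree the key with the peer rather than to chase ACLs or layer 2.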
