BGP Neighbor FSM state monitoring

  • 0
  • 2
  • Question
  • Updated 3 years ago
How do I log/monitor my BGP neighbor's FSM states?

If I do a "show bgp neighbor x.x.x.x", I can see the FSM state (up since, down since, etc), but a change in states doesn't make it to the logs - or at least not by default.

I just found out that that's somewhat important for me to know - we lost one of our provider's Internet connection, but the port was still up, and other than the "zero traffic" there was no indication that they were down - and of course the FSM state from "sh bgp neigh".

It would be great if I could log those (for "documentation reasons", i.e. leverage in talks with the providers), and awesome if I could SNMP query them or send traps for monitoring.

Thanks for all the help!
Photo of Frank


  • 3,490 Points 3k badge 2x thumb

Posted 3 years ago

  • 0
  • 2
Photo of Hernandez, Joshua

Hernandez, Joshua, Employee

  • 1,544 Points 1k badge 2x thumb

If you are not getting any log messages relating to bgp can you run the following command and see if there is a filter dismissing these messages:

show log configuration filter <filter_name>

The filter name is usually "DefaultFilter" if it has not been changed.  This will show any filters that have been setup and if all messages are included in the log display.
Photo of Frank


  • 3,490 Points 3k badge 2x thumb
I do seem to get some BGP warnings, like:
04/30/2015 19:54:14.49 <Warn:BGP.DecisnCoord.NumPeerPfxRchWarnThrsh> [VR 0x00000002] The number of prefixes from a peer has reached the warning threshold.

(which yes, it's a relatively low default threshold of 375,000)

This is what I have:

# sh log configuration filter "DefaultFilter" 
Log Filter Name: DefaultFilter
I/                                                 Severity
E Component   SubComponent Condition               CEWNISVD
- ----------- ------------ ----------------------- --------
I All                                              ********

Include/Exclude: I - Include,  E - Exclude
Component Unreg: * - Component/SubComponent is not currently registered
Severity Values: C - Critical,  E - Error,  W - Warning,  N - Notice,  I - Info
                 * - Pre-assigned severities in effect for specified component
Debug Severity : S - Debug-Summary,  V - Debug-Verbose,  D - Debug-Data
                 + - Debug Severities, but log debug-mode not enabled
If Match parameters present:
Parameter Flags: S - Source,  D - Destination, (as applicable)
                 I - Ingress,  E - Egress,  B - BGP
Parameter Types: Port - Physical Port list,  Slot - Physical Slot #
                 MAC  - MAC address,  IP - IP Address/netmask,  Mask - Netmask
                 VID  - Virtual LAN ID (tag),  VLAN  - Virtual LAN name
                 VR   - Virtual Router Name,  VRID  - VR Identifier
                 VRF  - Virtual Routing and Forwarding Name
                 L4   - Layer-4 Port #,  Num  - Number,  Str  - String
                 Nbr  - Neighbor, Rtr  - Routerid, EAPS - EAPS Domain
                 Proc - Process Name
Strict Match   : Y - every match parameter entered must be present in the event
                 N - match parameters need not be present in the event
Photo of Hernandez, Joshua

Hernandez, Joshua, Employee

  • 1,544 Points 1k badge 2x thumb

Check the BGP log events that are included by using the following command

show log counters bgp

This will show bgp events and if they are included.  Look through them and if you see any you would like to add to the existing filter use the following command:

configure log filter "DefaultFilter" add events <bgp_event> severity <severity> <match_conditions>
Photo of McClane

McClane, Employee

  • 410 Points 250 badge 2x thumb
Frank, I've added the following to my EMS config:

configure log filter DefaultFilter add events BGP.NeighborMgr.PeerEstTrans 
configure log filter DefaultFilter add events BGP.NeighborMgr.PeerFSMDegrade

These gives me peer state change info in the logs which I think is what you're looking for...
Photo of Frank


  • 3,490 Points 3k badge 2x thumb
Ah, I see! The second one I came up with as well, the first one I didn't know about and will add :)

Took me a while to understand the difference between "sh log" and what I get in my syslog. Implicit log targets/filters only visible with "sh conf ems DETAIL" (and PDF user guide links to non-existent sections)

Thanks for the help - now on to seeing if there's an SNMP query or trap I can send to or check from our monitoring platform!