BGP was up.
Routes were received.
Still… traffic was not flowing.
This is one of the most confusing (and common) BGP issues in Palo Alto environments.
The Problem
BGP neighbor shows Established
Expected routes are present in the routing table
But applications behind the firewall fail or take an unexpected path
At first glance, everything looks correct.
The Missed Detail
In Palo Alto Networks, BGP route exchange ≠ traffic forwarding.
In this case:
Routes were successfully learned via BGP
But the BGP next-hop was not reachable within the same Virtual Router
No valid forwarding entry existed for the next-hop
Result: traffic was silently dropped
What Actually Fixed It
Ensured next-hop reachability inside the Virtual Router
Verified correct VR binding on interfaces
Aligned security policies with the routing design
Once these were corrected, traffic started flowing immediately — no BGP reset required.
Key Takeaway
In Palo Alto, control plane success does not guarantee data plane success.
Always validate:
Next-hop reachability
Virtual Router consistency
Security policy impact
BGP troubleshooting is not just about the protocol — it’s about forwarding logic.
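As an added illustration (not from the original post), here is a small Python check that replays the first validation step above: for every active BGP route, confirm that its next-hop is covered by a non-BGP forwarding entry in the same Virtual Router. The route table is a constructed sample loosely modeled on PAN-OS `show routing route` output; the exact column layout and the condensed flag tokens are assumptions made for this example.

```python
import ipaddress

# Constructed sample, loosely modeled on PAN-OS `show routing route` output
# (assumption: columns are destination, nexthop, metric, flags, age, interface;
# flags are condensed into one token, e.g. AC = active connected, AB = active BGP).
SAMPLE_ROUTE_TABLE = """\
VIRTUAL ROUTER: default (id 1)
10.10.0.0/24      0.0.0.0       0   AC   0     ethernet1/1
10.10.0.1/32      0.0.0.0       0   AH   0     ethernet1/1
192.168.50.0/24   10.10.0.254   0   AB   1200  ethernet1/1
172.16.0.0/16     10.99.0.1     0   AB   1200  -
VIRTUAL ROUTER: dmz (id 2)
10.99.0.0/24      0.0.0.0       0   AC   0     ethernet1/3
"""

def parse_routes(text):
    """Return a list of (vr, destination network, next-hop, flags) tuples."""
    routes, vr = [], None
    for line in text.splitlines():
        if line.startswith("VIRTUAL ROUTER:"):
            vr = line.split(":", 1)[1].split("(")[0].strip()
            continue
        parts = line.split()
        if vr is None or len(parts) < 4:
            continue
        dest, nexthop, flags = parts[0], parts[1], parts[3]
        routes.append((vr, ipaddress.ip_network(dest), nexthop, flags))
    return routes

def resolve_nexthop(routes, vr, nexthop):
    """Longest-prefix match of a BGP next-hop against non-BGP routes of the same VR."""
    addr = ipaddress.ip_address(nexthop)
    candidates = [net for (r_vr, net, _, flags) in routes
                  if r_vr == vr and "A" in flags and "B" not in flags and addr in net]
    return max(candidates, key=lambda n: n.prefixlen, default=None)

def check_bgp_nexthops(text):
    """Map each active BGP route to the prefix that resolves its next-hop, or None."""
    routes = parse_routes(text)
    result = {}
    for vr, net, nexthop, flags in routes:
        if "B" in flags and "A" in flags:
            result[(vr, str(net))] = resolve_nexthop(routes, vr, nexthop)
    return result

if __name__ == "__main__":
    for (vr, dest), via in check_bgp_nexthops(SAMPLE_ROUTE_TABLE).items():
        state = f"next-hop resolved via {via}" if via else "NEXT-HOP UNREACHABLE in this VR"
        print(f"VR {vr:8} {dest:18} {state}")
```

In the sample, 172.16.0.0/16 is learned in VR `default` with a next-hop that only exists in VR `dmz`, which is exactly the "BGP up, traffic down" condition the post describes.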
Have you faced a “BGP is up but traffic is down” situation?
Let’s exchange notes.