INC_SC_PRIMARY_WAN_BGP_DOWN

Learn about the INC_SC_PRIMARY_WAN_BGP_DOWN incident.

Synopsis

The primary WAN BGP for the service connection is down.
Incident Code—INC_SC_PRIMARY_WAN_BGP_DOWN
Severity—Warning
For details about incident severity, see Incidents Distribution Over Time in Incidents and Alerts Overview.

Required License

Prisma Access

Details

Raise condition
The tunnel's BGP peer is down for at least 10 minutes.
Clear condition
The tunnel's BGP peer is up for at least 8 minutes.

Correlated Alerts

  • AL_SC_PRIMARY_WAN_BGP_DOWN
  • AL_SC_PRIMARY_WAN_BGP_FLAP

Remediation

  1. Confirm whether the IPSec tunnel is active. If the tunnel is up but BGP is still down, proceed to step 2. If the IPSec tunnel is down, proceed to step 4.
  2. Perform a ping from your machine to the SC's BGP peer to confirm whether it fails. If the ping fails, go to step 3. If the ping succeeds, proceed to step 4.
  3. Perform a traceroute to the BGP peer to see whether the traceroute is failing within your network. If it is, work with your network team to resolve the connectivity issue. If the traceroute is failing outside of your network, contact your ISP. If the issue is still not resolved, open a case on the Palo Alto Networks Customer Support Portal and provide all of the above information.
  4. Review for any resource utilization issues on the device where this tunnel terminates. If there are any in-path devices prior to the terminating device, review there as well.
  5. Perform ping and traceroute to review for any latency inconsistencies or packet loss between the site and the Prisma Access location. Contact your ISP if there is packet loss. If there is no packet loss or results are inconclusive:
    a. Isolate some test traffic and perform packet captures.
    b. Check for any TCP segments that are out of order, lost segments, or retransmissions, which might indicate packet loss through the tunnel.
    c. If you observe these issues, take packet captures of the ESP traffic, so you can check the public IP addresses between the Prisma Access location service IP address and the remote VPN peer IP address.
    d. Review for gaps in the ESP sequence numbers, which indicate in-path packet loss, or out-of-order ESP sequence numbers, which indicate reordering by a network device in the path.
  6. If there are other network devices in the path prior to the terminating device, perform steps a through d to help isolate the problematic network device.
  7. If you still can't resolve this issue, contact Palo Alto Networks Customer Support Portal.
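
The ESP sequence-number review in step 5 can be scripted. The following is an added example, not part of the original Palo Alto Networks documentation: it assumes the capture has been exported to tab-separated SPI and sequence values (for instance with tshark's `esp.spi` and `esp.sequence` fields), and the function name and sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: "SPI<TAB>sequence" per packet in arrival order, the shape
# produced by: tshark -r capture.pcap -Y esp -T fields -e esp.spi -e esp.sequence
SAMPLE = """\
0x0a1b2c3d\t1
0x0a1b2c3d\t2
0x0a1b2c3d\t4
0x0a1b2c3d\t3
0x0a1b2c3d\t5
0x0a1b2c3d\t9
0x0a1b2c3d\t10
0x5e6f7788\t100
0x5e6f7788\t101
0x5e6f7788\t101
0x5e6f7788\t102
"""

def analyze_esp_sequences(text):
    """Classify ESP sequence anomalies per SPI (one SPI = one tunnel direction)."""
    state = defaultdict(lambda: {"highest": None, "missing": set(), "seen": set(),
                                 "reordered": [], "duplicates": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        spi, seq = line.split()
        seq = int(seq)
        s = state[spi]
        if seq in s["seen"]:
            s["duplicates"].append(seq)
        elif s["highest"] is None or seq > s["highest"]:
            if s["highest"] is not None:
                # Skipped numbers are provisionally missing until they show up late.
                s["missing"].update(range(s["highest"] + 1, seq))
            s["highest"] = seq
        else:
            # Below the highest seen: arrived late, so reordered rather than lost.
            s["missing"].discard(seq)
            s["reordered"].append(seq)
        s["seen"].add(seq)
    return {spi: {"lost": sorted(s["missing"]), "reordered": s["reordered"],
                  "duplicates": s["duplicates"]} for spi, s in state.items()}

if __name__ == "__main__":
    for spi, result in analyze_esp_sequences(SAMPLE).items():
        print(spi, result)
```

Running the same analysis on captures taken at each in-path device shows where a sequence number first goes missing or arrives late, which is the isolation that step 6 asks for.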