BGP Cease Subcode definition

When you deal with Cisco and BGP, you probably know syslog messages like this:

Apr 11 16:34:38 ROUTER 1026843: Apr 11 16:34:38.010 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/2 (cease) 0 bytes
Apr 17 14:13:41 ROUTER 30082: Apr 17 14:13:41.126 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/0 (cease) 0 bytes
Apr 27 05:30:39 ROUTER 1028828: Apr 27 05:30:39.833 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/3 (cease) 0 bytes
May  5 08:12:03 ROUTER 38467: May  5 08:12:03.644 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/4 (cease) 0 bytes
May  7 06:06:04 ROUTER 38956: May  7 06:06:04.092 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/6 (cease) 0 bytes
May 10 13:28:39 ROUTER 4366: May 10 13:28:38.919 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/7 (cease) 0 bytes

I think in backbone environments, your BGP should be stable and you don’t want to see lots of these messages. But at a big peering point, it’s the normal “noise”….

According to RFC4486, Cisco reports the Subcode of Cease Notification Message (blue) in the log message.
Here’s an overview of subcode definition:

Subcode Meaning
1 Maximum Number of Prefixes Reached
2 Administrative Shutdown
3 Peer De-configured
4 Administrative Reset
5 Connection Rejected
6 Other Configuration Change
7 Connection Collision Resolution
8 Out of Resources

and here comes a deeper explanation (also taken from the RFC):

  • If a BGP speaker decides to terminate its peering with a neighbor because the number of address prefixes received from the neighbor exceeds a locally configured upper bound,  then the speaker MUST send to the neighbor a NOTIFICATION message  with the Error Code Cease and the Error Subcode “Maximum Number of Prefixes Reached“.
  • If a BGP speaker decides to administratively shut down its peering with a neighbor, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Administrative Shutdown“.
  • If a BGP speaker decides to de-configure a peer, then the speaker  SHOULD send a NOTIFICATION message with the Error Code Cease and the  Error Subcode “Peer De-configured“.
  • If a BGP speaker decides to administratively reset the peering with a neighbor, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Administrative Reset“.
  • If a BGP speaker decides to disallow a BGP connection (e.g., the peer is not configured locally) after the speaker accepts a transport protocol connection, then the BGP speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Connection Rejected“.
  • If a BGP speaker decides to administratively reset the peering with a neighbor due to a configuration change other than the ones described above, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Other Configuration Change“.
  • If a BGP speaker decides to send a NOTIFICATION message with the Error Code Cease as a result of the collision resolution procedure then the subcode SHOULD be set to “Connection Collision Resolution“.
  • If a BGP speaker runs out of resources (e.g., memory) and decides to reset a session, then the speaker MAY send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Out of Resources“.

4 comments to BGP Cease Subcode definition

  • sap

    Thanks a lot, the explanaition and the information is awesome. it helped me.

  • peter

    What does this code mean ?

    Aug 28 04:21:24.203: %BGP-3-NOTIFICATION: sent to neighbor x.x.x.x passive 6/0 (cease) 0 bytes

  • admin

    RFC says this:

    If a BGP speaker decides to administratively reset the peering with a neighbor due to a configuration change other than the ones described above, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Other Configuration Change“.

  • Rik

    To re-word peter’s question as the response from admin appears to be incorrect…
    Having checked RFC 4486 - Subcodes for BGP Cease Notification Message, The line

    Apr 17 14:13:41 ROUTER 30082: Apr 17 14:13:41.126 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/0 (cease) 0 bytes

    Appears to have been made up, rather than a genuine msg as sub-code 0 is not documented in the RFC. Unless Cisco use 0 to indicate something else ?

    Additionally peter’s example has “passive” in the text. I’d guess that might relate to the BGP peer being passive, but I don’t really know. As usual the error messages manual is conviently concise on this msg and doesn’t even explain that the first number (6) is the cease and the 2nd number is the sub-code.

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>