Re: BGP malformed update/attribute list
This is an IOS-XR message. You can use the CLI exec command "show bgp update in error" to display the update and analyze it further. Kind Regards, Jakob -----------------original message -------------------------- From: Randy Bush <randy@psg.com> just to aol, and other posts did not show full nlri May 20 07:01:51 r2.f00 16869308: RP/0/RSP0/CPU0:May 20 07:01:51.437 : bgp[1059]: %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from neighbor 123.45.67.89 (VRF: default) - message length 106 bytes, error flags 0x000c0000, action taken "DiscardAttr". Error details: "Error 0x00040000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28), Data [e0281c]". NLRIs: [IPv4 Unicast] 45.198.25.0/24 randy
You can use the CLI exec command
"show bgp update in error" to display the update and analyze it further.
RP/0/RSP0/CPU0:r2.dfw#show bgp update in error detail VRF "default" Malformed Update messages: 19 Neighbors that received malformed Update messages: 2 Last malformed update received: May 20 07:02:30.421 (2d13h ago) there was much more data in the log message
May 20 07:01:51 r2.f00 16869308: RP/0/RSP0/CPU0:May 20 07:01:51.437 : bgp[1059]: %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from neighbor 123.45.67.89 (VRF: default) - message length 106 bytes, error flags 0x000c0000, action taken "DiscardAttr". Error details: "Error 0x00040000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28), Data [e0281c]". NLRIs: [IPv4 Unicast] 45.198.25.0/24
but the timestamps differ a bit randy
The log message is rate limited, so not every received update will generate a log. If you send me one of the updates, I can tell you how it’s malformed. Regards, Jakob.
On May 23, 2025, at 04:29, Randy Bush <randy@psg.com> wrote:
You can use the CLI exec command
"show bgp update in error" to display the update and analyze it further.
RP/0/RSP0/CPU0:r2.dfw#show bgp update in error detail
VRF "default" Malformed Update messages: 19 Neighbors that received malformed Update messages: 2 Last malformed update received: May 20 07:02:30.421 (2d13h ago)
there was much more data in the log message
May 20 07:01:51 r2.f00 16869308: RP/0/RSP0/CPU0:May 20 07:01:51.437 : bgp[1059]: %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from neighbor 123.45.67.89 (VRF: default) - message length 106 bytes, error flags 0x000c0000, action taken "DiscardAttr". Error details: "Error 0x00040000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28), Data [e0281c]". NLRIs: [IPv4 Unicast] 45.198.25.0/24
but the timestamps differ a bit
randy
Hi Randy, Jakob, The "show bgp update in error detail" command is broken in IOS-XR, it doesn't show any detail just the summary that you saw. However, if you use it with an explicit BGP neighbor, with "show bgp update in error neighbor A.B.C.D detail" you should get a detailed report with the last 5 malformed messages. So, in your case example from the log, "show bgp update in error neighbor 123.45.67.8d9 detail" ;-) I tried it on all our upstreams and got lucky with AS3356. Also, there actually were multiple malformed messages, that is the reason the timestamp in the summary differed from your log, as the summary only shows the last malformed update and the log probably did not log all of them. Best regards, Chris On 22.05.2025 22:29, Randy Bush via NANOG wrote:
You can use the CLI exec command
"show bgp update in error" to display the update and analyze it further. RP/0/RSP0/CPU0:r2.dfw#show bgp update in error detail
VRF "default" Malformed Update messages: 19 Neighbors that received malformed Update messages: 2 Last malformed update received: May 20 07:02:30.421 (2d13h ago)
there was much more data in the log message
May 20 07:01:51 r2.f00 16869308: RP/0/RSP0/CPU0:May 20 07:01:51.437 : bgp[1059]: %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from neighbor 123.45.67.89 (VRF: default) - message length 106 bytes, error flags 0x000c0000, action taken "DiscardAttr". Error details: "Error 0x00040000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28), Data [e0281c]". NLRIs: [IPv4 Unicast] 45.198.25.0/24 but the timestamps differ a bit
randy _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/3KMANWRB...
participants (3)
-
Chris Welti -
Jakob Heitz (jheitz) -
Randy Bush