When you say "no logged error" with mismatched neighbor IP address, what do you mean? Did the session just not establish at all? How long did you wait for it to attempt to establish?

On Juniper, if it sees a BGP connection come from an IP address that doesn't match a local "neighbor" statement, it will send a BGP Notification, code 2 (Open Message Error), subcode 5 (authentication failure), which is exactly what you are seeing.

If one side is using a loopback IP instead of a physical IP for the local-address, that would cause both a multihop/TTL issue and a neighbor IP mismatch.

Another possibility is if you have exceeded the max prefix limit for the session. One side will get stuck in Idle state which may cause the other side to send the same "authentication failure" notification.

On Mon, Nov 25, 2013 at 03:07:28PM -0800, Eric A Louie wrote:
All Cisco/Cisco, I don't have a Juniper here to test with
mismatch AS: *Apr  9 00:31:47.691: %BGP-3-NOTIFICATION: received from neighbor 10.250.254.253 2/2 (peer in wrong AS) 2 bytes 6A39
mismatch neighbor IP address: no logged error
MTU mismatch: no logged error, session remained up
Subnet mask mismatch: session remained up, no logged error
I haven't created the multihop scenario to see the error messages.
None of these issues caused the (authentication failure).
________________________________
From: Chuck Anderson <cra@WPI.EDU>
To: nanog@nanog.org
Sent: Monday, November 25, 2013 11:10 AM
Subject: Re: BGP neighbor/configuration testing
Authentication failure might mean (without knowing for sure which on Cisco):
- mismatch AS numbers
- mismatch neighbor IP addresses
- multihop/TTL issues
- MTU issues
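
Added example, not part of the original thread: a small decoder for the `%BGP-3-NOTIFICATION` log lines discussed above, mapping the code/subcode pair to its RFC name so that 2/2 and 2/5 can be told apart when triaging session failures. The function name, the second sample line and the reading of the data bytes as an AS number are assumptions made for this example.

```python
import re

# Names per RFC 4271 (codes, OPEN subcodes) and RFC 4486 (Cease subcodes).
# OPEN subcode 5 was "Authentication Failure" in RFC 1771; RFC 4271 marks it
# deprecated, but routers still send and log it, as the thread shows.
CODES = {1: "Message Header Error", 2: "OPEN Message Error",
         3: "UPDATE Message Error", 4: "Hold Timer Expired",
         5: "Finite State Machine Error", 6: "Cease"}
SUBCODES = {(2, 1): "Unsupported Version Number", (2, 2): "Bad Peer AS",
            (2, 3): "Bad BGP Identifier",
            (2, 4): "Unsupported Optional Parameter",
            (2, 5): "Authentication Failure (deprecated)",
            (2, 6): "Unacceptable Hold Time",
            (6, 1): "Maximum Number of Prefixes Reached"}

LINE_RE = re.compile(
    r"%BGP-\d-NOTIFICATION: (?P<dir>received from|sent to) neighbor "
    r"(?P<peer>\S+) (?P<code>\d+)/(?P<sub>\d+) \((?P<text>[^)]*)\) "
    r"\d+ bytes ?(?P<data>[0-9A-Fa-f ]*)")

def decode_notification(line):
    """Return a dict describing one NOTIFICATION log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code, sub = int(m["code"]), int(m["sub"])
    hexdata = m["data"].replace(" ", "")
    out = {"direction": m["dir"], "peer": m["peer"],
           "code": CODES.get(code, "unknown"),
           "subcode": SUBCODES.get((code, sub), "unknown"),
           "router_text": m["text"], "data_hex": hexdata}
    # Assumption: with Bad Peer AS the data bytes are the 2-byte AS number
    # taken from the rejected OPEN, so decode them as a big-endian integer.
    if (code, sub) == (2, 2) and len(hexdata) == 4:
        out["as_in_data"] = int(hexdata, 16)
    return out

# First line is the log line quoted in the thread; the second is constructed.
SAMPLES = [
    "*Apr  9 00:31:47.691: %BGP-3-NOTIFICATION: received from neighbor "
    "10.250.254.253 2/2 (peer in wrong AS) 2 bytes 6A39",
    "*Apr  9 00:40:02.113: %BGP-3-NOTIFICATION: received from neighbor "
    "192.0.2.1 2/5 (authentication failure) 0 bytes",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decode_notification(s))
```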