On Thu, Apr 30, 2020 at 7:55 AM Chris Wopat <[log in to unmask]> wrote:
On 4/30/20 7:49 AM, David Farmer wrote:

> We're running IOS XR, I found these droppings in our logs;
>

RP/0/RP0/CPU0:Apr 29 21:50:26.798 CDT: bgp[1068]:
%ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from
neighbor 206.108.255.2 (VRF: default) - message length 59 bytes, error
flags 0x00000200, action taken "TreatAsWdr". Error details: "Error
0x00000200, Field "Attr-data", Attribute 2 (Flags 0x40, Length 0), Data
[400200]". NLRIs: [IPv4 Unicast] 198.179.154.0/23
RP/0/RP1/CPU0:Apr 29 21:50:26.797 CDT: bgp[1068]:
%ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from
neighbor 206.108.255.2 (VRF: default) - message length 59 bytes, error
flags 0x00000200, action taken "TreatAsWdr". Error details: "Error
0x00000200, Field "Attr-data", Attribute 2 (Flags 0x40, Length 0), Data
[400200]". NLRIs: [IPv4 Unicast] 198.179.154.0/23
>
> Maybe try resting you BGP sessions.
>
We're seeing a weird next-hop ip on that prefix (rfc1918) and its hidden
on our net.

Is 10.223.129.2 something internal to route server #2?

 > show route 198.179.154.0 hidden detail

inet.0: 795967 destinations, 2081403 routes (795589 active, 0 holddown,
1604 hidden)
198.179.154.0/23 (3 entries, 1 announced)
          BGP
                 Next hop type: Router, Next hop index: 0
                 Address: 0x113614cc
                 Next-hop reference count: 1
                 Source: 206.108.255.2
                 Next hop: 10.223.129.2 via xe-0/1/5.300, selected
                 Session Id: 0x0
                 State: <Hidden Ext>
                 Inactive reason: Unusable path
                 Local AS: 65400 Peer AS: 53679
                 Age: 10:02:05
                 Validation State: unverified
                 Task: BGP_53679.206.108.255.2
                 AS path: I
                 Communities: target:21693:1000
                 Router ID: 206.108.255.2
                 Hidden reason: protocol nexthop is not on the interface

Here is what I see;

BGP routing table entry for 198.179.154.0/23

Versions:

  Process           bRIB/RIB  SendTblVer

  Speaker           14008256    14008256

Last Modified: Apr 29 21:50:26.404 for 10:08:07

Paths: (1 available, best #1)

  Advertised IPv4 Unicast paths to update-groups (with more than one peer):

    1.2 1.7 1.11 1.18 

  Advertised IPv4 Unicast paths to peers (in unique update groups):

    146.57.254.0    146.57.252.9    146.57.252.217  146.57.248.131  

    146.57.253.81   146.57.253.9    146.57.253.157  146.57.255.184  

  Path #1: Received by speaker 1

  Advertised IPv4 Unicast paths to update-groups (with more than one peer):

    1.2 1.7 1.11 1.18 

  Advertised IPv4 Unicast paths to peers (in unique update groups):

    146.57.254.0    146.57.252.9    146.57.252.217  146.57.248.131  

    146.57.253.81   146.57.253.9    146.57.253.157  146.57.255.184  

  21693

    206.108.255.115 from 206.108.255.1 (206.108.255.1)

      Origin IGP, localpref 180, valid, external, best, group-best, import-candidate

      Received Path ID 0, Local Path ID 1, version 14008256

      Community: 57:12 57:10500 57:10505

      Extended community: RT:21693:1000 

      Origin-AS validity: not-found 

It is an Xcel Energy Prefix, which jives with ARIN;

--
===============================================
David Farmer               Email:[log in to unmask]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1