BGP error handling
BGP error detection and response — NOTIFICATION codes and subcodes, revised error handling (treat-as-withdraw), and connection collision resolution.
Contents
Error handling model
RFC 4271 uses a strict error model: detect an error, send a NOTIFICATION, close the session. This causes complete route withdrawal from the peer — disruptive for a protocol carrying the full Internet routing table.
RFC 7606 introduced revised error handling that allows certain UPDATE errors to be handled by treating the affected route as withdrawn rather than tearing down the entire session.
Error codes and subcodes
Code 1: Message Header Error
| Subcode | Name | Trigger |
|---|---|---|
| 1 | Connection Not Synchronized | Marker field not all ones |
| 2 | Bad Message Length | Length < 19 or > 4096, or wrong for message type |
| 3 | Bad Message Type | Unrecognized Type field value |
Data field: Bad Message Length includes the erroneous Length value. Bad Message Type includes the erroneous Type value.
Code 2: OPEN Message Error
| Subcode | Name | Trigger |
|---|---|---|
| 1 | Unsupported Version Number | Version field not supported |
| 2 | Bad Peer AS | AS number not acceptable per configuration |
| 3 | Bad BGP Identifier | Not a valid unicast IPv4 address |
| 4 | Unsupported Optional Parameter | Parameter Type not recognized |
| 5 | Deprecated | Was Authentication Failure |
| 6 | Unacceptable Hold Time | Hold Time = 1 or 2 seconds |
| 7 | Unsupported Capability | Added by RFC 5492 |
Data field: Unsupported Version Number includes the highest locally-supported version less than what the peer bid.
Code 3: UPDATE Message Error
| Subcode | Name | Trigger |
|---|---|---|
| 1 | Malformed Attribute List | Total length inconsistent, or duplicate attribute |
| 2 | Unrecognized Well-known Attribute | Well-known attribute not implemented |
| 3 | Missing Well-known Attribute | Mandatory attribute absent from UPDATE |
| 4 | Attribute Flags Error | Flags inconsistent with Type Code |
| 5 | Attribute Length Error | Length doesn’t match expected for type |
| 6 | Invalid ORIGIN Attribute | ORIGIN value not 0, 1, or 2 |
| 7 | Deprecated | Was AS Routing Loop |
| 8 | Invalid NEXT_HOP Attribute | Not a valid IP host address |
| 9 | Optional Attribute Error | Recognized optional attribute has invalid value |
| 10 | Invalid Network Field | NLRI syntactically incorrect |
| 11 | Malformed AS_PATH | AS_PATH fails syntactic check |
Data field: typically includes the offending attribute (type, length, value). Missing Well-known Attribute includes only the Type Code.
Code 4: Hold Timer Expired
No subcodes. Sent when no KEEPALIVE, UPDATE, or NOTIFICATION arrives within the negotiated Hold Time.
Code 5: Finite State Machine Error
No subcodes in RFC 4271. RFC 6608 added subcodes:
| Subcode | Name |
|---|---|
| 1 | Receive Unexpected Message in OpenSent State |
| 2 | Receive Unexpected Message in OpenConfirm State |
| 3 | Receive Unexpected Message in Established State |
Code 6: Cease
Administrative or resource-driven session teardown. RFC 4486 defined subcodes:
| Subcode | Name | Common trigger |
|---|---|---|
| 1 | Maximum Number of Prefixes Reached | Prefix limit exceeded |
| 2 | Administrative Shutdown | Operator-initiated (carries shutdown message) |
| 3 | Peer De-configured | Neighbor removed from configuration |
| 4 | Administrative Reset | Session cleared by operator |
| 5 | Connection Rejected | Inbound connection refused |
| 6 | Other Configuration Change | Config change requires session reset |
| 7 | Connection Collision Resolution | Lost collision detection |
| 8 | Out of Resources | Memory or CPU exhaustion |
RFC 7606: Revised UPDATE error handling
The original model resets the session for any UPDATE error. RFC 7606 changes this for most attribute-level errors:
| Condition | RFC 4271 action | RFC 7606 action |
|---|---|---|
| Malformed well-known mandatory attribute | Session reset | Treat-as-withdraw |
| Unrecognized well-known attribute | Session reset | Treat-as-withdraw |
| Attribute flags error | Session reset | Treat-as-withdraw |
| Invalid NEXT_HOP | Log and ignore route | Treat-as-withdraw |
| Malformed optional transitive attribute | Session reset | Treat-as-withdraw |
| Missing well-known attribute | Session reset | Treat-as-withdraw |
“Treat-as-withdraw” means: the routes in that UPDATE are removed from Adj-RIB-In as if a withdrawal was received, but the session remains up. Other routes from the same peer are unaffected.
Conditions that still require session reset under RFC 7606:
- Malformed Attribute List (structural corruption)
- Any error that makes it impossible to determine which NLRI are affected
NEXT_HOP semantic checking
NEXT_HOP has two validation layers:
Semantic errors do not trigger a NOTIFICATION — the route is logged and ignored, keeping the session alive.
Connection collision detection
When two peers simultaneously initiate TCP connections, both reach OpenSent or OpenConfirm. Upon receiving an OPEN from a peer that already has another connection in OpenConfirm:
- Compare BGP Identifiers as 4-octet unsigned integers
- Higher ID wins — the connection initiated by the higher-ID speaker survives
- The loser sends Cease NOTIFICATION on the duplicate connection
A collision with an existing Established session keeps the Established connection and closes the new one (unless CollisionDetectEstablishedState is enabled).
Operational impact
Session flaps from UPDATE errors (pre-7606)
A single malformed UPDATE from a peer resets the entire session. For a peer advertising 900k+ prefixes, this means full re-convergence. RFC 7606 support is critical for production stability.
Hold Timer tuning
The default 180-second Hold Time (60-second keepalive) is conservative. Some operators reduce to 9/3 seconds for fast detection, but this risks false positives on congested control planes. RFC 9687 adds a Send Hold Timer that detects a stuck local TCP socket (peer appears up but never drains the buffer).
Prefix limits
Max-prefix limits (Cease subcode 1) are a defense against route leaks and hijacks. Operators configure thresholds per address family per peer.