Debugging MikroTik BGP Peering Problems: A Complete Troubleshooting Guide

BGP peering failures disrupt networks without warning. MikroTik RouterOS handles BGP differently than Cisco or Juniper platforms. Network engineers need specific knowledge to debug BGP issues in MikroTik environments effectively.

This guide provides practical solutions for MikroTik BGP troubleshooting. You will learn to identify, diagnose, and resolve BGP peering problems using RouterOS tools and commands. For the configuration side, see "BGP on MikroTik: A Complete Configuration Guide".

Understanding MikroTik BGP Fundamentals

BGP States in RouterOS

MikroTik BGP sessions progress through six states:

  1. Idle – BGP waits to start. No connection attempts occur.
  2. Connect – Router initiates TCP connection to peer.
  3. Active – TCP connection failed. Router tries again.
  4. OpenSent – TCP established. OPEN message sent.
  5. OpenConfirm – OPEN received. KEEPALIVE sent.
  6. Established – Session operational. Routes exchange.

Check current state using:

/routing bgp peer print status

MikroTik BGP Architecture Overview

RouterOS organizes BGP configuration into three main components:

  • BGP Instance – Defines router-ID, AS number, and redistribution settings
  • BGP Peers – Configures neighbor relationships and session parameters
  • Routing Filters – Controls route advertisement and acceptance

Essential MikroTik BGP Debugging Commands and Tools

Command Line Tools

Master these essential BGP debugging commands:

View Peer Status

/routing bgp peer print status
Flags: X - disabled, E - established 
 0 E name="ISP1" instance=default remote-address=203.0.113.1 remote-as=65001 
     tcp-md5-key="" nexthop-choice=default multihop=no route-reflect=no 
     hold-time=3m ttl=255 in-filter="" out-filter="" address-families=ip 
     default-originate=never remove-private-as=no as-override=no passive=no 
     use-bfd=no remote-id=203.0.113.1 local-address=203.0.113.2 
     uptime=1w3d4h55m36s prefix-count=524288 updates-sent=145 
     updates-received=892341 withdrawn-sent=12 withdrawn-received=4521 
     remote-hold-time=3m used-hold-time=3m used-keepalive-time=1m 
     refresh-capability=yes as4-capability=yes state=established

Monitor BGP Peer in Real-Time

/routing bgp peer monitor ISP1
        remote-address: 203.0.113.1
          remote-as: 65001
               state: established
              uptime: 1w3d4h56m12s
        prefix-count: 524288
       updates-sent: 145
   updates-received: 892342
     withdrawn-sent: 12
 withdrawn-received: 4521

Check Advertised Routes

/routing bgp advertisements print where peer=ISP1
Flags: U - unreachable, S - suppressed 
 0   peer=ISP1 dst=10.0.0.0/24 nexthop=203.0.113.2 origin=0 
     local-pref=100 as-path="65002" atomic-aggregate=no

View BGP Networks

/routing bgp network print
Flags: X - disabled, A - active 
 0 A network=10.0.0.0/24 synchronize=no

Filter BGP Logs

/log print where topics~"bgp"

Winbox Monitoring Features

Winbox provides visual BGP monitoring tools:

  • Navigate to Routing → BGP → Peers for session status
  • Double-click any peer to see detailed statistics
  • Use Routing → BGP → Advertisements to view advertised prefixes
  • Check IP → Routes and filter by BGP to see received routes

Advanced Debugging with Packet Sniffer

Capture BGP packets for deep analysis:

/tool sniffer
set filter-port=179 filter-protocol=tcp
start duration=60 file-name=bgp-capture

Download the capture file and analyze it with Wireshark. Look for:

  • TCP handshake completion
  • BGP OPEN message exchanges
  • NOTIFICATION messages indicating errors
  • UPDATE message contents

Common MikroTik BGP Peering Problems and Solutions

BGP Session Won’t Establish

Problem 1: TCP Connection Issues

Symptoms:

  • BGP state stuck in “Connect” or “Active”
  • No TCP connection on port 179

Diagnosis Commands:

# Check if peer is reachable
/ping 203.0.113.1 count=5

# Verify TCP connectivity
/system telnet 203.0.113.1 port=179

# Check firewall rules
/ip firewall filter print where dst-port=179 or src-port=179

Common Solutions:

1. Add firewall accept rules:

/ip firewall filter add chain=input protocol=tcp dst-port=179 \
    src-address=203.0.113.1 action=accept place-before=0 \
    comment="Allow BGP from ISP1"
    
/ip firewall filter add chain=output protocol=tcp src-port=179 \
    dst-address=203.0.113.1 action=accept place-before=0 \
    comment="Allow BGP to ISP1"

2. Fix MTU issues:

/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=1420 passthrough=yes \
    comment="Clamp TCP MSS for BGP"

3. Ensure NAT bypass for BGP:

/ip firewall nat add chain=srcnat src-address=203.0.113.2 \
    dst-address=203.0.113.1 protocol=tcp dst-port=179 \
    action=accept place-before=0 comment="Bypass NAT for BGP"

Problem 2: Authentication Failures

Symptoms:

  • TCP connects but BGP fails
  • Log shows “BGP: Authentication failed”

Solution:

# Set MD5 password (must match on both peers)
/routing bgp peer set ISP1 tcp-md5-key="SecurePassword123"

# Enable BGP debugging
/system logging add topics=bgp,!packet action=memory

Problem 3: Router-ID Conflicts

Symptoms:

  • BGP establishes then immediately drops
  • Error: “Bad router-id”

Solution:

# Set explicit router-id
/routing bgp instance set default router-id=10.0.0.1

# Verify router-id
/routing bgp instance print

BGP Session Flapping

Problem 1: Hold Timer Mismatches

Configuration Fix:

# Standard hold time configuration
/routing bgp peer set ISP1 hold-time=180s keepalive-time=60s

# For sensitive links, use BFD
/routing bfd interface add interface=ether1 interval=100ms min-rx=100ms
/routing bgp peer set ISP1 use-bfd=yes

Problem 2: Resource Limitations

Check Resources:

/system resource print
                  uptime: 5w3d12h47m8s
                 version: 7.11.2 (stable)
              build-time: Aug/31/2023 10:45:21
        factory-software: 7.1
             free-memory: 245.8MiB
            total-memory: 1024.0MiB
                     cpu: Intel(R)
               cpu-count: 4
           cpu-frequency: 2400MHz
                cpu-load: 45%
          free-hdd-space: 46.7MiB
         total-hdd-space: 128.0MiB

Solutions for Memory Issues:

# Limit maximum prefixes
/routing bgp peer set ISP1 max-prefix-limit=550000 max-prefix-restart-time=120

# Enable route filtering to reduce memory usage
/routing filter add chain=bgp-in-ISP1 prefix=0.0.0.0/0 prefix-length=8-24 \
    action=accept comment="Accept only /8 to /24"
    
/routing filter add chain=bgp-in-ISP1 action=reject \
    comment="Reject everything else"
    
/routing bgp peer set ISP1 in-filter=bgp-in-ISP1

Route Advertisement Problems

Routes Not Being Advertised

Diagnosis:

# Check if network is added to BGP
/routing bgp network print

# Verify route exists in routing table
/ip route print where dst-address=10.0.0.0/24

# Check outbound filters
/routing filter print where chain~"out"

Solution Example:

# Add network to BGP
/routing bgp network add network=10.0.0.0/24 synchronize=no

# Create outbound filter
/routing filter add chain=bgp-out-ISP1 prefix=10.0.0.0/24 \
    action=accept set-bgp-prepend=2 comment="Advertise local network"
    
/routing filter add chain=bgp-out-ISP1 action=reject \
    comment="Don't advertise anything else"

/routing bgp peer set ISP1 out-filter=bgp-out-ISP1

Routes Not Being Received

Common Causes and Fixes:

1. Check inbound filters:

/routing filter print where chain~"in"

# Create permissive filter for testing
/routing filter add chain=bgp-in-test action=accept \
    comment="Accept all for testing"
    
/routing bgp peer set ISP1 in-filter=bgp-in-test

2. Verify next-hop reachability:

# Check if next-hop is reachable
/ip route print where dst-address=203.0.113.1

# Force next-hop change if needed
/routing bgp peer set ISP1 nexthop-choice=force-self

MikroTik-Specific BGP Quirks and Gotchas

RouterOS Version Differences

Version 6 vs Version 7 BGP Configuration

RouterOS v6 syntax:

/routing bgp instance set default as=65002 router-id=10.0.0.1
/routing bgp peer add remote-address=203.0.113.1 remote-as=65001

RouterOS v7 syntax:

/routing bgp connection add remote.address=203.0.113.1 remote.as=65001 \
    local.role=ebgp name=ISP1 routing-table=main

Hardware Limitations

BGP performance varies by platform:

Platform         Full Table Capability    Recommended Max Prefixes    Convergence Time
CCR1009          Yes (with 2GB+ RAM)      1,000,000                   45-60 seconds
CCR1036          Yes                      2,000,000                   30-45 seconds
hEX              No                       5,000                       5-10 seconds
CHR (4GB RAM)    Yes                      2,000,000                   20-30 seconds

Step-by-Step BGP Troubleshooting Methodology

Systematic Troubleshooting Approach

1: Verify Physical and IP Connectivity

# Check interface status
/interface print where name=ether1

# Test IP connectivity
/ping 203.0.113.1 count=5 size=1400

# Verify routing to peer
/ip route print where 203.0.113.1 in dst-address

2: Validate BGP Configuration

# Check BGP instance
/routing bgp instance print

# Verify peer configuration
/routing bgp peer print detail

# Review filter chains
/routing filter print

3: Analyze BGP Session State

# Current state and statistics
/routing bgp peer print status

# Monitor state changes
/routing bgp peer monitor ISP1

# Check BGP logs
/log print where topics~"bgp" time>2h

4: Examine Route Tables

# Check received routes
/ip route print where received-from=ISP1

# Verify advertised routes
/routing bgp advertisements print where peer=ISP1

# Analyze BGP route selection
/ip route print detail where bgp-as-path!=""

Quick Troubleshooting Decision Tree

  1. Is TCP connection established?
    • No → Check firewall, NAT, routing
    • Yes → Continue to step 2
  2. Is BGP session in Established state?
    • No → Check MD5, timers, router-id
    • Yes → Continue to step 3
  3. Are routes being received?
    • No → Check inbound filters, prefix limits
    • Yes → Continue to step 4
  4. Are routes being advertised?
    • No → Check networks, outbound filters
    • Yes → BGP operational
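
The decision tree above can be applied to saved peer status output. This is an added example, not code from the original guide: the sample text is constructed in the key=value layout shown earlier, the peer names ISP3 to ISP5 are made up, and treating updates-sent=0 as "nothing advertised" is this example's heuristic.

```python
import shlex

# Constructed sample in the layout of "/routing bgp peer print status".
SAMPLE = '''Flags: X - disabled, E - established
 0 E name="ISP1" remote-address=203.0.113.1 remote-as=65001
     prefix-count=524288 updates-sent=145 state=established
 1 E name="ISP2" remote-address=203.0.113.5 remote-as=65002
     prefix-count=0 updates-sent=3 state=established
 2   name="ISP3" remote-address=203.0.113.9 remote-as=65003
     state=active
 3 E name="ISP4" remote-address=203.0.113.13 remote-as=65004
     prefix-count=120 updates-sent=0 state=established
 4   name="ISP5" remote-address=203.0.113.17 remote-as=65005
     state=opensent
'''

def parse_peers(text):
    """Return one dict of key=value fields per peer record."""
    peers = []
    for line in text.splitlines():
        tokens = shlex.split(line)          # strips the quotes around values
        if not tokens or tokens[0] == "Flags:":
            continue
        if tokens[0].isdigit():             # a record index starts a new peer
            peers.append({})
        for tok in tokens:
            key, sep, value = tok.partition("=")
            if sep and peers:               # skips the index and flag letters
                peers[-1][key] = value
    return peers

def triage(peer):
    """Map a peer to (failed step, next checks) following the decision tree."""
    state = peer.get("state", "idle")
    if state in ("idle", "connect", "active"):
        return 1, "check firewall, NAT, routing"
    if state != "established":
        return 2, "check MD5, timers, router-id"
    if int(peer.get("prefix-count", "0")) == 0:
        return 3, "check inbound filters, prefix limits"
    # Heuristic (assumption): no updates sent means nothing is advertised.
    if int(peer.get("updates-sent", "0")) == 0:
        return 4, "check networks, outbound filters"
    return 0, "BGP operational"

def report(text):
    return {p["name"]: triage(p) for p in parse_peers(text)}

if __name__ == "__main__":
    for name, (step, action) in report(SAMPLE).items():
        print(f"{name}: step {step}: {action}")
```
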

Real-World Case Studies

Case 1: Multi-homed ISP Connection Issues

Scenario: Company has two ISP connections. Primary ISP works fine. Backup ISP session establishes but no routes received.

Debugging Process:

# Check both peer statuses
/routing bgp peer print status
Flags: X - disabled, E - established 
 0 E name="ISP1" remote-as=65001 state=established prefix-count=524288
 1 E name="ISP2" remote-as=65002 state=established prefix-count=0

Problem Found: ISP2 requires specific BGP communities to send routes.

Solution:

# Create inbound filter with community setting
/routing filter add chain=bgp-in-ISP2 \
    set-bgp-communities=65002:100 action=accept \
    comment="Set required community for ISP2"
    
/routing bgp peer set ISP2 in-filter=bgp-in-ISP2

# After applying filter, routes appear
/routing bgp peer print status where name=ISP2
Flags: X - disabled, E - established 
 0 E name="ISP2" remote-as=65002 state=established prefix-count=450231

Case 2: iBGP Full Mesh Problems

Scenario: Internal BGP between three routers. Routes from Router1 don’t reach Router3.

Configuration on Router2 (Route Reflector):

# Configure Router2 as route reflector
/routing bgp instance set default client-to-client-reflection=yes

# Set clients
/routing bgp peer set Router1 route-reflect=yes
/routing bgp peer set Router3 route-reflect=yes

# Add cluster-id for loop prevention
/routing bgp instance set default cluster-id=10.0.0.2

Case 3: BGP Over IPSec Tunnels

Scenario: BGP session over IPSec tunnel constantly flaps.

Problem: MTU issues causing BGP packet fragmentation.

Solution:

# Set tunnel MTU
/interface ipip set ipip-tunnel1 mtu=1400

# Configure TCP MSS clamping
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    in-interface=ipip-tunnel1 action=change-mss new-mss=1360

# Adjust BGP timers for tunnel
/routing bgp peer set RemoteSite hold-time=240s keepalive-time=80s

Proactive BGP Monitoring and Prevention

Setting Up Effective Logging

# Configure BGP-specific logging
/system logging add topics=bgp,!packet action=disk prefix=BGP

# Add critical BGP events to syslog
/system logging action add name=remote target=remote \
    remote=192.168.1.100 remote-port=514
    
/system logging add topics=bgp,error,critical action=remote

Automated Monitoring Scripts

BGP Session Monitor Script:

/system script add name=bgp-monitor source={
    :local peer "ISP1"
    :local state [/routing bgp peer get $peer state]
    :if ($state != "established") do={
        /tool e-mail send to="noc@company.com" \
            subject="BGP Alert: $peer is $state" \
            body="BGP peer $peer is in state: $state"
        :log error "BGP peer $peer is down - state: $state"
    }
}

# Schedule to run every 5 minutes
/system scheduler add name=bgp-check interval=5m on-event=bgp-monitor

Prefix Count Monitor:

/system script add name=prefix-monitor source={
    :local maxPrefixes 550000
    :local peer "ISP1"
    :local currentPrefixes [/routing bgp peer get $peer prefix-count]
    
    :if ($currentPrefixes > $maxPrefixes) do={
        :log warning "High prefix count from $peer: $currentPrefixes"
        /routing bgp peer disable $peer
        :delay 60s
        /routing bgp peer enable $peer
    }
}

BGP Best Practices for MikroTik

  • Always use prefix lists:

/ip firewall address-list add list=our-networks address=10.0.0.0/8
/ip firewall address-list add list=our-networks address=192.168.0.0/16

/routing filter add chain=bgp-out prefix-list=our-networks action=accept
/routing filter add chain=bgp-out action=reject

  • Implement bogon filtering:

/routing filter add chain=bgp-in prefix=0.0.0.0/8 action=reject
/routing filter add chain=bgp-in prefix=10.0.0.0/8 action=reject
/routing filter add chain=bgp-in prefix=127.0.0.0/8 action=reject
/routing filter add chain=bgp-in prefix=169.254.0.0/16 action=reject
/routing filter add chain=bgp-in prefix=172.16.0.0/12 action=reject
/routing filter add chain=bgp-in prefix=192.168.0.0/16 action=reject
/routing filter add chain=bgp-in prefix=224.0.0.0/4 action=reject

  • Regular configuration backups:

/system backup save name=bgp-config-backup
/export file=bgp-config-text
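
Before attaching an inbound policy to a live peer, it helps to run a list of prefixes through it offline. The following is an added example, not part of the original guide or of RouterOS: it assumes the bogon rejects above sit ahead of the /8 to /24 accept rule from the memory section in one chain, that each bogon entry is meant to cover every more-specific prefix inside the block, and that only IPv4 is carried. The received prefixes are constructed.

```python
import ipaddress

# Bogon blocks copied from the filter list above.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
MIN_LEN, MAX_LEN = 8, 24      # the "Accept only /8 to /24" rule

def evaluate(prefix):
    """Return (action, reason) for one received prefix; first match wins."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return "reject", "malformed prefix"       # e.g. host bits set
    if net.version != 4:
        return "reject", "not IPv4"               # assumption: IPv4-only session
    for bogon in BOGONS:
        if net.subnet_of(bogon):                  # inside a bogon block
            return "reject", f"bogon {bogon}"
    if MIN_LEN <= net.prefixlen <= MAX_LEN:
        return "accept", f"length /{net.prefixlen}"
    return "reject", f"length /{net.prefixlen} outside /{MIN_LEN}-/{MAX_LEN}"

# Constructed sample of received prefixes.
RECEIVED = ["8.8.8.0/24", "10.20.0.0/16", "172.20.5.0/24", "203.0.113.0/25",
            "0.0.0.0/0", "100.64.0.0/10", "10.0.0.1/8"]

def audit(prefixes):
    """Evaluate every prefix and return {prefix: (action, reason)}."""
    return {p: evaluate(p) for p in prefixes}

if __name__ == "__main__":
    for prefix, (action, reason) in audit(RECEIVED).items():
        print(f"{prefix:18} {action:7} {reason}")
```

Two results are worth noting: the default route 0.0.0.0/0 is rejected by the length rule, and 100.64.0.0/10 is accepted because the list above does not include it.
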

Advanced BGP Debugging Techniques

Using RouterOS API for BGP Analysis

Python script example for BGP monitoring:

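import os

import routeros_api

# Read credentials from the environment instead of hardcoding them
# (the variable names are this example's choice).
connection = routeros_api.RouterOsApiPool(
    '192.168.88.1',
    username=os.environ['ROUTEROS_USER'],
    password=os.environ['ROUTEROS_PASSWORD'],
    plaintext_login=True,  # login method used by RouterOS 6.43 and later
    use_ssl=True,          # needs the api-ssl service and a certificate the client trusts
)
api = connection.get_api()

try:
    # Get BGP peer status
    bgp_peers = api.get_resource('/routing/bgp/peer')
    for peer in bgp_peers.get():
        # .get() avoids a KeyError if a peer record omits a status field
        print(f"Peer: {peer.get('name')}, State: {peer.get('state')}, "
              f"Prefixes: {peer.get('prefix-count')}")
finally:
    # Close the API session even if a query fails
    connection.disconnect()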

Traffic Engineering Debugging

Verify BGP community handling:

# Check received communities
/ip route print detail where received-from=ISP1
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 ADb  dst-address=8.8.8.0/24 gateway=203.0.113.1
        gateway-status=203.0.113.1 reachable via ether1 distance=20
        scope=40 target-scope=30 bgp-as-path="65001,15169"
        bgp-communities=65001:100,65001:200 bgp-origin=igp
        received-from=ISP1

# Set local preference based on community
/routing filter add chain=bgp-in \
    bgp-communities=65001:100 \
    set-bgp-local-pref=150 \
    action=accept

BGP Load Balancing Configuration

# Enable ECMP for BGP
/routing bgp instance set default load-balance=yes

# Configure multiple peers with same preference
/routing bgp peer set ISP1 in-filter=set-pref-100
/routing bgp peer set ISP2 in-filter=set-pref-100

# Create preference filters
/routing filter add chain=set-pref-100 \
    set-bgp-local-pref=100 action=accept

# Verify ECMP routes
/ip route print where dst-address=0.0.0.0/0
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
 0 ADb  dst-address=0.0.0.0/0 gateway=203.0.113.1
        gateway-status=203.0.113.1 reachable via ether1
 1 ADb  dst-address=0.0.0.0/0 gateway=203.0.113.5
        gateway-status=203.0.113.5 reachable via ether2

Quick Reference Command Cheat Sheet

Essential BGP Commands

# Quick status check
/routing bgp peer pr st

# Monitor specific peer
/routing bgp peer monitor [find name=ISP1]

# Request a route refresh from the peer / resend our updates to it
# (neither command tears down the session)
/routing bgp peer refresh ISP1
/routing bgp peer resend ISP1

# Emergency disable all BGP
/routing bgp peer disable [find]

# View BGP routes only
/ip route print where bgp-as-path!=""

# Check BGP memory usage
/routing bgp instance print stats

# Export BGP configuration
/routing bgp export file=bgp-backup

# Clear BGP route cache
/routing bgp peer clear-cache [find]

Common Filter Examples

# Accept default route only
/routing filter add chain=bgp-in-default \
    prefix=0.0.0.0/0 action=accept
/routing filter add chain=bgp-in-default action=reject

# AS-PATH prepending
/routing filter add chain=bgp-out-prepend \
    prefix=10.0.0.0/24 \
    set-bgp-prepend=3 \
    action=accept

# Set MED (metric)
/routing filter add chain=bgp-out \
    set-bgp-med=100 \
    action=accept

# Filter by AS-PATH regex
/routing filter add chain=bgp-in \
    bgp-as-path="^65001_[0-9]+$" \
    action=accept

Troubleshooting Checklist

  1. ☐ Physical connectivity verified
  2. ☐ IP connectivity confirmed (ping works)
  3. ☐ TCP port 179 accessible (telnet test)
  4. ☐ Firewall rules checked
  5. ☐ NAT rules reviewed
  6. ☐ BGP configuration validated
  7. ☐ MD5 passwords match
  8. ☐ Router-IDs unique
  9. ☐ AS numbers correct
  10. ☐ Timers compatible
  11. ☐ Filters reviewed
  12. ☐ Routes in table
  13. ☐ Memory adequate
  14. ☐ CPU usage normal
  15. ☐ Logs checked

Conclusion

Key Takeaways

  1. Always verify Layer 3 connectivity first – BGP requires working IP connectivity
  2. Check firewall and NAT rules – Common cause of BGP failures in MikroTik
  3. Monitor resource usage – Full BGP tables require adequate memory
  4. Use filters extensively – Protect your network and control routing
  5. Implement monitoring before problems occur – Proactive monitoring prevents outages

Action Items

  • Audit your current BGP configurations
  • Implement the monitoring scripts provided
  • Document your BGP topology and filters
  • Create a troubleshooting runbook using this guide
  • Test your backup BGP sessions regularly

Further Learning

Enhance your BGP expertise with these resources:

  • MikroTik Certified Routing Engineer (MTCRE) certification
  • RFC 4271 – Border Gateway Protocol 4 specification
  • MikroTik Wiki BGP documentation
  • BGP labs using EVE-NG or GNS3 with CHR images

BGP troubleshooting in MikroTik requires systematic approaches and platform-specific knowledge. This guide provides the tools and techniques to resolve BGP issues efficiently. Implement these practices to maintain stable BGP operations in your MikroTik network.

