Learn about the INC_SC_PRIMARY_WAN_BGP_DOWN incident.
Synopsis
The primary WAN BGP for the service connection is down.
Incident Code—INC_SC_PRIMARY_WAN_BGP_DOWN
Severity—Warning
Required License
Prisma Access
Details
Raise condition
The tunnel's BGP peer is down for at least 10 minutes.
Clear condition
The tunnel's BGP peer is up for at least 8 minutes.
Correlated Alerts
AL_SC_PRIMARY_WAN_BGP_DOWN
AL_SC_PRIMARY_WAN_BGP_FLAP
Remediation
1. Confirm whether the IPSec tunnel is active. If the tunnel is up but BGP
   is still down, proceed to step 2. If the IPSec tunnel is down, proceed to
   step 4.
2. Perform a ping from your machine to the SC's BGP peer to
   confirm whether it fails. If the ping fails, go to step 3. If
   the ping succeeds, proceed to step 4.
3. Perform traceroute to the BGP peer to see whether
   traceroute is failing within your network. If it is, work
   with your network team to resolve the connectivity issue. If
   traceroute is failing outside of your network, contact
   your ISP. If it is still not resolved, open a case on the
   Palo Alto Networks Customer Support Portal and
   provide all of the above information.
4. Review for any resource utilization issues on the device where this tunnel
   terminates. If there are any in-path devices prior to the terminating device,
   review there as well.
5. Perform ping and traceroute to review for any latency inconsistencies
   or packet loss between the site and the Prisma Access location.
   Contact your ISP if there is packet loss. If there is no packet loss
   or results are inconclusive:
   a. Isolate some test traffic and perform packet captures.
   b. Check for any out-of-order TCP segments, lost segments, or
      retransmissions, which might indicate packet loss through the
      tunnel.
   c. If you observe these issues, take packet captures of the ESP traffic, so
      you can check the public IP addresses between the Prisma Access
      location service IP address and the remote VPN peer IP address.
   d. Review for gaps in the ESP sequence numbers, which indicate in-path
      packet loss, or out-of-order ESP sequence numbers, which indicate
      reordering by a network device in the path.
6. If there are other network devices in the path prior to the terminating device,
   perform steps a through d to help
   isolate the problematic network device.
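The ESP sequence-number review described above can be scripted once the ESP packets have been extracted from a capture. The following Python sketch is an added example, not Palo Alto Networks code: the function names and the sample packets are constructed for illustration, and it assumes 32-bit sequence numbers with no wraparound inside the capture.

```python
import struct
from collections import defaultdict

def parse_esp_header(payload: bytes):
    """Return (spi, seq) from the 8-byte ESP header (RFC 4303)."""
    if len(payload) < 8:
        raise ValueError("ESP header needs at least 8 bytes")
    return struct.unpack("!II", payload[:8])

def analyze_esp(payloads):
    """Classify sequence numbers per SPI, in capture (arrival) order.

    missing   : never seen in the capture -> in-path packet loss
    reordered : arrived after a higher number -> reordering in the path
    duplicates: seen more than once
    """
    by_spi = defaultdict(list)  # each direction of the tunnel has its own SPI
    for payload in payloads:
        spi, seq = parse_esp_header(payload)
        by_spi[spi].append(seq)

    report = {}
    for spi, seqs in by_spi.items():
        observed, reordered, duplicates = set(), [], []
        highest = seqs[0]
        for seq in seqs:
            if seq in observed:
                duplicates.append(seq)
            elif seq < highest:
                reordered.append(seq)
            observed.add(seq)
            highest = max(highest, seq)
        ordered = sorted(observed)
        missing = [m for a, b in zip(ordered, ordered[1:]) for m in range(a + 1, b)]
        report[spi] = {"missing": missing, "reordered": reordered,
                       "duplicates": duplicates}
    return report

def esp(spi, seq):
    """Build a constructed ESP packet: SPI, sequence number, dummy ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16

# Constructed sample: SPI 0x1001 loses 7 and 8 and delivers 4 late; 0x2002 is clean.
SAMPLE = [esp(0x1001, s) for s in (1, 2, 3, 5, 4, 6, 9, 10)] + \
         [esp(0x2002, s) for s in (100, 101, 102)]

if __name__ == "__main__":
    for spi, result in analyze_esp(SAMPLE).items():
        print(f"SPI {spi:#x}: {result}")
```

Running the same analysis on captures taken at each in-path device shows where the missing or reordered sequence numbers first appear.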