Troubleshoot BGP peering
This guide is for troubleshooting peering issues, such as MD5
authentication or on-premises routes without MED values having priority.
BGP peer status is MD5_AUTH_INTERNAL_PROBLEM
Sometimes the status of a BGP peer includes the following values:
- md5AuthEnabled: true
- statusReason: MD5_AUTH_INTERNAL_PROBLEM
The first value indicates that you have successfully configured MD5
authentication. However, the second value, a statusReason value of
MD5_AUTH_INTERNAL_PROBLEM, indicates that an internal error has prevented
Cloud Router from being able to configure MD5 authentication. For that
reason, the BGP session status is DOWN. In this case, you don't need to do
anything. Cloud Router tries to recover and bring the session back up. If the
session is taking more than one hour to come back up, contact Google Cloud
Support.
Cloud Router and peer use different MD5 keys
When you set up MD5 authentication, the Cloud Router and its peer router must
use the same secret authentication key. If a mismatch occurs, the two routers
cannot communicate. If you think that there's been a mismatch, one solution is
to update the key that is used by the Cloud Router. For information about how
to make this change, see Update the authentication key.
If you're not sure whether there's been a key mismatch, look for troubleshooting
solutions in your peer router's documentation. Many routers have logs that
record whether or not there's been a key mismatch.
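The status check and the key-mismatch guidance above can be combined into one triage pass over the router status. This is an added example, not Google's code: the JSON is a constructed sample assumed to be shaped like the `result.bgpPeerStatus` list from `gcloud compute routers get-status --format=json`, and the action labels and `triage_peers` helper are hypothetical.

```python
import json

# Constructed sample; peer names and addresses are made up.
SAMPLE_STATUS = json.loads("""
{"result": {"bgpPeerStatus": [
  {"name": "peer-a", "peerIpAddress": "169.254.0.2", "status": "UP",
   "md5AuthEnabled": true},
  {"name": "peer-b", "peerIpAddress": "169.254.1.2", "status": "DOWN",
   "md5AuthEnabled": true, "statusReason": "MD5_AUTH_INTERNAL_PROBLEM"},
  {"name": "peer-c", "peerIpAddress": "169.254.2.2", "status": "DOWN",
   "md5AuthEnabled": true},
  {"name": "peer-d", "peerIpAddress": "169.254.3.2", "status": "DOWN"}
]}}
""")

ESCALATE_AFTER_SECONDS = 3600  # the one-hour threshold stated on this page


def triage_peers(status, first_seen, now):
    """Map each peer name to a suggested action.

    first_seen maps peer name -> epoch seconds at which the internal
    problem was first observed; it is updated in place so repeated
    polls can measure how long the condition has lasted.
    """
    actions = {}
    for peer in status.get("result", {}).get("bgpPeerStatus", []):
        name = peer["name"]
        md5 = peer.get("md5AuthEnabled", False)
        if md5 and peer.get("statusReason") == "MD5_AUTH_INTERNAL_PROBLEM":
            # Cloud Router retries on its own; escalate only after an hour.
            started = first_seen.setdefault(name, now)
            overdue = now - started > ESCALATE_AFTER_SECONDS
            actions[name] = "contact-support" if overdue else "wait-for-recovery"
            continue
        first_seen.pop(name, None)  # condition cleared, reset the timer
        if peer.get("status") == "UP":
            actions[name] = "ok"
        elif md5:
            # Heuristic: DOWN with MD5 on and no internal-problem reason is
            # a candidate key mismatch; confirm in the peer router's logs.
            actions[name] = "check-key-mismatch"
        else:
            actions[name] = "not-md5-related"
    return actions
```

Call `triage_peers` on each poll with the same `first_seen` dictionary so the one-hour timer carries over between runs.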
Auto generated MD5 key is longer than on-premises device can support
You can auto generate the MD5 key by clicking Generate and Copy in the UI
console. For more information, see Add authentication to an existing
session. If the
auto generated MD5 key is longer than your on-premises device can support, you can
configure the MD5 key manually through the UI, the Google Cloud CLI, or the API.
On-premises routes without a MED value are taking priority
If the Cloud Router receives an on-premises route that doesn't have a
MED value, the Cloud Router follows the behavior described in RFC
4271.
The Cloud Router treats the route with the highest
priority by assuming the lowest possible MED value (0).
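The effect of a missing MED is easiest to see by running the MED comparison step from RFC 4271 section 9.1.2.2 on two routes. This is an added example, not Cloud Router's implementation: it models only the MED step, assumes all earlier tie-breakers are equal, and the `Route` class, prefixes, next hops and AS number are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    neighbor_as: int
    med: Optional[int] = None  # None means the MED attribute is absent


def effective_med(route: Route) -> int:
    # RFC 4271: a route with no MULTI_EXIT_DISC attribute is treated as
    # having the lowest possible value, 0.
    return 0 if route.med is None else route.med


def med_tiebreak(routes: List[Route]) -> List[Route]:
    """Drop every route that another route from the same neighbor AS
    beats with a strictly lower effective MED."""
    return [
        m for m in routes
        if not any(
            n.neighbor_as == m.neighbor_as
            and effective_med(n) < effective_med(m)
            for n in routes
        )
    ]


def routes_missing_med(routes: List[Route]) -> List[Route]:
    """Routes worth auditing on the on-premises side."""
    return [r for r in routes if r.med is None]


# Constructed scenario: the intended primary path advertises MED 100, while
# the intended backup path advertises the same prefix with no MED at all.
PRIMARY = Route("10.20.0.0/16", "169.254.0.2", 65010, med=100)
BACKUP_NO_MED = Route("10.20.0.0/16", "169.254.1.2", 65010)
# The correction: give the backup an explicit MED higher than the primary's.
BACKUP_FIXED = replace(BACKUP_NO_MED, med=200)

if __name__ == "__main__":
    print(med_tiebreak([PRIMARY, BACKUP_NO_MED]))  # backup wins unexpectedly
    print(med_tiebreak([PRIMARY, BACKUP_FIXED]))   # primary wins as intended
```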
What's next
For more information about how to use Cloud Logging to monitor
Cloud Router, see View logs and metrics.
Last updated 2025-09-04 UTC.