BGP routing issues, configs between firewalls and Cloud

Configured a VPN using BGP to the cloud provider at site A and everything worked as expected; then configured a VPN using BGP to the cloud provider at site B, and traffic from site A to site B broke.

12/9/2024


Looking at the logs, traffic from site A was reaching site B and then being routed by BGP through the cloud provider back to site A, because BGP was advertising that route as the shortest path.

For logs, look at your BGP summary and the BGP routing table to see where subnets are being routed.

In the example below, the site A subnets are on the left and the VPN next hop and interface are on the right:

get router info routing-table

allpath=router, objname=info, tablename=(null), size=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
B 10.11.7.1/24 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
B 10.11.8.0/26 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
B 10.12.1.0/28 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
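To spot this hairpin quickly on more than a handful of prefixes, the following added example (not from the original post) parses the "get router info routing-table" output and flags BGP routes that send subnets you expect to reach directly over the cloud VPN interface instead. The sample table, the "vpn-" interface naming and the local subnet list are constructed assumptions; the three BGP lines are the page's own values.

```python
import ipaddress
import re

# Constructed sample, modelled on the page's FortiGate routing-table output.
SAMPLE_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
C 10.11.7.0/24 is directly connected, internal1
C 10.12.1.0/28 is directly connected, internal2
B 10.11.7.1/24 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
B 10.11.8.0/26 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
B 10.12.1.0/28 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
S 0.0.0.0/0 [10/0] via 128.112.2.1, wan1
"""

# One BGP entry: code, prefix, [AD/metric], next hop, interface, uptime
BGP_LINE = re.compile(
    r"^B\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<nexthop>\S+),\s+(?P<iface>[^,]+),\s+(?P<uptime>\S+)"
)


def parse_bgp_routes(table_text):
    """Return the BGP ('B') entries of a routing-table listing as dicts."""
    routes = []
    for line in table_text.splitlines():
        m = BGP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            # strict=False tolerates host bits in the prefix, e.g. 10.11.7.1/24
            d["network"] = ipaddress.ip_network(d["prefix"], strict=False)
            routes.append(d)
    return routes


def find_hairpinned_routes(table_text, local_subnets, vpn_iface_prefix="vpn-"):
    """Flag BGP routes whose destination overlaps a subnet that should be reached
    directly (site-to-site) but is instead learned over a cloud VPN interface."""
    local = [ipaddress.ip_network(s) for s in local_subnets]
    flagged = []
    for r in parse_bgp_routes(table_text):
        if not r["iface"].strip().startswith(vpn_iface_prefix):
            continue
        if any(r["network"].overlaps(n) for n in local):
            flagged.append((r["prefix"], r["nexthop"], r["iface"].strip()))
    return flagged


if __name__ == "__main__":
    for prefix, nexthop, iface in find_hairpinned_routes(
            SAMPLE_TABLE, ["10.11.7.0/24", "10.12.1.0/28"]):
        print(f"hairpin: {prefix} via {nexthop} on {iface}")
```

Run it against the output of the same command on the site B firewall, with site A's subnets as the local list, and every flagged line is a prefix the cloud provider is re-advertising back to you.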

Create a BGP community list, then define a no-export rule so that routes advertised to the cloud provider are not propagated to external networks. Assign the new rule to the BGP neighbors on both site A and site B; this resolves the routing issue and traffic flows as designed.

Here is an example of what I did on site A:

1. Create community

config router community-list
    edit "no-export"
        config rule
            edit 1
                set action permit
                set match "no-export"
            next
        end
    next
end

2. Create route-map that matches the community

config router route-map
    edit "outbound to cloudprovider"
        config rule
            edit 1
                set match-community "no-export"
            next
        end
    next
end

3. Apply the route-map outbound on the BGP neighbor for the cloud provider

config router bgp
    config neighbor
        edit "128.112.2.214"
            set route-map-out "outbound to cloudprovider"
        next
    end
end

4. Clear the BGP sessions so the router picks up the new configuration

exec router clear bgp all