Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




In life things may not go according to plan – and BGP networking is no exception. As you start using your secure routing table and deploying RPKI in your network, customers may notice that in rare situations some networks or IP addresses they want to access have become unreachable.

This chapter discusses steps you can take to find out whether a reported problem is the result of your routing security implementation. Do not expect a full BGP troubleshooting tutorial, just some tips and tricks and a few pointers on where to find additional information that can come in handy.


A good starting point for troubleshooting BGP is the Juniper Networks TechLibrary:

Check If a Destination is Present In the Routing Table

Junos OS uses two databases (tables) for routing information:

  • Routing table: Contains all the routing information learned by all routing protocols [RIB].

  • Forwarding table: Contains the routes actually used to forward packets [FIB].

Junos OS installs all active routes from the routing table into the forwarding table. The active routes are routes that are used to forward packets to their destinations. The Junos operating system kernel maintains a master copy of the forwarding table. It copies the forwarding table to the Packet Forwarding Engine, which is the component responsible for forwarding packets.

If a customer suggests that a certain prefix seems unreachable, you need to check the route(s) to that prefix. In order to make sure the route has been installed and the destination is reachable from your network, you should look in both the routing and forwarding table.

There are three ways to check the different tables:

  • show route <destination-prefix>: This will display the routing table entries.

  • show route forwarding-table destination <destination-prefix>: This will show the routing engine's version of the destination prefix in the forwarding table.

  • show pfe route ip prefix <destination-prefix>: This will show the forwarding table entry that is actually installed in each PFE.

In a perfect world the destination prefix will be visible in all three scenarios and should show an RPKI valida-tion-state: valid if it has a valid ROA and passed the RPKI validation.

Check RPKI Validation State of a Route

In order to check if a route is used, it is essential to be able to display information about the route validation database when RPKI route validation is configured. You can query all route validation records that match a given prefix or origin-autonomous-system. In addition, you can filter the output by a specific RPKI cache session:

Validation states can be any of the states defined in RFC 6811:

  • Valid

  • Invalid

  • Unknown

But also, another state that means “validation was not run against this at all”:

  • Unverified

Unverified is different from unknown; a route that is unverified might be any of valid, invalid, or unknown, if validation were attempted. Unverified basically means that Origin Validation (RPKI) simply isn’t enabled or isn’t running on your router.


For additional commands visit the Juniper TechLibrary: documentation/en_US/junos/topics/reference/command-summary/show-validation-database.html

Check If the RPKI Validator is Reachable and the Database is Up-to-Date

show validation statistics

This command shows statistics about the validation database. Obviously if you have enabled RPKI and the connection with the validator is working, you should see entries in the database:

Tech Library reference:

show validation database

This command shows you the actual content of the database:

Tech Library reference:

show validation session

If your validation database is empty or you want to check to see if your validators are still up and running, you can do so with the show validation session brief and show validation session detail commands:

Note that the third session in this output shows connect instead of up. This is most likely the result of configuring all three sessions under the same RPKI group; if you do so, only two sessions will come up and any additional ones will stay down if you don’t change the maximum number of validators per group.

show validation session detail

Re-Run Validation, Optionally, Against Only Specified Routes

When BGP origin validation is configured and for some reason the database gets corrupted, or you would like to refresh it, manually request a route validation policy to be reevaluated. This command causes dependent route validation records to be reevaluated. Dependent route validation records are exactly matching and more specific records:

Tech Library reference: