A BGP peer down status indicates that a Calico node cannot establish BGP sessions with its peers. Common causes include a firewall blocking TCP port 179, incorrect peer configuration, or network connectivity issues.
Calico uses BGP (Border Gateway Protocol) to route pod traffic between nodes. When a BGP peer is down, the Calico node cannot establish a BGP session with another node or route reflector, preventing proper network connectivity. This results in pods on different nodes being unable to communicate.
Verify node readiness and check BIRD BGP status:
kubectl get nodes
kubectl logs -n calico-system ds/calico-node
Look for "BIRD" related errors indicating BGP connectivity issues.
List configured BGP peers to verify correct configuration:
calicoctl get bgppeers -o yaml
calicoctl get bgpconfig -o yaml
Verify peer IPs, AS numbers, and node selectors are correct.
From the Calico node, test reachability to the peer on port 179:
kubectl exec -it -n calico-system ds/calico-node -- \
  nc -zv <peer-ip> 179
If the connection fails, check firewall rules.
Ensure network policies and host firewalls allow BGP:
# Check if port 179 is open
netstat -tlnp | grep 179
# Verify firewall rules (varies by OS)
iptables -L -n | grep 179
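# Allow BGP through ufw. This opens port 179 to every source; to scope it
# to a peer instead: sudo ufw allow from <peer-ip> to any port 179 proto tcp
sudo ufw allow 179
BGP keepalive requires synchronized clocks: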
date
ntpstat
chronyc tracking
If clocks are out of sync, synchronize using NTP or chrony.
Ensure the BGP peer IP is reachable from the node:
ping -c 3 <peer-ip>
traceroute <peer-ip>
If unreachable, verify network routes and connectivity.
Verify BGP configuration is not conflicting:
calicoctl get node <node-name> -o yaml | grep -A 5 asNumber
Ensure each node has a unique router ID and correct AS numbers.
If the configuration is correct but BGP is still down, restart the calico-node DaemonSet:
kubectl rollout restart daemonset/calico-node -n calico-system
Monitor logs during the restart to confirm BGP comes up.
For production, use route reflectors to reduce BGP mesh overhead in large clusters. Monitor BGP session status continuously using Prometheus. Verify MTU consistency across the network path, because MTU mismatches can cause BGP connection failures. For multi-datacenter deployments, ensure the BGP speakers on each side are properly configured. Consider using the calicoctl node status command for quick diagnostics.
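The quick diagnostic mentioned above can be scripted. The following is an added example, not part of the original page or of Calico: it filters calicoctl node status output down to the peers that are not up/Established. The function names sample_status and down_peers are hypothetical, the sample table is constructed, and the column order (PEER ADDRESS, PEER TYPE, STATE, SINCE, INFO) is an assumption about the status table layout.

```shell
#!/bin/sh
# Added example: list BGP peers that `calicoctl node status` does not
# report as up/Established. Sample data is constructed (192.0.2.0/24).

sample_status() {
cat <<'EOF'
Calico process is running.

IPv4 BGP status
+--------------+-------------------+-------+----------+-----------------------------------+
| PEER ADDRESS |     PEER TYPE     | STATE |  SINCE   |               INFO                |
+--------------+-------------------+-------+----------+-----------------------------------+
| 192.0.2.11   | node-to-node mesh | up    | 09:19:28 | Established                       |
| 192.0.2.12   | node-to-node mesh | start | 09:19:30 | Active Socket: Connection refused |
| 192.0.2.13   | global            | start | 09:20:02 | Connect                           |
+--------------+-------------------+-------+----------+-----------------------------------+

IPv6 BGP status
No IPv6 peers found.
EOF
}

# Reads node status text on stdin; prints one line per unhealthy peer.
down_peers() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Remember which address family the following table belongs to.
        /^IPv[46] BGP status/ { fam = substr($0, 1, 4); next }
        /^\|/ {
            addr = trim($2); state = trim($4); info = trim($6)
            # Skip the header row and any wrapped continuation row.
            if (addr == "" || addr == "PEER ADDRESS") next
            if (state != "up" || info != "Established")
                printf "%s %s state=%s info=%s\n", fam, addr, state, info
        }'
}

# Demo on the constructed sample. On a Calico node, pipe the real
# command instead: calicoctl node status | down_peers
sample_status | down_peers
```

An INFO value such as "Connection refused" points at the port 179 and firewall checks above, while a peer stuck in Connect points at reachability.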