Your company uses multi-vendor routing platforms (Cisco and Juniper) and has multiple sites connected via MPLS from a service provider.
Each remote site has a GRE tunnel to the Headquarters (HQ) and a BGP session over this tunnel, in order to learn prefixes that you don't want to exchange with your MPLS provider.

After attending a security training, your Security Team raised concerns about ICMP-based attacks and decided to block ICMP messages on all physical interfaces connected to outside networks, on all border routers in all sites. They implemented this protection as shown in the diagram below:

[Diagram: quiz-18-1]

Some time after the Security Team implemented the above changes, you notice that the BGP session with Site-2 (Juniper-based CE) has started to flap, impacting connectivity to this site.
After gathering more information, it seems that all Juniper-based CE sites are affected (the BGP sessions come up and try to exchange prefixes, but then a NOTIFICATION is received and BGP goes down), while the BGP sessions to the Cisco-based CE sites are OK.

What is the problem, and how would you solve it?

Post your answer in the 'Comments' section below and subscribe to this blog to get the detailed solution and more interesting quizzes.