Common fixes
Straight answers to the errors that send people to Google at 1am, then a lab to practice the fix until it sticks.
- BGP stuck in Active: A BGP neighbor stuck in Active means the router can't open a TCP session to the peer. The usual causes are a wrong remote-AS, no IP reachability, or TCP 179 being blocked. Here's how to find which.
- BGP established but no routes: Your BGP session is up but you're not receiving (or sending) any prefixes. The usual cause is nothing being advertised (a missing network statement or redistribution), not the session itself.
- Host can't reach another subnet: Routers can ping each other but hosts on different subnets can't reach each other. The cause is almost always a missing route, and remember a path is needed in both directions.
- OSPF stuck in EXSTART / EXCHANGE: OSPF neighbors stuck in EXSTART or EXCHANGE is the classic MTU-mismatch symptom. Here's why it happens and the handful of things to check.
- DHCP clients not getting an address across a router: Clients on a subnet a router-hop from the DHCP server lease nothing, because DHCP discovery is broadcast and routers don't forward broadcasts. The fix is a DHCP relay (ip helper-address) on the client-side interface, plus a route back to the client subnet.
- NAT port forward not working: An outside client can't reach an inside server through a port forward. The usual causes are a missing or wrong destination-NAT rule, no return path, the server not actually listening, or a firewall dropping the new connection.
- Wrong switch elected as spanning-tree root: Spanning tree elected the wrong root, so traffic takes a suboptimal path. With default priorities the switch with the lowest MAC wins by accident. The fix is to lower the priority on the switch you want as root.
- EtherChannel ports suspended (LACP not bundling): Port-channel members show suspended or independent and the bundle won't form. LACP is not negotiating: both sides passive, one side static 'on' against LACP, mismatched channel-group, or mismatched member settings.
- BGP not choosing the preferred path: BGP is choosing an upstream you didn't intend. Best-path selection runs a fixed order of tiebreakers; to control your own outbound choice use local-preference (or weight), and to influence inbound use AS-path prepending.
- OSPF taking the wrong path: OSPF is sending traffic over a low-bandwidth backup instead of the high-bandwidth path. OSPF picks the lowest total cost, and cost is derived from bandwidth, so on equal-cost or misjudged links it can pick the wrong one. Raise the cost on the backup or set it explicitly.
- sudoers syntax error, locked out of sudo: A syntax error in the sudoers file makes sudo refuse to run at all. Always edit with visudo, which validates before saving. Recover via a root shell or visudo -c, then scope each rule to least privilege.
- SSH permission denied (publickey) after disabling passwords: After turning off password auth, SSH rejects you with 'permission denied (publickey)'. That means the server accepted no key you offered: usually a missing authorized_keys entry, wrong ~/.ssh permissions, or an AllowUsers rule that excludes you.
- Cron job not running: A cron job that never fires is usually a wrong schedule, a missing newline at the end of the crontab, cron's minimal environment (PATH and relative paths), or output going nowhere so failures are invisible.
- Container port published but not reachable from outside: A container's published port works locally but not from other hosts. A common cause is the host firewall default-dropping the port: nftables/iptables on the host has to permit it even when Docker's mapping is correct.