I have what I think might be a bug, but I wanted to sanity check it, and maybe see if others can reproduce. It also seems possible (probable?) that this may be an issue with FRR upstream, but I’m not sure.
I can produce this with both 2025.11-stream and 2026.01.13-0018-rolling.
When you add an address to an interface that is PHY down but ADMIN up, the ouput of “show ip route” shows a kernel route for that network as valid, and selected. If there is a route with a next hop in that network, that kernel route is considered valid for recursively resolving that route.
Conditions -
-
Add an IP address to a link which is ADMIN UP but PHY/LINE PROTO DOWN
-
Add a default route with next-hop in the network of the newly added address (may work with non-default, have not tried) as either only default or as lowest (best) AD default
Once the above conditions are met:
-
show ip route is incorrect (shows static route resolvable recursively, and selected - >, even though next hop interface is down. It appears to be using selected, inserted kernel route to recursively resolve even though it is marked linkdown)
-
Router can no longer insert default route with worse AD than the invalid route until it is corrected (flapping the downed interface by either bringing it up and down or admining down and then up clears the condition). This includes DHCP learned routes. If a static route with better AD is added, it will insert but then it cannot be removed until condition is cleared.
What it looks like to me:
!!! Interface state
admin@vyos:\~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
---
eth0 - 00:00:00:00:53:c1 default 1500 u/D
eth1 - 00:00:00:00:53:be default 1500 u/D TEST STATIC
eth2 - 00:00:00:00:53:bf default 1500 u/D
eth3 10.101.4.12/22 00:00:00:00:53:c0 default 1500 u/u DHCP WAN
lo 127.0.0.1/8 00:00:00:00:00:00 default 65536 u/u
::1/128
!!! show ip route
admin@vyos:\~$ show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, \* - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S>\* 0.0.0.0/0 \[254/0\] via 10.101.4.1, eth3, weight 1, 00:00:54
C>\* 10.101.4.0/22 is directly connected, eth3, weight 1, 00:00:54
K \* 10.101.4.0/22 \[0/0\] is directly connected, eth3, weight 1, 00:00:54
L>\* 10.101.4.12/32 is directly connected, eth3, weight 1, 00:00:54
!!! Query ip route show
admin@vyos:\~$ ip route show
default nhid 242 via 10.101.4.1 dev eth3 proto static metric 20
10.101.4.0/22 dev eth3 proto kernel scope link src 10.101.4.12
!!! Ping offlink
admin@vyos:\~$ ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
64 bytes from 8.8.4.4: icmp_seq=1 ttl=63 time=0.373 ms
!!! Add ip address, static default with next hop in same net to interface that is ADMIN UP but LINE PROTO/PHY DOWN
admin@vyos# set interfaces ethernet eth1 address 192.168.22.2/30
\[edit\]
admin@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.22.1
\[edit\]
admin@vyos# commit
\[edit\]
!!! show ip route is incorrect (shows static resolvable recursively, and selected - >, even though next hop interface is down.)
!!! It appears to be going based on selected, inserted kernel route even though it is marked linkdown
admin@vyos:\~$ show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, \* - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S>r 0.0.0.0/0 \[1/0\] via 192.168.22.1 (recursive), weight 1, 00:00:40
r via 192.168.22.1, eth1 onlink, weight 1, 00:00:40
S \* 0.0.0.0/0 \[254/0\] via 10.101.4.1, eth3, weight 1, 00:03:14
C>\* 10.101.4.0/22 is directly connected, eth3, weight 1, 00:03:14
K \* 10.101.4.0/22 \[0/0\] is directly connected, eth3, weight 1, 00:03:14
L>\* 10.101.4.12/32 is directly connected, eth3, weight 1, 00:03:14
K>\* 192.168.22.0/30 \[0/0\] is directly connected, eth1 linkdown, weight 1, 00:00:41
!!! Zebra/FRR correctly identifies that this default cannot be installed
Jan 13 20:43:00 vyos vyos-configd\[930\]: Sending reply: SUCCESS with output
Jan 13 20:43:00 vyos watchfrr\[1578\]: \[WFP93-1D146\] configuration write completed with exit code 0
Jan 13 20:43:00 vyos watchfrr\[1578\]: \[VTVCM-Y2NW3\] Configuration Read in Took: 00:00:00
Jan 13 20:43:00 vyos zebra\[1599\]: default(0:254):0.0.0.0/0: Route install failed
Jan 13 20:43:00 vyos staticd\[1653\]: route_notify_owner: Route 0.0.0.0/0 failed to install for table: 254
Jan 13 20:43:00 vyos zebra\[1599\]: \[EC 4043309074\] Failed to install Nexthop (259\[192.168.22.1 if 4 vrfid 0\]) into the kernel
Jan 13 20:43:00 vyos zebra\[1599\]: \[EC 4043309093\] netlink-dp (NS 0) error: Invalid argument, type=RTM_NEWROUTE(24), seq=715, pid=2861755101
Jan 13 20:43:00 vyos zebra\[1599\]: Extended Error: Nexthop id does not exist
Jan 13 20:43:00 vyos zebra\[1599\]: \[EC 4043309093\] netlink-dp (NS 0) error: Network is down, type=RTM_NEWNEXTHOP(104), seq=714, pid=2861755101
Jan 13 20:43:00 vyos zebra\[1599\]: Extended Error: Carrier for nexthop device is down
!!! Because we did not trigger a change of default that was learned by DHCP, it remains in linux routing and forwarding is ok
!!! However the router can now no longer install routes with worse AD than the invalid static. It can install routes with better AD
!!! But once it has, it cannot remove them. This will persist until interface is flapped either logically or physically, or device is rebooted
admin@vyos:\~$ ip route show
default nhid 242 via 10.101.4.1 dev eth3 proto static metric 20
10.101.4.0/22 dev eth3 proto kernel scope link src 10.101.4.12
192.168.22.0/30 dev eth1 proto kernel scope link src 192.168.22.2 dead linkdown
!!! bring DHCP interface up and down by pulling cable
!!! Router got new lease, issued command to re-add route to FRR, however route cannot add
Jan 13 20:53:04 vyos dhclient-script-vyos\[37920\]: Command was executed successfully via vtysh: "ip route 0.0.0.0/0 10.101.4.1 eth3 tag 210 254 "
Jan 13 20:53:04 vyos dhclient-script-vyos\[37920\]: Sending command to vtysh
Jan 13 20:53:04 vyos dhclient-script-vyos\[37920\]: Converted vtysh command: "ip route 0.0.0.0/0 10.101.4.1 eth3 tag 210 254 "
admin@vyos:\~$ show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, \* - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S 0.0.0.0/0 \[254/0\] via 10.101.4.1, eth3, weight 1, 00:02:13
S>r 0.0.0.0/0 \[1/0\] via 192.168.22.1 (recursive), weight 1, 00:12:17
r via 192.168.22.1, eth1 onlink, weight 1, 00:12:17
C>\* 10.101.4.0/22 is directly connected, eth3, weight 1, 00:02:14
K \* 10.101.4.0/22 \[0/0\] is directly connected, eth3, weight 1, 00:02:14
L> 10.101.4.12/32 is directly connected, eth3 inactive, weight 1, 00:14:51
L>\* 10.101.4.13/32 is directly connected, eth3, weight 1, 00:02:14
K>\* 192.168.22.0/30 \[0/0\] is directly connected, eth1 linkdown, weight 1, 00:12:18
admin@vyos:\~$ ip route show
10.101.4.0/22 dev eth3 proto kernel scope link src 10.101.4.13
192.168.22.0/30 dev eth1 proto kernel scope link src 192.168.22.2 dead linkdown
!!! Cannot ping offlink
admin@vyos:\~$ ping 8.8.4.4
/bin/ping: connect: Network is unreachable