From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Fri Dec 01 2006 - 03:34:38 ART
Agreed, this looks like the behavior, but I cannot see why that ACL is
necessary. If the PIX tracks state, then that basic packet filtering
statement is not necessary...
Again, this only happens when things go haywire...I am presuming the
"norandomseq" statement is actually messing things up...
I've since taken that statement out, and it works fine again. It was just
when I cleared the NAT translations this started happening...
From: Kal Han [mailto:calikali2006@gmail.com]
Sent: Thursday, November 30, 2006 10:32 PM
To: Lab Rat #109385382
Cc: cisco@groupstudy.com; Cisco certification; security@groupstudy.com
Subject: Re: BGP Through PIX Question #1
When I keep the ACL with
permit tcp host x.x.x.x eq bgp host x.x.x.x
permit tcp host x.x.x.x host x.x.x.x eq bgp
Then I did not see this problem.
With only one ACL, I think it's possible to see
the problem till the peer you want to initiate
the connections actually initiates the connection.
Thanks
Kal
On 11/30/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:
Have you guys ever run into the situation where, after clearing xlate on the
PIX (or something along those lines), the BGP peer authentication starts
going haywire on one of the end-points? It's the message "...Invalid MD5
digest from x.x.x.x (179) to x.x.x.x (11000) (RST)"
Well, I've now run into this more than once, and I can never get it to go
away unless I reload the router or I wait for like 10 minutes.
Is this normal? Has anyone else seen this?
Thanks,
Eddie
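The "Invalid MD5 digest" rejection discussed in this thread comes from the TCP MD5 Signature Option (RFC 2385) that BGP uses for peer authentication. The digest is computed over the IP pseudo-header, the TCP header (including the sequence and acknowledgement numbers) and the shared password, so any device between the peers that rewrites TCP sequence numbers, as a stateful firewall does when ISN randomization is enabled for a flow, leaves a digest that the receiving router can no longer validate. The Python below is an added illustration, not code from this list or from Cisco: it computes the RFC 2385 digest for a constructed BGP SYN segment, verifies it as the receiver would, then models a middlebox shifting the sequence number and shows the same digest failing. Addresses, ports, the ISN offset and the password are all constructed values.

```python
import dataclasses
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

BGP_PORT = 179
TCP_PROTO = 6


@dataclass(frozen=True)
class TcpSegment:
    """Fields of a TCP segment needed for the RFC 2385 computation."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int   # header length in 32-bit words (options included)
    flags: int
    window: int
    urgent: int
    payload: bytes


def rfc2385_digest(seg: TcpSegment, key: bytes) -> bytes:
    """TCP MD5 Signature Option digest, RFC 2385 section 2.

    MD5 over: pseudo-header, TCP header (options excluded, checksum zero),
    segment data, then the connection password.  The sequence number is
    part of the header, which is why rewriting it invalidates the digest.
    """
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        seg.src_port, seg.dst_port, seg.seq, seg.ack,
        seg.data_offset << 4, seg.flags, seg.window,
        0,                     # checksum is zero for the digest computation
        seg.urgent,
    )
    segment_length = seg.data_offset * 4 + len(seg.payload)
    pseudo_header = struct.pack(
        "!4s4sBBH",
        ipaddress.IPv4Address(seg.src_ip).packed,
        ipaddress.IPv4Address(seg.dst_ip).packed,
        0, TCP_PROTO, segment_length,
    )
    md5 = hashlib.md5()
    md5.update(pseudo_header)
    md5.update(tcp_header)
    md5.update(seg.payload)
    md5.update(key)
    return md5.digest()


def verify_digest(seg: TcpSegment, key: bytes, received: bytes) -> bool:
    """Receiver-side check: recompute and compare in constant time."""
    return hmac.compare_digest(rfc2385_digest(seg, key), received)


def rewrite_isn(seg: TcpSegment, offset: int) -> TcpSegment:
    """Model of a stateful firewall randomizing the sequence number of a
    flow.  It cannot recompute the option because it does not hold the
    BGP password, so the original digest is carried through unchanged."""
    return dataclasses.replace(seg, seq=(seg.seq + offset) & 0xFFFFFFFF)


def demo():
    """Returns (digest_ok_direct, digest_ok_after_rewrite)."""
    key = b"constructed-bgp-password"          # constructed shared secret
    syn = TcpSegment(                          # constructed BGP SYN
        src_ip="192.0.2.1", dst_ip="198.51.100.1",
        src_port=11000, dst_port=BGP_PORT,
        seq=0x12345678, ack=0,
        data_offset=10,                        # 40-byte header incl. MD5 option
        flags=0x02, window=16384, urgent=0, payload=b"",
    )
    digest = rfc2385_digest(syn, key)
    direct = verify_digest(syn, key, digest)
    shifted = verify_digest(rewrite_isn(syn, 0x5EED), key, digest)
    return direct, shifted


if __name__ == "__main__":
    ok, after_rewrite = demo()
    print("peer-to-peer digest valid:", ok)
    print("digest valid after ISN rewrite:", after_rewrite)
```

The second result is the condition a router reports as an invalid MD5 digest and answers with a RST; the ACL in Kal's reply only governs which peer may open the session, it does not change what the digest covers.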
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART