From: Scott Vermillion (scott_ccie_list.com@it-ag.com)
Date: Wed Sep 05 2007 - 16:36:16 ART
Hi all,
I want to apologize in advance if this message hits your inbox more than
once today. I think my service provider has begun to filter messages that I
send to the list, as I tried forwarding the below to another account of my
own and it never showed. Only when I changed the title did it get through.
Thus, I may be getting caught in some kind of spam filter and it's entirely
possible that my traffic will eventually be reviewed, deemed not to be spam,
and then released. If you see this message pop up a few times later in the
day, again, my apologies, I'm just experiencing "technical difficulties." I
may have to switch to a different account for the CCIE list if they are in
fact filtering my legitimate traffic...
Regards,
Scott
-----Original Message-----
From: Scott Vermillion [mailto:scott_ccie_list.com@it-ag.com]
Sent: Wednesday, September 05, 2007 11:08 AM
To: 'ccielab@groupstudy.com'
Subject: RE: EBGP AS mispatch
Sent the below last night (sure hope it wasn't me that crashed the list
server, LOL!) but it was apparently black-holed. I actually had to send
this twice because of a minor correction to myself, then I realized I needed
to add one detail, so I've just incorporated everything into a single
message below...
Ah, behold the power of Dynamips! The below text exported from Wireshark
shows an eBGP router sending its local AS in an open message (note: I was
kind enough to go through and manually delete all L2 and L3 headers, as they
weren't germane to the discussion, but I've left in all of the L4 stuff so
the entire initial SYN to final ACK process can be seen). If there is a
mismatch, the router receiving that open will respond with a notification to
the effect that there is a mismatch, but there is no indication of what the
receiving router thought it ought to have been. This was just captured from
the IEWB topology w/ eBGP running between R3 in AS3 and R5 in AS5. I
misconfigured R3 to think that R5 is in AS10. When R5 sends an open
announcing "My AS" to be 5, R3 simply says "bye now" (Bad Peer AS). I don't
see anywhere that R3 is telling R5 what it thought R5's AS should be, so I
don't see how debug could report that sort of thing. Thus, if the BB router
thinks you're in an AS other than what you've configured, all you're going
to get is a notification stating that there is a mismatch (note that "bad
peer AS (2)" does not infer anything to do with an AS number, I believe "2"
is just the error sub-code...we're only dealing with AS 3, 5, and 10 in this
configuration). Also, in the text export, all you see is "Data" below that
error sub-code. In the actual trace file, that data is "5," meaning that R3
is simply repeating the AS number that caused the error back to R5 (in other
words, R3 tells R5 that AS5 is bad, does not tell it that 10 is what it
"should have been"). I suppose this all makes sense from a security
perspective...
Regards,
Scott
____
No. Time Source Destination Protocol
Info
20 31.293742 155.1.0.5 155.1.0.3 TCP
64333 > bgp [SYN] Seq=0 Len=0 MSS=1460
Transmission Control Protocol, Src Port: 64333 (64333), Dst Port: bgp (179),
Seq: 0, Len: 0
Source port: 64333 (64333)
Destination port: bgp (179)
Sequence number: 0 (relative sequence number)
Header length: 24 bytes
Flags: 0x02 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 16384
Checksum: 0xdd08 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (4 bytes)
Maximum segment size: 1460 bytes
No. Time Source Destination Protocol
Info
21 31.295614 155.1.0.3 155.1.0.5 TCP bgp
> 64333 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
Transmission Control Protocol, Src Port: bgp (179), Dst Port: 64333 (64333),
Seq: 0, Ack: 1, Len: 0
Source port: bgp (179)
Destination port: 64333 (64333)
Sequence number: 0 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 24 bytes
Flags: 0x12 (SYN, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 16384
Checksum: 0x3453 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (4 bytes)
Maximum segment size: 1460 bytes
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 20]
[The RTT to ACK the segment was: 0.001872000 seconds]
No. Time Source Destination Protocol
Info
22 31.297811 155.1.0.5 155.1.0.3 TCP
64333 > bgp [ACK] Seq=1 Ack=1 Win=16384 Len=0
Transmission Control Protocol, Src Port: 64333 (64333), Dst Port: bgp (179),
Seq: 1, Ack: 1, Len: 0
Source port: 64333 (64333)
Destination port: bgp (179)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16384
Checksum: 0x4c10 [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 21]
[The RTT to ACK the segment was: 0.002197000 seconds]
No. Time Source Destination Protocol
Info
23 31.302171 155.1.0.5 155.1.0.3 BGP
OPEN Message
Transmission Control Protocol, Src Port: 64333 (64333), Dst Port: bgp (179),
Seq: 1, Ack: 1, Len: 45
Source port: 64333 (64333)
Destination port: bgp (179)
Sequence number: 1 (relative sequence number)
[Next sequence number: 46 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16384
Checksum: 0x8961 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Border Gateway Protocol
OPEN Message
Marker: 16 bytes
Length: 45 bytes
Type: OPEN Message (1)
Version: 4
My AS: 5 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Hold time: 180
BGP identifier: 155.1.5.5
Optional parameters length: 16 bytes
Optional parameters
Capabilities Advertisement (8 bytes)
Parameter type: Capabilities (2)
Parameter length: 6 bytes
Multiprotocol extensions capability (6 bytes)
Capability code: Multiprotocol extensions capability (1)
Capability length: 4 bytes
Capability value
Address family identifier: IPv4 (1)
Reserved: 1 byte
Subsequent address family identifier: Unicast (1)
Capabilities Advertisement (4 bytes)
Parameter type: Capabilities (2)
Parameter length: 2 bytes
Route refresh capability (2 bytes)
Capability code: Route refresh capability (128)
Capability length: 0 bytes
Capabilities Advertisement (4 bytes)
Parameter type: Capabilities (2)
Parameter length: 2 bytes
Route refresh capability (2 bytes)
Capability code: Route refresh capability (2)
Capability length: 0 bytes
No. Time Source Destination Protocol
Info
24 31.306719 155.1.0.3 155.1.0.5 BGP
NOTIFICATION Message
Transmission Control Protocol, Src Port: bgp (179), Dst Port: 64333 (64333),
Seq: 1, Ack: 46, Len: 23
Source port: bgp (179)
Destination port: 64333 (64333)
Sequence number: 1 (relative sequence number)
[Next sequence number: 24 (relative sequence number)]
Acknowledgement number: 46 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16339
Checksum: 0x41d8 [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 23]
[The RTT to ACK the segment was: 0.004548000 seconds]
Border Gateway Protocol
NOTIFICATION Message
Marker: 16 bytes
Length: 23 bytes
Type: NOTIFICATION Message (3)
Error code: OPEN Message Error (2)
Error subcode: Bad Peer AS (2) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Data
No. Time Source Destination Protocol
Info
25 31.310282 155.1.0.5 155.1.0.3 TCP
64333 > bgp [FIN, PSH, ACK] Seq=46 Ack=24 Win=16361 Len=0
Transmission Control Protocol, Src Port: 64333 (64333), Dst Port: bgp (179),
Seq: 46, Ack: 24, Len: 0
Source port: 64333 (64333)
Destination port: bgp (179)
Sequence number: 46 (relative sequence number)
Acknowledgement number: 24 (relative ack number)
Header length: 20 bytes
Flags: 0x19 (FIN, PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...1 = Fin: Set
Window size: 16361
Checksum: 0x4bda [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 24]
[The RTT to ACK the segment was: 0.003563000 seconds]
No. Time Source Destination Protocol
Info
26 31.312194 155.1.0.3 155.1.0.5 TCP bgp
> 64333 [ACK] Seq=24 Ack=47 Win=16339 Len=0
Transmission Control Protocol, Src Port: bgp (179), Dst Port: 64333 (64333),
Seq: 24, Ack: 47, Len: 0
Source port: bgp (179)
Destination port: 64333 (64333)
Sequence number: 24 (relative sequence number)
Acknowledgement number: 47 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16339
Checksum: 0x4bf8 [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 25]
[The RTT to ACK the segment was: 0.001912000 seconds]
No. Time Source Destination Protocol
Info
27 31.422106 155.1.0.3 155.1.0.5 TCP bgp
> 64333 [FIN, PSH, ACK] Seq=24 Ack=47 Win=16339 Len=0
Frame 27 (47 bytes on wire, 47 bytes captured)
Transmission Control Protocol, Src Port: bgp (179), Dst Port: 64333 (64333),
Seq: 24, Ack: 47, Len: 0
Source port: bgp (179)
Destination port: 64333 (64333)
Sequence number: 24 (relative sequence number)
Acknowledgement number: 47 (relative ack number)
Header length: 20 bytes
Flags: 0x19 (FIN, PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...1 = Fin: Set
Window size: 16339
Checksum: 0x4bef [correct]
[Good Checksum: True]
[Bad Checksum: False]
No. Time Source Destination Protocol
Info
28 31.424323 155.1.0.5 155.1.0.3 TCP
64333 > bgp [ACK] Seq=47 Ack=25 Win=16361 Len=0
Transmission Control Protocol, Src Port: 64333 (64333), Dst Port: bgp (179),
Seq: 47, Ack: 25, Len: 0
Source port: 64333 (64333)
Destination port: bgp (179)
Sequence number: 47 (relative sequence number)
Acknowledgement number: 25 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16361
Checksum: 0x4be1 [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 27]
[The RTT to ACK the segment was: 0.002217000 seconds]
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Tuesday, September 04, 2007 5:35 PM
To: 'NITIN NITIN'; 'Cecil Wilson'; 'Greg Wendel'
Cc: 'Joseph Brunner'; 'NET HE'; bit.gossip@chello.nl; ccielab@groupstudy.com
Subject: RE: EBGP AS mispatch
Ahhhhhhh.... Got it. I don't recall being able to figure that part out
even with debugs running. But you could always look then on the BB router
side. The BGP notification message will be pretty much the same on both
sides, but you could try debugs and see if you see any mention of "00C8"
which would be 200 (or whatever AS you pick).
I don't think I've ever really looked in that direction before, but you
could check it out!
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
A Cisco Learning Partner - We Accept Learning Credits!
smorris@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
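
The OPEN/NOTIFICATION exchange from frames 23 and 24, decoded in code. This is an added example, not part of the original thread. The message bytes are rebuilt from the decoded fields shown in the export (not the raw capture), the names `parse_bgp` and `explain_bad_peer_as` are hypothetical, and the 2-byte AS echoed in Data is the behaviour observed in this capture rather than something every implementation is assumed to send.

```python
import socket
import struct

MARKER = b"\xff" * 16
OPEN, NOTIFICATION = 1, 3
# OPEN Message Error subcodes from RFC 4271, section 4.5
OPEN_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS",
                 3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                 6: "Unacceptable Hold Time"}

def parse_bgp(msg: bytes) -> dict:
    """Decode one BGP message; raise ValueError on malformed input."""
    if len(msg) < 19 or msg[:16] != MARKER:
        raise ValueError("short message or bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or not 19 <= length <= 4096:
        raise ValueError("length field does not match message size")
    body = msg[19:]
    if mtype == OPEN:
        if len(body) < 10 or body[9] != len(body) - 10:
            raise ValueError("truncated OPEN or bad optional parameters length")
        version, my_as, hold, bgp_id, _ = struct.unpack("!BHH4sB", body[:10])
        return {"type": "OPEN", "version": version, "my_as": my_as,
                "hold_time": hold, "bgp_id": socket.inet_ntoa(bgp_id)}
    if mtype == NOTIFICATION:
        if len(body) < 2:
            raise ValueError("truncated NOTIFICATION")
        code, subcode = body[0], body[1]
        return {"type": "NOTIFICATION", "code": code, "subcode": subcode,
                "subcode_name": OPEN_SUBCODES.get(subcode) if code == 2 else None,
                "data": body[2:]}
    return {"type": mtype}

def explain_bad_peer_as(open_msg: bytes, notif_msg: bytes) -> str:
    """Relate a Bad Peer AS NOTIFICATION to the OPEN that triggered it."""
    sent, reply = parse_bgp(open_msg), parse_bgp(notif_msg)
    if (reply.get("code"), reply.get("subcode")) != (2, 2):
        return "not a Bad Peer AS notification"
    if len(reply["data"]) != 2:
        return "Bad Peer AS with no 2-byte AS in Data"
    echoed = struct.unpack("!H", reply["data"])[0]
    origin = "echo of our own My AS" if echoed == sent["my_as"] else "differs from our My AS"
    return f"peer rejected AS {echoed} ({origin}); expected AS is not carried"

# Constructed from the decoded fields of frames 23 and 24 (not the raw capture bytes).
CAPS = bytes.fromhex("020601040001000102028000" "02020200")
OPEN_R5 = MARKER + struct.pack("!HBBHH4sB", 45, OPEN, 4, 5, 180,
                               socket.inet_aton("155.1.5.5"), len(CAPS)) + CAPS
NOTIF_R3 = MARKER + struct.pack("!HBBBH", 23, NOTIFICATION, 2, 2, 5)
```

The 23-byte length in frame 24 is the 19-byte header plus error code, subcode and two bytes of Data, which is why the only AS number recoverable from the NOTIFICATION is the one the sender of the OPEN already knew.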