From: Ben (bmunyao@gmail.com)
Date: Sat Sep 29 2007 - 13:46:24 ART

Hi Narbik,

I was testing Dee's comment that you should get a log along the lines of
"invalid hash or something similar", when a BB router has BGP authentication.
The demo established that the BB side indeed will get that error message,
but the router we have access to, and which we are required to configure BGP
to peer with the backbone, gets a different, not exactly informative message.
I still have no idea how we can identify authentication to be the culprit.
Any suggestions?

TIA
Ben

On 9/29/07, Narbik Kocharians <narbikk@gmail.com> wrote:
>
> I don't see authentication configuration on the second router.
>
> On 9/28/07, spduo <frenzeus@streamyx.com> wrote:
>
> > R1's BGP is indeed initiating a TCP session over to R2 and from the debugs
> > on R1 it clearly tells that it times out due to remote host (R2) not
> > responding. Whereas on R2, it is configured to do md5 authentication on the
> > TCP segments for BGP; upon receipt of those BGP TCP segments from R1, the
> > validation fails on R2 but R2 does not complain to R1 about the invalidity
> > of the digest - this is in accordance with RFC2385.
> >
> > -K
> >
> >
> > ----- Original Message -----
> > From: "Ben" <bmunyao@gmail.com>
> > To: "dee" <devecchio.turner@sbcglobal.net>
> > Cc: "Ajay Prakash" <ajay.prakash@networkpeople.co.in>;
> > <ccielab@groupstudy.com>
> > Sent: Thursday, September 27, 2007 9:38 PM
> > Subject: Re: Cannot Get BGP peering to come up!!
> >
> >
> > > Here is what I get with mismatched BGP authentication
> > >
> > > R1----------------------R2
> > > server(179) client
> > >
> > > Configuration and error on the client side (possibly BB):
> > >
> > > Rack1R2(config)#do sh run | s bgp
> > > router bgp 2
> > > no synchronization
> > > bgp log-neighbor-changes
> > > network 2.2.2.2 mask 255.255.255.255
> > > neighbor 10.1.0.1 remote-as 1
> > > neighbor 10.1.0.1 password IE
> > > no auto-summary
> > > Rack1R2(config)#
> > >
> > > .2(24344)
> > > *Mar 1 00:52:25.483: %TCP-6-BADAUTH: No MD5 digest from 10.1.0.1(179) to 10.1.0.2(24344)
> > > Rack1R2(config-router)#
> > > *Mar 1 00:52:31.151: %TCP-6-BADAUTH: No MD5 digest from 10.1.0.1(64659) to 10.1.0.2(179)
> > >
> > >
> > > Configuration and error on the BGP server side:
> > >
> > > Rack1R1(config)#do sh run | s bgp
> > > router bgp 1
> > > no synchronization
> > > bgp log-neighbor-changes
> > > neighbor 10.1.0.2 remote-as 2
> > > no auto-summary
> > > ip bgp-community new-format
> > > Rack1R1(config)#
> > >
> > > Rack1R1(config-if)#
> > > *Mar 1 02:36:38.743: BGP: 10.1.0.2 open active, local address 10.1.0.1
> > > Rack1R1(config-if)#
> > > *Mar 1 02:37:08.751: BGP: 10.1.0.2 open failed: Connection timed out; remote host not responding, open active delayed 31212ms (35000ms max, 28% jitter)
> > > Rack1R1(config-if)#
> > >
> > > On R1, there is no clue on the reason for not peering. The error message is
> > > cryptic. Perhaps if we could get R1 to initiate the BGP TCP session, we may
> > > get to see TCP-BADAUTH error. Does anyone have an idea how to force a router
> > > to initiate a BGP session?
> > >
> > > TIA
> > >
> > > Ben
> > >
> > >
> > >
> > >
> > > On 9/27/07, dee <devecchio.turner@sbcglobal.net> wrote:
> > >>
> > >> Based on the ip address you gave..assuming this is internetwork expert and
> > >> from what I remember bb2 has a password of (md5) CISCO... Debug ip bgp
> > >> events and even without the debug it should tell you invalid hash or
> > >> something similar?
> > >>
> > >>
> > >> On 9/27/07 2:15 AM, "Ajay Prakash" <ajay.prakash@networkpeople.co.in>
> > >> wrote:
> > >>
> > >> > Hello,
> > >> >
> > >> > I am kind of stuck while trying to get the BGP peering up between R2
> > >> > (192.10.2.2) and BB1 (192.10.2.254). Please give me some tips as to how to
> > >> > troubleshoot this
> > >> >
> > >> > R2 Fa0/0 ---------------- BB2
> > >> >
> > >> > Rack2R2(config-router)#do sh run | s bgp
> > >> > router bgp 200
> > >> > no synchronization
> > >> > bgp log-neighbor-changes
> > >> > neighbor 154.2.23.3 remote-as 300
> > >> > neighbor 154.2.23.3 send-community
> > >> > neighbor 192.10.2.1 remote-as 200
> > >> > neighbor 192.10.2.1 send-community
> > >> > neighbor 192.10.2.254 remote-as 254
> > >> > neighbor 192.10.2.254 ebgp-multihop 255 <<------ I don't think required, but just put in while trying to troubleshoot
> > >> > neighbor 192.10.2.254 update-source BVI1
> > >> > neighbor 192.10.2.254 send-community
> > >> > no auto-summary
> > >> >
> > >> > Rack2R2#sh run int bvi1
> > >> > interface BVI1
> > >> > ip address 192.10.2.2 255.255.255.0
> > >> > end
> > >> >
> > >> > Rack2R2#sh run int fa0/0
> > >> > interface FastEthernet0/0
> > >> > no ip address
> > >> > duplex auto
> > >> > speed auto
> > >> > bridge-group 1
> > >> > end
> > >> >
> > >> > Rack2R2(config-router)#do sh ip bgp summ
> > >> >
> > >> > Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> > >> > 154.2.23.3      4   300      21      21       13    0    0 00:14:24        0
> > >> > 192.10.2.1      4   200      23      20       13    0    0 00:16:27       10
> > >> > 192.10.2.254    4   254       0       0        0    0    0 never    Active
> > >> >
> > >> > Rack2R2#p 192.10.2.254
> > >> >
> > >> > Type escape sequence to abort.
> > >> > Sending 5, 100-byte ICMP Echos to 192.10.2.254, timeout is 2 seconds:
> > >> > !!!!!
> > >> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> > >> >
> > >> > Rack2R2#traceroute 192.10.2.254
> > >> >
> > >> > Type escape sequence to abort.
> > >> > Tracing the route to 192.10.2.254
> > >> >
> > >> > 1 192.10.2.254 4 msec
> > >> >
> > >> > Rack2R2(config-router)#
> > >> > *Dec 17 08:42:26.950: BGP: 192.10.2.254 open failed: Connection timed out; remote host not responding, open active delayed 34335ms (35000ms max, 28% jitter)
> > >> >
> > >> > Rack2R2#debu ip bgp
> > >> > *Dec 17 08:35:15.482: BGP: Regular scanner event timer
> > >> > *Dec 17 08:35:15.482: BGP: Import timer expired. Walking from 1 to 1
> > >> > Rack2R2#debu ip bgp
> > >> > *Dec 17 08:35:29.926: BGP: 192.10.2.254 open failed: Connection timed out; remote host not responding, open active delayed 31912ms (35000ms max, 28% jitter)
> > >> > *Dec 17 08:35:30.482: BGP: Regular scanner event timer
> > >> > *Dec 17 08:35:30.482: BGP: Import timer expired. Walking from 1 to 1
> > >> >
> > _______________________________________________________________________
> > >> > Subscription information may be found at:
> > >> > http://www.groupstudy.com/list/CCIELab.html
>
>
>
> --
> Narbik Kocharians
> CCIE# 12410 (R&S, SP, Security)
> CCSI# 30832
> www.Net-WorkBooks.com
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART
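
Added example, not part of the original thread: a Python triage of the two symptoms quoted above, showing how the password-configured side gets direct evidence (%TCP-6-BADAUTH) while the unsigned side only sees a timeout. The sample logs are constructed from the output in the thread; the "Invalid MD5 digest" variant (key mismatch) does not appear in the thread, and the function name, verdict strings and `reachable_peers` parameter are assumptions of this example.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
BADAUTH = re.compile(
    rf"%TCP-6-BADAUTH: (No|Invalid) MD5 digest from {IP}\s*\(\d+\) to {IP}\s*\(\d+\)")
OPEN_TIMEOUT = re.compile(rf"BGP: {IP} open failed: Connection timed out")

# Constructed samples, modelled on the router output quoted in the thread.
R2_LOG = """\
*Mar 1 00:52:25.483: %TCP-6-BADAUTH: No MD5 digest from 10.1.0.1(179) to 10.1.0.2(24344)
*Mar 1 00:52:31.151: %TCP-6-BADAUTH: No MD5 digest from 10.1.0.1(64659) to 10.1.0.2(179)
"""
R1_LOG = """\
*Mar 1 02:36:38.743: BGP: 10.1.0.2 open active, local address 10.1.0.1
*Mar 1 02:37:08.751: BGP: 10.1.0.2 open failed: Connection timed out; remote host not responding
"""
# Constructed line for the key-mismatch case (not shown in the thread).
MISMATCH_LOG = ("*Mar 1 00:55:02.100: %TCP-6-BADAUTH: Invalid MD5 digest "
                "from 10.1.0.1(179) to 10.1.0.2(24350)\n")


def triage(log, reachable_peers=()):
    """Map each peer IP found in `log` to a verdict about TCP MD5 authentication.

    reachable_peers: peers already confirmed reachable (e.g. by ping), so a
    TCP timeout towards them is not explained by plain loss of connectivity.
    """
    verdicts = {}
    for line in log.splitlines():
        bad = BADAUTH.search(line)
        if bad:
            kind, peer = bad.group(1), bad.group(2)
            # Direct evidence: the local router has a password for this peer.
            # "No" = peer sent unsigned segments; "Invalid" = keys differ.
            verdicts[peer] = "peer-sends-no-md5" if kind == "No" else "md5-key-mismatch"
            continue
        timed_out = OPEN_TIMEOUT.search(line)
        if timed_out and timed_out.group(1) in reachable_peers:
            # An RFC 2385 receiver discards unsigned segments without replying,
            # so the sender only sees a timeout. A filter on TCP/179 looks the
            # same, hence "suspect" rather than a firm verdict.
            verdicts.setdefault(timed_out.group(1), "suspect-peer-requires-md5")
    return verdicts


if __name__ == "__main__":
    print("R2:", triage(R2_LOG))
    print("R1:", triage(R1_LOG, reachable_peers={"10.1.0.2"}))
```
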