From: spduo (frenzeus@streamyx.com)
Date: Sat Sep 29 2007 - 14:43:43 ART
IMHO, I believe that if there is a requirement to do authentication, it will tell you what shared password to use. I'm not aware of a debug tool that tells you what password the backbone routers expect, though I do not doubt troubleshooting is always part of the CCIE lab, and that is what keeps it really interesting!
HTH.
----- Original Message -----
From: Ben
To: spduo
Cc: Narbik Kocharians ; dee ; Ajay Prakash ; ccielab@groupstudy.com
Sent: Sunday, September 30, 2007 1:37 AM
Subject: Re: Cannot Get BGP peering to come up!!
spduo
In the lab, we do not have access to the backbone routers (R2 in this case), and therefore cannot see what's configured. We have to depend on troubleshooting skills to establish the cause of a failure to peer, for instance.
Ben
On 9/29/07, spduo <frenzeus@streamyx.com> wrote:
Rack1R2(config)#do sh run | s bgp
router bgp 2
no synchronization
bgp log-neighbor-changes
network 2.2.2.2 mask 255.255.255.255
neighbor 10.1.0.1 remote-as 1
> neighbor 10.1.0.1 password IE
Is the above not the MD5 authentication required?
----- Original Message -----
From: "Narbik Kocharians" < narbikk@gmail.com>
To: "spduo" <frenzeus@streamyx.com>
Cc: "Ben" < bmunyao@gmail.com>; "dee" <devecchio.turner@sbcglobal.net>; "Ajay
Prakash" <ajay.prakash@networkpeople.co.in >; <ccielab@groupstudy.com>
Sent: Saturday, September 29, 2007 7:19 PM
Subject: Re: Cannot Get BGP peering to come up!!
>I don't see authentication configuration on the second router.
>
> On 9/28/07, spduo <frenzeus@streamyx.com> wrote:
>>
>> R1's BGP is indeed initiating a TCP session over to R2, and from the debugs
>> on R1 it clearly tells that it times out due to remote host (R2) not
>> responding. Whereas on R2, it is configured to do md5 authentication on the
>> TCP segments for BGP; upon receipt of those BGP TCP segments from R1, the
>> validation fails on R2 but R2 does not complain to R1 about the invalidity
>> of the digest - this is in accordance with RFC2385.
>>
>> -K
>>
>>
>> ----- Original Message -----
>> From: "Ben" <bmunyao@gmail.com>
>> To: "dee" <devecchio.turner@sbcglobal.net>
>> Cc: "Ajay Prakash" <ajay.prakash@networkpeople.co.in>;
>> <ccielab@groupstudy.com>
>> Sent: Thursday, September 27, 2007 9:38 PM
>> Subject: Re: Cannot Get BGP peering to come up!!
>>
>>
>> > Here is what I get with mismatched BGP authentication
>> >
>> > R1----------------------R2
>> > server(179) client
>> >
>> > Configuration and error on the client side (possibly BB):
>> >
>> > Rack1R2(config)#do sh run | s bgp
>> > router bgp 2
>> > no synchronization
>> > bgp log-neighbor-changes
>> > network 2.2.2.2 mask 255.255.255.255
>> > neighbor 10.1.0.1 remote-as 1
>> > neighbor 10.1.0.1 password IE
>> > no auto-summary
>> > Rack1R2(config)#
>> >
>> > .2(24344)
>> > *Mar 1 00:52:25.483: %TCP-6-BADAUTH: No MD5 digest from 10.1.0.1(179) to 10.1.0.2(24344)
>> > Rack1R2(config-router)#
>> > *Mar 1 00:52:31.151: %TCP-6-BADAUTH: No MD5 digest from 10.1.0.1(64659) to 10.1.0.2(179)
>> >
>> >
>> > Configuration and error on the BGP server side:
>> >
>> > Rack1R1(config)#do sh run | s bgp
>> > router bgp 1
>> > no synchronization
>> > bgp log-neighbor-changes
>> > neighbor 10.1.0.2 remote-as 2
>> > no auto-summary
>> > ip bgp-community new-format
>> > Rack1R1(config)#
>> >
>> > Rack1R1(config-if)#
>> > *Mar 1 02:36:38.743: BGP: 10.1.0.2 open active, local address 10.1.0.1
>> > Rack1R1(config-if)#
>> > *Mar 1 02:37:08.751: BGP: 10.1.0.2 open failed: Connection timed out; remote host not responding, open active delayed 31212ms (35000ms max, 28% jitter)
>> > Rack1R1(config-if)#
>> >
>> > On R1, there is no clue on the reason for not peering. The error message
>> > is cryptic. Perhaps if we could get R1 to initiate the BGP TCP session, we
>> > may get to see the TCP-BADAUTH error. Does anyone have an idea how to force
>> > a router to initiate a BGP session?
>> >
>> > TIA
>> >
>> > Ben
>> >
>> >
>> >
>> >
>> > On 9/27/07, dee <devecchio.turner@sbcglobal.net> wrote:
>> >>
>> >> Based on the ip address you gave..assuming this is internetwork expert
>> >> and from what I remember bb2 has a password of (md5) CISCO... Debug ip bgp
>> >> events and even without the debug it should tell you invalid hash or
>> >> something similar?
>> >>
>> >>
>> >> On 9/27/07 2:15 AM, "Ajay Prakash" <ajay.prakash@networkpeople.co.in>
>> >> wrote:
>> >>
>> >> > Hello,
>> >> >
>> >> >
>> >> >
>> >> > I am kind of stuck while trying to get the BGP peering up between R2
>> >> > (192.10.2.2) and BB1 (192.10.2.254). Please give me some tips as to how
>> >> > to troubleshoot this
>> >> >
>> >> >
>> >> >
>> >> > R2 Fa0/0 ---------------- BB2
>> >> >
>> >> >
>> >> >
>> >> > Rack2R2(config-router)#do sh run | s bgp
>> >> >
>> >> > router bgp 200
>> >> >
>> >> > no synchronization
>> >> >
>> >> > bgp log-neighbor-changes
>> >> >
>> >> > neighbor 154.2.23.3 remote-as 300
>> >> >
>> >> > neighbor 154.2.23.3 send-community
>> >> >
>> >> > neighbor 192.10.2.1 remote-as 200
>> >> >
>> >> > neighbor 192.10.2.1 send-community
>> >> >
>> >> > neighbor 192.10.2.254 remote-as 254
>> >> >
>> >> > neighbor 192.10.2.254 ebgp-multihop 255 <<------ I don't think required, but just put in while trying to troubleshoot
>> >> >
>> >> > neighbor 192.10.2.254 update-source BVI1
>> >> >
>> >> > neighbor 192.10.2.254 send-community
>> >> >
>> >> > no auto-summary
>> >> >
>> >> >
>> >> >
>> >> > Rack2R2#sh run int bvi1
>> >> >
>> >> > interface BVI1
>> >> >
>> >> > ip address 192.10.2.2 255.255.255.0
>> >> >
>> >> > end
>> >> >
>> >> >
>> >> >
>> >> > Rack2R2#sh run int fa0/0
>> >> >
>> >> > interface FastEthernet0/0
>> >> >
>> >> > no ip address
>> >> >
>> >> > duplex auto
>> >> >
>> >> > speed auto
>> >> >
>> >> > bridge-group 1
>> >> >
>> >> > end
>> >> >
>> >> >
>> >> >
>> >> > Rack2R2(config-router)#do sh ip bgp summ
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
>> >> > 154.2.23.3      4   300      21      21       13    0    0 00:14:24        0
>> >> > 192.10.2.1      4   200      23      20       13    0    0 00:16:27       10
>> >> > 192.10.2.254    4   254       0       0        0    0    0 never    Active
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > Rack2R2#p 192.10.2.254
>> >> >
>> >> >
>> >> >
>> >> > Type escape sequence to abort.
>> >> >
>> >> > Sending 5, 100-byte ICMP Echos to 192.10.2.254, timeout is 2 seconds:
>> >> >
>> >> > !!!!!
>> >> >
>> >> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>> >> >
>> >> >
>> >> >
>> >> > Rack2R2#traceroute 192.10.2.254
>> >> >
>> >> >
>> >> >
>> >> > Type escape sequence to abort.
>> >> >
>> >> > Tracing the route to 192.10.2.254
>> >> >
>> >> >
>> >> >
>> >> > 1 192.10.2.254 4 msec
>> >> >
>> >> >
>> >> >
>> >> > Rack2R2(config-router)#
>> >> >
>> >> > *Dec 17 08:42:26.950: BGP: 192.10.2.254 open failed: Connection timed out; remote host not responding, open active delayed 34335ms (35000ms max, 28% jitter)
>> >> >
>> >> >
>> >> >
>> >> > Rack2R2#debu ip bgp
>> >> >
>> >> > *Dec 17 08:35:15.482: BGP: Regular scanner event timer
>> >> >
>> >> > *Dec 17 08:35:15.482: BGP: Import timer expired. Walking from 1 to 1
>> >> >
>> >> > Rack2R2#debu ip bgp
>> >> >
>> >> > *Dec 17 08:35:29.926: BGP: 192.10.2.254 open failed: Connection timed out; remote host not responding, open active delayed 31912ms (35000ms max, 28% jitter)
>> >> >
>> >> > *Dec 17 08:35:30.482: BGP: Regular scanner event timer
>> >> >
>> >> > *Dec 17 08:35:30.482: BGP: Import timer expired. Walking from 1 to 1
>> >> >
>> >> >
>> _______________________________________________________________________
>> >> > Subscription information may be found at:
>> >> > http://www.groupstudy.com/list/CCIELab.html
>
>
>
> --
> Narbik Kocharians
> CCIE# 12410 (R&S, SP, Security)
> CCSI# 30832
> www.Net-WorkBooks.com
>
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART
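
Added example (not part of the thread and not any poster's code): a minimal Python model of the RFC 2385 check discussed above, showing why the side without a matching password only ever sees a timeout. The addresses, port 64659 and the passwords IE and CISCO are taken from the thread as sample values; the fixed sequence number, window size and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

FIELDS = ("src", "dst", "sport", "dport", "seq", "ack", "flags", "window", "payload")
OPT_LEN = 20  # 18-byte MD5 signature option (kind 19) padded to a 4-byte boundary

def rfc2385_digest(src, dst, sport, dport, seq, ack, flags, window, payload, key):
    """MD5 over: pseudo-header, TCP header without options (checksum zeroed),
    segment data, then the shared key, in the order RFC 2385 specifies."""
    seg_len = 20 + OPT_LEN + len(payload)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, seg_len))  # zero, protocol 6, length
    off_flags = (((20 + OPT_LEN) // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         off_flags, window, 0, 0)    # checksum 0, urgent 0
    return hashlib.md5(pseudo + header + payload + key).digest()

def make_syn(src, dst, sport, dport, key):
    """Constructed SYN; it carries a digest only if the sender has a password."""
    seg = dict(src=src, dst=dst, sport=sport, dport=dport, seq=1000, ack=0,
               flags=0x02, window=16384, payload=b"", md5=None)
    if key is not None:
        seg["md5"] = rfc2385_digest(*(seg[f] for f in FIELDS), key)
    return seg

def receive(seg, local_key):
    """Peer with a password configured: any failure is a silent drop (no reply)."""
    if seg["md5"] is None:
        return ("drop", "no MD5 digest")
    expected = rfc2385_digest(*(seg[f] for f in FIELDS), local_key)
    if not hmac.compare_digest(seg["md5"], expected):
        return ("drop", "MD5 digest mismatch")
    return ("accept", None)

def sender_view(action):
    """All the initiator can observe: a dropped SYN looks like a dead host."""
    return "reply received" if action == "accept" else "connection timed out"

if __name__ == "__main__":
    for label, key in (("no password", None), ("wrong password", b"CISCO"),
                       ("matching password", b"IE")):
        syn = make_syn("10.1.0.1", "10.1.0.2", 64659, 179, key)
        action, reason = receive(syn, b"IE")
        print(f"{label:18} receiver: {action} ({reason}); sender: {sender_view(action)}")
```

The drop reason exists only on the receiving router, which is why the log on the password-configured side is the place to look when the other side reports nothing but timeouts.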