RE: Cannot Get BGP peering to come up!!

From: Scott Morris (smorris@ipexpert.com)
Date: Sat Sep 29 2007 - 22:35:08 ART


Being that it's an MD5 hash, the answer would be no, you can't discover it.

However, you CAN go back and re-read the lab for important hints, perhaps on
the first page where you may see mention of "all passwords are XXXXX unless
otherwise specified" which can be incredibly important!

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
 
A Cisco Learning Partner - We Accept Learning Credits!
 
smorris@ipexpert.com
 
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ben
Sent: Saturday, September 29, 2007 1:50 PM
To: spduo
Cc: Narbik Kocharians; dee; Ajay Prakash; ccielab@groupstudy.com
Subject: Re: Cannot Get BGP peering to come up!!

That's what I would like to think too :) All the same, if there's a way to
discover through troubleshooting, it would be worth knowing. Cisco throws
all sorts of surprises at you.

On 9/29/07, spduo <frenzeus@streamyx.com> wrote:
>
> IMHO, I believe that if there is a requirement to do authentication,
> it will tell you what is the shared password to use. Not that I'm
> aware of that there is a debug tool that tells what is the expected
> password from the backbone routers, though I do not doubt
> troubleshooting is always part of the CCIE lab and that is what keeps it
> really interesting!
>
> HTH.
>
> ----- Original Message -----
> *From:* Ben <bmunyao@gmail.com>
> *To:* spduo <frenzeus@streamyx.com>
> *Cc:* Narbik Kocharians <narbikk@gmail.com> ;
> dee<devecchio.turner@sbcglobal.net>; Ajay Prakash
> <ajay.prakash@networkpeople.co.in> ; ccielab@groupstudy.com
> *Sent:* Sunday, September 30, 2007 1:37 AM
> *Subject:* Re: Cannot Get BGP peering to come up!!
>
>
> spduo
>
> In the lab, we do not have access to the backbone routers (R2 in this
> case), and cannot therefore see what's configured. We have to depend on
> troubleshooting skills to establish cause of failure to peer for instance.
>
> Ben
>
>
> On 9/29/07, spduo <frenzeus@streamyx.com> wrote:
> >
> > Rack1R2(config)#do sh run | s bgp
> > router bgp 2
> > no synchronization
> > bgp log-neighbor-changes
> > network 2.2.2.2 mask 255.255.255.255
> > neighbor 10.1.0.1 remote-as 1
> > neighbor 10.1.0.1 password IE
> >
> > is the above not the md5 authentication required?
> >
> >
> > ----- Original Message -----
> > From: "Narbik Kocharians" < narbikk@gmail.com>
> > To: "spduo" <frenzeus@streamyx.com>
> > Cc: "Ben" <bmunyao@gmail.com>; "dee" <devecchio.turner@sbcglobal.net>;
> > "Ajay Prakash" <ajay.prakash@networkpeople.co.in>; <ccielab@groupstudy.com>
> > Sent: Saturday, September 29, 2007 7:19 PM
> > Subject: Re: Cannot Get BGP peering to come up!!
> >
> >
> > >I don't see authentication configuration on the second router.
> > >
> > > On 9/28/07, spduo <frenzeus@streamyx.com> wrote:
> > >>
> > >> R1's BGP is indeed initiating a TCP session over to R2 and from the
> > >> debugs on R1 it clearly tells that it times out due to remote host (R2)
> > >> not responding. Whereas on R2, it is configured to do md5 authentication
> > >> on the TCP segments for BGP; upon receipt of those BGP TCP segments from
> > >> R1, the validation fails on R2 but R2 does not complain to R1 about the
> > >> invalidity of the digest - this is in accordance with RFC2385.
> > >>
> > >> -K
> > >>
> > >>
> > >> ----- Original Message -----
> > >> From: "Ben" <bmunyao@gmail.com>
> > >> To: "dee" <devecchio.turner@sbcglobal.net>
> > >> Cc: "Ajay Prakash" <ajay.prakash@networkpeople.co.in>;
> > >> <ccielab@groupstudy.com>
> > >> Sent: Thursday, September 27, 2007 9:38 PM
> > >> Subject: Re: Cannot Get BGP peering to come up!!
> > >>
> > >>
> > >> > Here is what I get with mismatched BGP authentication
> > >> >
> > >> > R1----------------------R2
> > >> > server(179) client
> > >> >
> > >> > Configuration and error on the client side (possibly BB):
> > >> >
> > >> > Rack1R2(config)#do sh run | s bgp
> > >> > router bgp 2
> > >> > no synchronization
> > >> > bgp log-neighbor-changes
> > >> > network 2.2.2.2 mask 255.255.255.255
> > >> > neighbor 10.1.0.1 remote-as 1
> > >> > neighbor 10.1.0.1 password IE
> > >> > no auto-summary
> > >> > Rack1R2(config)#
> > >> >
> > >> > .2(24344)
> > >> > *Mar 1 00:52:25.483: %TCP-6-BADAUTH: No MD5 digest from 10.1.0.1(179) to 10.1.0.2(24344)
> > >> > Rack1R2(config-router)#
> > >> > *Mar 1 00:52:31.151: %TCP-6-BADAUTH: No MD5 digest from 10.1.0.1(64659) to 10.1.0.2(179)
> > >> >
> > >> >
> > >> > Configuration and error on the BGP server side:
> > >> >
> > >> > Rack1R1(config)#do sh run | s bgp
> > >> > router bgp 1
> > >> > no synchronization
> > >> > bgp log-neighbor-changes
> > >> > neighbor 10.1.0.2 remote-as 2
> > >> > no auto-summary
> > >> > ip bgp-community new-format
> > >> > Rack1R1(config)#
> > >> >
> > >> > Rack1R1(config-if)#
> > >> > *Mar 1 02:36:38.743: BGP: 10.1.0.2 open active, local address 10.1.0.1
> > >> > Rack1R1(config-if)#
> > >> > *Mar 1 02:37:08.751: BGP: 10.1.0.2 open failed: Connection timed out; remote host not responding, open active delayed 31212ms (35000ms max, 28% jitter)
> > >> > Rack1R1(config-if)#
> > >> >
> > >> > On R1, there is no clue on the reason for not peering. The error
> > >> > message is cryptic. Perhaps if we could get R1 to initiate the BGP TCP
> > >> > session, we may get to see TCP-BADAUTH error. Anyone has an idea how to
> > >> > force a router to initiate a BGP session?
> > >> >
> > >> > TIA
> > >> >
> > >> > Ben
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > On 9/27/07, dee <devecchio.turner@sbcglobal.net> wrote:
> > >> >>
> > >> >> Based on the ip address you gave..assuming this is internetwork expert
> > >> >> and from what I remember bb2 has a password of (md5) CISCO... Debug ip
> > >> >> bgp events and even without the debug it should tell you invalid hash or
> > >> >> something similar?
> > >> >>
> > >> >>
> > >> >> On 9/27/07 2:15 AM, "Ajay Prakash" <ajay.prakash@networkpeople.co.in>
> > >> >> wrote:
> > >> >>
> > >> >> > Hello,
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > I am kind of stuck while trying to get the BGP peering up between R2
> > >> >> > (192.10.2.2) and BB1 (192.10.2.254). Please give me some tips as to
> > >> >> > how to troubleshoot this
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > R2 Fa0/0 ---------------- BB2
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Rack2R2(config-router)#do sh run | s bgp
> > >> >> >
> > >> >> > router bgp 200
> > >> >> >
> > >> >> > no synchronization
> > >> >> >
> > >> >> > bgp log-neighbor-changes
> > >> >> >
> > >> >> > neighbor 154.2.23.3 remote-as 300
> > >> >> >
> > >> >> > neighbor 154.2.23.3 send-community
> > >> >> >
> > >> >> > neighbor 192.10.2.1 remote-as 200
> > >> >> >
> > >> >> > neighbor 192.10.2.1 send-community
> > >> >> >
> > >> >> > neighbor 192.10.2.254 remote-as 254
> > >> >> >
> > >> >> > neighbor 192.10.2.254 ebgp-multihop 255 <<------ I don't think required, but just put in while trying to troubleshoot
> > >> >> >
> > >> >> > neighbor 192.10.2.254 update-source BVI1
> > >> >> >
> > >> >> > neighbor 192.10.2.254 send-community
> > >> >> >
> > >> >> > no auto-summary
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Rack2R2#sh run int bvi1
> > >> >> >
> > >> >> > interface BVI1
> > >> >> >
> > >> >> > ip address 192.10.2.2 255.255.255.0
> > >> >> >
> > >> >> > end
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Rack2R2#sh run int fa0/0
> > >> >> >
> > >> >> > interface FastEthernet0/0
> > >> >> >
> > >> >> > no ip address
> > >> >> >
> > >> >> > duplex auto
> > >> >> >
> > >> >> > speed auto
> > >> >> >
> > >> >> > bridge-group 1
> > >> >> >
> > >> >> > end
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Rack2R2(config-router)#do sh ip bgp summ
> > >> >> >
> > >> >> > Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> > >> >> > 154.2.23.3      4   300      21      21       13    0    0 00:14:24        0
> > >> >> > 192.10.2.1      4   200      23      20       13    0    0 00:16:27       10
> > >> >> > 192.10.2.254    4   254       0       0        0    0    0 never    Active
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Rack2R2#p 192.10.2.254
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Type escape sequence to abort.
> > >> >> >
> > >> >> > Sending 5, 100-byte ICMP Echos to 192.10.2.254, timeout is 2 seconds:
> > >> >> >
> > >> >> > !!!!!
> > >> >> >
> > >> >> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Rack2R2#traceroute 192.10.2.254
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Type escape sequence to abort.
> > >> >> >
> > >> >> > Tracing the route to 192.10.2.254
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > 1 192.10.2.254 4 msec
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Rack2R2(config-router)#
> > >> >> >
> > >> >> > *Dec 17 08:42:26.950: BGP: 192.10.2.254 open failed: Connection timed out; remote host not responding, open active delayed 34335ms (35000ms max, 28% jitter)
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > Rack2R2#debu ip bgp
> > >> >> >
> > >> >> > *Dec 17 08:35:15.482: BGP: Regular scanner event timer
> > >> >> >
> > >> >> > *Dec 17 08:35:15.482: BGP: Import timer expired. Walking from 1 to 1
> > >> >> >
> > >> >> > Rack2R2#debu ip bgp
> > >> >> >
> > >> >> > *Dec 17 08:35:29.926: BGP: 192.10.2.254 open failed: Connection timed out; remote host not responding, open active delayed 31912ms (35000ms max, 28% jitter)
> > >> >> >
> > >> >> > *Dec 17 08:35:30.482: BGP: Regular scanner event timer
> > >> >> >
> > >> >> > *Dec 17 08:35:30.482: BGP: Import timer expired. Walking from 1 to 1
> > >> >> >
> > >> >> >
> > >>
> > _______________________________________________________________________
> > >> >> > Subscription information may be found at:
> > >> >> > http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > Narbik Kocharians
> > > CCIE# 12410 (R&S, SP, Security)
> > > CCSI# 30832
> > > www.Net-WorkBooks.com



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:17 ART
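
Added example (not part of the original thread or any poster's code): a Python sketch of the RFC 2385 signature check spduo describes, showing why a peer with a missing or wrong password is dropped without any reply (so it only sees a timeout) while the validating side has a reason to log, and why the 16-byte option carries a digest rather than the password. The addresses and the key `IE` come from the thread; ports, sequence number, the wrong key and the helper names are constructed, and the "Invalid MD5 digest" reason follows IOS wording that does not appear in the thread.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385: MD5 over pseudo-header, the 20-byte fixed TCP header with a
    zeroed checksum (options excluded), the segment data, then the key."""
    hlen = (segment[12] >> 4) * 4                     # header length incl. options
    payload = segment[hlen:]
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!HH", 6, hlen + len(payload)))
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def build_syn(src_ip, dst_ip, sport, dport, seq, key=None):
    """Constructed SYN. With a key it carries option 19 (length 18) plus 2 NOPs."""
    opt_len = 20 if key is not None else 0
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      ((20 + opt_len) // 4) << 4, 0x02, 65535, 0, 0)
    if key is None:
        return hdr
    return hdr + b"\x01\x01\x13\x12" + tcp_md5_digest(src_ip, dst_ip, hdr, key)

def find_md5_option(options):
    """Walk the TCP options and return the 16-byte digest of option 19, if any."""
    i = 0
    while i < len(options) and options[i] != 0:       # kind 0 = end of options
        if options[i] == 1:                           # kind 1 = NOP, one byte
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2:
            break                                     # malformed option
        if options[i] == 19 and length == 18:
            return options[i + 2:i + 18]
        i += length
    return None

def receive(src_ip, dst_ip, segment, key):
    """Peer configured with `key`: returns (accepted, local_log_reason).
    A rejected segment is dropped and nothing is sent back to the sender."""
    received = find_md5_option(segment[20:(segment[12] >> 4) * 4])
    if received is None:
        return False, "No MD5 digest"
    if not hmac.compare_digest(received, tcp_md5_digest(src_ip, dst_ip, segment, key)):
        return False, "Invalid MD5 digest"
    return True, None
```

Calling `receive("10.1.0.1", "10.1.0.2", build_syn("10.1.0.1", "10.1.0.2", 64659, 179, 1000), b"IE")` reproduces the thread's case: the reason exists only on the router that holds the password, and the sender gets no segment back.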