Hi,
If all the above suggestions do not work, then is there an ASA firewall or
IPS device inline between the 2 pairs?
By default, the ASA firewall will clear the TCP options that carry this
authentication information - therefore one neighbor will always complain of
no authentication from the other neighbor. Below is a link with a good
configuration example on how to resolve this.
http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/
By default, IIRC, the IPS also has a signature that clears the TCP options
just the same way the ASA does. For this, either remove option 19 from the
signature in question or disable the signature altogether to enable your
authentication information to be carried across.
Hope that's somewhat helpful.
Sadiq
On Tue, Aug 24, 2010 at 5:35 AM, Bryan <deadheadblues_at_gmail.com> wrote:
> Masroor,
>
> Notice the packet is an RST. This happens on the old TCP connection
> when the BGP peer comes up on a new TCP connection with
> authentication.
>
> Do "show tcp brief" to see a list of TCP connections then kill the old
> one that is still hanging around. You will see a line corresponding to
> port 179 that is likely in the TIME_WAIT stage or something similar.
> Clear this one with "clear tcp tcb #######".
>
> This happens with BGP and LDP because they both use TCP.
>
> On Mon, Aug 23, 2010 at 7:35 PM, masroor ali <masror.ali_at_gmail.com> wrote:
> > hi,
> >
> > i am getting these logs even having same passwords on both sides, any idea
> > how to configure MD5 in BGP??
> >
> > %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.10(33278) (RST)
> > --
> > Regards,
> > Masroor Ali
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
-- CCIEx2 (R&S|Sec) #19963
Received on Tue Aug 24 2010 - 11:20:58 ART
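One way to check the inline-device theory from packet captures taken on each side of the firewall or IPS, as an added example that is not part of the original thread: the Python sketch below parses a raw TCP header and reports whether option kind 19 (the TCP MD5 signature option) is still present. The header bytes are constructed samples using the ports from the log line, and the function names and status labels are assumptions of this example.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MD5 = 0, 1, 19  # kind 19: TCP MD5 signature

def tcp_options(header: bytes):
    """Parse a raw TCP header into a list of (kind, value) option tuples."""
    if len(header) < 20:
        raise ValueError("shorter than a minimal TCP header")
    hdr_len = (header[12] >> 4) * 4          # data offset, in 32-bit words
    if not 20 <= hdr_len <= len(header):
        raise ValueError("bad data offset")
    opts, i, found = header[20:hdr_len], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:              # end of option list
            break
        if kind == TCP_OPT_NOP:              # single-byte padding
            found.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("truncated or malformed option")
        found.append((kind, opts[i + 2:i + opts[i + 1]]))
        i += opts[i + 1]
    return found

def md5_status(header: bytes) -> str:
    """Classify a segment by what happened to its MD5 signature option."""
    opts = tcp_options(header)
    for kind, value in opts:
        if kind == TCP_OPT_MD5:
            return "md5-present" if len(value) == 16 else "md5-malformed"
    # Assumption: a device that clears options in place leaves only NOP padding.
    if opts and all(kind == TCP_OPT_NOP for kind, _ in opts):
        return "nop-only"
    return "md5-absent"

def build_header(sport, dport, flags, options=b""):
    """Build a constructed TCP header (checksum left at 0) for the samples."""
    options += bytes([TCP_OPT_NOP]) * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, offset << 4, flags,
                       16384, 0, 0) + options

# Constructed samples: the same SYN as sent, and as seen past the inline device.
SENT = build_header(33278, 179, 0x02, bytes([TCP_OPT_MD5, 18]) + bytes(16))
RECEIVED = build_header(33278, 179, 0x02, bytes([TCP_OPT_NOP]) * 20)

if __name__ == "__main__":
    for name, hdr in (("sent", SENT), ("received", RECEIVED)):
        print(name, md5_status(hdr))
```

A segment that is `md5-present` on the sending side and `nop-only` or `md5-absent` on the receiving side points at the device in between rather than at a password mismatch.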