Re: bgp peering bad auth md5

From: Jochen Bartl <jochen.bartl_at_gmail.com>
Date: Thu, 07 Jun 2012 15:10:20 +0200

On 06/07/2012 02:22 PM, Tony Singh wrote:
> Guys
>
> PE>CE
>
> Just a question, but I've got a scenario here at work where BGP peerings have
> failed right after loads of MD5 bad auth messages in syslog. Do we expect
> any ARP entries on that interface if this happens, or is the security on
> the TCP session terminated if we have set a password on either end and it's not
> matching on one end, hence ARP will not show anything?
>
> ...

BGP uses TCP's MD5 signature option for authentication [1]. Since ARP is
required (unless you configure manual mappings) on an Ethernet segment
for sending IP packets to a remote host, you should definitely see an ARP
entry.

If the passwords don't match you should get a log message like this:

%TCP-6-BADAUTH: Invalid MD5 digest from 155.1.0.3(33360) to 155.1.0.5(179)

This log message indicates that no password is configured on the remote
peer:

%TCP-6-BADAUTH: No MD5 digest from 155.1.0.5(179) to 155.1.0.3(34632) (RST)

If you don't see those log messages you might need to enable "debug ip
tcp transactions". But take care with that on a production router that
has a lot of peers configured.

Since you don't have any ARP entry for your remote peer I would do the
usual basic checks first.

Best regards,

Jochen

1) Example packet capture with MD5 sig:
http://www.cloudshark.org/captures/f1d5e781c147
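The TCP MD5 signature option referenced in [1] is RFC 2385: the sender hashes the IPv4 pseudo-header, the fixed 20-byte TCP header (checksum zeroed, options excluded), the payload and the shared key, and carries the 16-byte result in option kind 19. The following is an added example, not code from the original message or from any vendor's TCP stack. It builds a SYN using the addresses and ports from the log lines quoted above (155.1.0.3:33360 -> 155.1.0.5:179), a constructed key ("cisco"), and pads the option to a 4-byte boundary with two EOL bytes (an assumption; real stacks pad differently). The receiver side maps onto the two syslog messages: a missing option is the "No MD5 digest" case, a key mismatch or a changed address is the "Invalid MD5 digest" case.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RFC 2385: option kind 19, length 18 (kind + length + 16-byte MD5 digest)
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MD5SIG, TCP_OPT_MD5SIG_LEN = 0, 1, 19, 18
IPPROTO_TCP = 6


def _pseudo_header(src_ip, dst_ip, seg_len):
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP segment length."""
    return struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, 0, IPPROTO_TCP, seg_len)


def _checksum(data):
    """Ones-complement Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, opts_len, payload, key):
    """RFC 2385 section 2.0: MD5(pseudo-header || fixed TCP header with checksum
    zeroed (data offset as sent) || payload || key). Options are not covered."""
    if len(fixed_hdr) != 20:
        raise ValueError("fixed TCP header must be 20 bytes")
    seg_len = 20 + opts_len + len(payload)
    hdr_zero_csum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    m = hashlib.md5()
    for part in (_pseudo_header(src_ip, dst_ip, seg_len), hdr_zero_csum, payload, key):
        m.update(part)
    return m.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", key=None):
    """Build a TCP segment; when key is given, append a signed MD5 option.
    Assumption: option padded to a 4-byte boundary with EOL bytes."""
    opts = b""
    if key is not None:
        opts = bytes([TCP_OPT_MD5SIG, TCP_OPT_MD5SIG_LEN]) + b"\x00" * 16
        opts += bytes([TCP_OPT_EOL]) * (-len(opts) % 4)
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, 65535, 0, 0)  # checksum 0 for now
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, hdr, len(opts), payload, key)
        opts = opts[:2] + digest + opts[TCP_OPT_MD5SIG_LEN:]
    seg_len = 20 + len(opts) + len(payload)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, seg_len) + hdr + opts + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return hdr + opts + payload


def parse_md5_option(opts):
    """Walk the TCP options field; return the 16-byte digest or None."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                   # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                   # malformed length
        if kind == TCP_OPT_MD5SIG and length == TCP_OPT_MD5SIG_LEN:
            return opts[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver check for a socket configured with key. Returns 'ok',
    'no-digest' ("No MD5 digest" case) or 'bad-digest' ("Invalid MD5 digest")."""
    data_offset = (segment[12] >> 4) * 4
    fixed_hdr, opts, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = parse_md5_option(opts)
    if received is None:
        return "no-digest"
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, len(opts), payload, key)
    return "ok" if hmac.compare_digest(received, expected) else "bad-digest"


def demo():
    """Cases from the thread: matching key, wrong key, no option, spoofed source.
    Addresses/ports are the ones in the quoted log lines; the key is constructed."""
    src, dst, key = "155.1.0.3", "155.1.0.5", b"cisco"
    syn = build_segment(src, dst, 33360, 179, seq=1000, ack=0, flags=0x02, key=key)
    unsigned = build_segment(src, dst, 33360, 179, seq=1000, ack=0, flags=0x02)
    return {
        "matching_key": verify_segment(src, dst, syn, key),
        "wrong_key": verify_segment(src, dst, syn, b"c1sco"),
        "no_option": verify_segment(src, dst, unsigned, key),
        "spoofed_src": verify_segment("155.1.0.4", dst, syn, key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} -> {result}")
```

Two things worth noticing from the code: the option bytes are excluded from the hash, which is what allows the digest to be placed in the header at all, and the pseudo-header is included, so a segment replayed from or spoofed with another source address fails as "bad-digest" even with the right key. Note also that this is a plain MD5 of data followed by the key, not an HMAC; RFC 2385 has been obsoleted by RFC 5925 (TCP-AO), which is the option to prefer where both sides support it.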

Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 07 2012 - 15:10:20 ART
