ARP comes before TCP. Can't build TCP without having an L3/L2 translation.
Sounds like issue is lower on the stack if no ARP entries are being
generated.
On Thu, Jun 7, 2012 at 6:10 AM, Jochen Bartl <jochen.bartl_at_gmail.com> wrote:
> On 06/07/2012 02:22 PM, Tony Singh wrote:
> > Guys
> >
> > PE>CE
> >
> > Just a question but got a scenario here at work where bgp peerings have
> > failed right after loads of md5 bad auth messages in syslog, do we expect
> > any arp entries on that interface if this happens, or is the security on
> > the tcp session terminated if we have set password either end and it's not
> > matching on one end, hence arp will not show anything.
> >
> > ...
>
> BGP uses TCP's MD5 signature option for authentication [1]. Since ARP is
> required (unless you configure manual mappings) on an Ethernet segment
> for sending IP packets to a remote host you should definitely see an ARP
> entry.
>
> If the passwords don't match you should get a log message like this.
>
> %TCP-6-BADAUTH: Invalid MD5 digest from 155.1.0.3(33360) to 155.1.0.5(179)
>
> This log message indicates that no password is configured on the remote
> peer.
>
> %TCP-6-BADAUTH: No MD5 digest from 155.1.0.5(179) to 155.1.0.3(34632) (RST)
>
> If you don't see those log messages you might need to enable "debug ip
> tcp transactions". But take care with that on a production router that
> has a lot of peers configured.
>
> Since you don't have any ARP entry for your remote peer I would do the
> usual basic checks first.
>
> Best regards,
>
> Jochen
>
>
> 1) Example packet capture with MD5 sig:
> http://www.cloudshark.org/captures/f1d5e781c147
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Jun 07 2012 - 15:44:41 ART
This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART
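
Added example, not part of the original thread: a small Python triage script that separates the two %TCP-6-BADAUTH forms quoted above and counts them per sending peer for BGP sessions (port 179). The function names, the cause labels (taken from the reading given in the thread) and the sample syslog lines with their timestamps are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the two %TCP-6-BADAUTH forms quoted in the thread.
BADAUTH = re.compile(
    r"%TCP-6-BADAUTH: (?P<kind>Invalid|No) MD5 digest from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)(?P<rst> \(RST\))?"
)
# Cause labels follow the interpretation given in the thread.
CAUSE = {"Invalid": "password mismatch",
         "No": "sender has no password configured"}
BGP_PORT = 179

def parse_badauth(line):
    """Return a dict for a BADAUTH line, or None for any other line."""
    m = BADAUTH.search(line)
    if not m:
        return None
    return {
        "sender": m["src"],            # peer whose segment failed the check
        "receiver": m["dst"],
        "cause": CAUSE[m["kind"]],
        "bgp": BGP_PORT in (int(m["sport"]), int(m["dport"])),
        "rst": m["rst"] is not None,   # the rejected segment was a RST
    }

def summarize(lines):
    """Count BGP-related BADAUTH events per (sender, cause)."""
    counts = Counter()
    for line in lines:
        ev = parse_badauth(line)
        if ev and ev["bgp"]:
            counts[(ev["sender"], ev["cause"])] += 1
    return counts

# Constructed sample: the thread's two messages plus made-up timestamps,
# one repeat with a different source port, and one unrelated line.
SAMPLE = [
    "Jun  7 12:01:02: %TCP-6-BADAUTH: Invalid MD5 digest from 155.1.0.3(33360) to 155.1.0.5(179)",
    "Jun  7 12:01:32: %TCP-6-BADAUTH: Invalid MD5 digest from 155.1.0.3(33361) to 155.1.0.5(179)",
    "Jun  7 12:02:10: %TCP-6-BADAUTH: No MD5 digest from 155.1.0.5(179) to 155.1.0.3(34632) (RST)",
    "Jun  7 12:02:11: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up",
]

if __name__ == "__main__":
    for (sender, cause), n in summarize(SAMPLE).items():
        print(f"{sender}: {cause} x{n}")
```

Any such message implies IP reachability between the peers, so a log full of them alongside an empty ARP table points at looking on a different interface or device.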