A couple of years ago I configured a topology for a business partner extranet much like the one sketched below.
No dynamic routing was allowed on the firewall. Layer 9 didn't trust it to run an IGP, so the firewall was configured with static routes:
- Known internal nets (registered and RFC 1918 space) pointed in
- Default route pointed out
Two eBGP sessions were configured to learn business partner prefixes (not shown) from the external switch, and redistribute them into the IGP. It was a small number of prefixes, and they were thoroughly filtered and quantity-limited, making things safe for the IGP.
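To make "thoroughly filtered and quantity-limited" concrete, here is an added, constructed example of what one of the two sessions might look like in Cisco IOS syntax. It is not the configuration from the original topology and says nothing about the mistake in the puzzle; the AS numbers (65000 local, 65001 on the external switch), the peer address 192.0.2.1, the partner prefixes 203.0.113.0/24 and 198.51.100.0/24, and OSPF as the IGP are all assumptions.

```text
! Constructed example, not the original configuration: one of the two
! eBGP sessions toward the external switch, with an inbound prefix filter
! and a prefix cap applied before anything is redistributed into the IGP.
! AS numbers, peer address, partner prefixes and the choice of OSPF are assumed.
ip prefix-list PARTNER-IN seq 10 permit 203.0.113.0/24
ip prefix-list PARTNER-IN seq 20 permit 198.51.100.0/24
! Anything else the peer announces, including RFC 1918 and our own space,
! falls through to the implicit deny at the end of the prefix-list.
!
route-map PARTNER-IN permit 10
 match ip address prefix-list PARTNER-IN
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 description External switch, session 1
 neighbor 192.0.2.1 route-map PARTNER-IN in
 ! Drop the session if the peer ever sends more than 10 prefixes,
 ! so a misconfigured partner cannot flood the IGP through us
 neighbor 192.0.2.1 maximum-prefix 10
 ! Session 2 toward the external switch is configured identically (omitted)
!
router ospf 1
 ! Only prefixes that survived the BGP inbound filter are redistributed
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
!
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list PARTNER-IN
```

The same prefix-list gates both the BGP inbound policy and the redistribution into OSPF, so a change to the partner's allowed space has to be made in exactly one place, and a prefix that slips past one check is still caught by the other.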
But it didn't work correctly: only one BGP session could be brought up at a time, never both at once.
The cause of the error took me more hours of head-scratching than I care to admit. In my defense, the topology was actually quite a bit more complicated than depicted here. Presented here is the bare minimum required to recreate the problem.
The problem was neither a firewall policy issue, nor a typo. Any typos here are just typos.
Can you spot my mistake? Which session comes up, and what's wrong with the other one?