Comments on Fragmentation Needed: BGP Adjacency - Spot The Error
Blog author: chris marget. 13 comments, oldest first.

Anonymous, 2010-11-23 23:30 (+00:00):
Remote AS number is incorrect.

chris marget, 2010-11-24 01:57 (+00:00):
This comment has been removed by the author.

chris marget, 2010-11-24 02:31 (+00:00):
Remote AS number fixed. The problem lies elsewhere.

Chris, 2010-11-24 02:35 (+00:00):
Running HSRP? Which is active/passive. You can't create a BGP session with the standby router?

Anonymous, 2010-11-24 04:12 (+00:00):
ebgp multihop should be 3

Anonymous, 2010-11-24 05:00 (+00:00):
I'm guessing it has something to do with your HSRP setup on vlan20 on both internal routers. The default route on the firewall for internal subnets points to ~20.1, which is the HSRP virtual IP, and that IP only maps to one of the routers at a time. Since BGP is using loopbacks for src/dest IPs, the path to both internal routers will head through default route ~20.1. I bet the firewall drops the traffic to one of the routers because the incoming and outgoing traffic to it are using different interfaces (asymmetric). Removing HSRP should fix it.

chris marget, 2010-11-24 21:56 (+00:00):
Removing HSRP isn't an option: the firewall doesn't run a routing protocol, so some FHRP is required.

The firewall isn't dropping any packets.

Anonymous, 2010-11-26 16:39 (+00:00):
Is it not the ebgp multihop either? Very curious on the answer to this.

chris marget, 2010-11-26 18:32 (+00:00):
The problem was a combination of HSRP and eBGP multihop.

Because of the firewall's routes pointing at the HSRP address, one of the internal routers was 3 hops away (in the inbound direction only):

A -> external: 2 hops
B -> external: 2 hops
external -> HSRP primary: 2 hops
external -> HSRP secondary: 3 hops

I fixed this by adding 32-bit routes on the firewall:
192.168.255.1 -> 192.168.20.2
192.168.255.2 -> 192.168.20.3

Routing traffic from the VLAN 20 (or 30) interface to the Lo0 interface doesn't count as a hop, so "multihop 2" is sufficient so long as we're not taking the *extra* hop across VLAN 10.

EtherealMind (http://etherealmind.com), 2010-12-06 12:29 (+00:00):
I would also have been concerned about BGP through the firewall. Certain firewalls may randomise the TCP sequence number, which breaks BGP (e.g. Cisco ASA).

chris marget, 2010-12-06 12:56 (+00:00):
Hey Greg, thanks for your comment.

These were ScreenOS boxes. I don't know if they play games with the TCP ISN, but I didn't have any problems in that regard.

Either way, I /think/ that the ISN randomization is only an issue if MD5 authentication is configured between the neighbors.

I'm not completely sure about that, but can't see how else the BGP session would notice ISN games played by an intermediate device.

Jeremy Filliben, 2012-03-29 14:41 (+01:00):
Chris,

Great blog; I've enjoyed reading through your archives. The problem you describe here is also present when you use 'vpc peer-gateway' on the firewall-facing VLAN. Not that this has much to do with your issue here; just an FYI.

Jeremy Filliben

chris marget, 2012-03-30 19:05 (+01:00):
Hey Jeremy, thank you for the compliment.

Does 'vpc peer-gateway' decrement TTL when bridging through the "wrong" Nexus 7K?

Maybe that's not what you meant.