BGP - Routing problems with some Networks

fred_m
Level 1

Hi Guys

I have one Cisco 2800 running BGP with my own AS. I have only one ISP.

I have one default route statically configured to my ISP.

On my router I don't have any filters.

I have an issue where some networks on the Internet can't ping my servers inside my AS.

Most other networks can ping fine; just a few big networks such as BellSouth and Verisign can't ping my servers.

I've tried a lot of things, like using my loopback as the source IP and pinging from it to the servers (works), receiving the default route via BGP, and changing the default route from IP to interface, and I didn't have success.

I ran debug ip icmp and see this message only when those networks try to ping my AS servers:

000366: *Jun 1 23:56:05.815 PCTime: ICMP: time exceeded (time to live)

sent to xx.xx.xx.xx (dest was xx.xx.xx.xx my AS)

I'm trying to figure out how to solve this problem.

Can anyone help me with this issue?

Thanks.

Fred

9 Replies

Danilo Dy
VIP Alumni

Hi Fred,

Can you post your config?

Dandy

It follows below.

Current configuration : 3067 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
clock timezone PCTime -8
no network-clock-participate wic 1
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip domain name company.com
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
voice-card 0
 no dspfarm
!
!
!
voice service voip
!
username xxxxxxxxx
!
!
controller E1 0/1/0
 clock source internal
!
controller E1 0/1/1
!
!
!
interface FastEthernet0/0
 description ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address xx.xx.xx.xx 255.255.255.0 (my AS network)
 no cdp enable
!
interface FastEthernet0/0.11
 no cdp enable
!
interface FastEthernet0/0.12
 no cdp enable
!
interface FastEthernet0/0.13
 encapsulation dot1Q 13
 no cdp enable
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1.10
 no cdp enable
!
interface Serial0/0/0
 ip address xx.xx.xx.xx 255.255.255.252 (my ISP interface)
 encapsulation ppp
 no cdp enable
!
interface Serial0/0/1
 no ip address
 shutdown
 clockrate 2000000
 no cdp enable
!
router bgp xxxxx (my AS number)
 no synchronization
 bgp log-neighbor-changes
 network xx.xx.xx.0 mask 255.255.240.0 (my AS range)
 aggregate-address xx.xx.xx.0 255.255.240.0 as-set
 redistribute connected
 redistribute static
 neighbor xx.xx.xx.xx remote-as xxxx (my ISP neighbor and AS)
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx (default gateway for my ISP)
ip route xx.xx.xx.xx 255.255.255.0 xx.xx.xx.xx (route to one subnet of my AS inside my network point to internal gateway)
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
logging trap debugging
no cdp run
control-plane
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Thanks.

Hi,

This is a case for your ISP, not you.

It's a classic issue of AS-path filter (or prefix-filter).

Your ISP has to "talk" to Verisign's ISP.

HTH, rate if it does using the scroll-box at the bottom right.

BR,

Bjornarsb

I have a ticket open with them, but they insist that this is my problem.

If someone can give me some hints, I can send them to my ISP for analysis.

Thanks.

Fred

No,

it's NOT your problem.

Use this and it might give you information that you can use against your ISP.

http://www.bgp4.as/looking-glasses

BR,

Bjornarsb

Hi Fred,

Please look through some of the publicly available route servers and see where it gets dropped...

If it gets dropped at your ISP, you can show this as a reference...

http://www.traceroute.org/

Choose your relevant route-server and have a try....

Rate if it does,

Rgs,

How can I collect some evidence of an AS-path filter and show it to my ISP?

Thanks.

Fred

Hi Fred,

See the relevant route server output, and if the drop is not at your end, you can tell the ISP to troubleshoot where it is getting blocked or how to get it permitted... It is their responsibility to get it done...

Rgs

Hi,

Can you execute the following in your router and post the output in this forum?

1. Check if you are correctly advertising your prefixes to your ISP.

show ip bgp neighbors xx.xx.xx.xx advertised-routes | include xx.xx.xx.0

2. Check if the route is in BGP routing table.

show ip bgp xx.xx.xx.0 255.255.240.0 longer-prefixes

3. Check if there is an exact route in the routing table.

show ip route xx.xx.xx.0 255.255.240.0 longer-prefixes

NOTE: You have to replace "summary-only" with "no auto-summary". I suspect that component networks are suppressed by "summary-only". After replacing, execute the 3 routing checks above again.

Dandy
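
Added example, not part of any post in this thread: one way to turn the output of the checks above into evidence for an ISP ticket is to sort each BGP table row by whether it is the expected aggregate, a component network inside it, or something outside it, and to flag suppressed rows. The sample table and the 198.18.16.0/20 aggregate are constructed stand-ins for the masked xx.xx.xx.0 255.255.240.0 range, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of an IOS "show ip bgp" table.
# Prefixes come from the 198.18.0.0/15 benchmarking range, not from the thread.
SAMPLE = """\
BGP table version is 12, local router ID is 198.18.16.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 198.18.16.0/20   0.0.0.0                            32768 i
s> 198.18.17.0      198.18.16.2              0         32768 ?
*> 198.18.250.0/30  0.0.0.0                  0         32768 ?
"""

# Status columns (e.g. "*>", "s>", "*>i"), then the network and optional length.
ROW = re.compile(r"^([*sdhr])[> ]?[i ]?\s*(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\s")


def classful_len(addr):
    """IOS omits the length when it equals the classful mask; recover it."""
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def classify(output, aggregate):
    """Sort table rows into exact / more_specific / outside; note suppressed ones."""
    agg = ipaddress.ip_network(aggregate)
    found = {"exact": [], "more_specific": [], "outside": [], "suppressed": []}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, legend or blank line
        status, addr, plen = m.groups()
        net = ipaddress.ip_network(f"{addr}/{plen or classful_len(addr)}", strict=False)
        if status == "s":
            found["suppressed"].append(str(net))
        key = "exact" if net == agg else "more_specific" if net.subnet_of(agg) else "outside"
        found[key].append(str(net))
    return found


if __name__ == "__main__":
    for key, nets in classify(SAMPLE, "198.18.16.0/20").items():
        print(f"{key:14} {nets}")
```

An empty "exact" list means the aggregate itself is missing from the table that was checked, which is the first thing to rule out before comparing against a public route server.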
