IPS4240 in bypassmode-auto cause BGP peering failure
Recently installed IPS4240's running inline. With "bypass-mode auto" the BGP peering (with password) between 2 routers either side of the IPS unit drops. The error logs indicate bad MD5 hash on both units. In "bypass-mode on" BGP peering with password is fine.
Re: IPS4240 in bypassmode-auto cause BGP peering failure
This is probably being dropped or modified by some of the "normalizer" engine signatures in the IPS. Basically the IPS in inline mode does a lot of TCP checks and drops or modifies packets with certain bits set. It probably doesn't like the fact the MD5 hash is set as TCP option bit 19 and is modifying it somehow, which then fails your authentication on the remote peer.
Go into whatever configuration tool you're using and enable the "produce-verbose-alert" on all the 13xx signatures (1300-1330). Then check your alerts for an alert with a victim/attacker IP addresses of your BGP routers, see what signature it was that actually fired, then disable that signature (or add a filter so that it doesn't fire for that IP address pair anymore). This will stop it doing whatever it is doing to your BGP packets and it should work from then on.
It'll probably be one of the sub-sigs under 1330, as this does a lot of different checks on various parts of the TCP packet.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :