Cisco Support Community
New Member

bgp authent pb

Hi all,

I've got three routers running version 12.2(13)T; two of them are separated by a PIX.

My iBGP peering is OK and all works fine (PIX conf OK).

When I enable BGP authentication, the iBGP session between the directly connected routers still works, but the peering between the routers separated by the PIX goes down (no modification needed on the PIX).

The PIX doesn't discard packets (no logs); the two routers log a bad authentication message.

Here are extracts of the conf without authentication.

ra

router bgp 64512

network 192.168.2.0 mask 255.255.255.0

neighbor 2.2.2.2 remote-as 64512 (rb behind pix)

no auto-summary

rb

router bgp 64512

neighbor 1.1.1.1 remote-as 64512 (ra behind pix)

neighbor 2.2.2.3 remote-as 64512 (rc directly connected)

no auto-summary

rc

router bgp 64512

neighbor 2.2.2.2 remote-as 64512 (rb directly connected)

no auto-summary

Can I only perform BGP authentication on directly connected routers or eBGP peerings?

Do I need something more than the neig a.b.c.d pass test command? Is it a bug?

Thanks for your help

Silver

Re: bgp authent pb

The PIX has to be configured to allow the BGP traffic (TCP, port 179) between iBGP peers. Additionally a static NAT translation has to be configured on the PIX to allow routers on the outside to initiate a BGP session with routers on the inside of PIX.

Also check if the password has been configured correctly on the peers. The command that is required is the neighbor {ip-address | peer-group-name} password string command. I don't think there is a restriction on the authentication; it can be done for peers that are not directly connected also. Please also check the ebgp configuration and check if the neighbor commands and the update source have been configured correctly.

Bronze

Re: bgp authent pb

Hi, are the two BGP routers, separated by the PIX, able to ping each other?

Usually, BGP peers are directly connected. If there's a device (such as a router) separating the two routers, you have to use the ebgp-multihop command to be able to form BGP peering between the two routers.

And as mentioned above, TCP port 179 should not be blocked by the PIX.

Hope this helps.

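Added example, not part of the thread: the neighbor password command enables the TCP MD5 signature option (RFC 2385), whose digest covers the IP addresses and the TCP header, including the sequence number. The sketch below recomputes that digest for a constructed segment to show which changes in transit make the receiver report bad authentication. The address 10.0.0.1, the ports and the sequence numbers are assumptions, and the posts do not say whether the PIX in this thread rewrote any of these fields.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int = 0
    flags: int = 0x02        # SYN
    window: int = 16384
    payload: bytes = b""

OPTIONS_LEN = 20  # MD5 option (kind 19, 18 bytes) plus 2 bytes of padding

def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385: MD5(pseudo-header | TCP header without options, checksum 0 | data | key)."""
    seg_len = 20 + OPTIONS_LEN + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src) + socket.inet_aton(seg.dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    offset_flags = ((20 + OPTIONS_LEN) // 4 << 12) | seg.flags
    header = struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         offset_flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()

def receiver_accepts(seen: Segment, carried_digest: bytes, key: bytes) -> bool:
    """The receiver recomputes the digest over the segment as it arrived."""
    return hmac.compare_digest(tcp_md5_digest(seen, key), carried_digest)

def demo() -> dict:
    key = b"test"  # password taken from the question's "pass test"
    # Constructed SYN from ra (1.1.1.1) to rb (2.2.2.2); ports and seq are made up.
    sent = Segment(src="1.1.1.1", dst="2.2.2.2", sport=11000, dport=179, seq=1000)
    digest = tcp_md5_digest(sent, key)  # computed by ra, carried in TCP option 19
    return {
        "unmodified": receiver_accepts(sent, digest, key),
        "source address translated": receiver_accepts(replace(sent, src="10.0.0.1"), digest, key),
        "sequence number rewritten": receiver_accepts(replace(sent, seq=734211), digest, key),
        "password mismatch": receiver_accepts(sent, digest, b"Test"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} -> {'accepted' if ok else 'bad authentication'}")
```

Only the unmodified segment verifies; a change to an address, the sequence number or the key by either end or by a device in the path produces the same symptom on the routers.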