PIX 525 BGP drop

khaile
Level 1

The ACL hit count shows nothing:

access-list capture1 line 1 permit tcp host 172.68.101.1 eq bgp any (hitcnt=0)

access-list capture1 line 2 permit tcp any host 172.68.101.1 eq bgp (hitcnt=0)

whereas the router shows me

Jan 16 07:40:25: %BGP-5-ADJCHANGE: neighbor 10.176.251.24 Down Peer closed the session

Jan 16 07:40:25: %BGP-5-ADJCHANGE: neighbor 172.68.150.23 Down Peer closed the session

Jan 16 07:41:04: %BGP-5-ADJCHANGE: neighbor 172.68.150.23 Up

Jan 16 07:41:11: %BGP-5-ADJCHANGE: neighbor 10.176.251.24 Up

In the meantime I see the following in the PIX log:

2004-01-16 07:40:23 Local4.Info 172.68.101.254 Jan 16 2004 07:40:23: %PIX-6-106015: Deny TCP (no connection) from 172.68.150.23/179 to 172.68.101.1/11032 flags PSH ACK on interface outside

2004-01-16 07:40:23 Local4.Info 172.68.101.254 Jan 16 2004 07:40:23: %PIX-6-106015: Deny TCP (no connection) from 172.68.150.23/179 to 172.68.101.2/18097 flags PSH ACK on interface outside

2004-01-16 07:40:23 Local4.Info 172.68.101.254 Jan 16 2004 07:40:23: %PIX-6-106015: Deny TCP (no connection) from 172.68.150.23/179 to 172.68.101.1/11032 flags PSH ACK on interface outside

This happens once every 48 or so hours; any idea would be appreciated.

Note: the FW=172.68.101.254 internal router= 172.68.101.1 and external router= 172.68.150.23


ramesh.krishnan
Level 1

Try giving the port number instead of "bgp"... FYI, it's TCP port 179.

ramesh

shannong
Level 4

Is that a capture ACL? If so, to what interface did you apply it? The Pix only captures traffic on the input of an interface and not on the output. Is there any NAT involved for the BGP peer addresses? Have you changed the hello interval? How many hops away are the neighbors?

I notice the remote peers closed the session actively and at the same time. This means that they probably lost their keepalives to the internal router for some reason and sent a teardown message.

The best way to troubleshoot this is to make sure all devices have synchronized time and catch all firewall logs along with debugging BGP on the router. This will tell us why it is tearing down, i.e. timeouts, BGP software error followed by a reset, etc.
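The correlation shannong describes (firewall logs against the BGP flaps) can be scripted. The following is an added example, not code from this thread: it parses %PIX-6-106015 lines in the format quoted in the question and counts, per source/destination pair, the mid-stream (ACK without SYN) denies that touch TCP/179, which is the signature of the firewall having lost state for an established BGP session. The sample log is constructed from the lines in the question plus one unrelated non-BGP line.

```python
import re
from collections import defaultdict

# Constructed sample: three PIX-6-106015 lines from the question plus one non-BGP line.
SAMPLE_LOG = """\
2004-01-16 07:40:23 Local4.Info 172.68.101.254 Jan 16 2004 07:40:23: %PIX-6-106015: Deny TCP (no connection) from 172.68.150.23/179 to 172.68.101.1/11032 flags PSH ACK on interface outside
2004-01-16 07:40:23 Local4.Info 172.68.101.254 Jan 16 2004 07:40:23: %PIX-6-106015: Deny TCP (no connection) from 172.68.150.23/179 to 172.68.101.2/18097 flags PSH ACK on interface outside
2004-01-16 07:40:23 Local4.Info 172.68.101.254 Jan 16 2004 07:40:23: %PIX-6-106015: Deny TCP (no connection) from 172.68.150.23/179 to 172.68.101.1/11032 flags PSH ACK on interface outside
2004-01-16 07:40:23 Local4.Info 172.68.101.254 Jan 16 2004 07:40:23: %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/443 to 172.68.101.7/40211 flags PSH ACK on interface outside
"""

# Matches the message body of a 106015 "Deny ... (no connection)" event.
PIX_106015 = re.compile(
    r"%PIX-\d-106015: Deny (?P<proto>\w+) \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\w+)"
)
BGP_PORT = 179


def parse_106015(line):
    """Return a dict of the 106015 fields, or None if the line is not a 106015 event."""
    m = PIX_106015.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["flags"] = d["flags"].split()
    return d


def is_midstream(event):
    """ACK set and SYN clear: a packet from an already established session."""
    return "ACK" in event["flags"] and "SYN" not in event["flags"]


def bgp_state_loss(log_text):
    """Count mid-stream TCP/179 denies per (src, dst); non-zero counts mean the
    firewall dropped packets of an established BGP session it no longer tracked."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_106015(line)
        if ev is None or ev["proto"] != "TCP" or not is_midstream(ev):
            continue
        if BGP_PORT in (ev["sport"], ev["dport"]):
            counts[(ev["src"], ev["dst"])] += 1
    return dict(counts)
```

Feed it the syslog export from the time window around a %BGP-5-ADJCHANGE Down to see whether the PIX denied established BGP traffic at that moment.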

Thank you very much guys for your help. I found out late on Friday that the cause of this problem is clearing xlate. Whenever I clear xlate the BGP falls. During the weekend I left the network to run without touching it and so far no BGP error. In addition, I checked the logfile for port 179 and did not find any. However, I'm surprised that xlate causes such a problem, so in the near future or until I get a resolution, I may not clear xlate anymore. Any help would be appreciated. Thanks again.
