12-06-2011 05:26 PM - edited 03-04-2019 02:32 PM
Hi,
We have been having an issue getting the BGP session up with our ISP. The problem starts when we enable MD5 auth for BGP: it does not come up and stays in Active state; as soon as we remove the password the session is up and running.
The MD5 auth for BGP was working for a couple of months and then it suddenly stopped working. There are half-open TCP sessions in SYNRCVD initiated from the ISP side when we enable MD5.
Router at our end: c2800nm-advipservicesk9-mz.124-15.T7.BIN
Below is the packet capture; please note I.S.P.A = ISP IP address, C.U.S.T = our IP address.
TCP Packet debugging is on for address I.S.P.A
Dec 7 11:43:00.327: tcp0: I LISTEN I.S.P.A:8006 C.U.S.T:179 seq 2753436622
OPTS 24 SYN WIN 65000
Dec 7 11:43:00.327: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
OPTS 24 ACK 2753436623 SYN WIN 16384
Dec 7 11:43:02.327: tcp0: R SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
OPTS 24 ACK 2753436623 SYN WIN 16384
Dec 7 11:43:03.155: tcp0: I SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2753436622
OPTS 24 SYN WIN 65000
Dec 7 11:43:03.155: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
OPTS 20 ACK 2753436623 WIN 16384
Dec 7 11:43:03.155: TCP0: bad seg from I.S.P.A-- bad sequence number: port 179 seq 2753436622 ack 0 rcvnxt 2753436623 rcvwnd 16384 len 0
Dec 7 11:43:06.327: tcp0: R SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
OPTS 24 ACK 2753436623 SYN WIN 16384
Dec 7 11:43:09.155: tcp0: I SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2753436622
OPTS 24 SYN WIN 65000
Dec 7 11:43:09.155: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
OPTS 20 ACK 2753436623 WIN 16384
Dec 7 11:43:09.155: TCP0: bad seg from I.S.P.A-- bad sequence number: port 179 seq 2753436622 ack 0 rcvnxt 2753436623 rcvwnd 16384 len 0
Removing the password gets the session up and running, while enabling the password breaks the session. MD5 is probably only 16 bytes, while the ISP confirms they have an MTU of 9000 bytes. Appreciate any input.
AP
12-06-2011 09:37 PM
Hi Amar,
Though trivial, have you confirmed with your ISP what password they are using and also whether they are deploying the encryption?
I have seen a couple of times that by mistake during an upgrade or some troubleshooting, the password gets changed (manual mistake).
So I suggest you confirm with your ISP about the password and encryption at their end.
Regards,
Smitesh
12-07-2011 03:40 PM
Hi Smitesh,
Yes, we have confirmed with the ISP that the password is certainly fine; we are not seeing any MD5 mismatch errors.
Ta
12-07-2011 06:11 PM
Could it be that your router and the ISP router are separated by a Cisco PIX/ASA or Checkpoint firewall?
If it is a Checkpoint firewall, they need to disable TCP sequence randomization in Checkpoint SmartDefense (R65) or IPS (R70 and higher).
If this is a Cisco firewall, they need to do something similar to this:
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 norandomseq nail
With newer Cisco versions, you may need to implement Modular Policy Framework (MPF) to turn off TCP option 19.
If there are no firewalls in between, then disregard what I said above.
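An added Python example, not from this thread, showing what the TCP MD5 signature (RFC 2385, TCP option 19) actually covers. The addresses and key are constructed stand-ins; the ports, sequence number, window and option length are taken from the ISP's SYN in the debug output above. It shows the 18-byte option on the wire and that both a key mismatch and a middlebox rewriting the sequence number, as described in the previous reply, leave the receiver with a digest it will not accept.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
                   window, opt_len, payload, key):
    """RFC 2385 signature: MD5 over the IP pseudo-header, the fixed TCP
    header (checksum zeroed, options excluded), the payload, then the key.
    opt_len only feeds the segment-length and data-offset fields."""
    header_len = 20 + opt_len
    seg_len = header_len + len(payload)
    # Pseudo-header: source, destination, zero byte, protocol 6, TCP length.
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         seg_len)
    # Fixed 20-byte header: data offset in 32-bit words, zeroed checksum.
    off_flags = ((header_len // 4) << 12) | (flags & 0x1FF)
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                          off_flags, window, 0, 0)
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()

def md5_option(digest):
    """Option kind 19, length 18, 16-byte digest: 18 bytes on the wire."""
    return bytes([19, 18]) + digest

def verify(option, key, **segment):
    """Receiver side: recompute with the local key and compare; RFC 2385
    discards a mismatching segment rather than answering it."""
    if len(option) != 18 or option[:2] != b"\x13\x12":
        return False
    return hmac.compare_digest(option[2:], tcp_md5_digest(key=key, **segment))

# Constructed stand-ins for I.S.P.A, C.U.S.T and the shared key; ports,
# sequence number, window and option length come from the "I LISTEN" SYN.
ISP_A, CUST, KEY = "192.0.2.1", "198.51.100.1", b"example-bgp-key"
SYN = dict(src_ip=ISP_A, dst_ip=CUST, src_port=8006, dst_port=179,
           seq=2753436622, ack=0, flags=0x02, window=65000, opt_len=24,
           payload=b"")  # flags=0x02 is SYN only

def demo():
    """Returns (matching key, wrong key, sequence number rewritten in transit)."""
    opt = md5_option(tcp_md5_digest(key=KEY, **SYN))
    good = verify(opt, KEY, **SYN)
    wrong_key = verify(opt, b"some-other-key", **SYN)
    # A middlebox randomizing the sequence number alters a hashed field.
    rewritten = verify(opt, KEY, **dict(SYN, seq=SYN["seq"] + 12345))
    return good, wrong_key, rewritten  # (True, False, False)
```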
12-07-2011 09:44 PM
Thanks for your input David; there are no firewalls within the path.
12-07-2011 10:00 PM
Hi Amar,
Simply, the ISP is lying.
Just think: if the passwords are the same on both ends, why would your BGP session even come UP when you remove the password at your end?
Regards,
Smitesh