BGP peer issue

amar_5664
Level 1

Hi,

We have been having an issue getting the BGP session up with our ISP. The problem starts when we enable MD5 auth for BGP: the session does not come up and stays in Active state; as soon as we remove the password, the session is up and running.

The MD5 auth for BGP was working for a couple of months and then suddenly stopped working. There are half-open TCP sessions in SYNRCVD state, initiated from the ISP side, when we enable MD5.

Router at our end: c2800nm-advipservicesk9-mz.124-15.T7.BIN

Below is a packet capture; please note I.S.P.A = ISP IP address, C.U.S.T = our IP address.

TCP Packet debugging is on for address I.S.P.A

Dec  7 11:43:00.327: tcp0: I LISTEN I.S.P.A:8006 C.U.S.T:179 seq 2753436622
        OPTS 24 SYN  WIN 65000
Dec  7 11:43:00.327: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 24 ACK 2753436623 SYN  WIN 16384
Dec  7 11:43:02.327: tcp0: R SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 24 ACK 2753436623 SYN  WIN 16384
Dec  7 11:43:03.155: tcp0: I SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2753436622
        OPTS 24 SYN  WIN 65000
Dec  7 11:43:03.155: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 20 ACK 2753436623  WIN 16384
Dec  7 11:43:03.155: TCP0: bad seg from I.S.P.A-- bad sequence number: port 179 seq 2753436622 ack 0 rcvnxt 2753436623 rcvwnd 16384 len 0
Dec  7 11:43:06.327: tcp0: R SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 24 ACK 2753436623 SYN  WIN 16384
Dec  7 11:43:09.155: tcp0: I SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2753436622
        OPTS 24 SYN  WIN 65000
Dec  7 11:43:09.155: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 20 ACK 2753436623  WIN 16384
Dec  7 11:43:09.155: TCP0: bad seg from I.S.P.A-- bad sequence number: port 179 seq 2753436622 ack 0 rcvnxt 2753436623 rcvwnd 16384 len 0

Removing the password gets the session up and running, while enabling the password breaks the session. MD5 is probably only 16 bytes, while the ISP confirms they have an MTU of 9000 bytes. Appreciate any input.

AP
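As an added illustration (not part of the original post and not a Cisco tool), the Python script below parses the debug lines quoted above and tallies the handshake. It makes the pattern in the output explicit: every inbound SYN is answered with a SYN-ACK, the SYN-ACK is retransmitted, and the peer never sends the third ACK, only duplicate SYNs, which is what the "bad seg" lines are. The regular expressions are assumptions fitted to the exact line shape shown in the post, and the sample input is those lines with the poster's I.S.P.A / C.U.S.T placeholders kept.

```python
import re
from collections import Counter

# Constructed sample input: the 'debug ip tcp packet' lines quoted in the post
# above, with the poster's I.S.P.A / C.U.S.T placeholders kept as-is.
SAMPLE_DEBUG = """\
Dec  7 11:43:00.327: tcp0: I LISTEN I.S.P.A:8006 C.U.S.T:179 seq 2753436622
        OPTS 24 SYN  WIN 65000
Dec  7 11:43:00.327: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 24 ACK 2753436623 SYN  WIN 16384
Dec  7 11:43:02.327: tcp0: R SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 24 ACK 2753436623 SYN  WIN 16384
Dec  7 11:43:03.155: tcp0: I SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2753436622
        OPTS 24 SYN  WIN 65000
Dec  7 11:43:03.155: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 20 ACK 2753436623  WIN 16384
Dec  7 11:43:03.155: TCP0: bad seg from I.S.P.A-- bad sequence number: port 179 seq 2753436622 ack 0 rcvnxt 2753436623 rcvwnd 16384 len 0
Dec  7 11:43:06.327: tcp0: R SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 24 ACK 2753436623 SYN  WIN 16384
Dec  7 11:43:09.155: tcp0: I SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2753436622
        OPTS 24 SYN  WIN 65000
Dec  7 11:43:09.155: tcp0: O SYNRCVD I.S.P.A:8006 C.U.S.T:179 seq 2451191458
        OPTS 20 ACK 2753436623  WIN 16384
Dec  7 11:43:09.155: TCP0: bad seg from I.S.P.A-- bad sequence number: port 179 seq 2753436622 ack 0 rcvnxt 2753436623 rcvwnd 16384 len 0
"""

# Header line: timestamp, direction (I=in, O=out, R=retransmit), TCB state,
# remote endpoint, local endpoint, sequence number. In this debug the remote
# endpoint is printed first in both directions (an assumption from the sample).
SEG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): tcp\d+: (?P<dir>[IOR]) (?P<state>\w+) "
    r"(?P<peer>\S+):(?P<pport>\d+) (?P<local>\S+):(?P<lport>\d+) seq (?P<seq>\d+)$"
)
# Continuation line: option byte count, optional ACK number, optional SYN, window.
OPT_RE = re.compile(
    r"^\s*OPTS (?P<optlen>\d+)(?: ACK (?P<ack>\d+))?(?: (?P<syn>SYN))?\s+WIN (?P<win>\d+)$"
)
BAD_RE = re.compile(r"bad seg from (?P<peer>\S+)-- (?P<reason>[^:]+):")

MD5_OPTION_LEN = 18  # RFC 2385: kind 19, length 18, carrying a 16-byte digest


def parse_segments(text):
    """Pair each header line with its OPTS line; keep 'bad seg' lines as events."""
    lines = text.splitlines()
    segs, i = [], 0
    while i < len(lines):
        m = SEG_RE.match(lines[i])
        o = OPT_RE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if m and o:
            seg = {**m.groupdict(), **o.groupdict()}
            seg["syn"] = seg["syn"] is not None
            seg["ack"] = int(seg["ack"]) if seg["ack"] is not None else None
            seg["optlen"] = int(seg["optlen"])
            segs.append(seg)
            i += 2
            continue
        b = BAD_RE.search(lines[i])
        if b:
            segs.append({"dir": "BAD", "reason": b["reason"]})
        i += 1
    return segs


def analyze(text):
    """Tally handshake phases and state where the three-way handshake stalls."""
    c = Counter()
    for s in parse_segments(text):
        if s["dir"] == "BAD":
            c["bad_seg"] += 1
        elif s["dir"] == "I" and s["syn"] and s["ack"] is None:
            c["syn_in"] += 1
            if s["state"] != "LISTEN":          # SYN arrived while we were already in SYNRCVD
                c["syn_in_retrans"] += 1
            if s["optlen"] >= MD5_OPTION_LEN:   # enough option bytes to carry option 19
                c["syn_in_md5_sized"] += 1
        elif s["dir"] == "O" and s["syn"] and s["ack"] is not None:
            c["synack_out"] += 1
        elif s["dir"] == "R" and s["syn"]:
            c["synack_retrans"] += 1
        elif s["dir"] == "I" and s["ack"] is not None:
            c["ack_in"] += 1                    # third step of the handshake
        elif s["dir"] == "O" and s["ack"] is not None:
            c["ack_out"] += 1                   # bare ACK answering a duplicate SYN
    result = dict(c)
    if c["ack_in"]:
        result["verdict"] = "handshake completed"
    elif c["synack_out"] and c["syn_in_retrans"]:
        result["verdict"] = (
            "peer never ACKs our SYN-ACK and keeps retransmitting its SYN: its segments reach "
            "us intact, so our replies are discarded by the peer or altered in transit; with TCP "
            "MD5 on, a key mismatch at the peer or a middlebox rewriting the signed header are "
            "the usual causes"
        )
    elif c["synack_out"]:
        result["verdict"] = "SYN-ACK sent, no peer retransmission seen yet"
    else:
        result["verdict"] = "no SYN seen from peer"
    return result


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_DEBUG).items():
        print(f"{k}: {v}")
```

Run it on a saved `debug ip tcp packet` capture to get the same tally; the useful signal is `ack_in` staying at zero while `syn_in_retrans` climbs, which points at the peer (or something between the routers) rejecting the SYN-ACK rather than at anything the local router does.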

5 Replies

Hi Amar,

Though trivial, have you confirmed with your ISP what password they are using and also whether they are deploying the encryption?

I have seen a couple of times that by mistake, during an upgrade or some troubleshooting, the password gets changed (manual mistake).

So I suggest you confirm with your ISP about the password and encryption at their end.

Regards,

Smitesh

Hi Smitesh,

Yes, we have confirmed with the ISP that the password is certainly fine; we are not seeing any MD5 mismatch errors.

Ta

Could it be that your router and the ISP router are separated by a Cisco PIX/ASA or Checkpoint firewall?

If it is a Checkpoint firewall, they need to disable TCP sequence randomization in Checkpoint SmartDefense (R65) or IPS (R70 and higher).

If this is a Cisco firewall, they need to do something similar to this:

static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 norandomseq nail

With newer Cisco versions, you may need to implement the Modular Policy Framework (MPF) to turn off TCP option 19.

If there are no firewalls in between, then disregard what I said above.
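As an added example (not David's code and not any firewall vendor's), the Python below models the RFC 2385 TCP MD5 signature to show why the two middlebox behaviours named above break a signed BGP session: the digest covers the IP pseudo-header and the fixed TCP header, so a device that rewrites the sequence number cannot keep the signature valid, and a device that strips unknown options removes option 19 altogether. It also shows why a key mismatch produces silent drops rather than a logged mismatch, since RFC 2385 requires the receiver to discard a failing segment without responding. Addresses and key are constructed demo values.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19
TCP_MD5_LEN = 18            # kind + length + 16-byte digest
MD5_OPT_PAD = b"\x01\x01"   # two NOPs pad the option block to a 4-byte multiple
SYN = 0x02


def _pseudo_header(src_ip, dst_ip, seg_len):
    # RFC 2385 s.2.0 item 1: source, destination, zero, protocol 6, TCP segment length
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, the fixed 20-byte TCP header with checksum zeroed
    (options are excluded), the payload, and the key (RFC 2385 s.2.0)."""
    data_offset = (segment[12] >> 4) * 4
    header = bytearray(segment[:20])
    header[16:18] = b"\x00\x00"
    payload = segment[data_offset:]
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, len(segment)) + bytes(header) + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Build a TCP segment carrying option 19 computed with `key`."""
    opts_len = TCP_MD5_LEN + len(MD5_OPT_PAD)           # 20 option bytes
    data_offset = (20 + opts_len) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    opt_prefix = bytes([TCP_MD5_KIND, TCP_MD5_LEN])
    # The digest does not cover the options, so a zero-filled placeholder is fine here.
    placeholder = fixed + opt_prefix + b"\x00" * 16 + MD5_OPT_PAD + payload
    digest = tcp_md5_digest(src_ip, dst_ip, placeholder, key)
    return fixed + opt_prefix + digest + MD5_OPT_PAD + payload


def find_md5_option(segment):
    """Walk the option list and return the 16-byte digest, or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                    # end of option list
            break
        if kind == 1:                                    # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:        # malformed option
            break
        length = opts[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """True only when option 19 is present and recomputes; RFC 2385 requires the
    receiver to drop anything else silently, with no response to the sender."""
    got = find_md5_option(segment)
    if got is None:
        return False
    return hmac.compare_digest(got, tcp_md5_digest(src_ip, dst_ip, segment, key))


def rewrite_seq(segment, new_seq):
    """Model a middlebox doing sequence-number randomisation: it rewrites the
    sequence field, which the digest covers, but cannot re-sign without the key."""
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


def strip_options(segment):
    """Model a middlebox that drops TCP options it does not know (option 19 included)."""
    data_offset = (segment[12] >> 4) * 4
    return segment[:12] + bytes([5 << 4]) + segment[13:20] + segment[data_offset:]


# Constructed demo values: RFC 5737 documentation addresses, not real peers.
ISP, CUST = "192.0.2.1", "198.51.100.1"
KEY = b"constructed-demo-key"


def demo():
    """Sign a SYN shaped like the one in the post and check it under each failure mode."""
    seg = build_signed_segment(ISP, CUST, 8006, 179, 2753436622, 0, SYN, 65000, b"", KEY)
    return {
        "good_key": verify_segment(ISP, CUST, seg, KEY),
        "wrong_key": verify_segment(ISP, CUST, seg, b"some-other-key"),
        "seq_rewritten": verify_segment(ISP, CUST, rewrite_seq(seg, 123456789), KEY),
        "option_stripped": verify_segment(ISP, CUST, strip_options(seg), KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Only `good_key` verifies; the other three cases are indistinguishable to the receiving router, which is why the `norandomseq` static and the MPF option-19 handling David mentions matter, and why a key mismatch shows up as a stalled handshake rather than as an error the peer reports back.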

Thanks for your input, David; there are no firewalls within the path.

Hi Amar,

Simply, the ISP is lying.

Just think: if the password were the same on both ends, why would your BGP session even come up when you remove the password at your end?

Regards,

Smitesh
