Hi Bablam,

On Wed, 23 Aug 2006, bablam wrote:

Good morning,

The issue is dropped neighborships between IBGP peers every 1-2 minutes. One host is a PFsense (FC1) firewall running openbgp version 3.72 and the other a Fedora Core 5 box running Quagga 0.98.6. The configs and debugs are below, anyone seen weirdness like this before?

Yes. You get a couple of prefixes announced, then nothing and the session resets once hold-time runs out? And if you look at traffic, lots of TCP retransmits? Also, the path between the two boxes has a path-MTU less than local MTUs?

This is not a complex config, looks like an undocumented feature. Thanks all.

neighbor 192.168.12.130: state change OpenConfirm -> Established,
reason: KEEPALIVE message received
neighbor 192.168.12.130 (AS65001) update 192.168.11.0/25/134726144
192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.128/25/134726272
192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.0/25/134726272
192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.11.128/25/134726272
192.168.12.130
neighbor 192.168.12.130: state change Established -> Idle, reason:
HoldTimer expired

tada.

neighbor 192.168.12.130: state change OpenConfirm -> Established,
reason: KEEPALIVE message received
neighbor 192.168.12.130 (AS65001) update 192.168.11.0/25/134726144
192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.128/25/134726272
192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.0/25/134726272
192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.11.128/25/134726272
192.168.12.130
neighbor 192.168.12.130: state change Established -> Idle, reason:
ConnectRetryTimer expired

That's an odd message given the state.

<etc>

Check very carefully that path MTU is working. E.g. that you are allowing ICMP Unreachable/Fragmentation-need messages through.

Also, I believe Linux now uses TCP window scaling by default, which can cause problems with firewalls which try to track and verify that packets are within window (not a workable thing for firewalls to try to do).

regards,
--
Paul Jakma      [EMAIL PROTECTED]       [EMAIL PROTECTED]       Key ID: 64A2FF6A
Fortune:
If man is only a little lower than the angels, the angels should reform.
                -- Mary Wilson Little
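
The pattern described in the reply (a few prefixes arrive, then the session drops on a timer, over and over) can be picked out of a bgpd log mechanically, as a cue to go and check path MTU and ICMP filtering. The following is an added example, not part of the original message and not code from OpenBGPD or Quagga; the function names, the thresholds and the 192.0.2.1 peer are assumptions, and the sample lines are shortened from the excerpt in the thread.

```python
import re

STATE_RE = re.compile(r"^neighbor (\S+): state change (\w+) -> (\w+), reason: (.+)$")
UPDATE_RE = re.compile(r"^neighbor (\S+) \(AS\d+\) update ")

# Sample: shortened from the thread's excerpt; the 192.0.2.1 peer is constructed and stays up.
SAMPLE_LOG = """\
neighbor 192.168.12.130: state change OpenConfirm -> Established,
reason: KEEPALIVE message received
neighbor 192.168.12.130 (AS65001) update 192.168.11.0/25/134726144
192.168.12.130
neighbor 192.0.2.1: state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 192.168.12.130: state change Established -> Idle, reason:
HoldTimer expired
neighbor 192.168.12.130: state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 192.168.12.130 (AS65001) update 192.168.12.0/25/134726272 192.168.12.130
neighbor 192.168.12.130: state change Established -> Idle, reason: ConnectRetryTimer expired
"""

def unwrap(text):
    """Re-join mail-wrapped lines: anything not starting 'neighbor ' continues the previous line."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("neighbor ") or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def sessions(text):
    """Return {peer: [(updates_seen, drop_reason), ...]} for each Established session that ended."""
    live, ended = {}, {}
    for line in unwrap(text):
        if m := STATE_RE.match(line):
            peer, old, new, reason = m.groups()
            if new == "Established":
                live[peer] = 0          # new session: start counting updates
            elif old == "Established" and peer in live:
                ended.setdefault(peer, []).append((live.pop(peer), reason))
        elif (m := UPDATE_RE.match(line)) and m.group(1) in live:
            live[m.group(1)] += 1
    return ended

def suspect_peers(text, max_updates=10, min_repeats=2):
    """Peers whose sessions repeatedly die on a timer after only a few updates (thresholds assumed)."""
    return [peer for peer, runs in sessions(text).items()
            if sum(n <= max_updates and "expired" in why for n, why in runs) >= min_repeats]
```

`suspect_peers(SAMPLE_LOG)` returns `['192.168.12.130']`; a hit only says the log matches the stall-and-expire pattern, so the next step is still the path-MTU and ICMP check suggested above.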
