Hi guys,

Interestingly, actually the BGP packets from that particular peer are not hitting the permitted filter in my server:

    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:bgp

Problem is solved after I changed the filter to:

    ACCEPT tcp -- anywhere anywhere tcp dpt:bgp

I have no clue why only this peer is having the issue with my route server. Let me know if you guys have any clue.

Thanks,
Jimmy

On 29/3/13 11:42 PM, "Martin Kraus" <martin.kraus@wujiman.net> wrote:
On Fri, Mar 29, 2013 at 08:40:05PM +0800, Jimmy Halim wrote:
Hi guys,
We have just moved 1 of our route servers from OpenBGPd to BIRD this morning. However, we were having an issue bringing up 1 BGP session with our peering that is running ASR. We keep getting a hold timer expired error. The BGP keeps flapping every 2 minutes.
From the tcpdump, I can see we are getting destination unreachable due to destination host is administratively prohibited.
Have you guys encountered this issue? All other BGP with other peering are working OK. Below is the log from ASR.
Logs from ASR
-------------
RP/0/RP0/CPU0:Mar 29 07:48:19.078 UTC: bgp[1044]: %ROUTING-BGP-5-ADJCHANGE : neighbor 119.27.63.253 Up (VRF: default)
RP/0/RP0/CPU0:Mar 29 07:49:53.328 UTC: tcp[355]: %IP-TCP_NSR-5-DISABLED : 119.27.63.38:28514 <-> 119.27.63.253:179:: NSR disabled for TCP connection because Retransmission threshold exceeded
RP/0/RP0/CPU0:Mar 29 07:49:53.343 UTC: bgp[1044]: %ROUTING-BGP-3-NBR_NSR_DISABLED : NSR disabled on neighbor 119.27.63.253 due to TCP retransmissions
RP/0/RP1/CPU0:Mar 29 07:49:53.357 UTC: bgp[1044]: %ROUTING-BGP-5-NBR_NSR_DISABLED_STANDBY : NSR disabled on neighbor 119.27.63.253 on standby due to Peer closing down the session (VRF: default)
Hi. Do your bgp tables sync between bird and ASR before the hold time expires? Or does it get stuck after it establishes and then closes down?
I'd venture a guess that the administratively prohibited is what the ASR sends to the unix machine running bird, right? That might just be an access list blocking incoming tcp to port 179. I can see from the log that the connection is established from the ASR (port 28514) to the unix (port 179). Therefore it might be unrelated to the hold time expiration.
mk