1.4.0 : all bgp peers in OpenSent
Hi!

Today after reboot of our route-server (running bird 1.4.0) all bgp peers didn't come up, most of them are hanging in OpenSent state:

193.25.180.92 6886 2014-03-25 12:31:55 0/0 OpenSent Socket: Operation timed out
193.25.180.149 6886 2014-03-25 12:31:55 0/0 OpenSent Socket: Operation timed out
193.25.180.125 8343 2014-03-25 12:31:55 0/0 OpenSent Socket: Operation timed out
193.25.180.89 8779 2014-03-25 12:31:55 0/0 Passive
193.25.180.53 12700 2014-03-25 12:31:55 0/0 Passive
193.25.180.102 12773 2014-03-25 12:31:55 0/0 OpenSent Socket: Operation timed out

There are no problems with connectivity, I can ping any peer and I see full ARP table.

Please advise. Thanks!

--
Alexander Shikov
Technical Staff, Digital Telecom IX
Tel.: +380 44 201 14 07
http://dtel-ix.net/
Hi.

Maybe you should use: http://bird.network.cz/?get_doc&f=bird-6.html#ss6.2

start delay time number
    Delay in seconds between protocol startup and the first attempt to connect. Default: 5 seconds.

Try to set a different start delay in each peer configuration, so that after boot not all sessions start to connect at the same time. Please write if you test and it helped.
With best regards,
Dmitry S. Nikolaev
Moscow, Russia
mail: dnikolaev@mega-net.ru

On 25.03.2014 14:42, Alexander Shikov wrote:
Hi!
Today after reboot of our route-server (running bird 1.4.0) all bgp peers didn't come up, most of them are hanging in OpenSent state:
193.25.180.92 6886 2014-03-25 12:31:55 0/0 OpenSent Socket: Operation timed out
193.25.180.149 6886 2014-03-25 12:31:55 0/0 OpenSent Socket: Operation timed out
193.25.180.125 8343 2014-03-25 12:31:55 0/0 OpenSent Socket: Operation timed out
193.25.180.89 8779 2014-03-25 12:31:55 0/0 Passive
193.25.180.53 12700 2014-03-25 12:31:55 0/0 Passive
193.25.180.102 12773 2014-03-25 12:31:55 0/0 OpenSent Socket: Operation timed out

There are no problems with connectivity, I can ping any peer and I see full ARP table.

Please advise. Thanks!
Hi,

It is not a problem of delays etc. With great help of Ondrej Zajicek we investigated the problem. It was caused by enabling authentication just for one peer.

Our route-servers are running FreeBSD 9.2 with options

device crypto
options IPSEC
options TCP_SIGNATURE

compiled in kernel. BGP authentication in bird (in case of FreeBSD) requires SA entries to be manually added to /etc/ipsec.conf.

When all peers are up and I add 'password' to the protocol configuration in bird and an SA in /etc/ipsec.conf for one of them, other peers do not change their state, they remain in Established state. But if after that any other peer changes state for any reason (connection problems, session clearing) then this peer is not able to establish a BGP session again.

My /etc/ipsec.conf file looks like:

flush;
add 193.25.180.255 193.25.180.17 tcp 0x1000 -A tcp-md5 "password";

The authenticated peer doesn't get stuck.

How-to-repeat:

I've set up a test bed with two peers, authentication disabled for both:

bird> show bgp sum
Peer AS Last state change Prefixes rcvd/best State/Last error
193.25.180.17 25372 2014-03-25 15:52:27 8/8 Established
193.25.180.41 199995 2014-03-25 15:54:41 0/0 Established

tcpdump of BGP session initiation for 193.25.180.41 looks like:

15:54:42.501326 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [S], seq 891952260, win 16384, options [mss 1460,nop,wscale 0,nop,nop,TS val 62583697 ecr 0,sackOK,eol], length 0
15:54:42.501376 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [S.], seq 4136719465, ack 891952261, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2066801157 ecr 62583697], length 0
15:54:42.501387 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [S], seq 891952260, win 16384, options [mss 1460,nop,wscale 0,nop,nop,TS val 62583697 ecr 0,sackOK,eol], length 0
15:54:42.501395 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [S.], seq 4136719465, ack 891952261, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2066801157 ecr 62583697], length 0
15:54:42.501860 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [.], ack 1, win 17376, options [nop,nop,TS val 62583698 ecr 2066801157], length 0
15:54:42.501955 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [.], ack 1, win 17376, options [nop,nop,TS val 62583698 ecr 2066801157], length 0
15:54:42.502092 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [P.], seq 1:46, ack 1, win 1040, options [nop,nop,TS val 2066801157 ecr 62583698], length 45: BGP, length: 45
15:54:42.502451 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [P.], seq 1:60, ack 1, win 17376, options [nop,nop,TS val 62583698 ecr 2066801157], length 59: BGP, length: 59
15:54:42.601819 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [P.], seq 60:79, ack 46, win 17331, options [nop,nop,TS val 62583798 ecr 2066801157], length 19: BGP, length: 19
15:54:42.601865 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [P.], seq 46:65, ack 79, win 1040, options [nop,nop,TS val 2066801257 ecr 62583698], length 19: BGP, length: 19
15:54:42.602759 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [P.], seq 79:98, ack 65, win 17312, options [nop,nop,TS val 62583798 ecr 2066801257], length 19: BGP, length: 19
15:54:42.602786 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [P.], seq 65:489, ack 98, win 1040, options [nop,nop,TS val 2066801258 ecr 62583798], length 424: BGP, length: 424
15:54:42.702766 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [.], ack 489, win 16888, options [nop,nop,TS val 62583899 ecr 2066801258], length 0

Then I've enabled BGP authentication for 193.25.180.17. It re-established the BGP session:

BIRD 1.4.0 ready.
bird> show bgp sum
Peer AS Last state change Prefixes rcvd/best State/Last error
193.25.180.17 25372 2014-03-25 15:57:57 8/8 Established
193.25.180.41 199995 2014-03-25 15:54:42 0/0 Established

Then I've cleared the session for 193.25.180.41:

bird> show bgp sum
Peer AS Last state change Prefixes rcvd/best State/Last error
193.25.180.17 25372 2014-03-25 15:57:56 8/8 Established
193.25.180.41 199995 2014-03-25 15:59:14 0/0 Passive Received: Administrative reset

And after that 193.25.180.41 was not able to establish it again. tcpdump of BGP session initiation for 193.25.180.41 looks like:

15:59:50.919321 IP 193.25.181.254.179 > 193.25.180.41.49984: Flags [S.], seq 218927213, ack 1944096938, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1735781206 ecr 62889119,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0
15:59:50.919702 IP 193.25.180.41.49984 > 193.25.181.254.179: Flags [S], seq 1944096937, win 17376, options [mss 1460,nop,wscale 0,nop,nop,TS val 62892119 ecr 1735781206,sackOK,eol], length 0
15:59:50.919725 IP 193.25.181.254.179 > 193.25.180.41.49984: Flags [S.], seq 218927213, ack 1944096938, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1735781206 ecr 62892119,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0
15:59:53.919323 IP 193.25.181.254.179 > 193.25.180.41.49984: Flags [S.], seq 218927213, ack 1944096938, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1735781206 ecr 62892119,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0
15:59:54.119646 IP 193.25.180.41.49984 > 193.25.181.254.179: Flags [S], seq 1944096937, win 17376, options [mss 1460,nop,wscale 0,nop,nop,TS val 62895319 ecr 1735781206,sackOK,eol], length 0
15:59:54.119683 IP 193.25.181.254.179 > 193.25.180.41.49984: Flags [S.], seq 218927213, ack 1944096938, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1735781206 ecr 62895319,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0

The difference in dumps is noticeable with the unaided eye.

Ondrej mentioned: "If any BGP proto sets 'password', MD5 auth on listening socket is enabled. It seems that new socket (for accepted TCP connection) inherits the MD5 auth even when there is no appropriate SA. It may be a change of behavior in newer FreeBSDs, as the code worked on FreeBSD in the past AFAIK."

Now I have a question to the community: does anyone have a bird installation with selective authentication of BGP peers on the same interface? Does it work for Linux-like systems or is it a FreeBSD-specific issue?

--
Alexander Shikov
Technical Staff, Digital Telecom IX
Tel.: +380 44 201 14 07
http://dtel-ix.net/
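Added example, not part of the original thread: a small Python check for the symptom visible in the second capture above, flagging segments that carry the TCP-MD5 option on a session with a peer that has no 'password' configured. The function names, the sample lines and the 192.0.2.x addresses are constructed for illustration; the line format follows the tcpdump output quoted in the message.

```python
import re

# One tcpdump text line: "<time> IP <src>.<port> > <dst>.<port>: Flags [..], ... options [..], length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?options \[(?P<opts>.*)\], length \d+"
)
# TCP-MD5 option as tcpdump prints it in the thread: "md5..." followed by a 32-hex-digit digest.
MD5_RE = re.compile(r"\bmd5.*?\b(?P<digest>[0-9a-f]{32})\b")

# Constructed sample capture (documentation addresses, not the thread's hosts).
SAMPLE = """\
10:00:00.000001 IP 192.0.2.41.49984 > 192.0.2.254.179: Flags [S], seq 100, win 17376, options [mss 1460,nop,wscale 0,sackOK,eol], length 0
10:00:00.000050 IP 192.0.2.254.179 > 192.0.2.41.49984: Flags [S.], seq 900, ack 101, win 65535, options [mss 1460,nop,wscale 6,sackOK,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0
10:00:01.000050 IP 192.0.2.254.179 > 192.0.2.17.50111: Flags [S.], seq 700, ack 301, win 65535, options [mss 1460,nop,wscale 6,sackOK,nop,nop,md5shared secret not supplied with -M, can't check - 3b5d3c7d207e37dceeedd301e35e2e58], length 0
10:00:02.000000 IP 192.0.2.41.49984 > 192.0.2.254.179: Flags [.], ack 1, win 17376, options [nop,nop,TS val 1 ecr 2], length 0
""".splitlines()


def host_of(endpoint):
    """Strip the trailing '.port' from tcpdump's 'a.b.c.d.port' notation."""
    return endpoint.rsplit(".", 1)[0]


def unexpected_md5(lines, local_ip, authenticated_peers):
    """Return segments that carry the MD5 option on a session with a peer
    that is not in authenticated_peers (no 'password' configured)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        md5 = MD5_RE.search(m["opts"]) if m else None
        if not md5:
            continue
        src, dst = host_of(m["src"]), host_of(m["dst"])
        peer = dst if src == local_ip else src
        if peer in authenticated_peers:
            continue  # a signature is expected on this session
        findings.append({
            "time": m["ts"], "peer": peer, "flags": m["flags"],
            "sent_by_local": src == local_ip,
            # all-zero digest, as in the thread's second capture
            "zero_digest": set(md5["digest"]) == {"0"},
        })
    return findings


if __name__ == "__main__":
    for f in unexpected_md5(SAMPLE, "192.0.2.254", {"192.0.2.17"}):
        print(f)
```

Feed it the text output of a capture on the BGP port together with the list of peers that have 'password' set; any finding with sent_by_local set means the local stack is signing segments toward a peer that was never configured for authentication.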
On Tue, Mar 25, 2014 at 04:04:31PM +0200, Alexander Shikov wrote:
Ondrej mentioned: "If any BGP proto sets 'password', MD5 auth on listening socket is enabled. It seems that new socket (for accepted TCP connection) inherits the MD5 auth even when there is no appropriate SA. It may be a change of behavior in newer FreeBSDs, as the code worked on FreeBSD in the past AFAIK."
Now I have a question to the community: does anyone have a bird installation with selective authentication of BGP peers on the same interface? Does it work for Linux-like systems or is it a FreeBSD-specific issue?
I am sure it is a BSD-specific issue, on Linux it works fine.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
participants (3)
- Alexander Shikov
- Dmitry S. Nikolaev
- Ondrej Zajicek