Issues establishing more than 2 BGP sessions
Hello there- I’m hoping to get guidance/feedback from you all on whether or not what I’m trying to do is possible, and if it is possible, what am I doing incorrectly.

My goal is to make this a transit VPC for handling routes between multiple remote regions (and clouds). I’m testing with 4 VPCs (A, B, C, and D), each with a different ASN. VPC B is acting as my transit VPC, which is where bird and strongswan are running. VPCs A, C, and D are acting as the remote regions, and each has a VPN connection back to B. IPSec is up and working as expected, but routing is giving me some trouble.

Each VPN has 2 tunnels, so I’m currently trying to establish 6 BGP sessions; however, only 2 sessions will establish at a time. The other sessions are in a “Start” state. Eventually, one of the established connections will drop and may reestablish, or one of the other tunnels will establish a BGP connection. I have tried multiple bird configurations, but all roads lead back to only 2 established BGP sessions. I thought this example might be what I need, but it also did not work: https://gitlab.labs.nic.cz/labs/bird/wikis/Simple_route_server

Individually, bird is able to establish a session on both tunnels at every remote VPC, so I know that works. Occasionally, I have noticed that established connections will disconnect with a “Hold timer expired”. There’s something I’m missing/overlooking in the config to allow all sessions to be active. Below is the most basic config I have used. Thanks in advance for your help.
    log "/var/log/bird.log" all;
    debug protocols all;

    router id 172.41.1.117;

    # Sync BIRD's routing table with the kernel FIB in both directions.
    protocol kernel {
        scan time 10;
        export all;
        import all;
    }

    protocol device {
        scan time 10;
    }

    # Shared settings for every tunnel session; each neighbor is directly
    # connected over its own VTI interface.
    template bgp aws {
        local as 65000;
        hold time 30;
        export all;
        import all;
        direct;
    }

    # Two tunnels per remote VPC: A (AS 7224), C (AS 65100), D (AS 65200).
    protocol bgp ATUN0 from aws { neighbor 169.254.xxx.xxx as 7224; }
    protocol bgp ATUN1 from aws { neighbor 169.254.xxx.xxx as 7224; }
    protocol bgp CTUN0 from aws { neighbor 169.254.xxx.xxx as 65100; }
    protocol bgp CTUN1 from aws { neighbor 169.254.xxx.xxx as 65100; }
    protocol bgp DTUN0 from aws { neighbor 169.254.xxx.xxx as 65200; }
    protocol bgp DTUN1 from aws { neighbor 169.254.xxx.xxx as 65200; }
❦ 11 November 2017 23:44 -0600, Chris Stein <bksteiny@gmail.com> :

> Individually, bird is able to establish a session on both tunnels at every remote VPC, so I know that works. Occasionally, I have noticed that established connections will disconnect with a “Hold timer expired”. There’s something I’m missing/overlooking in the config to allow all sessions to be active.
I think BIRD is receiving a remote route that would replace the route used to reach the neighbor. Are you using route-based tunnels (with VTI interfaces)? If yes, "ip route show" output would help to understand. Otherwise, "ip xfrm policy" would help.

If you want a working setup similar to yours (a tad more complex since it involves multiple routing tables), here is one:

https://vincent.bernat.im/en/blog/2017-route-based-vpn

-- 
Use self-identifying input. Allow defaults. Echo both on output.
- The Elements of Programming Style (Kernighan & Plauger)
Thanks for the suggestion, Vincent. I am using VTI interfaces for this, similar to what’s documented on the strongswan page. After reading your blog, I gave each tunnel a different mark value, which seemed to do the trick. I’m going to monitor the status of this throughout the day, but after making that change, all of my tunnels have been able to establish a BGP session. Thanks again for the help. Nice blog post, by the way.

On Sun, Nov 12, 2017 at 03:52 Vincent Bernat <bernat@luffy.cx> wrote:
> ❦ 11 November 2017 23:44 -0600, Chris Stein <bksteiny@gmail.com> :
>
> > Individually, bird is able to establish a session on both tunnels at every remote VPC, so I know that works. Occasionally, I have noticed that established connections will disconnect with a “Hold timer expired”. There’s something I’m missing/overlooking in the config to allow all sessions to be active.
>
> I think BIRD is receiving a remote route that would replace the route used to reach the neighbor. Are you using route-based tunnels (with VTI interfaces)? If yes, "ip route show" output would help to understand. Otherwise, "ip xfrm policy" would help.
>
> If you want a working setup similar to yours (a tad more complex since it involves multiple routing tables), here is one:
>
> https://vincent.bernat.im/en/blog/2017-route-based-vpn
>
> -- 
> Use self-identifying input. Allow defaults. Echo both on output.
> - The Elements of Programming Style (Kernighan & Plauger)
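The fix described above (one XFRM mark per tunnel, matched by the VTI key) as an added example; this is not configuration from the thread or from Vincent's blog, and the public addresses, the 169.254.x.x link addresses and the PSK are constructed placeholders:

```ini
# strongSwan ipsec.conf fragment for the two tunnels from transit VPC B
# to VPC A. Without a distinct mark per conn, all route-based tunnels
# share one 0.0.0.0/0 <-> 0.0.0.0/0 policy and the kernel cannot tell
# which SA a packet to a given 169.254.x.x neighbor belongs to, so only
# one or two sessions stay up and the rest flap or expire their hold timer.

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    leftauth=psk
    rightauth=psk
    # Route-based tunnel: the policy covers everything, routing decides.
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=start

conn ATUN0
    left=203.0.113.10          # constructed: transit VPC B public IP
    right=198.51.100.21        # constructed: VPC A tunnel 0 endpoint
    # Mark 100 is written into the SAs and policies of this tunnel only.
    mark=100

conn ATUN1
    left=203.0.113.10
    right=198.51.100.22        # constructed: VPC A tunnel 1 endpoint
    # A different mark per tunnel; this is what keeps the tunnels apart.
    mark=101

# Matching VTI interfaces (run once, as root). The "key" must equal the
# conn's mark so traffic sent over vti100 is encrypted by ATUN0's SA and
# traffic over vti101 by ATUN1's SA. BIRD's "direct" sessions then each
# have their own interface, and a learned remote route no longer replaces
# the route to the neighbor.
#
#   ip link add vti100 type vti key 100 local 203.0.113.10 remote 198.51.100.21
#   ip addr add 169.254.10.2/30 remote 169.254.10.1/30 dev vti100
#   sysctl -w net.ipv4.conf.vti100.disable_policy=1
#   ip link set vti100 up
#
#   ip link add vti101 type vti key 101 local 203.0.113.10 remote 198.51.100.22
#   ip addr add 169.254.11.2/30 remote 169.254.11.1/30 dev vti101
#   sysctl -w net.ipv4.conf.vti101.disable_policy=1
#   ip link set vti101 up
#
# Check: "ip xfrm policy" should list one policy set per mark, and
# "ip route show" should keep each 169.254.x.x/30 on its own vtiNNN.
```

Repeat the same pattern with further unique marks (for example 200/201 and 300/301) for the tunnels to VPCs C and D.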