topic Re: BGP Syslog messages on FTD in Network Security

BGP Syslog messages on FTD

atsukane — Wed, 10 Jul 2024 11:04:44 GMT

Hi team,

FMCv 7.4.1 and FPR2140 running 7.2.7

We are seeing an issue with BGP failing on FTD 2140 with AWS.

Not established exactly when this has started, potentially since when we upgraded the FTD about 9 days ago.

Only one of the peers is down and others are working fine, and we can ping the destination so L2 appears to be fine.

Anyway, we didn't get any notifications and only found this by chance, and after seeing some posts at this forum etc started looking at updating the syslog setting as we've kept the syslog settings in Platform Settings pretty much default.

It seems that FTD syslog messages are somewhat limited compared to ASA syslog messages as there are only 1 BGP related syslog message (317007) available for FTD, whereas ASA has 4 (317007, 418018, 418019, 418040).

Cisco Secure Firewall Threat Defense Syslog Messages - Cisco

Cisco Secure Firewall ASA Series Syslog Messages - Cisco

In any case, upon trying to add 317007 for FTD, I get this which suggest it is not available:

And trying to add it anyway I receive "invalid syslog id" error.

How do we go about enabling alerts when BGP peer/s go down?

We've got Solorwinds NPM as a syslog server and also snmp server.

Please advise.

Thanks!

Re: BGP Syslog messages on FTD

Marius Gunnerud — Wed, 10 Jul 2024 11:19:40 GMT

Is the log neighbor changes option enabled under BGP General settings?

Re: BGP Syslog messages on FTD

atsukane — Wed, 10 Jul 2024 11:23:10 GMT

Hi @Marius Gunnerud

Yes, it is enabled.

Re: BGP Syslog messages on FTD

atsukane — Wed, 10 Jul 2024 11:29:35 GMT

found this entry in another syslog (XDR), it would appear that inbound traffic from the peer is dropped by the firewall??

Re: BGP Syslog messages on FTD

Marius Gunnerud — Wed, 10 Jul 2024 11:36:57 GMT

Yes, that is dropping the BGP connection. Any chance at allowing it?

Re: BGP Syslog messages on FTD

MHM Cisco World — Wed, 10 Jul 2024 11:44:57 GMT

In bgp there are two peers

One use unknown port other use known port 179

So when ypu add policy did ypu use port 179 ?

MHM

Re: BGP Syslog messages on FTD

atsukane — Wed, 10 Jul 2024 11:52:36 GMT

Adding a rule allowing the destination port tcp/179. Let's see how that goes.

Odd that we have no rules for other peers that are working.

Re: BGP Syslog messages on FTD

Marius Gunnerud — Wed, 10 Jul 2024 12:04:28 GMT

To the box traffic normally does not use regular access rules, so it is strange that you are seeing this being dropped. But depending on which interface you are using to establish neighbors this opening might be needed.

Re: BGP Syslog messages on FTD

atsukane — Wed, 10 Jul 2024 12:14:40 GMT

Unfortunately, adding a rule to allow tcp179 didn't help 😞

Will log a ticket with our support firm and come back with the findings for the resolution.

Still like to know how to enable monitoring and alerts if anyone has any ideas.

Thanks,

Re: BGP Syslog messages on FTD

MHM Cisco World — Wed, 10 Jul 2024 16:57:10 GMT

Mr @Marius Gunnerud is correct ACL dont effect to box traffic the ACL control plane only effect that.

For this peer the bgp is down can ypu check if address family is disable or enable.

MHM

Re: BGP Syslog messages on FTD

atsukane — Tue, 16 Jul 2024 08:27:44 GMT

Just returned to update the BGP issue we've had.

It would appear that FTD has somehow modified the BGP key following the upgrade from 7.2.6 to 7.2.7.

"more system:running-config" output was showing the wrong key, missing the first 2 characters, in our case "0x".

Re-applying the correct key on the FTD has resolve the issue.

Re: BGP Syslog messages on FTD

MHM Cisco World — Tue, 16 Jul 2024 09:22:54 GMT

Thanks a lot for update us

Have a nice summer

MHM

Re: BGP Syslog messages on FTD

atsukane — Tue, 16 Jul 2024 13:55:38 GMT

Noticed Soalrwinds is seeing "FTD-3-418018"

So manually added 418018 with the "error" level on the platform settings and added email set up to email me severity erros as a test, but not playing ball 😞

I'll play around a bit more and post updates if i find anything. Leaning Solarwinds alerting on the fly!