BFD throught ASA in transparent mode

S.Girutskiy1 — Tue, 12 Mar 2019 07:00:27 GMT

Hi,

There is a problem with my ASA and BFD through it. BGP sessions are constantly breaking:

*Dec 7 05:47:34.476: %BGP-5-ADJCHANGE: neighbor 192.168.0.2 Up
*Dec 7 05:47:34.992: %BGP-5-NBR_RESET: Neighbor 192.168.0.2 reset (BFD adjacency down)
*Dec 7 05:47:34.993: %BGP-5-ADJCHANGE: neighbor 192.168.0.2 Down BFD adjacency down
*Dec 7 05:47:34.993: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.0.2 IPv4 Unicast topology base removed from session BFD adjacency down
*Dec 7 05:47:48.813: %BGP-5-ADJCHANGE: neighbor 192.168.0.2 Up
*Dec 7 05:47:49.327: %BGP-5-NBR_RESET: Neighbor 192.168.0.2 reset (Peer closed the session)
*Dec 7 05:47:49.328: %BGP-5-ADJCHANGE: neighbor 192.168.0.2 Down Peer closed the session
*Dec 7 05:47:49.328: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.0.2 IPv4 Unicast topology base removed from session Peer closed the session

without ASA everything is ok. BFD neighbors are up, BGP is established.

Here is my config on ASA:

access-list ALLOW-ANY_IN ethertype permit any

access-list ALLOW-ANY_OUT ethertype permit any

access-list capt ethertype permit any

access-list ALLOW-ANY-IP_IN extended permit tcp any eq 3784 any
access-list ALLOW-ANY-IP_IN extended permit tcp any eq 3785 any
access-list ALLOW-ANY-IP_IN extended permit udp any eq 3784 any
access-list ALLOW-ANY-IP_IN extended permit udp any eq 3785 any
access-list ALLOW-ANY-IP_IN extended permit ip any any
access-list ALLOW-ANY-IP_OUT extended permit tcp any eq 3784 any
access-list ALLOW-ANY-IP_OUT extended permit tcp any eq 3785 any
access-list ALLOW-ANY-IP_OUT extended permit udp any eq 3785 any
access-list ALLOW-ANY-IP_OUT extended permit udp any eq 3784 any
access-list ALLOW-ANY-IP_OUT extended permit ip any any
!

access-group ALLOW-ANY_IN in interface inside
access-group ALLOW-ANY-IP_IN in interface inside
access-group ALLOW-ANY_OUT in interface outside
access-group ALLOW-ANY-IP_OUT in interface outside

but these lists didn't catch anything with bfd ports.

P.S.

ASA5585-SSP-60, Cisco Adaptive Security Appliance Software Version 9.1(5)21.

you must disable bfd echo

a271755880 — Wed, 18 May 2016 13:12:45 GMT

topic you must disable bfd echo in Network Security

BFD throught ASA in transparent mode

you must disable bfd echo

you must disable bfd echo under the routers' interfaces.

because bfd echo packets have the same source and the destination IP address.

In asa , this type of packet will be drop. you can use show asp drop to check the drop packets:

Slowpath security checks failed:

This counter is incremented and packet is dropped when the security appliance is:

1) In routed mode receives a through-the-box:

- L2 broadcast packet

- IPv4 packet with destination IP address equal to 0.0.0.0

- IPv4 packet with source IP address equal to 0.0.0.0

2) In routed or transparent mode and receives a through-the-box IPv4 packet with:

- first octet of the source IP address equal to zero

- source IP address equal to the loopback IP address

- network part of source IP address equal to all 0's

- network part of the source IP address equal to all 1's

- source IP address host part equal to all 0's or all 1's

3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source
and destination IP addresses

topic you must disable bfd echo in Network Security

BFD throught ASA in transparent mode

you must disable bfd echo

you must disable bfd echo under the routers' interfaces.

because bfd echo packets have the same source and the destination IP address.

In asa , this type of packet will be drop. you can use show asp drop to check the drop packets:

Slowpath security checks failed:

This counter is incremented and packet is dropped when the security appliance is:

1) In routed mode receives a through-the-box:

- L2 broadcast packet

- IPv4 packet with destination IP address equal to 0.0.0.0

- IPv4 packet with source IP address equal to 0.0.0.0

2) In routed or transparent mode and receives a through-the-box IPv4 packet with:

- first octet of the source IP address equal to zero

- source IP address equal to the loopback IP address

- network part of source IP address equal to all 0's

- network part of the source IP address equal to all 1's

- source IP address host part equal to all 0's or all 1's

3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source and destination IP addresses

3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source
and destination IP addresses