Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1334
Views
0
Helpful
1
Replies

BFD throught ASA in transparent mode

S.Girutskiy1
Level 1
Level 1

‎12-07-2015 06:07 AM - edited ‎03-12-2019 12:00 AM

Hi,

There is a problem with my ASA and BFD through it. BGP sessions are constantly breaking:

*Dec 7 05:47:34.476: %BGP-5-ADJCHANGE: neighbor 192.168.0.2 Up
*Dec 7 05:47:34.992: %BGP-5-NBR_RESET: Neighbor 192.168.0.2 reset (BFD adjacency down)
*Dec 7 05:47:34.993: %BGP-5-ADJCHANGE: neighbor 192.168.0.2 Down BFD adjacency down
*Dec 7 05:47:34.993: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.0.2 IPv4 Unicast topology base removed from session BFD adjacency down
*Dec 7 05:47:48.813: %BGP-5-ADJCHANGE: neighbor 192.168.0.2 Up
*Dec 7 05:47:49.327: %BGP-5-NBR_RESET: Neighbor 192.168.0.2 reset (Peer closed the session)
*Dec 7 05:47:49.328: %BGP-5-ADJCHANGE: neighbor 192.168.0.2 Down Peer closed the session
*Dec 7 05:47:49.328: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.0.2 IPv4 Unicast topology base removed from session Peer closed the session

without ASA everything is ok. BFD neighbors are up, BGP is established.

Here is my config on ASA:

access-list ALLOW-ANY_IN ethertype permit any

access-list ALLOW-ANY_OUT ethertype permit any

access-list capt ethertype permit any

access-list ALLOW-ANY-IP_IN extended permit tcp any eq 3784 any
access-list ALLOW-ANY-IP_IN extended permit tcp any eq 3785 any
access-list ALLOW-ANY-IP_IN extended permit udp any eq 3784 any
access-list ALLOW-ANY-IP_IN extended permit udp any eq 3785 any
access-list ALLOW-ANY-IP_IN extended permit ip any any
access-list ALLOW-ANY-IP_OUT extended permit tcp any eq 3784 any
access-list ALLOW-ANY-IP_OUT extended permit tcp any eq 3785 any
access-list ALLOW-ANY-IP_OUT extended permit udp any eq 3785 any
access-list ALLOW-ANY-IP_OUT extended permit udp any eq 3784 any
access-list ALLOW-ANY-IP_OUT extended permit ip any any
!

access-group ALLOW-ANY_IN in interface inside
access-group ALLOW-ANY-IP_IN in interface inside
access-group ALLOW-ANY_OUT in interface outside
access-group ALLOW-ANY-IP_OUT in interface outside

but these lists didn't catch anything with bfd ports.

P.S.

 ASA5585-SSP-60, Cisco Adaptive Security Appliance Software Version 9.1(5)21.

Labels:
0 Helpful
1 Reply 1

a271755880
Level 1
Level 1

‎05-18-2016 06:12 AM

you must disable bfd echo under the routers' interfaces.

because bfd echo packets have the same source and the destination IP address.

In asa , this type of packet will be drop. you can use show asp drop to check the drop packets:

Slowpath security checks failed:

    This counter is incremented and packet is dropped when the security appliance is:

    1) In routed mode receives a through-the-box:

       - L2 broadcast packet

       - IPv4 packet with destination IP address equal to 0.0.0.0

       - IPv4 packet with source IP address equal to 0.0.0.0

    2) In routed or transparent mode and receives a through-the-box IPv4 packet with:

       - first octet of the source IP address equal to zero

       - source IP address equal to the loopback IP address

       - network part of source IP address equal to all 0's

       - network part of the source IP address equal to all 1's

       - source IP address host part equal to all 0's or all 1's

    3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source
and destination IP addresses

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card