07-10-2024 03:13 AM - edited 07-10-2024 04:04 AM
Hi team,
FMCv 7.4.1 and FPR2140 running 7.2.7
We are seeing an issue with BGP failing on FTD 2140 with AWS.
We haven't established exactly when this started; potentially since we upgraded the FTD about 9 days ago.
Only one of the peers is down; the others are working fine, and we can ping the destination, so L2 appears to be fine.
Anyway, we didn't get any notifications and only found this by chance. After seeing some posts on this forum, we started looking at updating the syslog settings, as we've kept the syslog settings in Platform Settings pretty much at their defaults.
It seems that FTD syslog messages are somewhat limited compared to ASA syslog messages, as there is only one BGP-related syslog message (317007) available for FTD, whereas ASA has four (317007, 418018, 418019, 418040).
Cisco Secure Firewall Threat Defense Syslog Messages - Cisco
Cisco Secure Firewall ASA Series Syslog Messages - Cisco
In any case, upon trying to add 317007 for FTD, I get this, which suggests it is not available:
And trying to add it anyway, I receive an "invalid syslog id" error.
How do we go about enabling alerts when BGP peer/s go down?
We've got SolarWinds NPM as a syslog server and also an SNMP server.
Please advise.
Thanks!
07-10-2024 04:19 AM
Is the log neighbor changes option enabled under BGP General settings?
07-10-2024 04:23 AM
07-10-2024 04:29 AM
Found this entry in another syslog (XDR); it would appear that inbound traffic from the peer is dropped by the firewall??
07-10-2024 04:36 AM
Yes, that is dropping the BGP connection. Any chance at allowing it?
07-10-2024 04:44 AM
In BGP there are two peers:
one uses an unknown port, the other uses the known port 179.
So when you added the policy, did you use port 179?
MHM
07-10-2024 04:52 AM - edited 07-10-2024 04:52 AM
Adding a rule allowing the destination port tcp/179. Let's see how that goes.
Odd that we have no rules for the other peers that are working.
07-10-2024 05:04 AM
To-the-box traffic normally does not use regular access rules, so it is strange that you are seeing this being dropped. But depending on which interface you are using to establish neighbors, this opening might be needed.
07-10-2024 05:14 AM
Unfortunately, adding a rule to allow tcp/179 didn't help.
I'll log a ticket with our support firm and come back with the findings and the resolution.
I'd still like to know how to enable monitoring and alerts, if anyone has any ideas.
Thanks,
07-10-2024 09:57 AM
Mr @Marius Gunnerud is correct: ACLs don't affect to-the-box traffic; only the control plane ACL affects that.
For the peer whose BGP is down, can you check whether the address family is disabled or enabled?
MHM
07-16-2024 01:27 AM
Just returned to update the BGP issue we've had.
It would appear that the FTD has somehow modified the BGP key following the upgrade from 7.2.6 to 7.2.7.
The "more system:running-config" output was showing the wrong key, missing the first 2 characters, in our case "0x".
Re-applying the correct key on the FTD has resolved the issue.
07-16-2024 02:22 AM
Thanks a lot for updating us.
Have a nice summer
MHM
07-16-2024 06:55 AM
Noticed SolarWinds is seeing "FTD-3-418018".
So I manually added 418018 with the "error" level in the platform settings and set up email to send me severity "error" messages as a test, but it's not playing ball.
I'll play around a bit more and post updates if I find anything. Learning SolarWinds alerting on the fly!
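Since the thread never got to a working alert, here is an added example (not code from the original posts, and not a SolarWinds feature) of the detection logic a syslog collector could run over the FTD messages discussed above: it picks out the BGP neighbor-change IDs (418018, 418019, 418040), tracks the latest state per peer, and raises an alert only for peers whose most recent message was a Down. The sample log lines are constructed, and the exact wording after the message ID ("Neighbor <ip> Down <reason>") is an assumption about the format; adjust the regex to what your collector actually receives.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# ASA/FTD syslog header: "%FTD-<severity>-<message id>: <text>".
HEADER_RE = re.compile(r"%(?:FTD|ASA)-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# Assumed body format for the BGP neighbor-change messages.
NEIGHBOR_RE = re.compile(r"Neighbor\s+(?P<peer>\S+)\s+(?P<state>Up|Down)\b\s*(?P<reason>.*)")

# The three neighbor-change IDs mentioned in the thread (down, up, down with notification).
BGP_NEIGHBOR_IDS = {"418018", "418019", "418040"}


@dataclass
class BgpEvent:
    msgid: str
    severity: int
    peer: str
    state: str
    reason: str


def parse_line(line: str) -> Optional[BgpEvent]:
    """Return a BgpEvent for a BGP neighbor-change message, or None for anything else."""
    m = HEADER_RE.search(line)
    if not m or m.group("msgid") not in BGP_NEIGHBOR_IDS:
        return None
    n = NEIGHBOR_RE.search(m.group("text"))
    if not n:
        return None
    return BgpEvent(
        msgid=m.group("msgid"),
        severity=int(m.group("sev")),
        peer=n.group("peer"),
        state=n.group("state"),
        reason=n.group("reason").strip(),
    )


def bgp_events(lines: Iterable[str]) -> List[BgpEvent]:
    """All BGP neighbor-change events in the given syslog lines, in order."""
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def peers_down(lines: Iterable[str]) -> List[str]:
    """Peers whose most recent neighbor-change message was a Down (flaps that recovered are ignored)."""
    last: Dict[str, BgpEvent] = {}
    for e in bgp_events(lines):
        last[e.peer] = e
    return sorted(peer for peer, e in last.items() if e.state == "Down")


def alerts(lines: Iterable[str]) -> List[str]:
    """One alert string per peer currently down; feed these to email/SNMP trap as needed."""
    return [f"ALERT: BGP peer {peer} down" for peer in peers_down(lines)]


# Constructed sample lines (not captured from the poster's SolarWinds).
SAMPLE_LOGS = [
    "<163>Jul 10 2024 04:20:01 fw-edge-01 %FTD-3-418018: Neighbor 169.254.10.1 Down BGP Notification sent",
    "<166>Jul 10 2024 04:20:05 fw-edge-01 %FTD-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/40000 (203.0.113.5/40000) to inside:10.0.0.8/443 (10.0.0.8/443)",
    "<163>Jul 10 2024 04:21:30 fw-edge-01 %FTD-3-418019: Neighbor 169.254.10.1 Up",
    "<163>Jul 10 2024 05:02:11 fw-edge-01 %FTD-3-418040: Neighbor 169.254.20.1 Down - BGP Notification received",
    "<166>Jul 10 2024 05:02:12 fw-edge-01 %FTD-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/40000 to inside:10.0.0.8/443 duration 0:42:07 bytes 5120 TCP FINs",
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOGS):
        print(a)
```

The severity digit in the header (3) is the "error" level the poster selected in Platform Settings, so the filter above matches what that logging level would forward; the point of tracking the last state per peer is that a peer that flaps and recovers (169.254.10.1 here) does not keep an alert open.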