
BGP Syslog messages on FTD

atsukane (Level 1)

Hi team,

FMCv 7.4.1  and FPR2140 running 7.2.7 

We are seeing an issue with BGP failing on FTD 2140 with AWS.

We haven't established exactly when this started; it has potentially been happening since we upgraded the FTD about 9 days ago.

Only one of the peers is down and others are working fine, and we can ping the destination so L2 appears to be fine.

Anyway, we didn't get any notifications and only found this by chance, and after seeing some posts at this forum etc started looking at updating the syslog setting as we've kept the syslog settings in Platform Settings pretty much default. 

It seems that FTD syslog messages are somewhat limited compared to ASA syslog messages, as there is only one BGP-related syslog message (317007) available for FTD, whereas ASA has four (317007, 418018, 418019, 418040).

Cisco Secure Firewall Threat Defense Syslog Messages - Cisco

Cisco Secure Firewall ASA Series Syslog Messages - Cisco

In any case, upon trying to add 317007 for FTD, I get this, which suggests it is not available:

[screenshot]

And trying to add it anyway, I receive an "invalid syslog id" error.

[screenshot]

How do we go about enabling alerts when BGP peer/s go down?

We've got SolarWinds NPM as a syslog server and also an SNMP server.

Please advise.

Thanks!
12 Replies

Is the log neighbor changes option enabled under BGP General settings?

--
Please remember to select a correct answer and rate helpful posts

Hi @Marius Gunnerud 

Yes, it is enabled.

[screenshot]

atsukane (Level 1)

Found this entry in another syslog (XDR); it would appear that inbound traffic from the peer is dropped by the firewall??

[screenshot]

Yes, that is dropping the BGP connection.  Any chance at allowing it?


In BGP there are two peers.

One uses an unknown port, the other uses the known port 179.

So when you added the policy, did you use port 179?

MHM

atsukane (Level 1)

Adding a rule allowing the destination port tcp/179. Let's see how that goes.

Odd that we have no rules for other peers that are working.

[screenshot]

To-the-box traffic normally does not use regular access rules, so it is strange that you are seeing this being dropped. But depending on which interface you are using to establish neighbors, this opening might be needed.


atsukane (Level 1)

Unfortunately, adding a rule to allow tcp/179 didn't help.

Will log a ticket with our support firm and come back with the findings for the resolution.

I'd still like to know how to enable monitoring and alerts, if anyone has any ideas.

Thanks, 

Mr @Marius Gunnerud is correct: ACLs don't affect to-the-box traffic; only the control-plane ACL affects that.

For this peer where BGP is down, can you check if the address family is disabled or enabled?

MHM

atsukane (Level 1)

Just returned to update the BGP issue we've had.

It would appear that FTD has somehow modified the BGP key following the upgrade from 7.2.6 to 7.2.7.

"more system:running-config" output was showing the wrong key, missing the first 2 characters, in our case "0x".

Re-applying the correct key on the FTD has resolved the issue.
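Worked example added here (not part of the thread, and not a Cisco tool): a small Python check that compares the BGP neighbor keys in two running-config snapshots taken before and after an upgrade, so a silently truncated key like the missing "0x" described above surfaces as a finding instead of as a peer that quietly stays down. The config text, addresses and key values are constructed samples, and the `neighbor <ip> password [type] <key>` line syntax is the Cisco-style form assumed here.

```python
"""Detect BGP neighbor key drift between two running-config snapshots.

Added example, not from the original thread. All config text below is a
constructed sample in Cisco-style syntax; addresses and keys are placeholders.
"""
import re
from typing import Dict

# Matches 'neighbor <ip> password [<type>] <key>' with optional leading indent.
NEIGHBOR_KEY_RE = re.compile(
    r"^\s*neighbor\s+(?P<peer>\S+)\s+password\s+(?:\d\s+)?(?P<key>\S+)\s*$"
)

# Constructed snapshot taken before the upgrade (assumed values).
BEFORE_CONFIG = """router bgp 65000
 bgp log-neighbor-changes
 neighbor 203.0.113.10 remote-as 64512
 neighbor 203.0.113.10 password 0xABCDEF1234
 neighbor 203.0.113.11 remote-as 64513
 neighbor 203.0.113.11 password 0xSECRET2
"""

# Constructed snapshot taken after the upgrade: one key lost its leading "0x".
AFTER_CONFIG = """router bgp 65000
 bgp log-neighbor-changes
 neighbor 203.0.113.10 remote-as 64512
 neighbor 203.0.113.10 password ABCDEF1234
 neighbor 203.0.113.11 remote-as 64513
 neighbor 203.0.113.11 password 0xSECRET2
"""


def extract_neighbor_keys(config: str) -> Dict[str, str]:
    """Return {neighbor_ip: key} for every neighbor password line in a config."""
    keys: Dict[str, str] = {}
    for line in config.splitlines():
        m = NEIGHBOR_KEY_RE.match(line)
        if m:
            keys[m.group("peer")] = m.group("key")
    return keys


def compare_neighbor_keys(before: str, after: str) -> Dict[str, dict]:
    """Compare per-neighbor keys and classify each difference.

    'truncated' is the specific failure from the thread: the new key is a proper
    suffix of the old one, i.e. leading characters were dropped.
    """
    old = extract_neighbor_keys(before)
    new = extract_neighbor_keys(after)
    findings: Dict[str, dict] = {}
    for peer, old_key in old.items():
        new_key = new.get(peer)
        if new_key is None:
            findings[peer] = {"status": "missing", "dropped_prefix": None}
        elif new_key != old_key:
            truncated = len(new_key) < len(old_key) and old_key.endswith(new_key)
            findings[peer] = {
                "status": "truncated" if truncated else "changed",
                "dropped_prefix": old_key[: len(old_key) - len(new_key)] if truncated else None,
            }
    for peer in new.keys() - old.keys():
        findings[peer] = {"status": "added", "dropped_prefix": None}
    return findings


def run_example() -> Dict[str, dict]:
    """Run the comparison over the constructed snapshots."""
    return compare_neighbor_keys(BEFORE_CONFIG, AFTER_CONFIG)


if __name__ == "__main__":
    for peer, finding in run_example().items():
        print(f"{peer}: {finding['status']}"
              + (f" (dropped prefix {finding['dropped_prefix']!r})"
                 if finding["dropped_prefix"] else ""))
```

Run it against real `more system:running-config` captures taken before and after a change window; a `truncated` finding is the signature of the problem described above, while `changed` or `missing` point at something else worth a look before re-applying keys.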

Thanks a lot for updating us.

Have a nice summer 

MHM

atsukane (Level 1)

Noticed SolarWinds is seeing "FTD-3-418018".

[screenshot]

So I manually added 418018 with the "error" level in the platform settings and set up email to send me severity "error" messages as a test, but it is not playing ball.

[screenshot]

I'll play around a bit more and post updates if I find anything. Learning SolarWinds alerting on the fly!
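Added example (not from the thread, and not Cisco's or SolarWinds' code): a Python filter that does what the poster wanted the syslog server to do, picking the BGP-related message IDs named in the thread (317007, 418018, 418019, 418040) out of ASA/FTD-format syslog lines and turning them into alert records, with the same severity threshold the "error" level in Platform Settings would apply. The log lines are constructed samples; the wording after each message ID is illustrative, not Cisco's documented message text.

```python
"""Alert on BGP-related ASA/FTD syslog messages.

Added example, not from the original thread. Sample log lines are constructed;
only the %PLATFORM-SEVERITY-ID header format is assumed to be the vendor's.
"""
import re
from typing import Dict, List, Optional

# Message IDs named in the thread. 317007 is the only one documented for FTD;
# the 4180xx IDs are documented for ASA, yet the poster saw FTD-3-418018 on the wire.
BGP_MESSAGE_IDS = {"317007", "418018", "418019", "418040"}

# %FTD-3-418018: <text>   -> platform, numeric severity (0 = most severe), 6-digit ID
SYSLOG_RE = re.compile(
    r"%(?P<platform>ASA|FTD)-(?P<severity>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines (timestamps, host and peer addresses are made up).
SAMPLE_LOG = [
    "Jul 16 10:05:01 ftd-2140 %FTD-3-418018: BGP neighbor 203.0.113.10 Down (constructed)",
    "Jul 16 10:05:02 ftd-2140 %FTD-6-302013: Built inbound TCP connection (constructed)",
    "Jul 16 10:06:30 ftd-2140 %FTD-5-418040: BGP neighbor 203.0.113.11 Up (constructed)",
    "Jul 16 10:07:00 ftd-2140 not a cisco syslog line at all",
]


def parse_syslog_line(line: str) -> Optional[Dict[str, str]]:
    """Split a line into platform/severity/msgid/text; None if it is not ASA/FTD format.

    'peer' is the first IPv4 address in the message text, if any (the sample lines
    put the neighbor address there; real message text may differ).
    """
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    ip = IPV4_RE.search(rec["text"])
    rec["peer"] = ip.group(0) if ip else ""
    return rec


def bgp_alerts(lines: List[str], max_severity: int = 3) -> List[Dict[str, str]]:
    """Return alert records for BGP message IDs at severity <= max_severity.

    Cisco severities count down in urgency: 0 emergencies ... 3 errors ... 7 debugging,
    so the default of 3 matches the "error" level used in Platform Settings.
    """
    alerts = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        if rec["msgid"] in BGP_MESSAGE_IDS and int(rec["severity"]) <= max_severity:
            alerts.append(rec)
    return alerts


def format_alert(rec: Dict[str, str]) -> str:
    """One-line summary suitable for an email or ticket body."""
    peer = rec["peer"] or "unknown peer"
    return f"[{rec['platform']}-{rec['severity']}-{rec['msgid']}] BGP event for {peer}: {rec['text']}"


if __name__ == "__main__":
    for alert in bgp_alerts(SAMPLE_LOG):
        print(format_alert(alert))
```

The severity filter is the detail worth keeping in mind when an alert rule "does nothing": the Up notification in the sample carries severity 5, so a rule keyed to "error" (3) never sees it, and a rule meant to catch flaps needs the threshold raised to 5 or the ID matched regardless of severity.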