BGP Authentication through FW-1

bjames
Level 5

Hi,

We are having an issue with BGP passing through a CheckPoint Firewall. I won't go into why it's set up like this, but it's a functional design, and BGP works well. The issue is that when MD5 authentication is turned on for BGP, the updates to the inside routers fail. Turn off the password, and they work fine again.

I have searched everywhere for someone with a similar issue with no luck. I will be checking the (FW) log files and putting upstream and downstream sniffers in place next week, but I thought I would ask here.

I would bet it's something to do with TCP sequencing randomization.....

Thanks

1 Reply

Harold Ritter
Cisco Employee

The issue is most certainly due to the CheckPoint FW randomizing the TCP initial sequence number. I know the TCP ISN randomization issue exists with the PIX, as described in the following Q&A, and it can easily be taken care of by disabling the randomization for the two peers.

http://www.cisco.com/en/US/partner/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#twenty-five

I'm not sure if the Checkpoint FW allows you to disable the ISN randomization on a single session.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
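The reply above explains the failure in one sentence; the example below, added here and not part of the thread, shows why ISN rewriting and BGP MD5 authentication cannot coexist. The TCP MD5 signature option (RFC 2385) is an MD5 over the IPv4 pseudo-header, the fixed TCP header (options excluded, checksum zeroed), the payload and the shared key. Because the sequence and acknowledgement numbers sit inside the hashed header, a firewall that shifts the ISN in transit produces a segment whose digest no longer matches what the sending router computed, and the receiving router silently drops it. All addresses, ports, the key and the ISN offset are constructed values for illustration.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed sample values for illustration; nothing here is taken from the thread.
PEER_A = "192.0.2.1"
PEER_B = "192.0.2.2"
BGP_PORT = 179
SHARED_KEY = b"example-bgp-key"   # placeholder key, constructed for this example
MD5_OPTION_LEN = 20               # 18-byte MD5 option plus 2 bytes of NOP padding


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
                   window, urgent, payload, key, options_len=MD5_OPTION_LEN):
    """Compute the RFC 2385 TCP MD5 signature for one segment.

    The digest covers, in order: the IPv4 pseudo-header, the TCP header with
    options omitted and the checksum forced to zero, the segment payload, and
    the shared key. The sequence and acknowledgement numbers are part of the
    hashed header, which is why a middlebox that rewrites them breaks the
    signature even though the key on both routers is correct.
    """
    header_len = 20 + options_len           # data offset still counts the options
    seg_len = header_len + len(payload)     # pseudo-header carries the full segment length
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, 6, seg_len)
    data_offset = (header_len // 4) << 4    # upper nibble of the 13th header byte
    fixed_header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                               data_offset, flags, window, 0, urgent)
    return hashlib.md5(pseudo + fixed_header + payload + key).digest()


def bgp_syn_digest(seq, ack=0, key=SHARED_KEY):
    """Digest the sender would place in the MD5 option of its SYN (flags=0x02)."""
    return tcp_md5_digest(PEER_A, PEER_B, 49152, BGP_PORT, seq, ack,
                          0x02, 16384, 0, b"", key)


def digest_changes_after_isn_rewrite(original_isn, isn_offset):
    """Model a firewall adding isn_offset to the ISN while the SYN is in transit.

    The sender signed the segment using original_isn; the receiver recomputes
    the digest over the sequence number it actually sees on the wire. Returns
    True when the two digests differ, i.e. when the receiver would reject the
    segment and the BGP session would never come up with the password set.
    """
    sent = bgp_syn_digest(original_isn)
    seen = bgp_syn_digest((original_isn + isn_offset) & 0xFFFFFFFF)
    return sent != seen


if __name__ == "__main__":
    isn = 0x12345678
    print("unchanged ISN breaks digest:", digest_changes_after_isn_rewrite(isn, 0))
    print("rewritten ISN breaks digest:", digest_changes_after_isn_rewrite(isn, 0x2000))
```

This is also a useful way to read a packet capture taken on both sides of the firewall: if the sequence numbers of the same segment differ upstream and downstream, the MD5 option cannot verify, and no amount of key checking on the routers will fix it; the randomization has to be disabled for those two peers, as the reply suggests.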
