635 Views | 5 Helpful | 5 Replies

BGP ROUTING: Troubleshooting lost network packets.

DStringfield
Level 1

Hi all,

I am currently trying to sort out (with my ISP) whether or not a particular BGP service is configured correctly (using two ASA5506X). Currently the following is configured:

[image attachment: DStringfield_0-1621316827408.png]

Currently, from the address 172.16.10.3 I can ping:

  • 10.252.0.9
  • 10.252.0.1

From the address 172.16.20.3 I can ping:

  • 10.252.0.1

I can't ping between the two local networks (e.g. 172.16.20.3 to 172.16.10.3). On the ASA interface for 10.252.0.2 I can see outbound packets to 10.252.0.9 and 172.16.20.3 but no inbound ones. So I reason there are two possibilities:

  • My interface for 10.252.0.2 is dropping packets for any address outside the network 10.252.0.0/30
  • The provider has an error in their routing.

So far I have tried:

  • Ensuring there are no ACLs preventing traffic
  • Ensuring there are no NAT rules applying to the interface
  • Using Packet Tracer to see if the ACLs would allow communication in theory
  • Ensuring ICMP is allowed in the default service class inspection
  • Ensuring that the config on both devices is identical
  • Ensuring the routing tables are correct and transferred
  • Implementing suggestions from my previous thread

Is there a way for me to tell if the packets arriving at 10.252.0.2 are being dropped? Should they be viewable using Packet Capture? Is there another method for seeing if those packets are being dropped? This would be helpful either way: if I can determine the packets are in fact being dropped, I can show that to the provider as evidence that my end is set up correctly.

Happy to clarify any of these or post configs.

5 Replies

Jon Marshall
Hall of Fame

Can you post:

1) configs of both firewalls
2) routing tables for both firewalls
3) BGP tables for both firewalls

Remove any sensitive info from firewall configs before posting.

Jon

Giuseppe Larosa
Hall of Fame

Hello @DStringfield,

in addition to what @Jon Marshall has asked I would like to add the following:

>> Should they be viewable using Packet Capture?

Yes, you can use packet capture on the ASA, and you can specify a filter so that only interesting packets are captured.

The command syntax from the CLI is similar to the following example:

capture VMTEST interface inside match icmp host 10.2.0.203 any

You need to change the interface name to match the one connected to the provider, and the host IP address can be 172.16.10.X.

To show the captured packets you use:

show capture VMTEST

and to delete a capture you use:

no capture VMTEST

Also, the capture name can be chosen.

This can allow you to understand if you are facing a unidirectional forwarding plane in the SP network: for a working network you would see incoming ICMP echo packets and outgoing echo replies.

Hope to help
Giuseppe
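A small parser for that capture output, added here as an example and not code from the thread or from Cisco: it reads `show capture` lines, credits each echo reply to the request it answers, and lists the address pairs whose requests got no reply, which is the unidirectional case described above and the "outbound but no inbound" symptom in the original question. The sample capture is constructed, and the line format (tcpdump-style `src > dst: icmp: echo request`, with an optional 802.1Q tag) is assumed from typical ASA output.

```python
import re
from collections import defaultdict

# Constructed sample of ASA "show capture" output (not from the thread): the
# echo to the provider's 10.252.0.9 is answered, the echo toward the other
# site is not, which is the symptom the original poster describes.
SAMPLE_CAPTURE = """\
4 packets captured
   1: 10:02:11.004512 172.16.10.3 > 10.252.0.9: icmp: echo request
   2: 10:02:11.005120 10.252.0.9 > 172.16.10.3: icmp: echo reply
   3: 10:02:12.110034 172.16.10.3 > 172.16.20.3: icmp: echo request
   4: 10:02:13.110211 172.16.10.3 > 172.16.20.3: icmp: echo request
4 packets shown
"""

# One capture line; the 802.1Q tag and the colon after the destination
# are optional because the ASA does not print them in every setup (assumed format).
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):?\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)"
)

def parse_capture(text):
    """Return (src, dst, kind) for every ICMP echo line in the capture."""
    return [(m["src"], m["dst"], m["kind"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def classify_flows(flows):
    """Map (requester, target) -> (requests, replies); replies are credited
    to the reversed address pair of the request that caused them. A pair with
    requests but no replies means the echo left this interface and nothing
    came back: the far end did not answer or the return path is broken."""
    counts = defaultdict(lambda: [0, 0])
    for src, dst, kind in flows:
        if kind == "request":
            counts[(src, dst)][0] += 1
        else:
            counts[(dst, src)][1] += 1
    return {pair: tuple(c) for pair, c in counts.items()}

def unanswered_pairs(text):
    """Address pairs whose echo requests never received a reply."""
    stats = classify_flows(parse_capture(text))
    return sorted(p for p, (req, rep) in stats.items() if req and not rep)

if __name__ == "__main__":
    print(unanswered_pairs(SAMPLE_CAPTURE))
```

Run it against the capture taken on the interface facing the provider: a pair that shows up as unanswered while the same request is visible leaving that interface is the evidence to hand to the provider.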

Hello,
By default icmp inspection is denied on ASA, so have you tried allowing this?

policy-map global_policy
 class inspection_default
  inspect icmp
 exit

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

DStringfield
Level 1

Hi all,

Super frustratingly, it ended up being a provider error that took a month to resolve. I really appreciate everyone's help, and I learnt a lot during the process, if that's at all a reward.

Cheers,

David

Hello @DStringfield,

nice to know that you have solved your issue, and yes, service providers can also make errors.

Best Regards

Giuseppe
