cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1843
Views
35
Helpful
15
Replies

Can't establish connection between BGP neighbours

DStringfield
Level 1
Level 1

I have two geographically distinct sites, each with an ASA5506, that I am trying to connect via BGP. Please see the attached diagram below

bgp_diagram_1.png

My work so far has been succesful. Both ASA's have BGP enabled, and have Established connections to the common AS (the details of which were given to me by our provider). I next thing I did was advertise the network 192.168.170.0/24 from 64513. When I login to the other ASA (under 64514) and I can view the routes, I can see the following entry in the table: 

Protocol | Type | Destination IP | Netmask       | Gateway    | Interface
BGP | | 192.168.170.0 | 255.255.255.0 | 10.252.0.9 |

When I view the BGP IPv4 Routes I see the following entry:

Status Code | Network       | Next Hop   | Metric | Local Pref | Weight | Path
*> | 192.168.170.0 | 10.252.0.9 | | 0 | 2764 64513 i

Despite this, when I try and send ping or tracert requests from 192.168.36.XXX addresses to 192.168.170.0/24, I don't get any response. I'm trying to understand why, as I have the right routes in place, so I can't see why traffic isn't going through. 

So far my thoughts are:

  • A misconfiguration for iBGP to eBGP. As we can see in the diagram this is an eBGP connection, but the route in the BGP Routes has an i for the origin code. 
    • I've ensured that Allow connections with neighbour that is not directly connected is checked in the BGP Neighbour settings
    • I've tried at various points to add a second neighbour connection to each AS (directly across to the other AS) but I can't get that configured properly, and when I spoke to the provider about it they suggested this shouldn't be necessary (and I have the routes, so seems unecessary).
  • A security issue. On both ASA's the traffic is going between two interfaces (the inside interface, and an interface dedicated to BGP connections). Both interfaces have the same security level and the Enable traffic between two or more interfaces... is checked. 
    • An access rule is in place for both ASAs enabling all IP traffic on both interfaces. 

I've tried everything I can think of. I can provide more configuration as needed, happy to answer more questions or take further reading recommendations to increase my knowledge on this topic. 

Thanks!

15 Replies 15

balaji.bandi
Hall of Fame
Hall of Fame

may be  i start with basic test, is the peer able to reach each other ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco