Hi Rick,

Many thanks for your kind response.

From what I can see I believe BGP have formed with peer, below is additional information.

Also notice when viewing logs, that we are getting lots of hits from outside on new interface to peer on our new /24 address which indicate to us that peering has been successful;

s1fw1# sh bgp sum

BGP router identifier <self ip>, local AS number <our as>

BGP table version is 40, main routing table version 40

1 network entries using 200 bytes of memory

1 path entries using 80 bytes of memory

1/1 BGP path/bestpath attribute entries using 208 bytes of memory

1 BGP AS-PATH entries using 24 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 512 total bytes of memory

BGP activity 6/5 prefixes, 15/14 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

<peer ip>   4        <peer as> 4055    3526          40    0    0 1d08h  1 

sh bgp neighbors <peer ip>

BGP neighbor is <peer ip>,  context single_vf,  remote AS <peer as>, external link

  BGP version 4, remote router ID 103.52.116.4

  BGP state = Established, up for 1d08h

  Last read 00:00:01, last write 00:00:33, hold time is 90, keepalive interval is 30 seconds

  Neighbor sessions:

    1 active, is not multisession capable (disabled)

  Neighbor capabilities:

    Route refresh: advertised and received(new)

    Four-octets ASN Capability: advertised and received

    Address family IPv4 Unicast: advertised and received

    Graceful Restart Capability: received

      Remote Restart timer is 120 seconds

      Address families advertised by peer:

        none

    Multisession Capability: 

  Message statistics:

    InQ depth is 0

    OutQ depth is 0

                   Sent       Rcvd

    Opens:         1          1         

    Notifications: 0          0         

    Updates:       20         1         

    Keepalives:    3517       4068      

    Route Refresh: 0          0         

    Total:         3538       4070      

  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast

  Session: <peer ip>

  BGP table version 40, neighbor version 40/0

  Output queue size : 0

  Index 1

  1 update-group member

                           Sent       Rcvd

  Prefix activity:         ----       ----

    Prefixes Current:      0          1          (Consumes 80 bytes)

    Prefixes Total:        14         1         

    Implicit Withdraw:     9          0         

    Explicit Withdraw:     5          0         

    Used as bestpath:      n/a        1         

    Used as multipath:     n/a        0         

                                Outbound    Inbound

  Local Policy Denied Prefixes: --------    -------

    Bestpath from this peer:     1          n/a       

    Invalid Path:                5          n/a       

    Total:                       6          0         

  Number of NLRIs in the update sent: max 1, min 0

  Address tracking is enabled, the RIB does have a route to <peer ip>

  Connections established 1; dropped 0

  Last reset never

  Transport(tcp) path-mtu-discovery is enabled

  Graceful-Restart is disabled

Cheers

Geoff

Hi Rick,

Just some more background that might be helpful.

Also am successfully pinging peer IP both with IPv4 & IPv6, just not beyond.

We have a working BGP with same ISP & same AS at our other DC, but that is JunOS.

Once successful with ASA 5585-x we will setup iBGP between 2 DC's.

Cheers

Geoff

Hello,

--> We have a working BGP with same ISP & same AS at our other DC, but that is JunOS.

That might be the problem. What is your ISP supposed to send to the new peer ? Check with your ISP what networks or routes they are sending, if any, to the new peer...

Hi Georg,

Added Null0 routes for /23 & /24 and changed priority on routes outbound on 2 gateways and now can ping out on BGP link. Still can't ping from outside to public IP.

Please find attached a diagram of what we are attempting to do.

Cheers

Geoff

Hello,

not sure if I read your topology correctly, but if your are dual homed to the same ISP, which router do you want to be the exit point ? Your iBGP peer is a JunOS router ? Can you post the config of that router as well ?

Hi Georg,

We have not configured iBGP yet, we thought it would be best to get basic eBGP working first.

At this stage we not wanting to route from DC1 to DC2 yet.

Will post JunOS shortly.

Cheers 

Hi Georg,

JunOS Configs at other DC;

interfaces {
ethernet eth3 {
address xxx.xxx.89/31
duplex auto
firewall {
in {
}
local {
}
}
speed auto
}
ethernet eth5 {
duplex full
speed 10000
vif 14 {
address xxx.xxx.15.1/25
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth5.14
wan-interface eth3
}

protocols {
bgp nnnnnn {
neighbor xxx.xxx.xxx.88 {
remote-as nnnnn
}
network xxx.xxx.14.0/23 {
}
network xxx.xxx.15.0/24 {
}
parameters {
router-id xxx.xxx.xxx.89
}
}
static {
route 0.0.0.0/0 {
next-hop xxx.xxx.xxx.88 {
distance 250
}
}
route xxx.xxx.14.0/23 {
blackhole {
}
}
route xxx.xxx.15.0/24 {
blackhole {
}
}
}
}

Some more investigations;

sh bgp neighbors xxx.xxx.xxx.90 advertised-routes

BGP table version is 46, local router ID is xxx.xxx.xxx.91
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> xxx.xxx.14.0/24 0.0.0.0 0 32768 i
*> xxx.xxx.14.0/23 0.0.0.0 0 32768 i

Total number of prefixes 2

sh bgp xxx.xxx.14.0
BGP routing table entry for xxx.xxx.14.0/24, version 45
Paths: (1 available, best #1, table default)
Advertised to update-groups:
1
Local
0.0.0.0 from 0 (xxx.xxx.xxx.91)
Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best

Hi Rick,

Below is sh bgp and I have changed interface to security level to 0, as we only have BGP-LINK set to 0, plus enable same security level between interfaces;

show bgp

BGP table version is 46, local router ID is xxx.xxx.xxx.91
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
r> 0.0.0.0 xxx.xxx.xxx.90 0 nnnnnn i
*> xxx.xxx.14.0/24 0.0.0.0 0 32768 i
*> xxx.xxx.14.0/23 0.0.0.0 0 32768 i

interface Port-channel2

 no nameif

 security-level 100

 no ip address

!

interface Port-channel2.14

 vlan 14

 nameif public

 security-level 100

 ip address xxx.xxx.14.1 255.255.255.128

Cheers

Geoff

Geoff

Was I correct in understanding that the concern in your original post was that there were no routes learned from your BGP neighbor? If so then that concern has been solved. You did indeed learn 1 route from that neighbor. It does not show up because when BGP attempted to insert that route into the routing table there was a RIB failure because there was another route with a better Administrative Distance. Perhaps there is a question about whether you want to use the BGP route instead of the configured static default route. If so then simply change the AD of the configured static default route(s) to a value higher than BGP. So it looks to me like the question about learning BGP routes is resolved. Are there other issues?

HTH

Rick

Hi Rick,

Yes, you are correct, initial issue is now resolved.

And yes, it looks like now that RIB-failure has resolved by changing priority's.

And now I have one last issue and that is I am unable to ping xxx.xxx.41.1 from internet.

Should I close discussion and create new discussion?

Many thanks for your kind assistance, as you have pointed us in the right direction to resolve issue.

Cheers

Geoff

Geoff

Thank you for the update that the original issue is solved. I am glad that my suggestions pointed you in the right direction. Thank you for marking this question as solved. This will help other participants in the community to identify discussions that have helpful information.

As far as your follow up question I have these comments:

- it is certainly valid for a discussion to begin with one issue and then to ask a follow up question about a different but related issue. On that basis you can ask the question here and not begin a new discussion.

- Once a discussion is marked as solved many participants will not look further at it or participate in it. On that basis you might be better off to begin a new discussion with your question.

- is the address really x.41.1? (I see no reference to this) or is it perhaps x.14.1? (I do see a reference to this)

- the basic security policy of ASA is to not allow traffic initiated from outside/Internet to inside resources. If you want to ping something on ASA from Internet you need an access list on outside that permits this. Do you have such an access list?

- it is certainly your choice. But if my suggestion here does not resolve your follow up question I would suggest that you begin a new discussion for it. (and if you do please let me know so I can follow it)

HTH

Rick