02-16-2019 03:20 AM
Hi,
After configuring BGP on an ASA 5585-x, no routes to the peer are displayed with show bgp route.
Below are some configs and show outputs.
Many thanks in advance.
Cheers
Geoff
sh run route
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1
route BGP-LINK 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 2
sh route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is xx.xxx.xxx.xxx to network 0.0.0.0
sh run router bgp
router bgp xxxxx
bgp log-neighbor-changes
bgp router-id xxx.xxx.xxx.xxx
address-family ipv4 unicast
neighbor xx.xxx.xxx.xx remote-as xxxxx
neighbor xx.xxx.xxx.xx activate
network xxx.xxx.xx.x mask 255.255.254.0
network xxx.xxx.xx.x mask 255.255.255.0
aggregate-address xxx.xxx.xx.x 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
nat (public,BGP-LINK) after-auto source dynamic public-subnet interface
access-list BGP-LINK_access_in extended permit icmp any object public-subnet
access-list public_access_in extended permit icmp any object public-subnet
interface Port-channel2
no nameif
security-level 100
no ip address
!
interface Port-channel2.14
vlan 14
nameif public
security-level 100
ip address xxx.xxx.xx.x 255.255.255.128
interface TenGigabitEthernet0/8
nameif BGP-LINK
security-level 0
ip address xx.xxx.xxx.xx 255.255.255.254
ipv6 address xxxx:xxxx:x:xx::xx/127
ipv6 enable
!
02-16-2019 07:34 AM
Your config shows a single BGP neighbor. As a first step in investigating this issue can you tell us whether the BGP neighbor relationship is successfully formed?
HTH
Rick
02-16-2019 11:57 AM
Hi Rick,
Many thanks for your kind response.
From what I can see, I believe BGP has formed with the peer; below is additional information.
Also noticed when viewing logs that we are getting lots of hits from outside on the new interface to the peer on our new /24 address, which indicates to us that peering has been successful:
s1fw1# sh bgp sum
BGP router identifier <self ip>, local AS number <our as>
BGP table version is 40, main routing table version 40
1 network entries using 200 bytes of memory
1 path entries using 80 bytes of memory
1/1 BGP path/bestpath attribute entries using 208 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 512 total bytes of memory
BGP activity 6/5 prefixes, 15/14 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
<peer ip> 4 <peer as> 4055 3526 40 0 0 1d08h 1
sh bgp neighbors <peer ip>
BGP neighbor is <peer ip>, context single_vf, remote AS <peer as>, external link
BGP version 4, remote router ID 103.52.116.4
BGP state = Established, up for 1d08h
Last read 00:00:01, last write 00:00:33, hold time is 90, keepalive interval is 30 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Graceful Restart Capability: received
Remote Restart timer is 120 seconds
Address families advertised by peer:
none
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 20 1
Keepalives: 3517 4068
Route Refresh: 0 0
Total: 3538 4070
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Session: <peer ip>
BGP table version 40, neighbor version 40/0
Output queue size : 0
Index 1
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 1 (Consumes 80 bytes)
Prefixes Total: 14 1
Implicit Withdraw: 9 0
Explicit Withdraw: 5 0
Used as bestpath: n/a 1
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 1 n/a
Invalid Path: 5 n/a
Total: 6 0
Number of NLRIs in the update sent: max 1, min 0
Address tracking is enabled, the RIB does have a route to <peer ip>
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
Cheers
Geoff
02-16-2019 12:06 PM
Hi Rick,
Just some more background that might be helpful.
Also, I am successfully pinging the peer IP with both IPv4 & IPv6, just not beyond.
We have a working BGP with the same ISP & same AS at our other DC, but that is JunOS.
Once successful with the ASA 5585-x we will set up iBGP between the 2 DCs.
Cheers
Geoff
02-16-2019 12:57 PM
Hello,
--> We have a working BGP with same ISP & same AS at our other DC, but that is JunOS.
That might be the problem. What is your ISP supposed to send to the new peer? Check with your ISP what networks or routes they are sending, if any, to the new peer...
02-16-2019 01:54 PM
Hello,
Not sure if I read your topology correctly, but if you are dual-homed to the same ISP, which router do you want to be the exit point? Your iBGP peer is a JunOS router? Can you post the config of that router as well?
02-16-2019 02:06 PM
Hi Georg,
We have not configured iBGP yet, we thought it would be best to get basic eBGP working first.
At this stage we are not wanting to route from DC1 to DC2 yet.
Will post JunOS shortly.
Cheers
02-16-2019 03:03 PM
Hi Georg,
JunOS Configs at other DC:
interfaces {
    ethernet eth3 {
        address xxx.xxx.89/31
        duplex auto
        firewall {
            in {
            }
            local {
            }
        }
        speed auto
    }
    ethernet eth5 {
        duplex full
        speed 10000
        vif 14 {
            address xxx.xxx.15.1/25
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth5.14
    wan-interface eth3
}
protocols {
    bgp nnnnnn {
        neighbor xxx.xxx.xxx.88 {
            remote-as nnnnn
        }
        network xxx.xxx.14.0/23 {
        }
        network xxx.xxx.15.0/24 {
        }
        parameters {
            router-id xxx.xxx.xxx.89
        }
    }
    static {
        route 0.0.0.0/0 {
            next-hop xxx.xxx.xxx.88 {
                distance 250
            }
        }
        route xxx.xxx.14.0/23 {
            blackhole {
            }
        }
        route xxx.xxx.15.0/24 {
            blackhole {
            }
        }
    }
}
02-16-2019 02:00 PM
Some more investigations:
sh bgp neighbors xxx.xxx.xxx.90 advertised-routes
BGP table version is 46, local router ID is xxx.xxx.xxx.91
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> xxx.xxx.14.0/24 0.0.0.0 0 32768 i
*> xxx.xxx.14.0/23 0.0.0.0 0 32768 i
Total number of prefixes 2
sh bgp xxx.xxx.14.0
BGP routing table entry for xxx.xxx.14.0/24, version 45
Paths: (1 available, best #1, table default)
Advertised to update-groups:
1
Local
0.0.0.0 from 0 (xxx.xxx.xxx.91)
Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
02-16-2019 02:07 PM
Geoff
There are still some things about what is going on that I do not understand. But if I understand correctly, in the original post your concern was that BGP seemed to be working but you did not see any BGP routes on your ASA. The responses to my request for information do show that BGP is running and that you have formed 1 BGP neighbor relationship. And it shows that your neighbor has advertised 1 route to you. Based on what I know at this point, my best guess is that this BGP neighbor is advertising a default route to you. And it does not show up because you have a static default route configured. To clarify this, could you post the output of show ip bgp from your ASA?
In another post you mention something about accessing the public IP from BGP interface. Am I correct to assume that both are security level 0? If so have you enabled same security level inter interface?
HTH
Rick
02-16-2019 02:24 PM
Hi Rick,
Below is sh bgp. I have changed the interface security level to 0, as we only had BGP-LINK set to 0, plus enabled same security level between interfaces:
show bgp
BGP table version is 46, local router ID is xxx.xxx.xxx.91
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
r> 0.0.0.0 xxx.xxx.xxx.90 0 nnnnnn i
*> xxx.xxx.14.0/24 0.0.0.0 0 32768 i
*> xxx.xxx.14.0/23 0.0.0.0 0 32768 i
interface Port-channel2
no nameif
security-level 100
no ip address
!
interface Port-channel2.14
vlan 14
nameif public
security-level 100
ip address xxx.xxx.14.1 255.255.255.128
Cheers
Geoff
02-16-2019 02:46 PM
Geoff
Was I correct in understanding that the concern in your original post was that there were no routes learned from your BGP neighbor? If so then that concern has been solved. You did indeed learn 1 route from that neighbor. It does not show up because when BGP attempted to insert that route into the routing table there was a RIB failure because there was another route with a better Administrative Distance. Perhaps there is a question about whether you want to use the BGP route instead of the configured static default route. If so then simply change the AD of the configured static default route(s) to a value higher than BGP. So it looks to me like the question about learning BGP routes is resolved. Are there other issues?
HTH
Rick
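The RIB-failure diagnosis above can be checked mechanically. This added Python script (not from the thread or from Cisco) parses constructed "show bgp" and "show run route" samples modelled on Geoff's output, reports which static routes out-rank each "r" prefix on administrative distance, and emits the higher-distance static lines Rick suggests. The default distances (static 1, eBGP 20) are the standard ASA/IOS values and 250 is an assumed floating-static choice matching the JunOS site's config.

```python
"""Spot BGP prefixes that lost to a static route on administrative distance.
Sample output below is constructed for this example, modelled on the thread;
addresses and AS numbers are documentation placeholders."""
import ipaddress
import re

EBGP_AD = 20  # default administrative distances on the ASA: static 1, eBGP 20

SHOW_BGP = """\
     Network          Next Hop            Metric LocPrf Weight Path
r>   0.0.0.0          203.0.113.90             0             0 64500 i
*>   198.51.100.0/24  0.0.0.0                  0         32768 i
*>   198.51.100.0/23  0.0.0.0                  0         32768 i
"""
SHOW_RUN_ROUTE = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route BGP-LINK 0.0.0.0 0.0.0.0 203.0.113.90 2
"""

def parse_static_routes(text):
    """Map each static prefix to its [(interface, next_hop, distance)] entries."""
    statics = {}
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?", text, re.M):
        iface, net, mask, next_hop, dist = m.groups()
        prefix = ipaddress.ip_network(f"{net}/{mask}")  # dotted mask -> /len
        statics.setdefault(prefix, []).append((iface, next_hop, int(dist or 1)))
    return statics

def parse_rib_failures(text):
    """Return prefixes whose status code starts with 'r' (RIB-failure) in 'show bgp'."""
    failed = []
    for line in text.splitlines():
        m = re.match(r"^r>?\s+(\S+)", line)
        if m:
            net = m.group(1)  # the ASA prints the default route as a bare 0.0.0.0
            failed.append(ipaddress.ip_network("0.0.0.0/0" if net == "0.0.0.0" else net))
    return failed

def explain_rib_failures(show_bgp, show_run_route, bgp_ad=EBGP_AD):
    """For each RIB-failure prefix, list the static routes whose distance beats BGP."""
    statics = parse_static_routes(show_run_route)
    return [(str(p), [r for r in statics.get(p, []) if r[2] <= bgp_ad])
            for p in parse_rib_failures(show_bgp)]

def floating_static_fix(show_run_route, show_bgp, distance=250):
    """Rewrite the offending static routes with a distance above BGP (assumed 250)."""
    fixes = []
    for prefix, routes in explain_rib_failures(show_bgp, show_run_route):
        net = ipaddress.ip_network(prefix)
        for iface, next_hop, _ in routes:
            fixes.append(f"route {iface} {net.network_address} {net.netmask} {next_hop} {distance}")
    return fixes
```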
02-16-2019 02:54 PM
Hi Rick,
Yes, you are correct, the initial issue is now resolved.
And yes, it looks like the RIB-failure has now been resolved by changing the priorities.
And now I have one last issue and that is I am unable to ping xxx.xxx.41.1 from internet.
Should I close discussion and create new discussion?
Many thanks for your kind assistance, as you have pointed us in the right direction to resolve issue.
Cheers
Geoff
02-17-2019 03:13 PM
Geoff
Thank you for the update that the original issue is solved. I am glad that my suggestions pointed you in the right direction. Thank you for marking this question as solved. This will help other participants in the community to identify discussions that have helpful information.
As far as your follow up question I have these comments:
- it is certainly valid for a discussion to begin with one issue and then to ask a follow up question about a different but related issue. On that basis you can ask the question here and not begin a new discussion.
- Once a discussion is marked as solved many participants will not look further at it or participate in it. On that basis you might be better off to begin a new discussion with your question.
- is the address really x.41.1? (I see no reference to this) or is it perhaps x.14.1? (I do see a reference to this)
- the basic security policy of ASA is to not allow traffic initiated from outside/Internet to inside resources. If you want to ping something on ASA from Internet you need an access list on outside that permits this. Do you have such an access list?
- it is certainly your choice. But if my suggestion here does not resolve your follow up question I would suggest that you begin a new discussion for it. (and if you do please let me know so I can follow it)
HTH
Rick