eBGP Peering through an ASA problem

alanfox987

Hey guys,

I'm having an issue setting up an eBGP peering through an ASA in GNS3 (implementing this on my production equipment in the near future) and can't seem to figure out the problem. If I connect these two routers through the ASA, the peering fails. If I connect the two routers directly and change the static routes to point to the new next hops, it works. So I'm inclined to think my ASA is preventing the BGP connection from establishing. There are some additional configuration items in the configs below that aren't necessarily pertinent to this problem, as the ultimate goal for this project is to set up BGP over GRE over IPsec using a 6500 & ASA on my end, and a router on their end (presumably using VTI ipsec protection profiles).. but I'm just starting off with getting the BGP peering up. And I'm not even totally sure if I'm doing that properly (or if this is possible).. Unfortunately it's been a little while since I've worked with these technologies and I'm a bit lost..

Topology: R1 -------- ASA -------- R2

Router1#sh run
Building configuration...

Current configuration : 1788 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 critical
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name lab.local
!
interface Loopback0
 ip address 10.217.81.25 255.255.255.248
!
interface Tunnel1
 description GRE-TUNNEL-1
 ip address 192.168.101.10 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.174.171.12
!
interface FastEthernet0/0
 ip address 10.217.81.22 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.2.2.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 10.2.2.0 mask 255.255.255.0
 neighbor 10.174.171.12 remote-as 1
 neighbor 10.174.171.12 ebgp-multihop 25
 neighbor 10.174.171.12 update-source Loopback0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.217.81.17
ip route 10.174.171.0 255.255.255.0 10.217.81.17
!
!
no ip http server
no ip http secure-server
!
ip access-list standard BGP-ROUTES
 permit 0.0.0.0
!
!
route-map BGP-ROUTES permit 10
 match ip address BGP-ROUTES
!
<omitted>
!
!
end

---------------

ASA# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.217.81.17 255.255.255.248
!
<omitted>
!
interface GigabitEthernet5
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
object network VPN-DYNAMIC-HOSTS
 subnet 10.251.0.0 255.255.240.0
object network VPN-STATIC-HOSTS
 subnet 10.251.4.0 255.255.255.0
object network obj-10.217.81.25-32
 host 10.217.81.25
 description Catalyst 6513 Loopback0
object network obj-10.174.171.12-32
 host 10.174.171.12
 description ISP
access-list VPN-ACL extended permit ip any 10.251.0.0 255.255.240.0
access-list VPN-ACL extended permit tcp host 10.217.81.25 host 10.174.171.13 eq bgp
access-list VPN-ACL extended permit tcp host 10.217.81.25 host 10.174.171.12 eq bgp
access-list VPN-ACL extended permit ip any 10.251.4.0 255.255.255.0
access-list inside-out extended permit tcp any host 10.174.171.12 eq bgp
access-list inside-out extended permit ip any any
access-list outside-acl extended permit ip any any
!
tcp-map OPTION-19
  tcp-options range 19 19 allow
!
pager lines 24
logging enable
logging buffer-size 10240
logging buffered critical
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside-acl out interface inside
access-group inside-out out interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 10.2.2.0 255.255.255.0 10.217.81.22 1
route outside 10.174.171.0 255.255.255.0 10.1.1.2 1
route inside 10.217.80.0 255.255.248.0 10.217.81.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN-TSET esp-aes-256 esp-sha-hmac
crypto map outside_map 19 match address VPN-ACL
crypto map outside_map 19 set peer 10.174.171.12
crypto map outside_map 19 set ikev1 transform-set VPN-TSET
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.174.171.12 type ipsec-l2l
tunnel-group 10.174.171.12 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map BGP
 match port tcp eq bgp
class-map INSPECT
 match any
!
!
policy-map INSPECT
 class INSPECT
  inspect icmp
 class BGP
  set connection random-sequence-number disable
  set connection advanced-options OPTION-19
!
service-policy INSPECT global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:75f708fe7b6e1e46a7430d709c10b69a
: end

----------------------------

R2#sh run
Building configuration...

Current configuration : 1843 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 critical
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
crypto keyring kr1
  pre-shared-key address 10.217.81.17 key cisco
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
crypto isakmp profile ikp1
   keyring kr1
   match identity address 10.217.81.17 255.255.255.255
!
!
crypto ipsec transform-set ts1 esp-aes esp-sha-hmac
!
crypto ipsec profile ip1
 set transform-set ts1
 set isakmp-profile ikp1
!
!
!
!
!
interface Loopback0
 ip address 10.174.171.12 255.255.255.0
!
interface Loopback1
 no ip address
!
interface Tunnel0
 ip address 192.168.101.9 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.217.81.25
 tunnel protection ipsec profile ip1
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.3.3.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 10.3.3.0 mask 255.255.255.0
 neighbor 10.217.81.25 remote-as 2
 neighbor 10.217.81.25 ebgp-multihop 25
 neighbor 10.217.81.25 update-source Loopback0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.217.81.0 255.255.255.0 10.1.1.1
!
!
no ip http server
no ip http secure-server
!
<omitted>
end

-------------

I have been fiddling with the ACLs and some other things, but a syslog message that I'm getting on both ends looks like this (with different IPs based on the router):

*Mar  2 04:50:52.556: BGP: 10.217.81.25 open failed: Connection timed out; remote host not responding, open active delayed 32705ms (35000ms max, 28% jitter)

Thanks for any assistance..

7 Replies

alanfox987

By the way, I can ping the loopbacks across from R1 to R2 and it works.

There is a lot to look through here. But one of the things I am noticing is that the ASA is doing an inspect on BGP and I wonder if that is the issue. As a test, would you be able to remove the inspect for BGP from the ASA?

HTH

Rick

Hi,

do you want to run eBGP through the tunnel?

In that case, you should use the tunnel internal addresses (192.168.101.10 and 192.168.101.9) as the BGP neighbor addresses (and update-sources).

And you should not need

neighbor .... ebgp-multihop 25

command in that case.

Best regards,

Milan

Thanks for the responses, guys. 

@Richard: I am disabling random sequence numbers and allowing TCP Option 19 to allow BGP authentication to function through the ASA.  But I'll give it a shot and have a response tomorrow.

@Milan: Thanks for the clarification.  Makes a lot of sense and was confusing me.  I might need to do that during the actual implementation, and your advice will definitely be helpful then. 

Hello Alan,

Refer to the document below, it might help you

ASA/PIX: BGP through ASA Configuration Example

Regards,

Ashish Shirkar

Community Manager-NI

Hello Alan,

As Robert suggested, remove service policy from configuration ->

no service-policy INSPECT global

BGP session will immediately go UP.

Best Regards

Please rate all helpful posts and close solved questions

Thanks for the responses, guys. Removing the service-policy worked. I enabled ICMP inspection so I wouldn't have to set up an ACL on both sides to allow pings for testing. Now I just have to figure out why that was killing the BGP session.. and to get this traffic encrypted over the tunnel.
