10-15-2013 09:14 PM - edited 02-21-2020 07:14 PM
Hello All,
An interesting issue; it could be silly, but I don't get it. Pretty simple configuration:
Building configuration...
Current configuration : 1020 bytes
ip vrf CIT
rd 65500:100
!
!
interface Tunnel731
bandwidth 500000
ip vrf forwarding CIT
ip address 10.192.1.1 255.255.255.252
ip access-group cit-tunnel-protect in
ip mtu 1400
ip tcp adjust-mss 1360
load-interval 30
tunnel source Loopback0
tunnel destination 123.45.6.7
tunnel protection ipsec profile cit
crypto engine slot 1/0 inside
router bgp 65004
!
address-family ipv4 vrf CIT
no synchronization
neighbor 10.192.1.2 remote-as 65522
neighbor 10.192.1.2 activate
exit-address-family
!
end
int lo0
ip add 98.76.54.32 255.255.255.255
Extended IP access list cit-tunnel-protect
10 permit tcp 10.192.1.0 0.0.0.3 10.192.1.0 0.0.0.3 eq bgp
20 permit icmp 10.192.1.0 0.0.0.3 10.192.1.0 0.0.0.3
65000 deny ip any any
----------------------------------------------------------
Ping: no problem. Routing: no problem. But the problem is this: when the IKE1 session is initiated by the remote peer, BGP comes up with no problem, but if the session is initiated by the local peer, BGP won't come up.
show crypto isakmp sa:
IPv4 Crypto ISAKMP SA
dst             src             state    conn-id  slot  status
98.76.54.32     123.45.6.7      QM_IDLE  68011          ACTIVE   <-- BGP comes up fine

123.45.6.7      98.76.54.32     QM_IDLE  68011          ACTIVE   <-- BGP won't come up
I tried removing the access-list, but I think the same results were observed...
What am I missing here ?
Thanks,
Josh
10-16-2013 11:56 AM
Could it be the ACL; try adding the following:
15 permit tcp 10.192.1.0 0.0.0.3 eq bgp 10.192.1.0 0.0.0.3
BGP runs on TCP, so it's kind of a client/server connection. One side uses a random port >1024 to connect to TCP/179 on the other side. Your ACL matches depending on which BGP neighbor initiated the connection, but it does not match both cases...
Patrick
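To make Patrick's point concrete, here is a small ACL evaluator (an added example, not code from the thread or from Cisco) that replays the inbound half of a BGP session over Tunnel731 against the original access list and against the list with sequence 15 added. It is constructed for illustration: the ephemeral port 34567 is an assumption, the wildcard 0.0.0.3 is written as /30, and the evaluator models only the first-match semantics of a numbered extended ACL. Note that the original poster later reports the same behaviour without the ACL, so this only covers the ACL part of the problem.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

BGP_PORT = 179
LOCAL, REMOTE = "10.192.1.1", "10.192.1.2"   # tunnel endpoints from the posted config
EPHEMERAL = 34567                              # assumed client-side port (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp" or "icmp"
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "icmp" or "ip" (ip matches any protocol)
    src: str                   # CIDR; 10.192.1.0 0.0.0.3 == 10.192.1.0/30
    dst: str
    src_port: Optional[int] = None   # "eq" on the source port, if any
    dst_port: Optional[int] = None   # "eq" on the destination port, if any


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Return True when the packet matches every field the ACE constrains."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(ace.dst):
        return False
    if ace.src_port is not None and pkt.src_port != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation; an ACL with no matching entry denies implicitly."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# Access list exactly as posted: only packets *to* TCP/179 are permitted.
ORIGINAL_ACL = [
    Ace(10, "permit", "tcp", "10.192.1.0/30", "10.192.1.0/30", dst_port=BGP_PORT),
    Ace(20, "permit", "icmp", "10.192.1.0/30", "10.192.1.0/30"),
    Ace(65000, "deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# Patrick's suggestion: also permit packets *from* TCP/179 (the return half
# of a session the local router opened).
FIXED_ACL = ORIGINAL_ACL + [
    Ace(15, "permit", "tcp", "10.192.1.0/30", "10.192.1.0/30", src_port=BGP_PORT),
]


def inbound_bgp_packets(initiator: str) -> List[Packet]:
    """Packets that arrive inbound on the tunnel for a session opened by `initiator`.

    The ACL is applied 'in', so only the remote-to-local direction is filtered.
    """
    if initiator == "remote":
        # Remote neighbor connects from its ephemeral port to our TCP/179.
        return [Packet(REMOTE, LOCAL, "tcp", EPHEMERAL, BGP_PORT)]
    if initiator == "local":
        # We connect to the remote's TCP/179; what comes back has src port 179.
        return [Packet(REMOTE, LOCAL, "tcp", BGP_PORT, EPHEMERAL)]
    raise ValueError(initiator)


def session_permitted(acl: List[Ace], initiator: str) -> bool:
    """True when every inbound packet of the session passes the ACL."""
    return all(evaluate(acl, p)[0] == "permit" for p in inbound_bgp_packets(initiator))


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("with seq 15", FIXED_ACL)):
        for who in ("remote", "local"):
            pkt = inbound_bgp_packets(who)[0]
            action, seq = evaluate(acl, pkt)
            print(f"{name:12} {who}-initiated  inbound {pkt.src_port}->{pkt.dst_port}: "
                  f"{action} (seq {seq})")
```

Running it shows the asymmetry Patrick describes: with the original list the remote-initiated session is permitted by sequence 10, while the return traffic of a locally initiated session (source port 179, ephemeral destination) falls through to the explicit deny at 65000; with sequence 15 added both directions pass. A stateful alternative on IOS would be a reflexive or CBAC/zone-based inspection rule instead of two static entries, but the two-line ACL is the minimal fix for what is posted.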
10-16-2013 02:05 PM
Thanks Patrick, I am seeing the same behaviour even without the access-list. I am waiting to see how the remote router is configured. I don't see phase 2 coming up when the local peer (98.76.54.32) initiated the session.