[167003] in North American Network Operators' Group
Re: BGP neighbor/configuration testing
daemon@ATHENA.MIT.EDU (Eric A Louie)
Mon Nov 25 20:25:30 2013
Date: Mon, 25 Nov 2013 17:21:26 -0800 (PST)
From: Eric A Louie <elouie@yahoo.com>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <20131125233748.GL16082@angus.ind.WPI.EDU>
Reply-To: Eric A Louie <elouie@yahoo.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
No logged error with mismatched neighbor IP address - neither router had an entry.  Session did not establish nor go active; I could wait forever and neither would happen.  Point is, an error message is not generated on the downstream router, so it's probably not the cause for the error message.

I asked my upstream to check if the "local interface" command was being used (that would cause the multihop, but I did put in 2 or 3 as the ebgp-multihop value and still didn't get the session up).

Your last comment about max-prefix is probably the problem and the solution.  Right now, the entire configuration is in the router with a "neighbor shutdown".  When we bring it up tomorrow, the filters will all be there so that only 13 of my prefixes are advertised, hopefully keeping the BGP session up and closing this saga.  (The router already has another upstream connected, so when I turned up the neighbor without a filter, I flooded the upstream's router with routes, but it took us this long to figure that out.)

On a Cisco-to-Cisco session, when max-prefixes is exceeded and there's a restart specified, the error (on the offender) is not quite the same as the error I'm seeing:

*Apr  9 02:41:39.827: %BGP-3-NOTIFICATION: received from neighbor 10.250.254.253 3/1 (update malformed) 0 bytes
*Apr  9 02:41:39.827: %BGP-5-ADJCHANGE: neighbor 10.250.254.253 Down BGP Notification received

On the upstream (where the max-prefix was configured):

*Nov 26 04:10:02.108: %BGP-4-MAXPFX: No. of prefix received from 10.250.254.254 (afi 0) reaches 2, max 2
*Nov 26 04:10:02.108: %BGP-3-MAXPFXEXCEED: No. of prefix received from 10.250.254.254 (afi 0): 3 exceed limit 2
*Nov 26 04:10:02.108: %BGP-5-ADJCHANGE: neighbor 10.250.254.254 Down BGP Notification sent
*Nov 26 04:10:02.108: %BGP-3-NOTIFICATION: sent to neighbor 10.250.254.254 3/1 (update malformed) 0 bytes  FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0032 0200 0000 1940 0101 0040 0204 0201 6A39 4003 040A FAFE FE80 0404 0000 0000 0802


>________________________________
> From: Chuck Anderson <cra@WPI.EDU>
>To: nanog@nanog.org
>Sent: Monday, November 25, 2013 3:37 PM
>Subject: Re: BGP neighbor/configuration testing
>
>
>When you say "no logged error" with mismatched neighbor IP address,
>what do you mean?  Did the session just not establish at all?  How
>long did you wait for it to attempt to establish?
>
>On Juniper, if it sees a BGP connection come from an IP address that
>doesn't match a local "neighbor" statement, it will send a BGP
>Notification, code 2 (Open Message Error), subcode 5 (authentication
>failure), which is exactly what you are seeing.
>
>If one side is using a loopback IP instead of a physical IP for the
>local-address, that would cause both a multihop/TTL issue and a
>neighbor IP mismatch.
>
>Another possibility is if you have exceeded the max prefix limit for
>the session.  One side will get stuck in Idle state, which may cause
>the other side to send the same "authentication failure" notification.
>
>On Mon, Nov 25, 2013 at 03:07:28PM -0800, Eric A Louie wrote:
>> All Cisco/Cisco, I don't have a Juniper here to test with.
>>
>> mismatch AS
>> *Apr  9 00:31:47.691: %BGP-3-NOTIFICATION: received from neighbor 10.250.254.253 2/2 (peer in wrong AS) 2 bytes 6A39
>>
>> mismatch neighbor IP address
>> no logged error
>>
>> MTU mismatch
>> no logged error, session remained up
>>
>> Subnet mask mismatch
>> session remained up, no logged error
>>
>> I haven't created the multihop scenario to see the error messages.
>>
>> None of these issues caused the (authentication failure).
>>
>>
>> >________________________________
>> > From: Chuck Anderson <cra@WPI.EDU>
>> >To: nanog@nanog.org
>> >Sent: Monday, November 25, 2013 11:10 AM
>> >Subject: Re: BGP neighbor/configuration testing
>> >
>> >
>> >Authentication failure might mean (without knowing for sure which on
>> >Cisco):
>> >
>> >- mismatch AS numbers
>> >- mismatch neighbor IP addresses
>> >- multihop/TTL issues
>> >- MTU issues
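The upstream's %BGP-3-NOTIFICATION log line above ends with a hex dump. Those bytes are not the NOTIFICATION itself but the UPDATE the upstream had just received: a 50-byte message carrying one prefix, with an AS_PATH of a single 2-byte AS (0x6A39 = 27193, the same value reported in the earlier "peer in wrong AS" line). The decoder below, added here as a worked example and not part of any post in the thread, parses that dump and also names the NOTIFICATION code/subcode pairs that appear in the discussion (2/2, 2/5, 3/1) from RFC 4271 section 4.5, plus the Cease subcodes of RFC 4486, which assigns 6/1 to "Maximum Number of Prefixes Reached". The dump is taken verbatim from the log line; the parser handles IPv4 unicast UPDATEs with 2-byte AS numbers only, which is what the dump contains.

```python
"""Decode the BGP UPDATE hex dump from a Cisco %BGP-3-NOTIFICATION log line
and name BGP NOTIFICATION code/subcode pairs (RFC 4271 sec. 4.5, RFC 4486).

Added example for the NANOG thread; not code from the original posts.
Scope: IPv4 unicast UPDATE, 2-byte AS numbers in AS_PATH (as in the dump).
"""
import ipaddress
import struct

# Hex copied from the upstream router's "%BGP-3-NOTIFICATION: sent to
# neighbor 10.250.254.254 3/1 (update malformed)" log line in the thread.
CISCO_LOG_DUMP = (
    "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0032 0200 0000 1940 0101 0040 "
    "0204 0201 6A39 4003 040A FAFE FE80 0404 0000 0000 0802"
)

# NOTIFICATION error codes and subcodes (RFC 4271 section 4.5; code 6 from RFC 4486).
NOTIFICATION_CODES = {
    1: ("Message Header Error", {1: "Connection Not Synchronized",
                                 2: "Bad Message Length", 3: "Bad Message Type"}),
    2: ("OPEN Message Error", {1: "Unsupported Version Number", 2: "Bad Peer AS",
                               3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                               5: "Authentication Failure (deprecated)",
                               6: "Unacceptable Hold Time"}),
    3: ("UPDATE Message Error", {1: "Malformed Attribute List",
                                 2: "Unrecognized Well-known Attribute",
                                 3: "Missing Well-known Attribute",
                                 4: "Attribute Flags Error", 5: "Attribute Length Error",
                                 6: "Invalid ORIGIN Attribute", 8: "Invalid NEXT_HOP Attribute",
                                 9: "Optional Attribute Error", 10: "Invalid Network Field",
                                 11: "Malformed AS_PATH"}),
    4: ("Hold Timer Expired", {}),
    5: ("Finite State Machine Error", {}),
    6: ("Cease", {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
                  3: "Peer De-configured", 4: "Administrative Reset",
                  5: "Connection Rejected", 6: "Other Configuration Change",
                  7: "Connection Collision Resolution", 8: "Out of Resources"}),
}

ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}


def notification_name(code, subcode):
    """Turn a logged 'code/subcode' pair such as 3/1 into its RFC names."""
    name, subs = NOTIFICATION_CODES.get(code, ("Unknown", {}))
    return f"{name} / {subs.get(subcode, 'Unspecified')}"


def _prefixes(buf):
    """Decode (prefix-length, truncated prefix) pairs from a withdrawn or NLRI field."""
    out, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        raw = buf[i + 1:i + 1 + nbytes].ljust(4, b"\x00")   # pad to 4 octets
        out.append(f"{ipaddress.IPv4Address(raw)}/{plen}")
        i += 1 + nbytes
    return out


def parse_bgp_update(hex_dump):
    """Parse a BGP UPDATE from a spaced hex dump; raise ValueError if it is not one."""
    msg = bytes.fromhex(hex_dump.replace(" ", ""))
    if msg[:16] != b"\xff" * 16:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg):
        raise ValueError(f"length field {length} != {len(msg)} bytes present")
    if msg_type != 2:
        raise ValueError(f"not an UPDATE (type {msg_type})")
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = _prefixes(body[2:2 + wlen])
    pos = 2 + wlen
    alen = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    attrs, end = {}, pos + alen
    while pos < end:
        flags, atype = body[pos], body[pos + 1]
        if flags & 0x10:                       # Extended Length bit set
            vlen = struct.unpack("!H", body[pos + 2:pos + 4])[0]
            pos += 4
        else:
            vlen = body[pos + 2]
            pos += 3
        val = body[pos:pos + vlen]
        pos += vlen
        if atype == 1:                         # ORIGIN
            attrs["origin"] = ORIGIN_NAMES.get(val[0], str(val[0]))
        elif atype == 2:                       # AS_PATH: (segment type, [ASNs]) list
            path, j = [], 0
            while j < len(val):
                seg_type, count = val[j], val[j + 1]
                asns = struct.unpack(f"!{count}H", val[j + 2:j + 2 + 2 * count])
                path.append((seg_type, list(asns)))
                j += 2 + 2 * count
            attrs["as_path"] = path
        elif atype == 3:                       # NEXT_HOP
            attrs["next_hop"] = str(ipaddress.IPv4Address(val))
        elif atype == 4:                       # MULTI_EXIT_DISC
            attrs["med"] = struct.unpack("!I", val)[0]
        else:
            attrs[f"type_{atype}"] = val.hex()
    return {"withdrawn": withdrawn, "attrs": attrs, "nlri": _prefixes(body[end:])}


if __name__ == "__main__":
    print(parse_bgp_update(CISCO_LOG_DUMP))
    for pair in ((2, 2), (2, 5), (3, 1), (6, 1)):
        print(f"{pair[0]}/{pair[1]}: {notification_name(*pair)}")
```

Running it shows the dumped UPDATE announces 2.0.0.0/8 with AS_PATH [27193], next hop 10.250.254.254, ORIGIN IGP and MED 0, and that 3/1 is "UPDATE Message Error / Malformed Attribute List" while the RFC 4486 code for a max-prefix shutdown would be 6/1. When reading Cisco logs for a session torn down by maximum-prefix, check the %BGP-3-MAXPFXEXCEED line next to the NOTIFICATION rather than relying on the code/subcode alone.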