[c-nsp] ttl-security issues

[Charles Sprickman]

So I was reading the fine "Secure BGP Template" over at Cymru, and started looking at the "neighbor x.x.x.x ttl-security hops y" setting which I had not seen before.  My understanding after looking at the cisco docs was that you determined how many hops away your peers were, then you enable the setting based on the number of hops.  For example, a directly connected bgp peer would be:

neighbor x.x.x.x ttl-security hops 1

A multihop neighbor that's three hops away would be:

neighbor x.x.x.x ttl-security hops 3

I have nothing tricky going on here - two upstream neighbors each directly connected.

I enabled this on one and about a minute later the bgp session dropped.  The drop was logged, but there was nothing in the log stating that the ttl-security mechanism was what dropped it.  I removed the ttl-security statement, session came back up.  Tried with a hop count of 2 just for giggles, session drops, and again nothing in the log regarding the ttl-security mechanism.

It's late at night, so I try with the other neighbor.  Same thing.

Am I missing something obvious here?  Is there anything other than multi-hop config that interferes with this feature?

Thanks,

Charles

ps - what are some good references these days for overall cisco best practices in an ISP environment?  I've not had to do much beyond maintenance in quite some time and most of what I know dates to the era when cisco brought out the service provider train, the 2501 was a totally reasonable CPE, and NANOG was readable.