[j-nsp] juniper-nsp Digest, Vol 54, Issue 6

Naminda Jayawardana naminda.jayawardana at dialog.lk
Fri May 4 12:34:19 EDT 2007


First remove authentication and try again

Naminda

Sent by dialog blackberry

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net <juniper-nsp-bounces at puck.nether.net>
To: juniper-nsp at puck.nether.net <juniper-nsp at puck.nether.net>
Sent: Fri May 04 21:30:08 2007
Subject: juniper-nsp Digest, Vol 54, Issue 6

Send juniper-nsp mailing list submissions to
	juniper-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://puck.nether.net/mailman/listinfo/juniper-nsp
or, via email, send a message with subject or body 'help' to
	juniper-nsp-request at puck.nether.net

You can reach the person managing the list at
	juniper-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of juniper-nsp digest..."


Today's Topics:

   1. Re: BGP over GRE (Guy Davies)
   2. Re: BGP over GRE (Scott Morris)
   3. Re: BGP over GRE (Scott Morris)
   4. Re: BGP over GRE (Guy Davies)


----------------------------------------------------------------------

Message: 1
Date: Fri, 4 May 2007 08:53:45 +0100
From: "Guy Davies" <aguydavies at gmail.com>
Subject: Re: [j-nsp] BGP over GRE
To: swm at emanon.com
Cc: juniper-nsp at puck.nether.net
Message-ID:
	<38f596590705040053q2680512flc8f9e925e34b8891 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Scott,

This error message means that the far end is sending packets with the
source of 10.255.255.2 and the AS number 7963.  In your config, there
is no peer with that config.  I suspect that you're probably using a
different address for that peer.  If you have direct connectivity to
that peer on that address, then simply update your config to use the
correct neighbour address and it should work.

Rgds,

Guy

On 04/05/07, Scott Morris <swm at emanon.com> wrote:
> This is a very strange question, and very strange scenario...  but I'm also
> getting some very strange errors, so I'm hoping that someone here may have
> seen this before and can give me some hint of whatever I'm apparently not
> thinking of!
>
> I have a GRE tunnel from a J2300 to a Cisco router.  The GRE is very simple,
> and it works just fine (at least as far as pinging the other end of the
> tunnel or telnetting to it goes!).  However, BGP over this tunnel does not
> work.  Again, it SHOULD be a very simple setup, directly connected ebgp
> peers, no multihop, nothing strange.
>
> It's not working.  On the Cisco side, it shows as an authentication error
> (at first we weren't doing any, but then turned it on just to see if it made
> a difference which it did not).  But on the Juniper side, the error shows up
> ONLY in the /var/log/messages file.
>
> May  4 00:31:01  Emanon-Edge rpd[2797]: bgp_pp_recv: NOTIFICATION sent to
> 10.255.255.2+34211 (proto): code 2 (Open Message Error) subcode 5
> (authentication failure), Reason: no group for 10.255.255.2+34211 (proto)
> from AS 7963 found (peer idled), dropping him
>
> This was the same message with or without authentication enabled on the BGP
> portion.  When I do a "monitor interface" to try to watch the traffic, I
> don't even SEE any outbound bgp traffic.  Same thing with traceoptions
> detail.  This "no group" message is quite vexing.
>
> Anyone seen anything like this before?  I'm hoping it's something simple and
> driven by lack of sleep, but nothing is leaping at me.
>
> TIA,
>
> Scott
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


------------------------------

Message: 2
Date: Fri, 4 May 2007 08:57:46 -0400
From: "Scott Morris" <swm at emanon.com>
Subject: Re: [j-nsp] BGP over GRE
To: "'Kristian Larsson'" <kristian at spritelink.se>
Cc: juniper-nsp at puck.nether.net
Message-ID: <02dc01c78e4b$cfbd75a0$70259ed0 at amer.cisco.com>
Content-Type: text/plain;	charset="us-ascii"

    gr-0/0/0 {
        unit 0 {
            clear-dont-fragment-bit;
            tunnel {
                source xxx.xxx.115.178;
                destination yyy.yyy.112.2;
                no-path-mtu-discovery;
            }
            family inet {
                mtu 1500;
                address 10.255.255.1/30;
            }
        }
    }
protocols {
    bgp {
        group STDIO {
            type external;
            traceoptions {
                file STDIO;
                flag packets send receive detail;
            }
            local-address 10.255.255.1;
            import No-Routes-In;
            authentication-key "$9$Opu01IcreWLxdhSs4aZq.5QF/A0IEy"; ## SECRET-DATA
            export BadMyLinks;
            peer-as 7963;
            neighbor 10.255.255.2;
        }
    }
}


Yes, my autonomous-system is defined...  My other eBGP peers work perfectly
fine (one directly connected, two multihop) without issue.

I'd love to give more log details, but there aren't any!  :)

Notice the traceoptions in the config there.  Here is the ENTIRE file (yes,
the date/time on the router is accurate):
smorris@Emanon-Edge> show log STDIO
Apr 13 15:48:53 trace_on: Tracing to "/var/log/STDIO" started
Apr 13 20:42:27.099946 bgp_peer_mgmt_clear: NOTIFICATION sent to 10.255.255.2 (External AS 7963): code 6 (Cease) subcode 4 (Administratively Reset), Reason: Management session cleared BGP neighbor
Apr 13 20:42:27.101386 bgp_send: sending 21 bytes to 10.255.255.2 (External AS 7963)
Apr 13 20:42:27.101410
Apr 13 20:42:27.101410 BGP SEND (null) -> 10.255.255.2
Apr 13 20:42:27.103228 BGP SEND message type 3 (Notification) length 21
Apr 13 20:42:27.103288 BGP SEND Notification code 6 (Cease) subcode 4 (Administratively Reset)
Apr 13 20:42:27.103566 bgp_send: sending 21 bytes to 10.255.255.2 (External AS 7963) failed: Bad file descriptor
Apr 18 23:12:37.048543 bgp_peer_mgmt_clear: NOTIFICATION sent to 10.255.255.2 (External AS 7963): code 6 (Cease) subcode 4 (Administratively Reset), Reason: Management session cleared BGP neighbor
Apr 18 23:12:37.048719 bgp_send: sending 21 bytes to 10.255.255.2 (External AS 7963)
Apr 18 23:12:37.048742
Apr 18 23:12:37.048742 BGP SEND (null) -> 10.255.255.2
Apr 18 23:12:37.048788 BGP SEND message type 3 (Notification) length 21
Apr 18 23:12:37.048807 BGP SEND Notification code 6 (Cease) subcode 4 (Administratively Reset)
Apr 18 23:12:37.049050 bgp_send: sending 21 bytes to 10.255.255.2 (External AS 7963) failed: Bad file descriptor

smorris@Emanon-Edge>

So something freaky is going on, just not sure what it is!

Scott

-----Original Message-----
From: Kristian Larsson [mailto:kristian at spritelink.se] 
Sent: Friday, May 04, 2007 2:18 AM
To: Scott Morris
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] BGP over GRE

Could we please have some configuration excerpts?
Right now the only similar scenario I can come up with was when I was doing
iBGP over GRE, but then I made the mistake of terminating both the GRE and
the iBGP session on the other router's loopback and so it failed. Since this
is an eBGP session it's even less complicated. But please, provide some
configurations and some more log messages wouldn't hurt.

  Kristian.

On Fri, May 04, 2007 at 12:34:37AM -0400, Scott Morris wrote:
> This is a very strange question, and very strange scenario...  but I'm 
> also getting some very strange errors, so I'm hoping that someone here 
> may have seen this before and can give me some hint of whatever I'm 
> apparently not thinking of!
>  
> I have a GRE tunnel from a J2300 to a Cisco router.  The GRE is very 
> simple, and it works just fine (at least as far as pinging the other 
> end of the tunnel or telnetting to it goes!).  However, BGP over this 
> tunnel does not work.  Again, it SHOULD be a very simple setup, 
> directly connected ebgp peers, no multihop, nothing strange.
>  
> It's not working.  On the Cisco side, it shows as an authentication 
> error (at first we weren't doing any, but then turned it on just to 
> see if it made a difference which it did not).  But on the Juniper 
> side, the error shows up ONLY in the /var/log/messages file.
>  
> May  4 00:31:01  Emanon-Edge rpd[2797]: bgp_pp_recv: NOTIFICATION sent 
> to
> 10.255.255.2+34211 (proto): code 2 (Open Message Error) subcode 5 
> (authentication failure), Reason: no group for 10.255.255.2+34211 
> (proto) from AS 7963 found (peer idled), dropping him
> 
> This was the same message with or without authentication enabled on 
> the BGP portion.  When I do a "monitor interface" to try to watch the 
> traffic, I don't even SEE any outbound bgp traffic.  Same thing with 
> traceoptions detail.  This "no group" message is quite vexing.
>  
> Anyone seen anything like this before?  I'm hoping it's something 
> simple and driven by lack of sleep, but nothing is leaping at me.
>  
> TIA,
>  
> Scott

-- 
Kristian Larsson                                   KLL-RIPE
Network Engineer                       SpriteLink [AS39525]
+46 704 910401			     kristian at spritelink.se



------------------------------

Message: 3
Date: Fri, 4 May 2007 08:59:40 -0400
From: "Scott Morris" <swm at emanon.com>
Subject: Re: [j-nsp] BGP over GRE
To: "'Guy Davies'" <aguydavies at gmail.com>
Cc: juniper-nsp at puck.nether.net
Message-ID: <02dd01c78e4c$141bbf90$70259ed0 at amer.cisco.com>
Content-Type: text/plain;	charset="us-ascii"

In theory, I'd agree with you, but that's not the case (I'd have to smack
myself for overlooking that one!):

        group STDIO {
            type external;
            traceoptions {
                file STDIO;
                flag packets send receive detail;
            }
            local-address 10.255.255.1;
            import No-Routes-In;
            authentication-key "$9$Opu01IcreWLxdhSs4aZq.5QF/A0IEy"; ## SECRET-DATA
            export BadMyLinks;
            peer-as 7963;
            neighbor 10.255.255.2;
        }

Neighbor is there plain as day.  

Scott 

-----Original Message-----
From: Guy Davies [mailto:aguydavies at gmail.com] 
Sent: Friday, May 04, 2007 3:54 AM
To: swm at emanon.com
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] BGP over GRE

Hi Scott,

This error message means that the far end is sending packets with the source
of 10.255.255.2 and the AS number 7963.  In your config, there is no peer
with that config.  I suspect that you're probably using a different address
for that peer.  If you have direct connectivity to that peer on that
address, then simply update your config to use the correct neighbour address
and it should work.

Rgds,

Guy

On 04/05/07, Scott Morris <swm at emanon.com> wrote:
> This is a very strange question, and very strange scenario...  but I'm 
> also getting some very strange errors, so I'm hoping that someone here 
> may have seen this before and can give me some hint of whatever I'm 
> apparently not thinking of!
>
> I have a GRE tunnel from a J2300 to a Cisco router.  The GRE is very 
> simple, and it works just fine (at least as far as pinging the other 
> end of the tunnel or telnetting to it goes!).  However, BGP over this 
> tunnel does not work.  Again, it SHOULD be a very simple setup, 
> directly connected ebgp peers, no multihop, nothing strange.
>
> It's not working.  On the Cisco side, it shows as an authentication 
> error (at first we weren't doing any, but then turned it on just to 
> see if it made a difference which it did not).  But on the Juniper 
> side, the error shows up ONLY in the /var/log/messages file.
>
> May  4 00:31:01  Emanon-Edge rpd[2797]: bgp_pp_recv: NOTIFICATION sent 
> to
> 10.255.255.2+34211 (proto): code 2 (Open Message Error) subcode 5 
> (authentication failure), Reason: no group for 10.255.255.2+34211 
> (proto) from AS 7963 found (peer idled), dropping him
>
> This was the same message with or without authentication enabled on 
> the BGP portion.  When I do a "monitor interface" to try to watch the 
> traffic, I don't even SEE any outbound bgp traffic.  Same thing with 
> traceoptions detail.  This "no group" message is quite vexing.
>
> Anyone seen anything like this before?  I'm hoping it's something 
> simple and driven by lack of sleep, but nothing is leaping at me.
>
> TIA,
>
> Scott



------------------------------

Message: 4
Date: Fri, 4 May 2007 14:10:06 +0100
From: "Guy Davies" <aguydavies at gmail.com>
Subject: Re: [j-nsp] BGP over GRE
To: swm at emanon.com
Cc: juniper-nsp at puck.nether.net
Message-ID:
	<38f596590705040610h5d8f2248h78e5662b9519cdde at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Scott

On 04/05/07, Scott Morris <swm at emanon.com> wrote:
> Notice the traceoptions in the config there.  Here is the ENTIRE file (yes,
> the date/time on the router is accurate):
> smorris@Emanon-Edge> show log STDIO
> Apr 13 15:48:53 trace_on: Tracing to "/var/log/STDIO" started
> Apr 13 20:42:27.099946 bgp_peer_mgmt_clear: NOTIFICATION sent to
> 10.255.255.2 (External AS 7963): code 6 (Cease) subcode 4 (Administratively
> Reset), Reason: Management session cleared BGP neighbor
> Apr 13 20:42:27.101386 bgp_send: sending 21 bytes to 10.255.255.2 (External
> AS 7963)
> Apr 13 20:42:27.101410
> Apr 13 20:42:27.101410 BGP SEND (null) -> 10.255.255.2
> Apr 13 20:42:27.103228 BGP SEND message type 3 (Notification) length 21
> Apr 13 20:42:27.103288 BGP SEND Notification code 6 (Cease) subcode 4
> (Administratively Reset)
> Apr 13 20:42:27.103566 bgp_send: sending 21 bytes to 10.255.255.2 (External
> AS 7963) failed: Bad file descriptor
> Apr 18 23:12:37.048543 bgp_peer_mgmt_clear: NOTIFICATION sent to
> 10.255.255.2 (External AS 7963): code 6 (Cease) subcode 4 (Administratively
> Reset), Reason: Management session cleared BGP neighbor
> Apr 18 23:12:37.048719 bgp_send: sending 21 bytes to 10.255.255.2 (External
> AS 7963)
> Apr 18 23:12:37.048742
> Apr 18 23:12:37.048742 BGP SEND (null) -> 10.255.255.2
> Apr 18 23:12:37.048788 BGP SEND message type 3 (Notification) length 21
> Apr 18 23:12:37.048807 BGP SEND Notification code 6 (Cease) subcode 4
> (Administratively Reset)
> Apr 18 23:12:37.049050 bgp_send: sending 21 bytes to 10.255.255.2 (External
> AS 7963) failed: Bad file descriptor

Ah, this is a new error.  It's saying that the *far end* is closing
the session.  You'll need to look at the logs on the far end to see
what the problem might be :-)

Rgds,

Guy
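
The NOTIFICATION lines quoted in this thread, parsed into fields (added example, not part of any poster's message). The function and field names are hypothetical, and the "received from" form is an assumed counterpart to the "sent to" form that appears in the logs above:

```python
import re

# RFC 4271 error codes. OPEN subcode 5 is RFC 1771's "authentication failure"
# (deprecated in RFC 4271); Cease subcodes are from RFC 4486.
CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
         4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}
SUBCODES = {(2, 2): "Bad Peer AS", (2, 5): "Authentication Failure (deprecated)",
            (6, 2): "Administrative Shutdown", (6, 4): "Administrative Reset"}

# Log lines taken from the thread, with the mail client's line wraps rejoined.
SAMPLE = [
    'May  4 00:31:01  Emanon-Edge rpd[2797]: bgp_pp_recv: NOTIFICATION sent to '
    '10.255.255.2+34211 (proto): code 2 (Open Message Error) subcode 5 '
    '(authentication failure), Reason: no group for 10.255.255.2+34211 (proto) '
    'from AS 7963 found (peer idled), dropping him',
    'Apr 13 20:42:27.099946 bgp_peer_mgmt_clear: NOTIFICATION sent to '
    '10.255.255.2 (External AS 7963): code 6 (Cease) subcode 4 (Administratively '
    'Reset), Reason: Management session cleared BGP neighbor',
    'Apr 13 20:42:27.101386 bgp_send: sending 21 bytes to 10.255.255.2 (External AS 7963)',
]

# Assumption: "received from" mirrors "sent to"; only "sent to" appears on the page.
NOTIF = re.compile(
    r'NOTIFICATION (?P<dir>sent to|received from) (?P<peer>[\d.]+)(?:\+(?P<port>\d+))?'
    r' \([^)]*\): code (?P<code>\d+) \([^)]*\) subcode (?P<sub>\d+) \([^)]*\)'
    r'(?:, Reason: (?P<reason>.*))?$')

def parse_notifications(lines):
    """Return one dict per NOTIFICATION line; all other lines are skipped."""
    events = []
    for line in lines:
        m = NOTIF.search(line)
        if not m:
            continue
        code, sub = int(m['code']), int(m['sub'])
        reason = m['reason'] or ''
        events.append({
            'originator': 'local' if m['dir'] == 'sent to' else 'remote',
            'peer': m['peer'],
            # addr+port with a port other than 179: the peer opened this TCP session.
            'peer_initiated': m['port'] not in (None, '179'),
            'code': CODES.get(code, 'unknown'),
            'subcode': SUBCODES.get((code, sub), 'unknown'),
            # Per the Reason text: the sender matched no configured neighbor.
            'unmatched_peer': reason.startswith('no group for'),
            'reason': reason,
        })
    return events
```
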


------------------------------

End of juniper-nsp Digest, Vol 54, Issue 6
******************************************


