[j-nsp] ScreenOS BGP uses wrong interface

Ross Vandegrift ross at kallisti.us
Fri Feb 5 12:46:01 EST 2010


Hey everyone,

I'm working on a lab configuration that involves three ScreenOS
6.1.0r3.0 boxes running BGP to JUNOS routers.  All BGP sessions are
between loopback interfaces, Block Intra-zone traffic is disabled for
Untrust, all boxes have default policy.  Two of the firewalls are
working normally.

On the third, ScreenOS adamantly refuses to open BGP on the correct
interface.  I've tried:
	1) Killing off all of the BGP config and recreating it.
	2) Rebooting the box.
	3) Upgrading ScreenOS to the exact version running on the two working firewalls.
Here's the relevant config bits:

set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 ip 10.2.30.2/30
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 protocol ospf area 0.0.0.0
set interface ethernet0/0 protocol ospf link-type p2p
set interface ethernet0/0 protocol ospf enable
set interface "loopback.1" zone "Untrust"
set interface loopback.1 ip 10.2.30.253/32
set interface loopback.1 route
set interface loopback.1 ip manageable
set interface loopback.1 manage ping
set interface loopback.1 protocol ospf area 0.0.0.0
set interface loopback.1 protocol ospf passive
set interface loopback.1 protocol ospf enable
set interface loopback.1 protocol bgp
set vrouter "trust-vr"
set router-id 10.2.30.253
set protocol bgp 65001
set enable
set always-compare-med
unset synchronization
set neighbor 10.2.30.254 remote-as 65001 src-interface loopback.1
set neighbor 10.2.30.254 enable
set neighbor 10.2.30.254 nhself-enable
set network 10.2.30.32/28
exit
exit



But check the output of "get vr trust-vr protocol bgp neighbor":

Peer AS Remote IP       Local IP          Wt Status   State     ConnID Up/Down
--------------------------------------------------------------------------------
  65001 10.2.30.254     0.0.0.0          100 Enabled  IDLE           0 00:27:42


"debug bgp all" gives some interesting commentary:
## 2010-02-05 07:20:21 : [bgp/socket]:    connecting to 10.2.30.254/179 via socket 21, designate local addr: 10.2.30.253
## 2010-02-05 07:20:21 : [bgp/peer]:      BGP interface: ethernet0/0 BGP disabled or interface state is not active
## 2010-02-05 07:20:21 : [bgp/event]:     vr(trust-vr)/peer(10.2.30.254) FSM: CONNECT --> ACTIVE, event TCP_FAIL


If I do "set interface eth0/0 protocol bgp" the "debug bgp all" output
changes:
## 2010-02-05 07:39:44 : [bgp/event]:     peer 10.2.30.254 connectRetry timer expire
## 2010-02-05 07:39:44 : [bgp/socket]:    connecting to 10.2.30.254/179 via socket 38, designate local addr: 10.2.30.253
## 2010-02-05 07:39:44 : [bgp/socket]:    bgp enabled on interface (ethernet0/0) flag 0x130
## 2010-02-05 07:39:44 : [bgp/socket]:    update fd_select to 38
## 2010-02-05 07:39:44 : [bgp/event]:     vr(trust-vr)/peer(10.2.30.254) FSM: ACTIVE --> CONNECT, event CONN_EXP
## 2010-02-05 07:40:06 : [bgp/socket]:    failed connect to 10.2.30.254 via socket 38
## 2010-02-05 07:40:06 : [bgp/socket]:    cannot find peer ctrl blk to invalidate: socket 38
## 2010-02-05 07:40:06 : [bgp/socket]:    set server socket 15
## 2010-02-05 07:40:06 : [bgp/socket]:    update fd_select to 15
## 2010-02-05 07:40:06 : [bgp/event]:     vr(trust-vr)/peer(10.2.30.254) FSM: CONNECT --> ACTIVE, event TCP_FAIL
## 2010-02-05 07:40:06 : [bgp/socket]:    bgpnode fail connect(-1) to peer 10.2.30.254, sock(38)


Has anyone seen this?

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
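A small parser for the "debug bgp all" output quoted in the post, added here as a worked example (not part of the original message and not a ScreenOS tool). It assumes only the line format visible above, "## <date> <time> : [bgp/<category>]: <message>", and pulls out the FSM transitions, the designated local address per peer, failed connect attempts, and the "BGP disabled or interface state is not active" report so the two debug captures can be compared side by side instead of read by eye. The sample lines are copied from the post's own debug output and embedded as constructed input.

```python
import re

# One line of ScreenOS "debug bgp all" output, e.g.
# "## 2010-02-05 07:20:21 : [bgp/peer]:      BGP interface: ethernet0/0 ..."
LINE_RE = re.compile(
    r"^##\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+:\s+"
    r"\[bgp/(?P<cat>\w+)\]:\s+(?P<msg>.*)$"
)
# "vr(trust-vr)/peer(10.2.30.254) FSM: CONNECT --> ACTIVE, event TCP_FAIL"
FSM_RE = re.compile(
    r"vr\((?P<vr>[^)]+)\)/peer\((?P<peer>[^)]+)\)\s+FSM:\s+"
    r"(?P<old>\w+)\s+-->\s+(?P<new>\w+),\s+event\s+(?P<event>\w+)"
)
# "BGP interface: ethernet0/0 BGP disabled or interface state is not active"
IFACE_RE = re.compile(
    r"BGP interface:\s+(?P<iface>\S+)\s+BGP disabled or interface state is not active"
)
# "connecting to 10.2.30.254/179 via socket 21, designate local addr: 10.2.30.253"
CONNECT_RE = re.compile(
    r"connecting to (?P<peer>[\d.]+)/179 via socket (?P<sock>\d+),\s+"
    r"designate local addr: (?P<local>[\d.]+)"
)
# "failed connect to 10.2.30.254 via socket 38"
FAILED_RE = re.compile(r"failed connect to (?P<peer>[\d.]+) via socket (?P<sock>\d+)")


def parse_line(line):
    """Split one debug line into (timestamp, category, message); None if it is not a debug line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("cat"), m.group("msg")


def summarize(lines):
    """Collect FSM transitions, local addresses, failed connects and inactive-interface reports."""
    summary = {
        "transitions": [],       # (ts, peer, old_state, new_state, event)
        "tcp_fail_count": 0,     # number of FSM events named TCP_FAIL
        "failed_connects": [],   # (ts, peer, socket)
        "inactive_ifaces": set(),
        "local_addr": {},        # peer -> designated local address
    }
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _cat, msg = parsed
        if (m := FSM_RE.search(msg)):
            summary["transitions"].append(
                (ts, m.group("peer"), m.group("old"), m.group("new"), m.group("event"))
            )
            if m.group("event") == "TCP_FAIL":
                summary["tcp_fail_count"] += 1
        elif (m := IFACE_RE.search(msg)):
            summary["inactive_ifaces"].add(m.group("iface"))
        elif (m := CONNECT_RE.search(msg)):
            summary["local_addr"][m.group("peer")] = m.group("local")
        elif (m := FAILED_RE.search(msg)):
            summary["failed_connects"].append((ts, m.group("peer"), m.group("sock")))
    return summary


def diagnose(summary):
    """Turn the summary into short findings that restate what the debug output itself reports."""
    findings = []
    for iface in sorted(summary["inactive_ifaces"]):
        findings.append(f"egress interface {iface} reported as BGP-disabled or not active")
    for peer, local in sorted(summary["local_addr"].items()):
        findings.append(f"outbound connect to {peer} uses designated local address {local}")
    if summary["tcp_fail_count"]:
        findings.append(f"{summary['tcp_fail_count']} FSM transition(s) on TCP_FAIL")
    for ts, peer, sock in summary["failed_connects"]:
        findings.append(f"{ts}: TCP connect to {peer} failed on socket {sock}")
    return findings


# Constructed input: the two debug captures from the post, verbatim.
SAMPLE_BEFORE = [
    "## 2010-02-05 07:20:21 : [bgp/socket]:    connecting to 10.2.30.254/179 via socket 21, designate local addr: 10.2.30.253",
    "## 2010-02-05 07:20:21 : [bgp/peer]:      BGP interface: ethernet0/0 BGP disabled or interface state is not active",
    "## 2010-02-05 07:20:21 : [bgp/event]:     vr(trust-vr)/peer(10.2.30.254) FSM: CONNECT --> ACTIVE, event TCP_FAIL",
]
SAMPLE_AFTER = [
    "## 2010-02-05 07:39:44 : [bgp/event]:     peer 10.2.30.254 connectRetry timer expire",
    "## 2010-02-05 07:39:44 : [bgp/socket]:    connecting to 10.2.30.254/179 via socket 38, designate local addr: 10.2.30.253",
    "## 2010-02-05 07:39:44 : [bgp/socket]:    bgp enabled on interface (ethernet0/0) flag 0x130",
    "## 2010-02-05 07:39:44 : [bgp/event]:     vr(trust-vr)/peer(10.2.30.254) FSM: ACTIVE --> CONNECT, event CONN_EXP",
    "## 2010-02-05 07:40:06 : [bgp/socket]:    failed connect to 10.2.30.254 via socket 38",
    "## 2010-02-05 07:40:06 : [bgp/event]:     vr(trust-vr)/peer(10.2.30.254) FSM: CONNECT --> ACTIVE, event TCP_FAIL",
]

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for finding in diagnose(summarize(sample)):
            print("  " + finding)
```

Run against the first capture it reports ethernet0/0 as BGP-disabled; against the second that report is gone and what remains is the plain TCP connect failure on socket 38, which is exactly the difference the post describes.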