[j-nsp] ScreenOS BGP uses wrong interface

Mark Kamichoff prox at prolixium.com
Sat Feb 6 14:48:37 EST 2010


Hi Ross - 

On Fri, Feb 05, 2010 at 12:46:01PM -0500, Ross Vandegrift wrote:
> I'm working on a lab configuration that involves three ScreenOS
> 6.1.0r3.0 boxes running BGP to JUNOS routers.  All BGP sessions are
> between loopback interfaces, Block Intra-zone traffic is disabled for
> Untrust, all boxes have default policy.  Two of the firewalls are
> working normally.
> 
> On the third, ScreenOS adamantly refuses to open BGP on the correct
> interface.  I've tried:
> 	1) Killing off all of the BGP config and recreating it.
> 	2) Rebooting the box.
> 	3) Upgrading ScreenOS to the exact version running on the two
> 	working firewalls.  Here's the relevant config bits:
>
> [...]
> 
> Has anyone seen this?

Can you try adding the "outgoing-interface loopback.1" to your neighbor
statement?

set neighbor 10.2.30.254 remote-as 65001 src-interface loopback.1 outgoing-interface loopback.1

That being said, I did see something like this (debug messages looked
similar, at least) a few years back when trying to get ScreenOS to
connect to a Quagga box of mine.  I never got ScreenOS to initiate the
connection successfully - I had to set BGP to passive and let the Quagga
box initiate the connection, which ended up working, strangely enough.
It's not a great solution, but got things working at the time.

On the other two firewalls that /are/ working, do you know who initiated
the BGP connection?  I'm wondering if JUNOS happened to initiate the
connection first, which is why they're working.

Also, I ran into some other problems with ScreenOS BGP (somehow, upon
connection failure, ScreenOS would take 40+ minutes to reconnect to the
neighbor) that were resolved with an upgrade to 6.1.0r6.0.  I'd
recommend grabbing the latest 6.1.0 just in case.

Good luck!

- Mark

-- 
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/
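As an added check (example code, not part of Mark's reply or of any Juniper tool), a short script that answers the "who initiated the BGP connection?" question from the endpoint line of a "show bgp neighbor" style output: the side bound to TCP port 179 accepted the session, the side holding an ephemeral port opened it. It also flags when the local endpoint is not the loopback the neighbor statement was meant to use. The sample lines are constructed, viewed from the JUNOS side, and the "Local: A.B.C.D+port Remote: ..." layout is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches a "Local: A.B.C.D+port Remote: W.X.Y.Z+port" endpoint line as
# JUNOS prints it in "show bgp neighbor" (layout assumed; samples constructed).
ENDPOINT_RE = re.compile(
    r"Local:\s*(?P<laddr>[\d.]+)\+(?P<lport>\d+)\s+"
    r"Remote:\s*(?P<raddr>[\d.]+)\+(?P<rport>\d+)"
)
BGP_PORT = 179


@dataclass
class SessionInfo:
    local_addr: str
    remote_addr: str
    initiator: str            # "local", "remote" or "unknown"
    local_is_expected: bool   # local endpoint equals the configured loopback


def analyse_session(text: str, expected_local: str) -> Optional[SessionInfo]:
    """Work out which side opened the TCP session and whether the local
    endpoint is the loopback address the neighbor statement should use."""
    m = ENDPOINT_RE.search(text)
    if not m:
        return None
    lport, rport = int(m["lport"]), int(m["rport"])
    if lport == BGP_PORT and rport != BGP_PORT:
        initiator = "remote"    # we accepted on 179, so the peer connected to us
    elif rport == BGP_PORT and lport != BGP_PORT:
        initiator = "local"     # we connected to the peer's port 179
    else:
        initiator = "unknown"   # both or neither on 179: collision or odd capture
    return SessionInfo(m["laddr"], m["raddr"], initiator,
                       m["laddr"] == expected_local)


# Constructed sample lines in the assumed JUNOS layout; 10.2.30.254 is the
# JUNOS loopback address used as the neighbor in the thread.
SAMPLE_REMOTE_INITIATED = "  Local: 10.2.30.254+179 Remote: 10.2.30.1+55140"
SAMPLE_LOCAL_INITIATED = "  Local: 10.2.30.254+61322 Remote: 10.2.30.1+179"
SAMPLE_WRONG_SOURCE = "  Local: 192.0.2.9+179 Remote: 10.2.30.1+55141"

if __name__ == "__main__":
    for line in (SAMPLE_REMOTE_INITIATED, SAMPLE_LOCAL_INITIATED, SAMPLE_WRONG_SOURCE):
        print(analyse_session(line, expected_local="10.2.30.254"))
```

A session where the ScreenOS side shows up as "remote" initiator on all working boxes would support the suspicion that JUNOS opened the connection first.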