[j-nsp] ScreenOS BGP uses wrong interface
Mark Kamichoff
prox at prolixium.com
Sat Feb 6 14:48:37 EST 2010
Hi Ross -
On Fri, Feb 05, 2010 at 12:46:01PM -0500, Ross Vandegrift wrote:
> I'm working on a lab configuration that involves three ScreenOS
> 6.1.0r3.0 boxes running BGP to JUNOS routers. All BGP sessions are
> between loopback interfaces, Block Intra-zone traffic is disabled for
> Untrust, all boxes have default policy. Two of the firewalls are
> working normally.
>
> On the third, ScreenOS adamantly refuses to open BGP on the correct
> interface. I've tried:
> 1) Killing off all of the BGP config and recreating it.
> 2) Rebooting the box.
> 3) Upgrading ScreenOS to the exact version running on the two
> working firewalls. Here's the relevant config bits:
>
> [...]
>
> Has anyone seen this?
Can you try adding the "outgoing-interface loopback.1" to your neighbor
statement?
set neighbor 10.2.30.254 remote-as 65001 src-interface loopback.1 outgoing-interface loopback.1
That being said, I did see something like this (debug messages looked
similar, at least) a few years back when trying to get ScreenOS to
connect to a Quagga box of mine. I never got ScreenOS to initiate the
connection successfully - I had to set BGP to passive and let the Quagga
box initiate the connection, which ended up working, strangely enough.
It's not a great solution, but got things working at the time.
On the other two firewalls that /are/ working, do you know who initiated
the BGP connection? I'm wondering if JUNOS happened to initiate the
connection first, which is why they're working.
Also, I ran into some other problems with ScreenOS BGP (somehow, upon
connection failure, ScreenOS would take 40+ minutes to reconnect to the
neighbor) that were resolved with an upgrade to 6.1.0r6.0. I'd
recommend grabbing the latest 6.1.0 just in case.
Good luck!
- Mark
--
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/
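As an added illustration that is not part of the thread, the following Python lint reads ScreenOS "set neighbor" lines in the form quoted above and flags loopback-sourced peers whose outgoing-interface is absent or differs from the src-interface, which is the mismatch Mark's suggestion addresses. The sample config is constructed (only 10.2.30.254 and AS 65001 come from the thread) and the "outgoing-interface must match src-interface" rule is the reply's recommendation, not a documented ScreenOS requirement.

```python
import re
from typing import Dict, List, Optional

# Constructed sample config: ScreenOS neighbor lines in the style quoted above.
# 10.2.30.254 / AS 65001 are from the thread; the other peers are made up.
SAMPLE_CONFIG = """
set vrouter trust-vr
set neighbor 10.2.30.254 remote-as 65001 src-interface loopback.1
set neighbor 10.2.31.254 remote-as 65001 src-interface loopback.1 outgoing-interface loopback.1
set neighbor 10.2.32.254 remote-as 65001 src-interface loopback.1 outgoing-interface ethernet0/0
exit
"""

# Matches "set neighbor <ip> remote-as <asn> [key value ...]"
NEIGHBOR_RE = re.compile(r"^set neighbor (?P<ip>\S+) remote-as (?P<asn>\d+)(?P<opts>.*)$")


def parse_neighbors(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {neighbor_ip: {asn, src_interface, outgoing_interface}} for each neighbor line."""
    neighbors: Dict[str, Dict[str, Optional[str]]] = {}
    for line in config.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts").split()
        # Options after remote-as come in key/value pairs (src-interface X, outgoing-interface Y)
        kv = dict(zip(opts[0::2], opts[1::2]))
        neighbors[m.group("ip")] = {
            "asn": m.group("asn"),
            "src_interface": kv.get("src-interface"),
            "outgoing_interface": kv.get("outgoing-interface"),
        }
    return neighbors


def check_loopback_peers(config: str) -> List[str]:
    """Flag loopback-sourced peers whose outgoing-interface is missing or does not match."""
    findings: List[str] = []
    for ip, n in parse_neighbors(config).items():
        src, out = n["src_interface"], n["outgoing_interface"]
        if src is None or not src.startswith("loopback"):
            continue  # only loopback-to-loopback sessions are in scope here
        if out is None:
            findings.append(f"{ip}: src-interface {src} but no outgoing-interface set")
        elif out != src:
            findings.append(f"{ip}: src-interface {src} differs from outgoing-interface {out}")
    return findings


if __name__ == "__main__":
    for finding in check_loopback_peers(SAMPLE_CONFIG):
        print(finding)
```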