[rbak-nsp] CLIPS - no access to hosts from outside

Łukasz Kopiszka lukasz at alfa-system.pl
Tue Apr 23 04:13:11 EDT 2013


More info:

sh sub act all
00:17:08:2e:76:d2
         Session state Up
         Circuit   2/2 vlan-id 1000 clips 131076
         Internal Circuit   2/2:511:63:31/7/2/4
         Interface bound  CLIENTS-IPoE
         Current port-limit 1
         Protocol Stack IPV4
         port-limit 1 (applied)
         dhcp max-addrs 1 (applied)
         context-name CLIPS (not applied)
         ip address x.y.zz.2 (applied)
         dhcp option hostname 0x0c04616c6661 (applied)
         acct-interim-interval 600 (applied)
         forward policy in CLIPS-DEFAULT (applied)
         qos rate outbound rate 102400 (applied)
         qos rate inbound rate 102400 (applied)
         qos-policing-policy customer-out (applied from sub_default)
         qos-metering-policy customer-in (applied from sub_default)
           IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
                 z.y.zz.2    00:17:08:2e:76:d2



Simple routing without NAT.
BGP <=> BRAS <=> CLIPS hosts

I can connect from BRAS to host with CLIPS (e.g. ssh).
I can't connect from BGP to host with CLIPS.


I try to connect from BGP to CLIPS.
Tcpdump from BGP:
22:56:45.987212 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95612100 ecr 0,nop,wscale 5], length 0
22:56:46.986325 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95612350 ecr 0,nop,wscale 5], length 0
22:56:48.990322 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95612851 ecr 0,nop,wscale 5], length 0
22:56:52.994327 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95613852 ecr 0,nop,wscale 5], length 0
22:57:01.010324 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95615856 ecr 0,nop,wscale 5], length 0
22:57:17.042333 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95619864 ecr 0,nop,wscale 5], length 0

Tcpdump from CLIPS host:
22:56:44.692348 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95612100 ecr 0,nop,wscale 5], length 0
22:56:44.692389 IP x.y.zz.2.22 > x.y.z.51.54353: Flags [S.], seq 794957911, ack 2136894986, win 14480, options [mss 1460,sackOK,TS val 5318255 ecr 95612100,nop,wscale 7], length 0
22:56:45.691415 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95612350 ecr 0,nop,wscale 5], length 0
22:56:45.691462 IP x.y.zz.2.22 > x.y.z.51.54353: Flags [S.], seq 794957911, ack 2136894986, win 14480, options [mss 1460,sackOK,TS val 5318505 ecr 95612100,nop,wscale 7], length 0
22:56:46.091397 IP x.y.zz.2.22 > x.y.z.51.54353: Flags [S.], seq 794957911, ack 2136894986, win 14480, options [mss 1460,sackOK,TS val 5318605 ecr 95612100,nop,wscale 7], length 0
22:56:47.695362 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, win 14600, options [mss 1460,sackOK,TS val 95612851 ecr 0,nop,wscale 5], length 0


Host replies with SYN,ACK but BGP did not receive packets from host.

Something on BRAS is blocking traffic from host but I don't know what....


-- 
Regards,
Łukasz Kopiszka
www.alfa-system.pl
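
The two-capture comparison made in the message above, as an added example that is not part of the original post: it reads tcpdump text from both capture points and reports where each TCP handshake stops. The function names and the shortened sample lines are constructed for illustration; packets are matched on endpoints and flags only.

```python
import re
from collections import Counter

# Constructed, shortened lines modelled on the two captures in the post
# (addresses are the post's own masked placeholders).
BGP_CAPTURE = """\
22:56:45.987212 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, length 0
22:56:46.986325 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, length 0
"""
HOST_CAPTURE = """\
22:56:44.692348 IP x.y.z.51.54353 > x.y.zz.2.22: Flags [S], seq 2136894985, length 0
22:56:44.692389 IP x.y.zz.2.22 > x.y.z.51.54353: Flags [S.], seq 794957911, ack 2136894986, length 0
"""

# tcpdump prints endpoints as address.port; flags sit in square brackets.
LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\]")

def summarize(capture):
    """Count (src, dst, flags) tuples seen at one capture point."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:  # wrapped continuation lines do not match and are skipped
            seen[m.groups()] += 1
    return seen

def diagnose(client_cap, server_cap):
    """For each SYN the client sent, report where the handshake stops."""
    c, s = summarize(client_cap), summarize(server_cap)
    findings = []
    for (src, dst, flags), count in sorted(c.items()):
        if flags != "S":
            continue
        if (src, dst, "S") not in s:
            verdict = "forward path drops SYN"
        elif (dst, src, "S.") not in s:
            verdict = "server did not answer"
        elif (dst, src, "S.") not in c:
            verdict = "return path drops SYN-ACK"
        else:
            verdict = "handshake packets pass both ways"
        findings.append((src, dst, count, verdict))
    return findings

if __name__ == "__main__":
    for row in diagnose(BGP_CAPTURE, HOST_CAPTURE):
        print(row)
```

Because matching ignores timestamps, clock offset between the two capture hosts does not affect the verdict; the SYN count per flow shows how many retransmissions the client made.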


