Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 26 subscribers
  • Views 1023 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BGP via IPsec between Cisco and XG

Tomas Tyser1

We have route based VPN between Cisco firewall and XG firewall. Behind the Cisco firewall where the VPN is terminated, there is a Cisco router doing BGP peering with the XG firewall. The BGP peering is succesfull, the Cisco can see the routes sent from XG in its routing table, but the XG cant see the routes from Cisco in its routing table. When we did the tcpdump on the XG, we can the BGP messages are comming to XG, inside are the networks which we should see in our routing table. Can someone with superior knowledge of BGP protocol  see some problem why the networks arent injected into the routing table on XG? I know here is similiar case, where some missconfiguration in trunk ports was problem, but I didnt find out if they were able to see the update message with the networks as we do on the XG side.

Did created case for it 03751203

15:04:03.870083 xfrm1, OUT: IP (tos 0xc0, ttl 1, id 19562, offset 0, flags [DF], proto TCP (6), length 40)
10.20.30.1.52220 > 192.168.41.2.179: Flags [.], cksum 0x93ec (correct), seq 1, ack 1, win 27200, length 0
15:04:03.870192 xfrm1, OUT: IP (tos 0xc0, ttl 1, id 19563, offset 0, flags [DF], proto TCP (6), length 93)
10.20.30.1.52220 > 192.168.41.2.179: Flags [P.], cksum 0x4bf6 (correct), seq 1:54, ack 1, win 27200, length 53: BGP
Open Message (1), length: 53
Version 4, my AS 65004, Holdtime 180s, ID 10.20.30.1
Optional parameters, length: 24
Option Capabilities Advertisement (2), length: 6
Multiprotocol Extensions (1), length: 4
AFI IPv4 (1), SAFI Unicast (1)
0x0000: 0001 0001
Option Capabilities Advertisement (2), length: 2
Route Refresh (Cisco) (128), length: 0
Option Capabilities Advertisement (2), length: 2
Route Refresh (2), length: 0
Option Capabilities Advertisement (2), length: 6
32-Bit AS Number (65), length: 4
4 Byte AS 65004
0x0000: 0000 fdec
15:04:03.881444 xfrm1, IN: IP (tos 0xc0, ttl 3, id 28417, offset 0, flags [DF], proto TCP (6), length 40)
192.168.41.2.179 > 10.20.30.1.52220: Flags [.], cksum 0xbe2c (correct), seq 1, ack 54, win 16331, length 0
15:04:03.883826 xfrm1, IN: IP (tos 0xc0, ttl 3, id 28418, offset 0, flags [DF], proto TCP (6), length 97)
192.168.41.2.179 > 10.20.30.1.52220: Flags [P.], cksum 0xb254 (correct), seq 1:58, ack 54, win 16331, length 57: BGP
Open Message (1), length: 57
Version 4, my AS 65000, Holdtime 180s, ID 192.168.41.2
Optional parameters, length: 28
Option Capabilities Advertisement (2), length: 6
Multiprotocol Extensions (1), length: 4
AFI IPv4 (1), SAFI Unicast (1)
0x0000: 0001 0001
Option Capabilities Advertisement (2), length: 2
Route Refresh (Cisco) (128), length: 0
Option Capabilities Advertisement (2), length: 2
Route Refresh (2), length: 0
Option Capabilities Advertisement (2), length: 2
Enhanced Route Refresh (70), length: 0
no decoder for Capability 70
Option Capabilities Advertisement (2), length: 6
32-Bit AS Number (65), length: 4
4 Byte AS 65000
0x0000: 0000 fde8
15:04:03.883857 xfrm1, OUT: IP (tos 0xc0, ttl 1, id 19564, offset 0, flags [DF], proto TCP (6), length 40)
10.20.30.1.52220 > 192.168.41.2.179: Flags [.], cksum 0x937e (correct), seq 54, ack 58, win 27200, length 0
15:04:03.883928 xfrm1, IN: IP (tos 0xc0, ttl 3, id 28419, offset 0, flags [DF], proto TCP (6), length 59)
192.168.41.2.179 > 10.20.30.1.52220: Flags [P.], cksum 0xb9c5 (correct), seq 58:77, ack 54, win 16331, length 19: BGP
Keepalive Message (4), length: 19
15:04:03.883942 xfrm1, OUT: IP (tos 0xc0, ttl 1, id 19565, offset 0, flags [DF], proto TCP (6), length 40)
10.20.30.1.52220 > 192.168.41.2.179: Flags [.], cksum 0x936b (correct), seq 54, ack 77, win 27200, length 0
15:04:03.884200 xfrm1, OUT: IP (tos 0xc0, ttl 1, id 19566, offset 0, flags [DF], proto TCP (6), length 78)
10.20.30.1.52220 > 192.168.41.2.179: Flags [P.], cksum 0x7c26 (correct), seq 54:92, ack 77, win 27200, length 38: BGP
Keepalive Message (4), length: 19
Keepalive Message (4), length: 19
15:04:03.906614 xfrm1, IN: IP (tos 0xc0, ttl 3, id 28420, offset 0, flags [DF], proto TCP (6), length 59)
192.168.41.2.179 > 10.20.30.1.52220: Flags [P.], cksum 0xb9b2 (correct), seq 77:96, ack 92, win 16293, length 19: BGP
Keepalive Message (4), length: 19
15:04:03.906930 xfrm1, IN: IP (tos 0xc0, ttl 3, id 28421, offset 0, flags [DF], proto TCP (6), length 176)
192.168.41.2.179 > 10.20.30.1.52220: Flags [P.], cksum 0xd8f7 (correct), seq 96:232, ack 92, win 16293, length 136: BGP
Update Message (2), length: 59
Origin (1), length: 1, Flags [T]: IGP
0x0000: 00
AS Path (2), length: 6, Flags [T]: 65000
0x0000: 0201 0000 fde8
Next Hop (3), length: 4, Flags [T]: 192.168.41.2
0x0000: c0a8 2902
Updated routes:
192.168.2.0/24
192.168.100.0/24
10.25.68.0/24
172.10.10.0/24
Update Message (2), length: 54
Origin (1), length: 1, Flags [T]: IGP
0x0000: 00
AS Path (2), length: 6, Flags [T]: 65000
0x0000: 0201 0000 fde8
Next Hop (3), length: 4, Flags [T]: 192.168.41.2
0x0000: c0a8 2902
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
0x0000: 0000 0000
Updated routes:
192.168.0.0/24
Update Message (2), length: 23
End-of-Rib Marker (empty NLRI)
15:04:03.907122 xfrm1, OUT: IP (tos 0xc0, ttl 1, id 19567, offset 0, flags [DF], proto TCP (6), length 40)
10.20.30.1.52220 > 192.168.41.2.179: Flags [.], cksum 0x900a (correct), seq 92, ack 232, win 27872, length 0
15:04:04.884759 xfrm1, OUT: IP (tos 0xc0, ttl 1, id 19568, offset 0, flags [DF], proto TCP (6), length 95)
10.20.30.1.52220 > 192.168.41.2.179: Flags [P.], cksum 0x0e7d (correct), seq 92:147, ack 232, win 27872, length 55: BGP
Update Message (2), length: 55
Origin (1), length: 1, Flags [T]: IGP
0x0000: 00
AS Path (2), length: 6, Flags [TE]: 65004
0x0000: 0201 0000 fdec
Next Hop (3), length: 4, Flags [T]: 10.20.30.1
0x0000: 0a14 1e01
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
0x0000: 0000 0000
Updated routes:
172.16.16.0/24
15:04:05.095839 xfrm1, IN: IP (tos 0xc0, ttl 3, id 28422, offset 0, flags [DF], proto TCP (6), length 40)
192.168.41.2.179 > 10.20.30.1.52220: Flags [.], cksum 0xbd45 (correct), seq 232, ack 147, win 16238, length 0
15:05:01.853081 xfrm1, IN: IP (tos 0xc0, ttl 3, id 28423, offset 0, flags [DF], proto TCP (6), length 59)
192.168.41.2.179 > 10.20.30.1.52220: Flags [P.], cksum 0xb917 (correct), seq 232:251, ack 147, win 16238, length 19: BGP
Keepalive Message (4), length: 19

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

BGP neighbor is 192.168.41.2, remote AS 65000, local AS 65004, external link
  BGP version 4, remote router ID 192.168.41.2
  BGP state = Established, up for 00:00:32
  Last read 00:00:32, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    4 Byte AS: advertised and received
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  2          2
    Notifications:          1          0
    Updates:                2          6
    Keepalives:          4167       4581
    Route Refresh:          0          0
    Capability:             0          0
    Total:               4172       4589
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Community attribute sent to this neighbor(both)
  0 accepted prefixes

  Connections established 2; dropped 1
  Last reset 00:00:44, due to BGP Notification send
Local host: 10.20.30.1, Local port: 58864
Foreign host: 192.168.41.2, Foreign port: 179
Nexthop: 10.20.30.1
Read thread: on  Write thread: off

-------------------------------------------------------------------------------------
BGP table version is 0, local router ID is 10.20.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.16.0/24   0.0.0.0                  0         32768 i

Total number of prefixes 1
-------------------------------------------------------------------------------------
BGP router identifier 10.20.30.1, local AS number 65004
RIB entries 1, using 64 bytes of memory
Peers 1, using 2484 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.41.2    4 65000    4590    4173        0    0    0 00:01:14        0

Total number of neighbors 1


This thread was automatically locked due to age.
Parents
  • 0

    Hello Tomas,

    Thank you for contacting the Sophos Community.

    How are you configuring your VTI/Tunnel interfaces? Are both ends of the tunnel configured in the same Network?

    BGP won't insert anything into the routing table if an existing route involving the IPs is available.

    Regards,

  • 0 in reply to emmosophos

    There is IPsec via xfrm interfaces:

    10.20.x.x XG - 10.20.x.x cisco vpn concentrator

    Peering is between Cisco router behind the vpn concentrator and XG. In routing table of XG arent any network ranges Cisco is sending. Both device are able to do BGP peering with same vendor. We tried to do peering between XG and XG and check the dump and looks like the only difference in dump from Cisco to XG is mesage End-of-Rib Marker (empty NLRI) inside the update message, but I didnt find any info if this could cause problem or not. On same time, you can clearly see the networks from the Cisco reaching the Sophos in the tcpdump from Cisco to XG.

Reply
  • 0 in reply to emmosophos

    There is IPsec via xfrm interfaces:

    10.20.x.x XG - 10.20.x.x cisco vpn concentrator

    Peering is between Cisco router behind the vpn concentrator and XG. In routing table of XG arent any network ranges Cisco is sending. Both device are able to do BGP peering with same vendor. We tried to do peering between XG and XG and check the dump and looks like the only difference in dump from Cisco to XG is mesage End-of-Rib Marker (empty NLRI) inside the update message, but I didnt find any info if this could cause problem or not. On same time, you can clearly see the networks from the Cisco reaching the Sophos in the tcpdump from Cisco to XG.

Children
  • 0 in reply to Tomas Tyser1

    Hello Tomas,

    I think you have a static route added for 192.168.41.2 , you would need to remove this.

    The engineer assigned to the case mentioned he will be reaching out to a Senior engineer for feedback, take a look at your ticket.

    Regards,

  • 0 in reply to emmosophos

    Hey emmosophos,

    I need the static route to reach the cisco router via the IPsec tunnel from XG. The infrastructure looks like this:

    Cisco router(doing  BGP with XG via IPsec tunnel) -> Cisco firewall (doing IPsec tunnel with XG) < ---- > Sophos XG(doing IPsec with Cisco firewall and BGP peering with Ciscou router via the IPsec tunnel)