BGP routes are not propagating to XG unit

Hello,

We have an XG unit that is BGP peering with a Cisco device.  The XG unit is able to advertise routes properly to the Cisco unit as they are showing up on the Cisco and are then being advertised to the rest of the BGP peers but the XG unit is not receiving advertised routes FROM the Cisco.

We have done the following:

  • Created firewall rule to allow all BGP traffic from all zones and networks to all zones and networks
  • Created firewall rule to allow all traffic from Cisco router to Neighbor interface on the XG
  • Deleted and recreated the BGP neighbor peering

We know that the Cisco units are peering properly because we have another Sophos UTM unit on the network and it is receiving the advertised networks from the XG unit and all the routes advertised from the UTM device show up on the Cisco.  The XG just seems to refuse to accept the advertisements from the Cisco unit.

Any ideas?

  • Ben,

    can you share your BGP configuration? Screenshots.

    Thanks

  • Hello lferrar,

    The config is pretty straightforward for BGP on these units.

    There are three fields to fill out and they are all filled out.  Please see the below config:

    Output for the configs is as follows:

    BGP neighbor is x.x.x.x, remote AS XXXX , local AS XXXX, external link
      BGP version 4, remote router ID x.x.x.x
      BGP state = Established, up for 02w0d06h
      Last read 00:00:05, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        4 Byte AS: advertised and received
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        Inq depth is 0
        Outq depth is 0
                             Sent       Rcvd
        Opens:                  1          1
        Notifications:          0          0
        Updates:                1          9
        Keepalives:         20517      22443
        Route Refresh:          0          0
        Capability:             0          0
        Total:              20519      22453
      Minimum time between advertisement runs is 30 seconds

     For address family: IPv4 Unicast
      Community attribute sent to this neighbor(both)
      0 accepted prefixes

      Connections established 1; dropped 0
      Last reset never
    Local host: x.x.x.x, Local port: 45883
    Foreign host: x.x.x.x, Foreign port: 179
    Nexthop: x.x.x.x
    Read thread: on  Write thread: off

    BGP table version is 0, local router ID is x.x.x.x
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, R Removed
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *> x.x.x.x/24    0.0.0.0                  0         32768 i

    Total number of prefixes 1

    BGP router identifier x.x.x.x, local AS number xxxx
    RIB entries 1, using 64 bytes of memory
    Peers 1, using 2484 bytes of memory

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    x.x.x.x       4 xxxx   22455   20521        0    0    0 02w0d06h        0

    Total number of neighbors 1

    Firewalls:

    "NAT Policy: MASQ
    Routing Through Gateway: Load Balance
    Accept "BGP" service going to any zone, when in any zone, and coming from any network"

    "NAT Policy: MASQ
    Routing Through Gateway: Load Balance
    Accept any service going to any zone, when in any zone, and coming from "XX_XXX_MPLS" network"

    Let me know if you would like any further information.
    Thanks!
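    The neighbor output above shows the tell-tale pattern of this thread: the session is Established and UPDATE messages are being received (Rcvd 9), yet "0 accepted prefixes" and PfxRcd 0. The script below is an added example, not code from the post or from Sophos: it parses a constructed sample in the same Quagga/FRR "show ip bgp neighbor" layout and classifies the session so the symptom is caught without reading the output by hand.

    ```python
    import re

    # Constructed sample modelled on the neighbor output in the post (addresses/ASNs are placeholders).
    SAMPLE = """\
    BGP neighbor is 192.0.2.1, remote AS 65001, local AS 65002, external link
      BGP state = Established, up for 02w0d06h
      Message statistics:
                             Sent       Rcvd
        Opens:                  1          1
        Notifications:          0          0
        Updates:                1          9
        Keepalives:         20517      22443
     For address family: IPv4 Unicast
      0 accepted prefixes
    """


    def parse_neighbor(text):
        """Extract the fields the health check needs from neighbor output."""
        info = {}
        m = re.search(r"BGP neighbor is (\S+), remote AS (\d+), local AS (\d+)", text)
        if m:
            info["neighbor"] = m.group(1)
            info["remote_as"], info["local_as"] = int(m.group(2)), int(m.group(3))
        m = re.search(r"BGP state = (\w+)", text)
        info["state"] = m.group(1) if m else "unknown"
        m = re.search(r"Updates:\s+(\d+)\s+(\d+)", text)  # columns are Sent, Rcvd
        info["updates_sent"], info["updates_rcvd"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
        m = re.search(r"(\d+) accepted prefixes", text)
        info["accepted_prefixes"] = int(m.group(1)) if m else 0
        return info


    def diagnose(info):
        """Return (code, hint). Distinguishes 'peer never sent anything' from 'sent but nothing accepted'."""
        if info["state"] != "Established":
            return "session-down", "peering not up; check reachability, AS numbers and TCP/179 rules"
        if info["updates_rcvd"] == 0:
            return "no-updates", "session up but peer sent no UPDATEs; check the peer's outbound policy"
        if info["accepted_prefixes"] == 0:
            return "updates-but-no-prefixes", ("peer is sending UPDATEs but none are installed; check the "
                                              "inbound filter and that updates arrive on the interface the "
                                              "neighbor is bound to (duplicate links can misdirect them)")
        return "ok", f"{info['accepted_prefixes']} prefixes accepted"


    if __name__ == "__main__":
        code, hint = diagnose(parse_neighbor(SAMPLE))
        print(f"{code}: {hint}")
    ```
    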
  • This ended up being a misconfiguration issue on site.  The trunked ports on the Cisco were both connected to the UTM and caused it to attempt to send the BGP information across the wrong interface.

    The resolution was to remove the cable interconnecting both of the trunk ports from the Cisco to the UTM and only have one line instead of two.