Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  BGP fails over IPSec VPN

    This message was posted by a user wishing to remain anonymous
    Posted 09-21-2021 12:49

    Good morning, I have a bit of a doozy.

    I am trying to establish a route-based VPN connection between an SRX 300 and an SRX 345.  They're configured almost identically, and the IPSec VPN link works great with static routing.  When I switch to external BGP, I get almost no traffic, and BGP resets every 90 seconds when the hold timer runs out.

    The BGP trace log indicates keepalive messages are being sent properly, but most do not arrive at either side, which is why the hold timer is expiring.

    I've tried setting MSS and MTU values with no effect.  I have found some error messages in the log that I am having trouble deciphering.  These errors are identical on both sides.  I feel like I'm missing something pretty basic.  Could someone point me in the right direction?

    Error 1:
    Sep 21 08:55:20.073832 bgp_rt_send_message:1826: 10.199.64.5 (External AS 1): sent 61 bytes, out updates 1
    Sep 21 08:55:20.073867 bgp_output_thrashold_reached: 10.199.64.5 (External AS 1): rtt 0x40c8000 id 0x1000000, change count 0, bgp thrashold 5000
    Sep 21 08:55:20.073903 bgp_rt_send_v4_flush:2219: 10.199.64.5 (External AS 1): Flushed, len=0, status=0x0, updates 166, updates_bnp 166, tokens=0
    Sep 21 08:55:20.073932 bgp_send_flush:1178: send proc: Flushed, type=1, status=0x0
    Sep 21 08:55:20.073961 bgp_group_send_msg_done:2635: group external-peers type External: Reset/released group send msg bld area
    Sep 21 08:55:20.073988 bgp_send_handle_error:1523: group external-peers type External: Flush type=GROUPP, status=0x0, num_tokens=0
    Sep 21 08:55:20.074014 bgp_send_handle_error:1627: group external-peers type External: Flush type=GROUPP, status=0x0, Return status=0x20, num_tokens=0 - exit
    Sep 21 08:55:20.074049 bgp_rt_send_common: 2970: send proc: Exited mrtop loop - flushed status=0x20
    Sep 21 08:55:20.074075 rt send common: END, status=0x20, visits=1, grtosdenied=0
    Sep 21 08:55:20.074098 bgp_group_send_msg_done:2635: group external-peers type External: Reset/released group send msg bld area

    Error 2 (keepalive behavior, followed by error and reset):
    Sep 21 08:55:20.279700 bgp_handle_update:4766: 10.199.64.5 (External AS 1) received one update: 68 octets 10 routes
    Sep 21 08:55:20.279820 bgp_handle_update:4766: 10.199.64.5 (External AS 1) received one update: 4 octets 0 routes
    Sep 21 08:55:45.283039 99-220-BGP_1.10.199.64.5: BGP SEND 10.199.64.6+179 -> 10.199.64.5+50986 {bgp-io}
    Sep 21 08:55:45.283138 99-220-BGP_1.10.199.64.5: BGP SEND message type 4 (Keepalive) length 19  {bgp-io}
    Sep 21 08:56:11.307068 99-220-BGP_1.10.199.64.5: BGP SEND 10.199.64.6+179 -> 10.199.64.5+50986 {bgp-io}
    Sep 21 08:56:11.307166 99-220-BGP_1.10.199.64.5: BGP SEND message type 4 (Keepalive) length 19  {bgp-io}
    Sep 21 08:56:41.006884 99-220-BGP_1.10.199.64.5: BGP SEND 10.199.64.6+179 -> 10.199.64.5+50986 {bgp-io}
    Sep 21 08:56:41.006982 99-220-BGP_1.10.199.64.5: BGP SEND message type 4 (Keepalive) length 19  {bgp-io}
    Sep 21 08:56:50.277401 {bgp-io} th-99-220-BGP_1.10.199.64.5: Recv heartbeat timer expired @bgp-io
    Sep 21 08:56:50.277718 BGP_IO_ERROR_CLOSE_SESSION: BGP peer 10.199.64.5 (External AS 1): Error event Operation timed out(60) for I/O session - closing it (instance master)
    Sep 21 08:56:50.278189 BGP_1.10.199.64.5: send proc: send via threaded I/O
    Sep 21 08:56:50.278208 sending 21 bytes
    Sep 21 08:56:50.278239
    Sep 21 08:56:50.278239 BGP SEND 10.199.64.6+179 -> 10.199.64.5+50986
    Sep 21 08:56:50.278270 BGP SEND message type 3 (Notification) length 21
    Sep 21 08:56:50.278355  wrote 21 bytes to I/O queue
    Sep 21 08:56:50.278390 finished number of messages 1, write qidx 0 rc 1
    Sep 21 08:56:50.278423 bgp_send_deactivate:3466: 10.199.64.5 (External AS 1) ,flags=0x1: removed from active list
    Sep 21 08:56:50.281621 bgp_rt_unsync_all:409: 10.199.64.5 (External AS 1): entered v4nsync 1
    Sep 21 08:56:50.281694 bgp_oq_ready_enqueue:147: group external-peers type External: called for ribix 1, inserted node on thread
    Sep 21 08:56:50.281733 bgp_rt_unsync_all:422: 10.199.64.5 (External AS 1): end v4nsync 0
    Sep 21 08:56:52.337676 advertising graceful restart receiving-speaker-only capability to neighbor 10.199.64.5 (External AS 1)
    Sep 21 08:56:52.337767 advertising LLGR receiving-speaker-only capability to neighbor 10.199.64.5 (External AS 1)
    Sep 21 08:56:52.337814 BGP_1.10.199.64.5: send proc: sending 63 bytes

    Relevant BGP Configuration:
    policy-options {
        policy-statement send-direct {
            term 1 {
                /* matches every directly connected prefix, WAN interface included */
                from protocol direct;
                then accept;
            }
        }
    }

    protocols {
        bgp {
            group external-peers {
                type external;
                export send-direct;
                peer-as 1;
                neighbor 10.199.64.5;
            }
        }
    }


    Thank you!



  • 2.  RE: BGP fails over IPSec VPN

    This message was posted by a user wishing to remain anonymous
    Posted 09-23-2021 09:13

    SOLVED!  BGP was advertising the WAN subnet on both sides, so as soon as it established, the VPN link broke until BGP reset, and the cycle would start over.

    Adding a route filter to the policy options that restricted BGP to the internal subnets fixed this right up.
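The fix described in both posts, written out as an added Junos configuration example (this is not the original poster's configuration). The export policy still starts from `protocol direct`, but route-filter terms limit it to the LAN prefixes and a final term rejects everything else, so the WAN subnet that carries the IKE/IPsec peers is never advertised through the tunnel. The mechanism behind the flapping in the first post: once a side learns the remote WAN prefix via BGP through st0, that route is more specific than its default route toward the ISP, so the ESP packets to the IKE peer are routed into the tunnel itself and the tunnel collapses until the hold timer tears BGP down. The prefixes 192.168.10.0/24 and 192.168.20.0/24 are placeholders, not values from the thread; the peer address 10.199.64.5 and group name are the ones the poster shows.

```junos
policy-options {
    policy-statement send-direct {
        /* Advertise only the directly connected LAN prefixes.
           192.168.10.0/24 and 192.168.20.0/24 are placeholders: replace them
           with the real subnets behind each SRX. */
        term lan-only {
            from {
                protocol direct;
                route-filter 192.168.10.0/24 exact;
                route-filter 192.168.20.0/24 exact;
            }
            then accept;
        }
        /* Explicitly reject every other direct route, in particular the
           WAN subnet terminating IKE/IPsec and the st0 tunnel subnet.
           The default BGP export policy would drop non-BGP routes anyway,
           but an explicit reject documents the intent. */
        term reject-rest {
            then reject;
        }
    }
}

protocols {
    bgp {
        group external-peers {
            type external;
            export send-direct;
            peer-as 1;
            neighbor 10.199.64.5;
        }
    }
}
```

After committing, `show route advertising-protocol bgp 10.199.64.5` should list only the LAN prefixes and never the WAN subnet, and `show bgp neighbor 10.199.64.5` should stop showing the session flapping at the 90-second hold timer; `show security ipsec security-associations` confirms the tunnel stays up once BGP is established.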