Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  How to remove the connection (bgp session) FIN_WAIT_1 state

    Posted 11-02-2014 10:03

    On Juniper side:

     

    admin@mx*> show system connections extensive | match 80.x.x.61
    tcp4 0 0 198.x.x.252.179 80.x.x.61.44609 ESTABLISHED
    tcp4 0 12222 198.x.x.252.179 80.x.x.61.40318 FIN_WAIT_1

     

    On Soft-router side (80.x.x.61):

     

    tcpdump -i eth0 host 198.x.x.252 and port 40318
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    17:43:33.338265 IP 198.x.x.252.bgp > 80.x.x.61.40318: Flags [.], seq 1384753458:1384753459, ack 1423971998, win 16384, options [nop,nop,md5can't check - 9c580061498033573a6f6ca0c8e87924], length 1: BGP, length: 1
    17:43:33.338277 IP 80.x.x.61.40318 > 198.x.x.252.bgp: Flags [R], seq 1423971998, win 0, length 0
    17:44:33.336403 IP 198.x.x.252.bgp > 80.x.x.61.40318: Flags [.], seq 0:1, ack 1, win 16384, options [nop,nop,md5can't check - 9c580061498033573a6f6ca0c8e87924], length 1: BGP, length: 1
    17:44:33.336414 IP 80.x.x.61.40318 > 198.x.x.252.bgp: Flags [R], seq 1423971998, win 0, length 0
    17:45:33.321957 IP 198.x.x.252.bgp > 80.x.x.61.40318: Flags [.], seq 0:1, ack 1, win 16384, options [nop,nop,md5can't check - 9c580061498033573a6f6ca0c8e87924], length 1: BGP, length: 1
    17:45:33.321967 IP 80.x.x.61.40318 > 198.x.x.252.bgp: Flags [R], seq 1423971998, win 0, length 0

    ..

     

    There is nothing on this port (40318). The R flag comes back, but Juniper does not close the FIN_WAIT_1 state.

    I tried clear bgp hard/soft on both sides. It does not help.


  • 2.  RE: How to remove the connection (bgp session) FIN_WAIT_1 state

    Posted 11-02-2014 12:20

    Hello,

     


    @A.leb wrote:
    The R flag comes back, but Juniper does not close the FIN_WAIT_1 state.

    Your Softrouter TCP RST does not contain an MD5 signature, in direct violation of RFC 2385:

     

    Every segment sent on a TCP connection to be protected against spoofing will contain the 16-byte MD5 digest

    and

     

       The MD5 digest is always 16 bytes in length, and the option would appear in every segment of a connection.

     

     

    https://www.ietf.org/rfc/rfc2385.txt

     

    By definition, "every segment" includes TCP RST.

     

    Predictably, JUNOS drops such a segment since the MD5 check takes place before any other checks.

    HTH

    Thanks
    Alex
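
The receiver-side check described in the reply above, as an added example that is not part of the original thread and is not JUNOS code: it computes the RFC 2385 digest and shows why an unsigned RST is dropped while a signed one is accepted. The addresses and key are constructed placeholders, the function names are hypothetical, and the ports and sequence numbers are taken from the capture in the first post.

```python
import hashlib, hmac, socket, struct

TCPOPT_MD5SIG = 19  # RFC 2385 option kind; total option length is always 18

def rfc2385_digest(src, dst, tcp, key):
    # MD5 over: pseudo-header, TCP header without options (checksum zeroed), data, key
    hdr_len = (tcp[12] >> 4) * 4
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    fixed = tcp[:16] + b"\x00\x00" + tcp[18:20]
    return hashlib.md5(pseudo + fixed + tcp[hdr_len:] + key).digest()

def md5_option(tcp):
    """Walk the TCP options and return the 16-byte digest, or None if absent."""
    i, end = 20, (tcp[12] >> 4) * 4
    while i < end and tcp[i] != 0:          # kind 0 = end of option list
        if tcp[i] == 1:                      # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            return None                      # malformed option list
        if tcp[i] == TCPOPT_MD5SIG and tcp[i + 1] == 18:
            return tcp[i + 2:i + 18]
        i += tcp[i + 1]
    return None

def accept_segment(src, dst, tcp, key):
    """Signature check done before any flag or state processing, RST included."""
    sig = md5_option(tcp)
    return sig is not None and hmac.compare_digest(sig, rfc2385_digest(src, dst, tcp, key))

def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b"", key=None):
    """Constructed test helper; the TCP checksum stays zero (not part of this check)."""
    opts = b"\x01\x01" + bytes([TCPOPT_MD5SIG, 18]) + bytes(16) if key else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      ((20 + len(opts)) // 4) << 4, flags, 16384, 0, 0) + opts + payload
    if key:
        tcp = tcp[:24] + rfc2385_digest(src, dst, tcp, key) + tcp[40:]
    return tcp

ROUTER, PEER, KEY = "198.51.100.252", "203.0.113.61", b"constructed-key"  # placeholders
ACK, RST = 0x10, 0x04
# Signed 1-byte probe from the router, then the peer's RST without and with the option.
probe = build_segment(ROUTER, PEER, 179, 40318, 1384753458, 1423971998, ACK, b"\xff", KEY)
bare_rst = build_segment(PEER, ROUTER, 40318, 179, 1423971998, 0, RST)
signed_rst = build_segment(PEER, ROUTER, 40318, 179, 1423971998, 0, RST, key=KEY)

if __name__ == "__main__":
    print("unsigned RST accepted:", accept_segment(PEER, ROUTER, bare_rst, KEY))
    print("signed RST accepted:  ", accept_segment(PEER, ROUTER, signed_rst, KEY))
```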

     

     



  • 3.  RE: How to remove the connection (bgp session) FIN_WAIT_1 state

    Posted 11-02-2014 13:27

    Question: why is it not closed on timeout?

    There is nothing on this port (80.x.x.61:40318).

    And how long will it keep knocking like this?

    A day, a week, a year?

     

    http://copilotco.com/mail-archives/beowulf.1998/msg01618.html

     

     



  • 4.  RE: How to remove the connection (bgp session) FIN_WAIT_1 state
    Best Answer

    Posted 11-02-2014 20:58

    Solution:

    1. On the Soft-router side, block any reply related to TCP port 40318.

    2. Wait 30 min

     

    tcpdump -n -i eth0 -M **** port 40318
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    03:20:27.894388 IP 198.x.x.252.179 > 80.x.x.61.40318: Flags [.], seq 1384753458:1384753459, ack 1423971998, win 16384, options [nop,nop,md5valid], length 1: BGP, length: 1

    ...

    03:56:27.544944 IP 198.x.x.252.179 > 80.x.x.61.40318: Flags [.], seq 0:1, ack 1, win 16384, options [nop,nop,md5valid], length 1: BGP, length: 1
    03:57:27.535886 IP 198.x.x.252.179 > 80.x.x.61.40318: Flags [R.], seq 1, ack 1, win 16384, options [nop,nop,md5valid], length 0