SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

iBGP on loopbacks in routing instance

  • 1.  iBGP on loopbacks in routing instance

    Posted 11-20-2022 14:02
    Hi all,

    I am facing the following problem: iBGP does not work from routing instance when using loopback interfaces. Without routing instance, it works perfectly.

    Details:

    1. There is SRX1 and SRX2, both connected via ge-0/0/0.0. This interface remains in the main routing instance.  SRX1 has IP 10.0.0.1/24, SRX2 has IP 10.0.0.2/24.
    2. On each SRX1 and SRX2, there is a routing instance with a loopback interface assigned to it. SRX1's loopback has IP 192.168.0.1, SRX2's loopback has IP 192.168.0.2
    3. On SRX1, there is a route for 192.168.0.2/32 in the main routing table pointing to 10.0.0.2. On SRX2, the route for 192.168.0.1/32 is pointing to 10.0.0.1
    4. The above-mentioned route is imported into the routing instances using instance-import.
    5. Security policies are set to allow all


    Issue: iBGP never gets established and is stuck in "active" phase.

    Troubleshooting so far:
     - I can ping 10.0.0.1 from 10.0.0.2 and back.
     - I can ping 192.168.0.1 from 192.168.0.2 and back, from both main routing table and the routing instance.
     - I can telnet to BGP port 179 on 192.168.0.1 from inside routing instance on SRX2. Same for telnetting to port 179 on 192.168.0.2 from SRX1.
     - There are no firewall rules and/or security policies prohibiting BGP.
     - Loopback and ge-0/0/0.0 are in different security zones due to routing-instance, but I have an "allow all" policy between them.
     - As soon as I remove the routing instance and configure iBGP in the main instance instead, the iBGP session gets established immediately.

    BGP log:

    Nov 20 19:53:58.727872 bgp_recv_open: called for peer 192.168.0.2 (Internal AS 65532)
    Nov 20 19:53:58.727911 task_process_events_internal: recv ready for BGP_65532_65532.192.168.0.2
    Nov 20 19:53:58.727923 bgp_recv_open: called for peer 192.168.0.2 (Internal AS 65532)
    Nov 20 19:53:58.727946 BGP RECV 192.168.0.2+179 -> 192.168.0.1+60966
    Nov 20 19:53:58.727963 BGP RECV message type 3 (Notification) length 21
    Nov 20 19:53:58.727976 BGP RECV Notification code 6 (Cease) subcode 5 (Connection Rejected)
    Nov 20 19:53:58.727991 BGP_UNEXPECTED_MESSAGE_TYPE: bgp_read_message: peer 192.168.0.2 (Internal AS 65532): Notification arrived, expected Open (instance INS_Transit)
    Nov 20 19:53:58.728094 bgp_read_message: received 21 byte message type 3 (Notification) from 192.168.0.2 (Internal AS 65532)
    Nov 20 19:53:58.728139 bgp_read_message:3515: NOTIFICATION received from 192.168.0.2 (Internal AS 65532): code 6 (Cease) subcode 5 (Connection Rejected)
    Nov 20 19:53:58.728154 Notify received from 192.168.0.2 (Internal AS 65532), code 6, subcode 5
    Nov 20 19:53:58.728186 task_process_events_internal: recv ready for BGP_65532_65532.192.168.0.2
    Nov 20 19:53:58.728198 bgp_recv_open: called for peer 192.168.0.2 (Internal AS 65532)
    Nov 20 19:53:58.728238 bgp_recv: peer 192.168.0.2 (Internal AS 65532): received unexpected EOF
    Nov 20 19:53:58.728253 bgp_peer_close_and_restart: peer 192.168.0.2 (Internal AS 65532), state is 4 (OpenSent) event TransportError, flags=0x0
    Nov 20 19:53:58.728265 bgp_peer_close_and_restart: closing peer 192.168.0.2 (Internal AS 65532), state is 4 (OpenSent) event TransportError
    Nov 20 19:53:58.728277 bgp_send_deactivate:3639: 192.168.0.2 (Internal AS 65532) ,flags=0x0: removed from active list

    Routing instance config:

    protocols {
        bgp {
            group ibgp-v4-test {
                type internal;
                local-address 192.168.0.1;
                import accept;
                export reject;
                neighbor 192.168.0.2;
            }
        }
    }
    interface lo0.0;
    instance-type virtual-router;
    routing-options {
        router-id 192.168.0.1;
        autonomous-system 65532;
        instance-import import-from-main-table;
    }



    Any ideas?
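The log above shows the peer answering the OPEN with a 21-byte NOTIFICATION carrying error code 6 (Cease), subcode 5 (Connection Rejected). The following is an added example, not part of the original post or of Junos: it builds such a NOTIFICATION message on the wire format of RFC 4271 (16-byte marker, 2-byte length, 1-byte type, then error code and subcode), parses it back, and decodes the code/subcode names from RFC 4271 and RFC 4486. It also extracts the code and subcode from the traceoptions line quoted in the post, so the same decoder can be run over a BGP trace file. The message bytes are constructed here; the only log line used is the one from the post.

```python
import re
import struct

# NOTIFICATION error codes (RFC 4271, section 4.5).
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}

# Cease subcodes (RFC 4486, section 3).
CEASE_SUBCODES = {
    1: "Maximum Number of Prefixes Reached",
    2: "Administrative Shutdown",
    3: "Peer De-configured",
    4: "Administrative Reset",
    5: "Connection Rejected",
    6: "Other Configuration Change",
    7: "Connection Collision Resolution",
    8: "Out of Resources",
}

MARKER = b"\xff" * 16      # all-ones marker, RFC 4271 section 4.1
NOTIFICATION_TYPE = 3      # message type field value for NOTIFICATION
HEADER_LEN = 19            # marker (16) + length (2) + type (1)
MIN_NOTIFICATION_LEN = 21  # header + error code (1) + error subcode (1)


def describe(code, subcode):
    """Return a human-readable 'code / subcode' string for a NOTIFICATION."""
    code_name = ERROR_CODES.get(code, f"Unknown code {code}")
    if code == 6:
        sub_name = CEASE_SUBCODES.get(subcode, f"Unknown subcode {subcode}")
    else:
        sub_name = f"Subcode {subcode}"
    return f"{code_name} / {sub_name}"


def build_notification(code, subcode, data=b""):
    """Serialise a NOTIFICATION message (constructed sample, not captured traffic)."""
    length = MIN_NOTIFICATION_LEN + len(data)
    return MARKER + struct.pack("!HB", length, NOTIFICATION_TYPE) + bytes([code, subcode]) + data


def parse_notification(msg):
    """Validate and decode a raw NOTIFICATION message; raise ValueError on malformed input."""
    if len(msg) < MIN_NOTIFICATION_LEN:
        raise ValueError("message shorter than minimum NOTIFICATION length")
    if msg[:16] != MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:HEADER_LEN])
    if msg_type != NOTIFICATION_TYPE:
        raise ValueError(f"not a NOTIFICATION (type {msg_type})")
    if length != len(msg):
        raise ValueError(f"length field {length} does not match {len(msg)} bytes received")
    code, subcode = msg[HEADER_LEN], msg[HEADER_LEN + 1]
    return {
        "length": length,
        "code": code,
        "subcode": subcode,
        "code_name": ERROR_CODES.get(code, "Unknown"),
        "subcode_name": CEASE_SUBCODES.get(subcode, "Unknown") if code == 6 else None,
        "data": msg[MIN_NOTIFICATION_LEN:],
    }


# The traceoptions line from the post that reports the received notification.
SAMPLE_LOG = ("Nov 20 19:53:58.727976 BGP RECV Notification code 6 (Cease) "
              "subcode 5 (Connection Rejected)")

LOG_RE = re.compile(r"Notification code (\d+) \([^)]*\) subcode (\d+) \([^)]*\)")


def parse_log_line(line):
    """Return (code, subcode) from a Junos BGP trace line, or None if it is not a notification."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


if __name__ == "__main__":
    code, subcode = parse_log_line(SAMPLE_LOG)
    print("from log:", describe(code, subcode))
    info = parse_notification(build_notification(code, subcode))
    print("from wire:", info["length"], "bytes,", describe(info["code"], info["subcode"]))
```

RFC 4486 specifies Connection Rejected for the case where a speaker accepts the transport connection but then disallows the BGP session, for example because the peer is not configured locally. A decoded subcode therefore tells you which side refused and at which stage, which is the first thing to check before looking at policies or filters.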
