Task 6.2 - CBAC breaks BGP session randomly

It seems CBAC breaks the BGP session randomly; it may be related to the BGP MD5 password configuration. To stabilize it, I permitted BGP on the ACL manually. Comments?

Extended IP access list OUTSIDE_IN
    10 permit tcp any any eq bgp (1 match)
    15 permit tcp any eq bgp any
    20 deny ip any any (9469 matches)

*Dec 20 14:04:05.815: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:04:58.071: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(60704) (RST)
*Dec 20 14:07:28.567: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:08:29.015: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(22706) (RST)
*Dec 20 14:10:59.511: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:11:58.935: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(57207) (RST)
*Dec 20 14:14:29.431: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:15:30.903: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(47494) (RST)
*Dec 20 14:18:01.399: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:19:00.823: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(47416) (RST)
*Dec 20 14:21:31.319: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:22:30.743: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(50170) (RST)
*Dec 20 14:25:01.275: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:25:50.939: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(40947) (RST)
*Dec 20 14:28:20.967: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
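Added triage script for the log above; it is not part of the original post and not a Cisco tool. It parses the IOS syslog lines, pairs each BGP NOTIFICATION with code 4/0 (Hold Timer Expired per RFC 4271) with the TCP-6-BADAUTH RST that follows it, and measures the time between expiries. Two assumptions are built in: the syslog timestamps carry no year, so a dummy year is used, and an RST more than 120 s after an expiry is not paired with it. On this log it reports eight expiries roughly 210 s apart, seven of them followed within about a minute by an RST from the peer's port 179 to a different local ephemeral port each time, which IOS logged as lacking the MD5 digest.

```python
"""Triage a flapping MD5-authenticated BGP session from IOS syslog lines.
Added example for the post above; not the poster's code or any Cisco tool."""
import re
import statistics
from datetime import datetime, timedelta

# Log lines copied from the post above (IOS syslog; the timestamp has no year).
LOG = """\
*Dec 20 14:04:05.815: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:04:58.071: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(60704) (RST)
*Dec 20 14:07:28.567: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:08:29.015: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(22706) (RST)
*Dec 20 14:10:59.511: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:11:58.935: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(57207) (RST)
*Dec 20 14:14:29.431: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:15:30.903: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(47494) (RST)
*Dec 20 14:18:01.399: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:19:00.823: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(47416) (RST)
*Dec 20 14:21:31.319: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:22:30.743: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(50170) (RST)
*Dec 20 14:25:01.275: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
*Dec 20 14:25:50.939: %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.5(40947) (RST)
*Dec 20 14:28:20.967: %BGP-3-NOTIFICATION: sent to neighbor 192.10.1.254 4/0 (hold time expired) 0 bytes
"""

ASSUMED_YEAR = 2000    # assumption: IOS timestamps carry no year; only deltas matter here
PAIR_WINDOW_S = 120.0  # assumption: an RST more than 120 s after an expiry is not paired with it

LINE_RE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
                     r"%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z0-9_]+): (?P<text>.*)$")
NOTIF_RE = re.compile(r"sent to neighbor (?P<peer>[\d.]+) (?P<code>\d+)/(?P<sub>\d+) \((?P<reason>[^)]*)\)")
BADAUTH_RE = re.compile(r"No MD5 digest from (?P<src>[\d.]+)\((?P<sport>\d+)\) "
                        r"to (?P<dst>[\d.]+)\((?P<dport>\d+)\) \((?P<flags>[A-Z]+)\)")

# BGP NOTIFICATION error codes (RFC 4271, section 4.5); IOS logs them as code/subcode.
BGP_ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
                   4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}


def parse_log(log):
    """Turn raw syslog lines into event dicts; lines that do not match are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = {"ts": datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f"),
              "mnemonic": m["mnemonic"]}
        if m["mnemonic"] == "BGP-3-NOTIFICATION" and (n := NOTIF_RE.search(m["text"])):
            ev.update(peer=n["peer"], code=int(n["code"]), subcode=int(n["sub"]), reason=n["reason"],
                      error=BGP_ERROR_CODES.get(int(n["code"]), "unknown"))
        elif m["mnemonic"] == "TCP-6-BADAUTH" and (b := BADAUTH_RE.search(m["text"])):
            ev.update(src=b["src"], sport=int(b["sport"]), dst=b["dst"],
                      dport=int(b["dport"]), flags=b["flags"])
        events.append(ev)
    return events


def correlate(events):
    """Pair each hold-timer expiry with the first BADAUTH RST inside the window and before the next expiry."""
    expiries = [e for e in events if e["mnemonic"] == "BGP-3-NOTIFICATION" and e.get("code") == 4]
    rsts = [e for e in events if e["mnemonic"] == "TCP-6-BADAUTH" and e.get("flags") == "RST"]
    cycles = []
    for i, exp in enumerate(expiries):
        nxt = expiries[i + 1]["ts"] if i + 1 < len(expiries) else None
        rst = next((r for r in rsts
                    if exp["ts"] < r["ts"] <= exp["ts"] + timedelta(seconds=PAIR_WINDOW_S)
                    and (nxt is None or r["ts"] < nxt)), None)
        cycles.append({"expired_at": exp["ts"], "peer": exp["peer"], "error": exp["error"], "rst": rst,
                       "rst_delay_s": (rst["ts"] - exp["ts"]).total_seconds() if rst else None,
                       "period_s": (nxt - exp["ts"]).total_seconds() if nxt else None})
    return cycles


def summarize(log):
    """Counts and timings that show whether this is a periodic hold-timer flap."""
    cycles = correlate(parse_log(log))
    paired = [c for c in cycles if c["rst"]]
    periods = [c["period_s"] for c in cycles if c["period_s"] is not None]
    return {
        "hold_expiries": len(cycles),
        "rsts_paired": len(paired),
        # every discarded RST came from the peer's BGP port 179
        "rst_from_peer_179": all(c["rst"]["src"] == c["peer"] and c["rst"]["sport"] == 179 for c in paired),
        # a different local ephemeral port each cycle means a fresh TCP connection each time
        "distinct_local_ports": len({c["rst"]["dport"] for c in paired}),
        "median_rst_delay_s": statistics.median([c["rst_delay_s"] for c in paired]) if paired else None,
        "median_period_s": statistics.median(periods) if periods else None,
        "period_range_s": (min(periods), max(periods)) if periods else None,
    }


def report(log):
    """One line per summary field, for pasting into a ticket."""
    return "\n".join(f"{k}: {v}" for k, v in summarize(log).items())


if __name__ == "__main__":
    print(report(LOG))
    for c in correlate(parse_log(LOG)):
        print(c["expired_at"].time(), c["error"], "-> RST after",
              c["rst_delay_s"], "s; next expiry in", c["period_s"], "s")
```

Run it as-is against the pasted log, or replace LOG with your own `show logging` output. A median period close to the configured hold time plus a short re-establishment delay, together with a fresh local port on every RST, is the signature of a session that is torn down by the hold timer each cycle rather than by a single transient fault.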

Comments

  • I didn't even try the other way. My config was:

    ip inspect name cbac tcp
    ip inspect name cbac udp
    ip inspect name cbac icmp router-traffic

    interface FastEthernet0/0.52
     ip access-group 102 in

    access-list 102 permit tcp host 192.10.1.254 any eq bgp
    access-list 102 permit tcp host 192.10.1.254 eq bgp any
    access-list 102 deny   ip any any

    Hope that's valid as well.
