09-20-2011 02:17 AM
I’m currently trying to setup BGP between two VR hosted on one firewall without success.
I’ve successfully established a BGP session to external routers and between VRs hosted on the different firewalls.
Each VR is in a separate VSYS and visible to each other and the zones are created accordingly.
From the CLI is can do a ping with the source IP of one loopback to the other loopback interface. So I assume that everything is setup as it should. There are only one rule in the policies at the moment (any to any), so that nothing is influencing the communication.
The BGP session never gets established. When I do a packet capture, On the packet capture I see the SYN, SYN ACk but never the ACK packet.
Any ideas???
Thanks for your help
09-20-2011 02:55 AM
I've done some further test/packet captures. Please see below the summary of these:
I’ve done a ping between the bgp peers during the capture (which is working).
On the receive capture I can see the TCP SYN & SYN ACK packet but the ACK packet is missing.
On the transmit capture, nothing at all
On the firewall capture I can only see SYN packets.
On the drop capture I see the SYN ACK packets
What I don't understand why some SYN ACK packets getting dropped
09-20-2011 07:29 AM
Just wanted to confirm, so you are doing BGP between two IP addresses in which each BGP peer resides on a difference VR, each VR is in difference Vsys on the same device, correct?
For checking the session are you inside the vsys to check the session? If you are in the vsys, have you checked by going into both the vsys to check the session? I would suggest to use the CLI to check the session.
Please let us know on the above.
Thanks
09-20-2011 09:12 AM
Hello,
yes you're right. I try to setup BGP between two IP addresses in which each BGP peer resides on a difference VR, each VR is in difference vsys on the same device.
I'm not sure what you mean by "in the vsys". I've done an overall capture and as well a capture per vsys. And the result remains the same for ech vsys.
If you can tell me how I can do a more precise debug using the CLI I'll really appreciate it.
Thanks in advance
09-20-2011 09:44 AM
Double check the Peer settings under Incoming Connections and Outgoing Connections. Make sure Remote Port and Local Port are set to 0 and Allow is checked on both.
Also, doublecheck the policy in both VSYS to make sure there aren't any cleanup rules that might be blocking intra-zone traffic.
Cheers,
Kelly
09-20-2011 09:52 AM
Hi,
peer settings are OK, allow is checked on both and ports are set to 0.
At the moment there is only one rule on each vsys any to any allow, so no cleanup rule.
Cheers
Michael
09-20-2011 10:17 AM
One more thing I wanted to confirm was are you using two ports to connect the two VR on the same device? If not then you will have to use two ports to connect the VR externally or this will not work. The two VR will need a physical interface to send out the packets.Do please let us know if this helps resolve the issue.
09-21-2011 02:02 AM
Hello,
I changed the setup accordingly. I've now configured two physical ports and used them to interconnect the VRs, but the result is the same.
I'm not sure if you're right that I've to use an external port to interconnect the VRs. We're running PAN OS 4.0.5 and in the release notes is written: "VR to VR Routing – Another virtual router can now be specified as the next hop when creating
static routes."
We already use another VR as next hop and as I mentioned at the beginning, some packets already routed correct between the VRs (icmp).
I think this is maybe a bug or BGP between VRs is not supported for any reason???
Michael
09-21-2011 07:21 AM
I've done this several times using external ports with BGP and OSPF. Inter-VR OSPF will definitely not work without the external ports, but it might be possible BGP would work without the external ports. I would try a clean setup first using external ports and the external port IP addresses as the BGP peering endpoints instead of the loopbacks.
Also, since you are running BGP to the loopbacks, I wonder if you are running into a TTL issue. I believe by default the eBGP peers are setup for only two hops. If you configure it for a higher number it might work since you are actually going over 3 hops using loopbacks on either side. If you are doing iBGP then this is probably not the issue as by default the TTL should be 254.
Cheers,
Kelly
09-21-2011 07:42 AM
Hello,
Thanks for your help.
I've removed today already the loopback interfaces and was using the external ports. It was as well not working.
I've BGP running with external routers without problems
I've setup the TTL to 5 just to make sure that I don't run into troubles with this.
I'll create two other VRs and try to configure them with external interfaces for testing.
Any other ideas?
Michael
09-23-2011 08:55 AM
Hello,
I´ve tried again to get this running. When I use external interfaces it´s working.
I´ve also tried to use iBGP, but it was not working.
Any explanations why it´s not working between two loopback interfaces?
Michael
09-24-2011 09:40 PM
Check to see if you have a multi-hop option on the PAN, If you do change the multie-hop to 2 on both sides, Then you should be able to do BGP to loopback. Hope this helps.
10-31-2011 06:44 AM
Hello,
sorry for the delay. I was out of office and realy busy with other topics. So I can't follow this up.
I've setup already the multi-hop to 2 and today I've done an upgrade to 4.0.7, but it doesn't work either.
Any other ideas to get this running?
Thx
11-02-2011 06:36 AM
Hello,
I've done some futher tests.
1. I've configured a second VR in a VSYS (same firewall) and tried to setup BGP between both VR within this VSYS, neither BGP and iBGP is working.
2. Two VR in two different VSYS (same firewall), neither BGP and iBGP is working.
3 BGP between two VR on two different firewalls, either iBGP and eBGP is working.
Is there any limitation on PANOS which prevents to have dynamic routing between VR?
Maybe there is another way to have the routing table of one VR redistributed to another VR?
Any help or idea is really welcome
Thanks
11-09-2011 12:26 AM
I would suggest that you open a support case with our Tech Support team. They should be able to answer your questions and test this in the lab.
Thanks,
Benjamin
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
