February 11, 2012

Is it me or is BGP authentication flaky through a PIX?

This morning I'm working on a task that requires BGP to be authenticated between 2 routers with a PIX in the middle. I know the big thing here is to make sure that you don't strip TCP option 19 and that you disable random sequence numbering. Well, that's what I did: the neighbor is actually peered up, but for some reason I'm getting "TCP-6-BADAUTH" messages on the inside router.

Take a look at the PIX config here:

access-list BGP extended permit tcp any eq bgp any
access-list BGP extended permit tcp any any eq bgp
tcp-map BGP
  tcp-options range 19 19 allow
!
class-map BGP
 match access-list BGP
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class BGP
  set connection random-sequence-number disable
  set connection advanced-options BGP

Now when I do a show conn I can see a connection:
Rack2PIX(config)# sh conn
5 in use, 7 most used
TCP out 150.2.6.6:28321 in 150.2.2.2:179 idle 0:00:02 bytes 1117 flags UIOB
Rack2PIX(config)#
If I look at the routers, both show the peer up:
Rack2R6#sh ip bgp summ
BGP router identifier 150.2.6.6, local AS number 100
BGP table version is 11, main routing table version 11
10 network entries using 1170 bytes of memory
10 path entries using 520 bytes of memory
5/4 BGP path/bestpath attribute entries using 620 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2382 total bytes of memory
BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
54.2.2.254      4    54     753     749       11    0    0 00:23:51        8
150.2.2.2       4   100      80      88       11    0    0 00:23:03        0
Rack2R6#


Rack2R2#sh ip bgp summ
BGP router identifier 150.2.2.2, local AS number 100
BGP table version is 9, main routing table version 9
8 network entries using 808 bytes of memory
8 path entries using 384 bytes of memory
2 BGP path attribute entries using 120 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1360 total bytes of memory
BGP activity 32/24 prefixes, 32/24 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
150.2.1.1       4   100     751     767        9    0    0 00:23:59        0
150.2.3.3       4   100     748     764        9    0    0 00:23:56        0
150.2.4.4       4   100     745     762        9    0    0 00:23:58        0
150.2.6.6       4   100      84      89        9    0    0 00:24:03        8
150.2.7.7       4   100     744     762        9    0    0 00:24:00        0
Rack2R2#

Yet with all this I still see on R2:
Rack2R2#
*Mar  1 12:18:30.356: %TCP-6-BADAUTH: No MD5 digest from 150.2.6.6(22083) to 150.2.2.2(179)
Rack2R2#
*Mar  1 12:19:11.411: %TCP-6-BADAUTH: No MD5 digest from 150.2.6.6(22083) to 150.2.2.2(179)
Anyone know what's going on here?
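As an added example (not from the original post), here is the check a receiving router performs on each segment, written out in Python: parse the TCP options, look for kind 19, and verify the RFC 2385 MD5 digest; a segment that arrives without the option is exactly the "No MD5 digest" case behind %TCP-6-BADAUTH. The KEEPALIVE payload, the key and the constructed segments are assumptions for the demonstration, not captures from this lab; fed with headers from a capture on each side of the PIX, it shows whether option 19 survives the firewall.

```python
import hashlib
import socket
import struct

TCP_OPT_MD5 = 19  # RFC 2385 TCP MD5 Signature option: kind 19, length 18

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: value} for the options carried in a TCP header (NOP/EOL handled)."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    found, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List
            break
        if kind == 1:  # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break  # malformed option: stop rather than loop forever
        length = opts[i + 1]
        found[kind] = opts[i + 2:i + length]
        i += length
    return found

def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 per RFC 2385 s.2: pseudo-header, fixed header (checksum zeroed, options excluded), data, key."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def check_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Receiver's verdict: 'OK', 'BAD_DIGEST', or 'NO_MD5_DIGEST' (the %TCP-6-BADAUTH 'No MD5 digest' case)."""
    opts = parse_tcp_options(tcp_header)
    if TCP_OPT_MD5 not in opts:
        return "NO_MD5_DIGEST"
    if opts[TCP_OPT_MD5] != rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
        return "BAD_DIGEST"
    return "OK"

def build_segment(src_ip, dst_ip, sport, dport, payload, key=None):
    """Constructed test segment: fixed header (checksum left 0) plus, if a key is given, option 19 padded with two NOPs."""
    options = b"" if key is None else bytes([TCP_OPT_MD5, 18]) + bytes(16) + b"\x01\x01"
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, data_offset << 4, 0x18, 8192, 0, 0) + options
    if key is not None:  # the digest does not cover the option bytes, so it can be filled in afterwards
        header = header[:22] + rfc2385_digest(src_ip, dst_ip, header, payload, key) + header[38:]
    return header
```

A middlebox that "clears" option 19 usually overwrites it with NOPs rather than shortening the header, so parse_tcp_options deliberately walks NOPs and returns an empty map for such a segment.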
