Date:      Tue, 3 Jan 2012 09:07:56 +0200
From:      Nikolay Denev <ndenev@gmail.com>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <8F87C898-3290-41B9-ACDF-3558D7C28D74@gmail.com>
In-Reply-To: <4F027BC0.1080101@FreeBSD.org>
References:  <99A5FFD9-8815-4CCC-9868-FB2E3D799566@gridfury.com> <4F027BC0.1080101@FreeBSD.org>


On Jan 3, 2012, at 5:53 AM, Doug Barton wrote:

> We have a pair of physical FreeBSD systems configured as routers
> designed to operate in an active/standby CARP configuration. Everything
> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
> the two routers don't speak BGP to each other anymore. They both
> function fine individually, and failover works. It is only the openbgpd
> communication between them that's not flowing.
>
> They have OpenBGPd (openbgpd-4.9.20110612_1 from ports) installed.  The
> active router takes BGP full route feeds from our peers and *should*
> feed it to the standby router via a direct connection (crossover cable
> between physical em2 ports).
>
> The relative "bgpctl show" reports:
>
> 10.0.0.2           12345          0          0     0 Never    Active
>
> or
>
> 10.0.0.2           12345          0          0     0 Never    Connect
>
> The bgp daemon for the active server periodically reports:
>
> bgpd[6773]: neighbor 10.0.0.2: socket error: Operation timed out
>
> There is not a connectivity problem between the two hosts; ssh for
> example works fine.  Telnet'ing to the bgp port times out, even from the
> same machine.
>
> There is no firewall configured on that interface.
>
> TCP-MD5 is *not* configured on the bgpd side.  We did try enabling it
> (properly) between the two machines via /etc/ipsec.conf to see if it
> would make a difference, but that also had no effect on this problem.
>
> We've tried tcpdump, and both machines can clearly see the TCP SYN and
> SYN-ACK setup packets flowing in both directions, but the ACK packet
> never happens.  In netstat -an, the opening side gets:
>
> tcp4       0      0 10.0.0.2.16797     10.0.0.1.179      SYN_SENT
>
> and the receiving side gets:
>
> tcp4       0      0 10.0.0.1.179       10.0.0.2.16797    SYN_RCVD
>
> Just to make sure pf can't possibly be affecting this, right at the top
> of pf.conf on both machines:
>
> ##  Pass inter-router traffic
> pass quick on em2 from 10.0.0.2 to 10.0.0.1
> pass quick on em2 from 10.0.0.1 to 10.0.0.2
>
> This is sufficient because we can connect to bgpd with nc:
>
> $ nc -S 10.0.0.2 179
> ????????????????-??Z?^w?A??
>
> Produces:
>
> $ netstat -an | fgrep 10.0.0.2
> tcp4       0      0 10.0.0.1.25711     10.0.0.2.179      ESTABLISHED
>
> and
>
> $ netstat -an | fgrep 10.0.0.1
> tcp4       0      0 10.0.0.2.179      10.0.0.1.25711     ESTABLISHED
>
> So this appears to be some sort of weird problem specific to openbgpd
> and the updated kernel.
>
> At this point I'm at a loss as to how to proceed, so any suggestions on
> how to fix, or even debug this will be greatly appreciated.
>
>
> Doug
>

Since I've had a similar problem with Quagga after updating to 8.2-STABLE,
I'd suggest you try setting "net.inet.tcp.signature_verify_input=0" and see if
that helps.

Here is another thread about a similar (if not the same) problem:
http://groups.google.com/group/mailing.freebsd.bugs/browse_thread/thread/ea347a919dbc165d/eeaa2965fc4f64c9?show_docid=eeaa2965fc4f64c9&pli=1

Regards,
Nikolay
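
Added example (not part of the original message, and not code from FreeBSD or OpenBGPD): a Python check that pairs `netstat -an` output taken on both routers and flags the stall the quoted report describes, where the opener stays in SYN_SENT while the listener sits in SYN_RCVD, which means the opener's stack discarded the inbound SYN-ACK. The function names are hypothetical; the sample lines are the ones quoted above, plus one constructed LISTEN line.

```python
import re
from collections import namedtuple

Sock = namedtuple("Sock", "local remote state")

# FreeBSD `netstat -an` prints addresses as a.b.c.d.port (dot before the port).
LINE = re.compile(r"^tcp4\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Return a Sock for every tcp4 line; other lines are ignored."""
    return [Sock(*m.groups()) for m in
            (LINE.match(l.strip()) for l in text.splitlines()) if m]

def port(addr):
    """Port of an addr.port string, or None for wildcards such as '*.*'."""
    tail = addr.rsplit(".", 1)[-1]
    return int(tail) if tail.isdigit() else None

def stalled_handshakes(opener_out, listener_out, service_port=179):
    """Connections where SYN and SYN-ACK were exchanged but the opener never
    left SYN_SENT, i.e. it did not accept the listener's SYN-ACK."""
    # Index the listener's sockets by the opener's point of view.
    seen = {(s.remote, s.local): s.state for s in parse_netstat(listener_out)}
    stalled = []
    for s in parse_netstat(opener_out):
        if s.state != "SYN_SENT" or port(s.remote) != service_port:
            continue
        if seen.get((s.local, s.remote)) == "SYN_RCVD":
            stalled.append((s.local, s.remote))
    return stalled

# Lines quoted in the report (bgpd session attempt).
OPENER = "tcp4       0      0 10.0.0.2.16797     10.0.0.1.179      SYN_SENT"
LISTENER = (
    "tcp4       0      0 *.179              *.*               LISTEN\n"  # constructed
    "tcp4       0      0 10.0.0.1.179       10.0.0.2.16797    SYN_RCVD"
)
# Lines quoted in the report (manual `nc -S` connection, which completed).
NC_CLIENT = "tcp4       0      0 10.0.0.1.25711     10.0.0.2.179      ESTABLISHED"
NC_SERVER = "tcp4       0      0 10.0.0.2.179      10.0.0.1.25711     ESTABLISHED"

if __name__ == "__main__":
    for local, remote in stalled_handshakes(OPENER, LISTENER):
        print(f"stalled: {local} -> {remote} (SYN-ACK not accepted by opener)")
```

A hit from this check next to a working `nc -S` session points at per-segment input handling on the opener rather than at routing or pf, which is the area the `net.inet.tcp.signature_verify_input` sysctl suggested above controls. Setting that sysctl to 0 turns off verification of TCP-MD5 (RFC 2385) digests on inbound segments, so it belongs in the diagnosis as a test, not as the end state for sessions that rely on TCP-MD5.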


