From: Nikolay Denev
Date: Tue, 3 Jan 2012 09:07:56 +0200
To: Doug Barton
Cc: freebsd-net@freebsd.org
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade

On Jan 3, 2012, at 5:53 AM, Doug Barton wrote:

> We have a pair of physical FreeBSD systems configured as routers
> designed to operate in an active/standby CARP configuration. Everything
> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
> the two routers don't speak BGP to each other anymore. They both
> function fine individually, and failover works. It is only the openbgpd
> communication between them that's not flowing.
>
> They have OpenBGPd (openbgpd-4.9.20110612_1 from ports) installed. The
> active router takes BGP full route feeds from our peers and *should*
> feed it to the standby router via a direct connection (crossover cable
> between physical em2 ports).
>
> The relative "bgpctl show" reports:
>
> 10.0.0.2 12345 0 0 0 Never Active
>
> or
>
> 10.0.0.2 12345 0 0 0 Never Connect
>
> The bgp daemon for the active server periodically reports:
>
> bgpd[6773]: neighbor 10.0.0.2: socket error: Operation timed out
>
> There is not a connectivity problem between the two hosts; ssh for
> example works fine. Telnet'ing to the bgp port times out, even from the
> same machine.
>
> There is no firewall configured on that interface.
>
> TCP-MD5 is *not* configured on the bgpd side. We did try enabling it
> (properly) between the two machines via /etc/ipsec.conf to see if it
> would make a difference, but that also had no effect on this problem.
>
> We've tried tcpdump, and both machines can clearly see the TCP SYN and
> SYN-ACK setup packets flowing in both directions, but the ACK packet
> never happens.
> In netstat -an, the opening side gets:
>
> tcp4 0 0 10.0.0.2.16797 10.0.0.1.179 SYN_SENT
>
> and the receiving side gets:
>
> tcp4 0 0 10.0.0.1.179 10.0.0.2.16797 SYN_RCVD
>
> Just to make sure pf can't possibly be affecting this, right at the top
> of pf.conf on both machines:
>
> ## Pass inter-router traffic
> pass quick on em2 from 10.0.0.2 to 10.0.0.1
> pass quick on em2 from 10.0.0.1 to 10.0.0.2
>
> This is sufficient because we can connect to bgpd with nc:
>
> $ nc -S 10.0.0.2 179
> ????????????????-??Z?^w?A??
>
> Produces:
>
> $ netstat -an | fgrep 10.0.0.2
> tcp4 0 0 10.0.0.1.25711 10.0.0.2.179 ESTABLISHED
>
> and
>
> $ netstat -an | fgrep 10.0.0.1
> tcp4 0 0 10.0.0.2.179 10.0.0.1.25711 ESTABLISHED
>
> So this appears to be some sort of weird problem specific to openbgpd
> and the updated kernel.
>
> At this point I'm at a loss as to how to proceed, so any suggestions on
> how to fix, or even debug this will be greatly appreciated.
>
>
> Doug
>

Since I've had a similar problem with Quagga after updating to 8.2-STABLE,
I'd suggest you try setting "net.inet.tcp.signature_verify_input=0" and see if
that would help.

Here is another thread about a similar (if not the same) problem:

http://groups.google.com/group/mailing.freebsd.bugs/browse_thread/thread/ea347a919dbc165d/eeaa2965fc4f64c9?show_docid=eeaa2965fc4f64c9&pli=1

Regards,
Nikolay
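
The symptom in the quoted report (opener stuck in SYN_SENT while the peer holds the mirrored socket in SYN_RCVD) can be picked out of `netstat -an` output collected on both routers. This is an added example, not part of the original messages; the function names are hypothetical and the sample lines are constructed from the addresses quoted above.

```python
import re

# Constructed sample `netstat -an` output, modelled on the lines quoted in the report.
ROUTER_A = """\
tcp4       0      0 10.0.0.1.179       10.0.0.2.16797     SYN_RCVD
tcp4       0      0 10.0.0.1.22        10.0.0.2.50111     ESTABLISHED
tcp4       0      0 *.179              *.*                LISTEN
"""
ROUTER_B = """\
tcp4       0      0 10.0.0.2.16797     10.0.0.1.179       SYN_SENT
tcp4       0      0 10.0.0.2.50111     10.0.0.1.22        ESTABLISHED
"""

# BSD netstat prints addresses as host.port: proto recv-q send-q local remote state
LINE = re.compile(r"^tcp[46]*\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse(netstat_text):
    """Return {(local, remote): state} for the TCP sockets in the output."""
    socks = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            local, remote, state = m.groups()
            socks[(local, remote)] = state
    return socks


def stalled_handshakes(opener_text, listener_text, port=179):
    """Connections to `port` where the listener answered the SYN (SYN_RCVD)
    but the opener is still in SYN_SENT, i.e. it never acted on the SYN-ACK."""
    opener, listener = parse(opener_text), parse(listener_text)
    hits = []
    for (local, remote), state in opener.items():
        if state != "SYN_SENT" or not remote.endswith("." + str(port)):
            continue
        # The listener sees the same connection with the endpoints swapped.
        if listener.get((remote, local)) == "SYN_RCVD":
            hits.append((local, remote))
    return hits


if __name__ == "__main__":
    for local, remote in stalled_handshakes(ROUTER_B, ROUTER_A):
        print("stalled handshake:", local, "->", remote)
```

On FreeBSD the sysctl suggested above controls verification of RFC 2385 (TCP-MD5) digests on inbound segments, so setting it to 0 as a workaround also removes that check for any session that relies on it.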