Netgate Discussion Forum

    24.03 FRR has flapping BGP neighbors

    General pfSense Questions
    20 Posts 4 Posters 2.1k Views
      marcosm Netgate @michmoor

      @michmoor
      Indeed the other end can do whatever it wants. However, I've found that having routed on one and policy on the other is prone to config mistakes so I would not normally recommend that.

        stephenw10 Netgate Administrator

        Ha! Yup if you're looking for a bad time and confusing diagnosis try mixing route and policy based IPSec. 😉

          kabalah

          I'm having the same issue. In 23.09, VTI IPsec tunnels worked great with FRR/BGP; now they keep flapping. If I want to go back to 23.09, where would I get that image? Or, what is the fix, if there is one?

          jim

            stephenw10 Netgate Administrator

            If you're running ZFS you can just roll back the Boot Environment.

            The Net Installer can install a number of versions including 23.09.1.

            But you should first just try switching the State Interface Binding back to floating:
            https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-advanced-firewall-state-policy

              kabalah @stephenw10

              @stephenw10 Thanks! I rolled back and everything is working great... This is the first time I've had to do that.
              jim

                kabalah @stephenw10

                @stephenw10 So, how will I know it's OK to upgrade in the future? Will they have a release note about an FRR fix, possibly?

                jim

                  stephenw10 Netgate Administrator

                  Well that's why I suggested switching the state binding back to floating. If that allows BGP to come up correctly in 24.03 then the fix here is to add floating rules for the VTI tunnels (if you have those).
                  The state binding changed in 24.03 to make it more secure and that isn't likely to be changed back. The underlying issue with VTI interfaces is being looked at but until then you need floating state binding rules for it.

                    kabalah @stephenw10

                    @stephenw10 OK, I'll try a test on a non-production firewall :) When you say add floating rules, what exactly do you mean?

                    jim

                      stephenw10 Netgate Administrator

                      This: https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#ipsec-vti-filtering

                        kabalah @stephenw10

                        @stephenw10 The flapping only seems to happen when both ends are on 24.03. I'll keep testing with my dev firewalls.

                        jim

                          kabalah @michmoor

                          @michmoor Hi Mich, can you give more detail on what rules you created to allow BGP across the interfaces?
                          Thanks
                          jim

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.