FRR ver .2 BFD issues



  • I'm trying to establish BFD between a pair of pfSense firewalls running 2.4.2 and a pair of Cisco 6509-E running 15.1.2SY10.

    I have multiple established BFD sessions on the Ciscos; however, the BFD sessions to the firewall are down.

    The Cisco reports it's never receiving BFD packets:

    dsr01#sh bfd neighbors ipv4 172.26.8.28 details

    IPv4 Sessions
    NeighAddr                              LD/RD        RH/RS    State    Int
    172.26.8.28                            64/0          Down      Down      Vl710
    Session Host: Software
    OurAddr: 172.26.8.26
    Handle: 8
    Local Diag: 0, Demand mode: 0, Poll bit: 0
    MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
    Received MinRxInt: 0, Received Multiplier: 0
    Holddown (hits): 0(0), Hello (hits): 1000(1324)
    Rx Count: 0, Rx Interval (ms) min/max/avg: 0/0/0 last: -1 ms ago
    Tx Count: 1324, Tx Interval (ms) min/max/avg: 756/1000/879 last: 96 ms ago
    Elapsed time watermarks: 0 0 (last: 0)
    Registered protocols: BGP CEF
    Last packet: Version: 1                  - Diagnostic: 0
                State bit: AdminDown        - Demand bit: 0
                Poll bit: 0                - Final bit: 0
                C bit: 0
                Multiplier: 0              - Length: 0
                My Discr.: 0                - Your Discr.: 0
                Min tx interval: 0          - Min rx interval: 0
                Min Echo interval: 0

    I can confirm the firewall is not responding from tcpdump:

    [2.4.2-RELEASE][root@dmz01a]/root: tcpdump -i igb1.710 port 3784
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on igb1.710, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:20:28.571342 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:28.833961 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:29.387294 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:29.717941 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:30.239333 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:30.493940 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:31.039334 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:31.329987 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:31.927333 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:32.285957 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:32.855339 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:33.134001 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:33.667401 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:33.981981 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    18:20:34.431366 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
    ^C
    15 packets captured
    50 packets received by filter
    0 packets dropped by kernel

    Here is my config on firewall a:

    router bgp 64602
    bgp log-neighbor-changes
    neighbor VRF-RFC peer-group
    neighbor VRF-RFC remote-as 64602
    neighbor VRF-RFC bfd 3 750 750
    neighbor VRF-RFC update-source 172.26.8.28
    neighbor VRF-VPN.FMN peer-group
    neighbor VRF-VPN.FMN remote-as 64602
    neighbor VRF-VPN.FMN bfd 3 750 750
    neighbor VRF-VPN.FMN update-source 10.224.132.84
    neighbor 172.26.8.26 peer-group VRF-RFC
    neighbor 172.26.8.26 description dsr01 - RFC
    neighbor 172.26.8.27 peer-group VRF-RFC
    neighbor 172.26.8.27 description dsr02 - RFC
    neighbor 10.224.132.82 peer-group VRF-VPN.FMN
    neighbor 10.224.132.82 description dsr01 - VPN.FMN
    neighbor 10.224.132.83 peer-group VRF-VPN.FMN
    neighbor 10.224.132.83 description dsr02 - VPN.FMN
    !
    address-family ipv4 unicast
      network 172.26.0.0/16
      network 172.26.8.64/26
      network 172.26.8.128/26
      neighbor VRF-RFC next-hop-self
      neighbor VRF-RFC soft-reconfiguration inbound
      neighbor VRF-RFC route-map DSR_RFC_IN in
      neighbor VRF-RFC route-map DSR_RFC_OUT out
      neighbor VRF-VPN.FMN next-hop-self
      neighbor VRF-VPN.FMN soft-reconfiguration inbound
      neighbor VRF-VPN.FMN route-map DSR_VPN_FMN_IN in
      neighbor VRF-VPN.FMN route-map DSR_VPN_FMN_OUT out
    exit-address-family
    vnc defaults
      response-lifetime 3600
      exit-vnc
    !
    ip prefix-list DSR_RFC_IN seq 5 permit 172.16.0.0/12 le 32
    ip prefix-list DSR_RFC_OUT seq 5 permit 172.26.0.0/16 ge 24
    ip prefix-list DSR_VPN_FMN_IN seq 5 permit 10.0.0.0/8 le 32
    ip prefix-list DSR_VPN_FMN_OUT seq 5 permit 172.26.0.0/16
    !
    route-map DSR_VPN_FMN_IN permit 5
    match ip address prefix-list DSR_VPN_FMN_IN
    !
    route-map DSR_VPN_FMN_OUT permit 5
    match ip address prefix-list DSR_VPN_FMN_OUT
    set ip next-hop 10.224.132.86
    !
    route-map DSR_RFC_IN permit 5
    match ip address prefix-list DSR_RFC_IN
    !
    route-map DSR_RFC_OUT permit 5
    match ip address prefix-list DSR_RFC_OUT
    set ip next-hop 172.26.8.30

    Not sure why it's not sending BFD packets to the upstream routers.



  • In order for FRR to work with BFD you currently need PTMD.  This is planned to be fixed in a future release of FRR.
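
The one-way pattern in the capture from the first post can be checked mechanically. The following is an added example, not part of the original thread: it groups tcpdump BFD control lines by direction, reports sender/receiver pairs that never see a reply, and measures the sender's transmit interval. The function names are illustrative, and the sample lines are the first six lines of the capture above.

```python
import re
from collections import defaultdict

# First six lines of the tcpdump capture quoted in the thread.
CAPTURE = """\
18:20:28.571342 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:20:28.833961 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:20:29.387294 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:20:29.717941 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:20:30.239333 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:20:30.493940 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
"""

# Matches tcpdump's one-line summary of a single-hop BFD control packet (UDP/3784).
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.3784: BFDv1, Control, State (\w+),"
)


def parse(text):
    """Group BFD control packets by (source, destination) address pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # prompt lines, tcpdump banners, non-BFD traffic
        h, mi, s, src, _sport, dst, state = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        flows[(src, dst)].append((ts, state))
    return flows


def one_way_sessions(flows):
    """Return (src, dst) pairs with no packet seen in the reverse direction."""
    return sorted(pair for pair in flows if (pair[1], pair[0]) not in flows)


def mean_interval_ms(flows, pair):
    """Average gap between consecutive packets of one direction, in ms."""
    ts = [t for t, _ in flows[pair]]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return round(1000 * sum(gaps) / len(gaps)) if gaps else None


if __name__ == "__main__":
    flows = parse(CAPTURE)
    for src, dst in one_way_sessions(flows):
        print(f"{src} -> {dst}: {len(flows[(src, dst)])} sent, 0 replies, "
              f"avg interval {mean_interval_ms(flows, (src, dst))} ms")
```

Both Cisco peers show up as one-way senders here, which matches `Rx Count: 0` in the `sh bfd neighbors` output: the firewall receives the control packets but never transmits its own.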

