Netgate Discussion Forum

    FRR ver .2 BFD issues

    rhwendt

      I'm trying to establish BFD between a pair of pfSense firewalls running 2.4.2 and a pair of Cisco 6509-e running 15.1.2SY10.

      I have multiple established BFD sessions on the Ciscos; however, the BFD sessions to the firewall are down.

      The Cisco reports it's never receiving BFD packets:

      dsr01#sh bfd neighbors ipv4 172.26.8.28 details

      IPv4 Sessions
      NeighAddr                              LD/RD        RH/RS    State    Int
      172.26.8.28                            64/0          Down      Down      Vl710
      Session Host: Software
      OurAddr: 172.26.8.26
      Handle: 8
      Local Diag: 0, Demand mode: 0, Poll bit: 0
      MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
      Received MinRxInt: 0, Received Multiplier: 0
      Holddown (hits): 0(0), Hello (hits): 1000(1324)
      Rx Count: 0, Rx Interval (ms) min/max/avg: 0/0/0 last: -1 ms ago
      Tx Count: 1324, Tx Interval (ms) min/max/avg: 756/1000/879 last: 96 ms ago
      Elapsed time watermarks: 0 0 (last: 0)
      Registered protocols: BGP CEF
      Last packet: Version: 1                  - Diagnostic: 0
                  State bit: AdminDown        - Demand bit: 0
                  Poll bit: 0                - Final bit: 0
                  C bit: 0
                  Multiplier: 0              - Length: 0
                  My Discr.: 0                - Your Discr.: 0
                  Min tx interval: 0          - Min rx interval: 0
                  Min Echo interval: 0

      I can confirm the firewall is not responding from tcpdump:

      [2.4.2-RELEASE][root@dmz01a]/root: tcpdump -i igb1.710 port 3784
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on igb1.710, link-type EN10MB (Ethernet), capture size 262144 bytes
      18:20:28.571342 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:28.833961 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:29.387294 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:29.717941 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:30.239333 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:30.493940 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:31.039334 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:31.329987 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:31.927333 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:32.285957 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:32.855339 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:33.134001 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:33.667401 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:33.981981 IP 172.26.8.27.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      18:20:34.431366 IP 172.26.8.26.49152 > 172.26.8.28.3784: BFDv1, Control, State Down, Flags: [none], length: 24
      ^C
      15 packets captured
      50 packets received by filter
      0 packets dropped by kernel

      Here is my config on firewall a:

      router bgp 64602
      bgp log-neighbor-changes
      neighbor VRF-RFC peer-group
      neighbor VRF-RFC remote-as 64602
      neighbor VRF-RFC bfd 3 750 750
      neighbor VRF-RFC update-source 172.26.8.28
      neighbor VRF-VPN.FMN peer-group
      neighbor VRF-VPN.FMN remote-as 64602
      neighbor VRF-VPN.FMN bfd 3 750 750
      neighbor VRF-VPN.FMN update-source 10.224.132.84
      neighbor 172.26.8.26 peer-group VRF-RFC
      neighbor 172.26.8.26 description dsr01 - RFC
      neighbor 172.26.8.27 peer-group VRF-RFC
      neighbor 172.26.8.27 description dsr02 - RFC
      neighbor 10.224.132.82 peer-group VRF-VPN.FMN
      neighbor 10.224.132.82 description dsr01 - VPN.FMN
      neighbor 10.224.132.83 peer-group VRF-VPN.FMN
      neighbor 10.224.132.83 description dsr02 - VPN.FMN
      !
      address-family ipv4 unicast
        network 172.26.0.0/16
        network 172.26.8.64/26
        network 172.26.8.128/26
        neighbor VRF-RFC next-hop-self
        neighbor VRF-RFC soft-reconfiguration inbound
        neighbor VRF-RFC route-map DSR_RFC_IN in
        neighbor VRF-RFC route-map DSR_RFC_OUT out
        neighbor VRF-VPN.FMN next-hop-self
        neighbor VRF-VPN.FMN soft-reconfiguration inbound
        neighbor VRF-VPN.FMN route-map DSR_VPN_FMN_IN in
        neighbor VRF-VPN.FMN route-map DSR_VPN_FMN_OUT out
      exit-address-family
      vnc defaults
        response-lifetime 3600
        exit-vnc
      !
      ip prefix-list DSR_RFC_IN seq 5 permit 172.16.0.0/12 le 32
      ip prefix-list DSR_RFC_OUT seq 5 permit 172.26.0.0/16 ge 24
      ip prefix-list DSR_VPN_FMN_IN seq 5 permit 10.0.0.0/8 le 32
      ip prefix-list DSR_VPN_FMN_OUT seq 5 permit 172.26.0.0/16
      !
      route-map DSR_VPN_FMN_IN permit 5
      match ip address prefix-list DSR_VPN_FMN_IN
      !
      route-map DSR_VPN_FMN_OUT permit 5
      match ip address prefix-list DSR_VPN_FMN_OUT
      set ip next-hop 10.224.132.86
      !
      route-map DSR_RFC_IN permit 5
      match ip address prefix-list DSR_RFC_IN
      !
      route-map DSR_RFC_OUT permit 5
      match ip address prefix-list DSR_RFC_OUT
      set ip next-hop 172.26.8.30

      Not sure why it's not sending BFD packets to the upstream routers.

      donaldsharp

        In order for FRR to work with BFD you currently need PTMD.  This is planned to be fixed in a future release of FRR.

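The one-way pattern in the tcpdump capture in this thread (control packets arriving on UDP 3784, none leaving) can be checked mechanically. The following is an added example, not part of either post: the function names are hypothetical, and the sample lines are constructed in the capture's format using documentation addresses.

```python
import re
from collections import defaultdict

# tcpdump's one-line BFD control format, as seen in the capture in the thread.
BFD_LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"BFDv(?P<ver>\d), Control, State (?P<state>\w+)"
)

# Constructed sample: peer 192.0.2.1 gets no replies, peer 192.0.2.2 does.
SAMPLE = """\
18:20:28.571342 IP 192.0.2.1.49152 > 192.0.2.10.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:20:28.833961 IP 192.0.2.2.49152 > 192.0.2.10.3784: BFDv1, Control, State Up, Flags: [none], length: 24
18:20:28.900112 IP 192.0.2.10.49153 > 192.0.2.2.3784: BFDv1, Control, State Up, Flags: [none], length: 24
18:20:29.387294 IP 192.0.2.1.49152 > 192.0.2.10.3784: BFDv1, Control, State Down, Flags: [none], length: 24
"""

def bfd_direction_summary(capture_text, local_addr):
    """Per peer: control packets received (rx), sent (tx), and last states seen."""
    peers = defaultdict(
        lambda: {"rx": 0, "tx": 0, "peer_state": None, "local_state": None}
    )
    for line in capture_text.splitlines():
        m = BFD_LINE.search(line)
        if not m or m["dport"] != "3784":  # single-hop BFD control port
            continue
        if m["dst"] == local_addr:
            entry = peers[m["src"]]
            entry["rx"] += 1
            entry["peer_state"] = m["state"]
        elif m["src"] == local_addr:
            entry = peers[m["dst"]]
            entry["tx"] += 1
            entry["local_state"] = m["state"]
    return dict(peers)

def silent_local_peers(summary):
    """Peers that send control packets to us but never receive one back."""
    return sorted(p for p, c in summary.items() if c["rx"] > 0 and c["tx"] == 0)

if __name__ == "__main__":
    summary = bfd_direction_summary(SAMPLE, "192.0.2.10")
    for peer in silent_local_peers(summary):
        print(f"{peer}: rx={summary[peer]['rx']} tx=0, local BFD is not transmitting")
```

A peer listed by `silent_local_peers` means the local side is not transmitting BFD control packets at all, which is a different fault from timer or discriminator mismatches where packets flow in both directions.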