Issue Description:
The AR creates the BGP session from the Loopback IP instead of the physical IP.
Handling Process:
After discussing with a CSE colleague, we needed one remote session for troubleshooting.
Below is our remote session summary.
First, check that the configuration is OK.
acl name NAT_Gi0/0/8_0 3080
rule 10 deny ip source x.x.152.0 0.0.0.255
rule 15 deny ip source x.x.156.8 0.0.0.3
rule 20 deny ip source x.x.24.0 0.0.1.255
rule 30 permit ip
acl name NAT_Gi0/0/8_1 3081
rule 10 permit ip source x.x.24.0 0.0.1.255
acl name NAT_Gi0/0/9_0 3090
rule 10 deny ip source x.x.152.0 0.0.0.255
rule 20 deny ip source x.x.24.0 0.0.1.255
rule 30 permit ip
acl name NAT_Gi0/0/9_1 3091
rule 10 permit ip source x.x.24.0 0.0.1.255
interface GigabitEthernet0/0/8
description --ISP1-NTK--
ip address x.x.156.10 255.255.255.252
traffic-filter inbound acl name Internet_In
nat server protocol tcp global interface LoopBack 1 9012 inside x.x.25.241 9012
nat server protocol udp global interface LoopBack 1 9012 inside x.x.25.241 9012
nat server protocol udp global interface LoopBack 1 500 inside x.x.25.241 500
nat server protocol udp global interface LoopBack 1 4500 inside x.x.25.241 500
nat outbound 3081 interface LoopBack 1
nat outbound 3080 interface LoopBack 0
zone Internet
#
interface GigabitEthernet0/0/9
description --ISP2-RosTK--
ip address x.x.78.154 255.255.255.252
traffic-filter inbound acl name Internet_In
nat server protocol tcp global interface LoopBack 1 9012 inside x.x.25.241 9012
nat server protocol udp global interface LoopBack 1 9012 inside x.x.25.241 9012
nat server protocol udp global interface LoopBack 1 500 inside x.x.25.241 500
nat server protocol udp global interface LoopBack 1 4500 inside x.x.25.241 500
nat outbound 3091 interface LoopBack 1
nat outbound 3090 interface LoopBack 0
zone Internet
interface LoopBack0
description nat
ip address x.x.152.29 255.255.255.255
#
interface LoopBack1
description nat
ip address x.x.152.28 255.255.255.255
bgp 203xxx
router-id x.x.152.0
peer x.x.78.153 as-number 12389
peer x.x.78.153 description RosTK
peer x.x.78.153 connect-interface GigabitEthernet0/0/9
peer x.x.156.9 as-number 31200
peer x.x.156.9 description NTK
peer x.x.156.9 connect-interface GigabitEthernet0/0/8
#
Check the TCP status so that we can confirm which IP the AR uses to create the BGP session.
===============display tcp status===============
======================================================
TCPCB    Tid/Soid Local Add:port      Foreign Add:port     VPNID  State
37e672f4 7 /1     0.0.0.0:22          0.0.0.0:0            23553  Listening
37e66fec 51 /1    0.0.0.0:80          0.0.0.0:0            23553  Listening
37e663cc 204/1    0.0.0.0:179         x.x.78.153:0         0      Listening
37e669dc 204/4    0.0.0.0:179         x.x.156.9:0          0      Listening
37e67904 51 /2    0.0.0.0:443         0.0.0.0:0            23553  Listening
37e66ce4 204/198  x.x.78.154:179      x.x.78.153:51180     0      Established
37e666d4 7 /34    172.16.98.5:22      172.16.130.2:1901    0      Established
34e64f40 204/209  x.x.156.10:179      x.x.156.9:58097      0      Established
So far we confirmed that for the NTK ISP, if we remove rule 15 from ACL 3080, the AR uses the loopback IP to create the BGP peering. After that change RTK and NTK have the same configuration, yet RTK uses the physical IP to create its BGP session while NTK uses the loopback IP.
Root Cause:
After analyzing the log and discussing with a VRP expert, the root cause of this issue is as follows.
1. The behavior of port G0/0/8 is correct. If the router starts BGP first, the locally generated packet is translated in the outbound direction, so the BGP session is established using the loopback interface address. If the physical address is denied in the ACL, the AR uses the physical address regardless of whether the local side or the peer side starts the BGP session.
2. The reason G0/0/9 also uses the physical address to create the BGP session even though no deny rule was added is that the BGP session was initiated by the peer device. If the local side initiates first, the loopback IP address is used after NAT translation.
Solution:
If the customer wants to use the physical port address to establish the BGP session, deny the local physical address in the ACL referenced by the related nat outbound command.
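As an added illustration (not part of the case or of the AR software), the following Python models the decision described in the root cause: which source address the AR's BGP session is seen from, given the nat outbound ACL and which side initiates. The masked x.x. prefix is replaced by a constructed 10.0. prefix; the rules, addresses and direction logic come from the configuration and analysis above.

```python
import ipaddress
import re
PFX = "10.0"  # constructed stand-in for the masked "x.x." prefix in the case (assumption)

# ACL 3080 (bound to LoopBack0 on G0/0/8) as recorded above, masked prefix substituted.
ACL_3080 = f"""
rule 10 deny ip source {PFX}.152.0 0.0.0.255
rule 15 deny ip source {PFX}.156.8 0.0.0.3
rule 20 deny ip source {PFX}.24.0 0.0.1.255
rule 30 permit ip
"""
# ACL 3090 (bound to LoopBack0 on G0/0/9): the same rules, but without rule 15.
ACL_3090 = "\n".join(l for l in ACL_3080.splitlines() if not l.startswith("rule 15"))

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip(?: source (\S+) (\S+))?")

def parse_acl(text):
    """Return [(number, action, network, wildcard)] sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        num, action, net, wc = m.groups()
        rules.append((int(num), action, net, wc))
    return sorted(rules)

def wildcard_match(addr, net, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care', so 0.0.0.3 covers a /30."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(rules, src):
    """First matching rule wins; a rule with no source matches any; no match -> None."""
    for _, action, net, wc in rules:
        if net is None or wildcard_match(src, net, wc):
            return action
    return None

def bgp_source(phys_ip, loopback_ip, acl_text, initiator):
    """Source address of the AR's BGP session, following the root cause above: a
    peer-initiated session is answered from the physical address; a locally initiated
    one goes through nat outbound and is translated to the loopback only if the ACL permits."""
    if initiator == "peer":
        return phys_ip
    if acl_action(parse_acl(acl_text), phys_ip) == "permit":
        return loopback_ip
    return phys_ip
```

With rule 15 in place the physical address of G0/0/8 is denied and stays untranslated; without it, a locally initiated session to NTK is seen from LoopBack0, which is the behaviour observed in the case.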