Gaia Embedded Advanced Routing - BGP peering local-address issue

cezar_varlan1 — Wed, 27 Feb 2019 12:56:56 GMT

I have come across an odd bug and i am writing this in the hope others face the same issue.

On Gaia embedded devices it looks like you cannot have two BGP peers with the same remote-AS and different local addresses as the local-address is configured per "remote-as" statement and not per "peer" statement.

I have done a few hours of troubleshooting to find out why my 790 connected to the same ISP via two different interfaces but with the same remote-AS was having one BGP session go Idle when adding the second BGP peer.

It looks like when checking the config file /etc/routed0.conf file on the gaia embedded expert mode you can see that both peers are grouped in the same peer-group even if there is no peer-group specifically configured based on the fact that they have the same remote-as. Because in my case the connections are made via different interfaces but with the same remote-as , the fact that the whole peer group is configured with the same "local address" makes the remote router on one of the connections refuse my session with a "wrong authentication" message.

If i issue a command set bgp remote-as "AS_NUM" local-address with the correct address the Idle connection becomes Established and the former established one goes Idle with the same error.

Does anyone know of a fix for this or if this is a well known limitation?

I have opened a SR for this and i am currently waiting for feedback.

Possible workarounds i have proposed:

1. Use "LAN Network Public IP" as local-address and ask the ISP to allow multi-hop BGP and create both sessions from the same LAN interface. This would work as the local-address is the same for both sessions.

2. Use a "Transitory Private AS" number and ask the ISP to change one of the peerings to use this AS instead of their real AS.

3. Use an external router for BGP peering, and use the Check Point just as a firewall.

4. Replace the Check Point with a Security Device that supports proper BGP implementation.

5. Wait for Check Point support to provide a hotfix (that would have to be updated for each new OS version from now on).

Re: Gaia Embedded Advanced Routing - BGP peering local-address issue

G_W_Albrecht — Wed, 27 Feb 2019 15:19:51 GMT

Please change the place of this post to SMB and SMP - this is not a general question ! The only BGP limitation in sk105380 is that BGP MD5 is not supported - but SMBs are flash-based units with only a subset of GAiA features.

Re: Gaia Embedded Advanced Routing - BGP peering local-address issue

G_W_Albrecht — Fri, 01 Mar 2019 09:27:38 GMT

Did you receive any feedback from TAC yet ?

Re: Gaia Embedded Advanced Routing - BGP peering local-address issue

cezar_varlan1 — Fri, 01 Mar 2019 09:54:49 GMT

For now they have not confirmed or denied my assumptions but the engineer has noted that he has forwarded this to R&D and that has noticed my post here as well.

topic Re: Gaia Embedded Advanced Routing - BGP peering local-address issue in Spark Firewall (SMB)

Gaia Embedded Advanced Routing - BGP peering local-address issue

Re: Gaia Embedded Advanced Routing - BGP peering local-address issue

Re: Gaia Embedded Advanced Routing - BGP peering local-address issue

Re: Gaia Embedded Advanced Routing - BGP peering local-address issue