Blason_R
Leader

How to allow BGP port over VTI

Hi Team,

I have configured VTI tunnels with AWS and the tunnels are up; however, we have set up BGP between the peers, and in the log for port 179 it shows:

According to the policy the packet should not have been decrypted

So do I need to set a separate rule to allow TCP 179? Or is that allowed by default? Due to this my routing is not coming up.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Accepted Solutions
Blason_R
Leader

Yes, we will have to allow it, and I was using the wrong peer name, not the one configured in the dashboard. Plus, what I learned is that this rule should be above the stealth rule.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS


3 Replies
the_rock
Legend

I am pretty sure you would need to allow it, but one way to know 100% is to run this on the CP firewall while testing:

fw ctl zdebug + drop | grep 179

That would tell you if anything is being dropped on the port at the kernel level.
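
As an added example that is not the_rock's code or Check Point's, this small shell filter turns that debug output into a per-flow verdict for TCP/179, separating a policy drop (needs an explicit rule for TCP 179, placed above the stealth rule) from the "should not have been decrypted" VPN drop the question reports; the drop-line layout is an approximation of the gateway's format and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): classify TCP/179 drops
# seen in `fw ctl zdebug + drop` output. The line layout below is an
# approximation of the gateway's drop-debug format and the sample lines are
# constructed, so treat the field positions as an assumption.

# classify_bgp_drops: reads drop-debug lines on stdin and prints one line per
# TCP/179 drop as "<src> -> <dst> <class>", where class is
#   RULEBASE    - dropped by the security policy: an explicit rule for TCP 179
#                 between the BGP peers is needed, placed above the stealth rule
#   VPN_DECRYPT - "should not have been decrypted": route-based VPN with an
#                 encryption-domain / peer-object mismatch (Bob_Zimmerman's point)
#   OTHER       - any other drop reason on port 179
classify_bgp_drops() {
    awk '
        /fw_log_drop_ex:/ && /proto=6/ {
            # tokens: ... proto=6 SRC:PORT -> DST:PORT dropped by ... Reason: ...
            for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i-1); dst = $(i+1) }
            split(src, s, ":"); split(dst, d, ":")
            if (s[2] != "179" && d[2] != "179") next   # not BGP traffic
            if ($0 ~ /should not have been decrypted/) cls = "VPN_DECRYPT"
            else if ($0 ~ /Rulebase drop/)             cls = "RULEBASE"
            else                                       cls = "OTHER"
            printf "%s -> %s %s\n", src, dst, cls
        }
    '
}

# Constructed sample of what `fw ctl zdebug + drop | grep 179` might show:
# one policy drop, one VPN decrypt drop, and one unrelated UDP drop.
SAMPLE_DROPS=';[cpu_2];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.1:34567 -> 169.254.10.1:179 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 1;
;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 169.254.10.1:179 -> 10.1.1.1:34567 dropped by vpn_decrypt_chain Reason: According to the policy the packet should not have been decrypted;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 10.1.1.5:5353 -> 10.1.1.255:5353 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 9;'

# On a gateway you would pipe the live debug instead:
#   fw ctl zdebug + drop | classify_bgp_drops
printf '%s\n' "$SAMPLE_DROPS" | classify_bgp_drops
```

The UDP line is ignored; the two TCP/179 lines come out tagged RULEBASE and VPN_DECRYPT respectively.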

Bob_Zimmerman
Authority

That is the VPN equivalent of antispoofing. It generally happens when you are using a route-based VPN, but also have encryption domains set on the tunnel endpoints. Is the peer's encryption domain set to an empty group?
