Blason_R
Advisor

How to allow BGP port over VTI


Hi Team,

 

I have configured VTI tunnels with AWS and the tunnels are up; however, we have set up BGP between the peers, and in the log for port 179 it shows:

According to the policy the packet should not have been decrypted

So do I need to set a separate rule to allow TCP 179? Or is that allowed by default? Due to this, my routing is not coming up.

0 Kudos
1 Solution

Accepted Solutions
Blason_R
Advisor

Yes, we will have to allow it, and I was using a wrong peer name rather than the one configured in the dashboard. Plus, what I learned is that this rule should be above the stealth rule.


3 Replies
the_rock
Mentor

I am pretty sure you would need to allow it, but one way to know 100% is to run this on the CP firewall while testing:

 

fw ctl zdebug + drop | grep 179

 

That would tell you if anything is being dropped on that port at the kernel level.

0 Kudos
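The diagnostic above, as an added example that is not part of the original post: a small POSIX shell filter over saved `fw ctl zdebug + drop` output that matches the port field itself (a bare `grep 179` also hits addresses such as 10.179.x.x) and prints source, destination and drop reason. The drop-line layout of the constructed sample lines, the interface name and the rule number are assumptions; adjust the patterns if your gateway's wording differs.

```shell
#!/bin/sh
# Added example, not from the thread. Filters saved `fw ctl zdebug + drop`
# output for drops involving a given TCP/UDP port.
# Assumed line shape (constructed for this example):
#   ... Packet proceeds from (SRC:PORT) to (DST:PORT) on interface X ... Reason: TEXT;

# Match "(addr:PORT)" so that only the port field counts, not any "179"
# that happens to appear inside an IP address or a counter.
drops_for_port() {
    port="$1"
    grep -E "\(([0-9.]+):${port}\)" \
    | sed -E 's/.*from \(([^)]+)\) to \(([^)]+)\).*Reason: ([^;]+).*/\1 -> \2 | \3/'
}

# Number of drop lines touching the port (0 means the kernel is not dropping it).
count_drops_for_port() {
    drops_for_port "$1" | wc -l | tr -d ' '
}

# Constructed sample: two BGP drops on the VTI, plus one unrelated drop whose
# source address contains "179" and must NOT be counted.
SAMPLE=';[cpu_0];[fw4_0];fw_log_drop_ex: Packet proceeds from (169.254.10.2:41255) to (169.254.10.1:179) on interface vpnt1 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proceeds from (10.179.0.5:51000) to (10.20.0.7:22) on interface eth0 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proceeds from (169.254.10.1:179) to (169.254.10.2:41255) on interface vpnt1 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;'

# Usage on a live gateway would be:  fw ctl zdebug + drop | drops_for_port 179
printf '%s\n' "$SAMPLE" | drops_for_port 179
printf 'BGP drops: %s\n' "$(printf '%s\n' "$SAMPLE" | count_drops_for_port 179)"
```

Seeing "Rulebase drop" here confirms an access rule (for example the stealth rule) is what needs adjusting, whereas an empty result points at the VPN community or encryption domain instead.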
Bob_Zimmerman
Advisor

That is the VPN equivalent of antispoofing. It generally happens when you are using a route-based VPN, but also have encryption domains set on the tunnel endpoints. Is the peer's encryption domain set to an empty group?

0 Kudos