These are chat archives for Exa-Networks/exabgp

6th Mar 2015
sanjmonkey
@sanjmonkey
Mar 06 2015 13:18
Hi all - me again! My struggle continues, though this time I feel it is more of a kernel problem. Situation: running Ubuntu trusty (14.04) with a neighbor configured as passive, and with md5. Session comes in from the active side and exa doesn't see it and so no SYN ACK. Passive side listens and is bound correctly. tcpdump confirms MD5 is valid... I thought this should be native to the OS? Looked at the setkey tcp-md5 option, but I believe it's only for FreeBSD. Other packets with tcp md5 look to be handled correctly in other applications (eg netcat etc).
Anyone have a successful passive, md5 configuration on Trusty they can share their experiences with?!
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:33
ok
perform a "netstat -ntpl"
it should show ExaBGP listening on port 179
sanjmonkey
@sanjmonkey
Mar 06 2015 13:34
netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 923/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 19937/exim4
tcp 0 0 0.0.0.0:179 0.0.0.0:* LISTEN 8016/python2.7
tcp6 0 0 :::22 :::* LISTEN 923/sshd
tcp6 0 0 :::25 :::* LISTEN 19937/exim4
tcp6 0 0 :::443 :::* LISTEN 12378/apache2
tcp6 0 0 :::80 :::* LISTEN 12378/apache2
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:34
ok so it is listening.
can you run:
ngrep -p '' -d any port 179
sorry
ngrep -p -d any '' port 179
(two single quotes)
it should show you the attempt to connect to port 179
if nothing, then try with tcpdump
tcpdump -p -i any '' port 179
if all you see are the SYN messages, it is likely to be a firewall issue
tcpdump shows packets BEFORE the firewall is applied
For md5
just use in the neighbor configuration side :smile:
md5 "mysecret password"
;
the TCP session will not come up if the MD5 does not match
sanjmonkey
@sanjmonkey
Mar 06 2015 13:37
ok, ngrep shows nothing:
ngrep -p -d any '' port 179
interface: any
filter: (ip or ip6) and ( port 179 )
match: ''
#
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:38
That said we had an MD5 bug for quite some time - so I assume a recent ExaBGP
sanjmonkey
@sanjmonkey
Mar 06 2015 13:38
tcpdump shows syn only:
13:36:05.747428 IP (tos 0x0, ttl 50, id 55128, offset 0, flags [DF], proto TCP (6), length 72)
<x.x.x.x>.33323 > <y.y.y.y>.179: Flags [S], cksum 0xa664 (correct), seq 3429751382, win 14600, options [nop,nop,md5valid,mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
13:36:06.745934 IP (tos 0x0, ttl 50, id 55129, offset 0, flags [DF], proto TCP (6), length 72)
<x.x.x.x>.33323 > <y.y.y.y>.179: Flags [S], cksum 0xa664 (correct), seq 3429751382, win 14600, options [nop,nop,md5valid,mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
13:36:08.746672 IP (tos 0x0, ttl 50, id 55130, offset 0, flags [DF], proto TCP (6), length 72)
<x.x.x.x>.33323 > <y.y.y.y>.179: Flags [S], cksum 0xa664 (correct), seq 3429751382, win 14600, options [nop,nop,md5valid,mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
exa ver: 3.4.7
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:38
Ok - bug fixed in 3.4.4
looking
sanjmonkey
@sanjmonkey
Mar 06 2015 13:38
firewall:

iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Thomas Mangin
@thomas-mangin
Mar 06 2015 13:39
.. Can you show me the conf?
private mail if you want
sanjmonkey
@sanjmonkey
Mar 06 2015 13:40
on its way!
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:42
still not here .. lost on the tinterweb ? ...
sanjmonkey
@sanjmonkey
Mar 06 2015 13:42
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:42
just got it !
sanjmonkey
@sanjmonkey
Mar 06 2015 13:42
:)
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:43
ok - your peer is also using ExaBGP .. so I can lab on my laptop to see if I have an ExaBGP - ExaBGP issue :package:
I am on the ML :smile:
sanjmonkey
@sanjmonkey
Mar 06 2015 13:44
yes indeed they are. I thought you would like that :P they are 3.4.8
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:44
Yes spoke with J. following the issue
Let me try to see if I can have a back to back config with what you sent me on my Linux VM
sanjmonkey
@sanjmonkey
Mar 06 2015 13:45
ok. i have a 14.04 lab box i can give you access to if you send me source IP
(PM / mail me)
Thomas Mangin
@thomas-mangin
Mar 06 2015 13:46
Ok - thanks - let me try on my laptop first - give me 30 minutes - good luck I am on my lunch break :wink:
sanjmonkey
@sanjmonkey
Mar 06 2015 13:47
bon appetit !
Thomas Mangin
@thomas-mangin
Mar 06 2015 14:02
bugger found one issue and one weirdness ...
sigh !
thomas-mangin @thomas-mangin is silly ..
sanjmonkey
@sanjmonkey
Mar 06 2015 14:06
tell me more :)
i like weirdness
Thomas Mangin
@thomas-mangin
Mar 06 2015 14:06
IP setup issue in the lab ..
sanjmonkey
@sanjmonkey
Mar 06 2015 14:06
ah
Thomas Mangin
@thomas-mangin
Mar 06 2015 14:14
Ok - I can reproduce the problem
so there is indeed an issue :-(
sanjmonkey
@sanjmonkey
Mar 06 2015 14:15
ah ok…. /me feels his sanity is coming back!
do you think it's OS specific? as it looked like tcp md5 packets weren't making it through to the socket
Thomas Mangin
@thomas-mangin
Mar 06 2015 14:48
Yes MD5 on linux does not work as should .. not sure if it is sending, receiving or both
hopefully not both
AFAIK connecting was fine .. but I may have been mistaken
Thomas Mangin
@thomas-mangin
Mar 06 2015 16:16
back on the issue ..
sanjmonkey
@sanjmonkey
Mar 06 2015 16:24
i tried two 3.4.8 clients on 14.04 boxes with MD5 (not passive) and can see sending MD5 looks to work, but receive doesn't - so the session never establishes.
if that's any help :)
Thomas Mangin
@thomas-mangin
Mar 06 2015 16:39
found the issue - it is a missing feature for MD5 listening
sanjmonkey
@sanjmonkey
Mar 06 2015 16:43
great news! thanks for looking at it Thomas.
Thomas Mangin
@thomas-mangin
Mar 06 2015 16:50
I need to add the feature .. doing it now
Thomas Mangin
@thomas-mangin
Mar 06 2015 18:09
going to be a week-end job
sanjmonkey
@sanjmonkey
Mar 06 2015 18:10
not straightforward? don't lose sleep over it (or a weekend!). Speak soon
Thomas Mangin
@thomas-mangin
Mar 06 2015 18:49
Just taking the time it takes.
Thomas Mangin
@thomas-mangin
Mar 06 2015 20:59
I have a patch working with MD5 .. but I am not happy as I am forced to read the configuration file as root to know the MD5, then needed when binding (which requires root for port < 1024)
Thomas Mangin
@thomas-mangin
Mar 06 2015 21:11
Unless someone tells me how to avoid it ( I can not think of any way ) I am pushing the patch
sanjmonkey
@sanjmonkey
Mar 06 2015 21:13
you need something similar to setcap ?
Thomas Mangin
@thomas-mangin
Mar 06 2015 21:29
I am not using capabilities
so I am stuck but yes it would be the long and correct way - thank you for reminding me
finishing the patch ..
should be done soon
As long as the nice pear liqueur is not too harmful to my coding :wink2:
sanjmonkey
@sanjmonkey
Mar 06 2015 21:32
:+1:
Thomas Mangin
@thomas-mangin
Mar 06 2015 21:48
Ok - the patch is ready but it comes with a price attached :grin:
documentation for the MD5 and the new per-peer "listen" which allows setting per-peer MD5
sanjmonkey
@sanjmonkey
Mar 06 2015 21:49
a bottle of pear liqueur ?
Thomas Mangin
@thomas-mangin
Mar 06 2015 21:49
LOL - no - that’s ok still plenty left
@sanjmonkey can I please have your full name for the changelog ?
sanjmonkey
@sanjmonkey
Mar 06 2015 21:52
sure, Sandy Breeze
Thomas Mangin
@thomas-mangin
Mar 06 2015 21:52
Thanks - I only remembered your first name
sanjmonkey
@sanjmonkey
Mar 06 2015 21:53
np!
Thomas Mangin
@thomas-mangin
Mar 06 2015 21:53
pushed to my tree - as soon as CI reports all fine - pushing to main repo
done
sanjmonkey
@sanjmonkey
Mar 06 2015 21:55
cloning!
Thomas Mangin
@thomas-mangin
Mar 06 2015 21:56
You should be having a relaxing evening .. but who am I to judge :tongue:
sanjmonkey
@sanjmonkey
Mar 06 2015 22:07
perhaps I cloned too early, no reply to md5 session :(
22:06:11.174545 IP <x.x.x.x>.40356 > <y.y.y.y>.179: Flags [S], seq 3786399209, win 29200, options [nop,nop,md5valid,mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
Thomas Mangin
@thomas-mangin
Mar 06 2015 22:08
hum ...
on the receiving exabgp you need to add
"listen <port>"
sorry
sanjmonkey
@sanjmonkey
Mar 06 2015 22:09
oooh
Thomas Mangin
@thomas-mangin
Mar 06 2015 22:09
"listen <port>;"
like you would do for passive
or hold-time
MD5 is a per peer setting
previously the only way to listen was via the global option exabgp.tcp.bind
it is not the case anymore
hence why the patch took a few hours
sanjmonkey
@sanjmonkey
Mar 06 2015 22:14

i see new reactor message: Listening for BGP session(s) on <y.y.y.y>:179 with MD5

but no ack to this syn:
22:12:52.454633 IP <x.x.x.x>.33553 > <y.y.y.y>.179: Flags [S], seq 2573773506, win 29200, options [nop,nop,md5valid,mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

passive side is listening as it should
Thomas Mangin
@thomas-mangin
Mar 06 2015 22:20
passive: does not establish an outgoing connection
so without using the global listening option a passive neighbour is as good as unconfigured
listen <port>: accepts incoming connections
so both options are orthogonal
you can have passive, passive + listen, listen
hum .. not sure why it does not work for you ...
I need to add an "active" or "port" option to set on what port the peer will connect out ..
when I tried I only tested 1790 ( to not have to use root )
but it should make no difference
(and I am lying I did test 179 .. ) - tired
sanjmonkey
@sanjmonkey
Mar 06 2015 22:24
ok, and 179 works for you?
Thomas Mangin
@thomas-mangin
Mar 06 2015 22:26
yes
sanjmonkey
@sanjmonkey
Mar 06 2015 22:26
me too (tired). let me look at it with a fresh pair of eyes tomorrow, perhaps I've missed something obvious!
Thomas Mangin
@thomas-mangin
Mar 06 2015 22:26
ok - I should be online in the afternoon
sanjmonkey
@sanjmonkey
Mar 06 2015 22:26
don't want to waste your time
Thomas Mangin
@thomas-mangin
Mar 06 2015 22:26
feel free to grab me here
no issue
sanjmonkey
@sanjmonkey
Mar 06 2015 22:27
1000x thank-yous again
Thomas Mangin
@thomas-mangin
Mar 06 2015 22:27
you are welcome :smile: