New User
Posts: 1
Registered: ‎01-02-2017
0 Kudos

BGP Newbie - IGP sending wrong next-hop?

Hello Forum members!

I've been reading up on routing protocols and trying to learn BGP. Right now the setup described is my own private network and devices across the states (kind relatives that let me experiment with their internet sprinkled across the US).

The BGP configuration in question has an issue that seems more complex than my newbie skills allow me to resolve, but my gut tells me it's something simple and silly - likely a face->palm oversight, so I'll start by explaining the topology to the best that I can.

There are two Juniper SRX 220s, at remote sites, with IPSEC tunnels configured and working between the two - let's call them A and B sites.

(A)-(DSL/PPPoE - over GE-0/0/0 interface to a bonded DSL concentrator provided by the service provider)
(B)-(Cable, bridging mode, again over GE-0/0/0)

(LocalNets: 192.168.0.0/16)(A)->st0.1(10.0.0.10/32) <--INTERNET--> st0.0(10.0.0.11/32)<-(B)(LocalNets: 172.16.0.0/16)

BGP is configured in a simple manner with a policy with route prefixes for the local networks:

BGP config for (A):
root@A# show protocols bgp
local-address 172.16.254.1;
local-as 65000;
group ipsec-peers {
    type internal;
    description "From Here to IPSEC sites";
    export localnets_policy;
    peer-as 65000;
    neighbor 10.0.0.11 {
        local-address 10.0.0.10;
    }
}

root@A# show policy-options policy-statement localnets_policy
term term1 {
    from {
        prefix-list localnets;
    }
    then accept;
}

root@A# show policy-options prefix-list localnets
172.16.0.0/24;
172.16.1.0/24;
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
172.16.100.0/24;
172.16.110.0/24;
172.16.254.0/30;

BGP Configuration for (B):
root@B# show protocols bgp
local-address 192.168.1.1;
local-as 65000;
group ipsec-peers {
    type internal;
    description "From Here to IPSEC sites";
    export localnets_policy;
    peer-as 65000;
    neighbor 10.0.0.10 {
        local-address 10.0.0.11;
    }
}

root@B# show policy-options policy-statement localnets_policy
term term1 {
    from {
        prefix-list localnets;
    }
    then accept;
}


root@B# show policy-options prefix-list localnets
192.168.0.0/24;
192.168.1.0/24;

 


Now to the issue:
BGP seems to advertise routes from B to A just fine (notice the via st0.1):

root@A# run show route protocol bgp

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[BGP/170] 00:28:19, localpref 100, from 10.0.0.11
                      AS path: I
                    > via st0.1


The problem is where A advertises to B (look at the same location :/ ):
root@B# run show route protocol bgp

inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.0.0/24      *[BGP/170] 00:28:05, localpref 100, from 10.0.0.10
                      AS path: I
                    > to 73.88.X.X via ge-0/0/0.0
172.16.1.0/24      *[BGP/170] 00:28:05, localpref 100, from 10.0.0.10
                      AS path: I
                    > to 73.88.X.X via ge-0/0/0.0
172.16.2.0/24      *[BGP/170] 00:28:05, localpref 100, from 10.0.0.10
                      AS path: I
                    > to 73.88.X.X via ge-0/0/0.0
172.16.3.0/24      *[BGP/170] 00:28:05, localpref 100, from 10.0.0.10
                      AS path: I
                    > to 73.88.X.X via ge-0/0/0.0
172.16.100.0/24    *[BGP/170] 00:28:05, localpref 100, from 10.0.0.10
                      AS path: I
                    > to 73.88.X.X via ge-0/0/0.0
172.16.110.0/24    *[BGP/170] 00:28:05, localpref 100, from 10.0.0.10
                      AS path: I
                    > to 73.88.X.X via ge-0/0/0.0

It's worth noting, of course, that the 73.88.X.X address is the GATEWAY of my external IP on B:
root@B# run show interfaces ge-0/0/0.0
  Logical interface ge-0/0/0.0 (Index 72) (SNMP ifIndex 512)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 55788948
    Output packets: 36048776
    Security: Zone: untrust
    Allowed host-inbound traffic : dhcp tftp https ike ping ssh
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 73.88.X/23, Local: 73.88.X.X,
        Broadcast: 73.88.X.255


An un-educated guess would be this has something to do with having a default route being defined on A (because of the ppp interface) and not on B:
root@B# show routing-options static
route 10.0.0.10/32 next-hop st0.0;
route 192.168.0.1/32 next-hop 192.168.1.5;
route 0.0.0.0/32 next-hop ge-0/0/0.0;

 

root@A# show routing-options static
route 172.16.1.0/24 {
    next-hop 172.16.254.2;
    install;
}
route 172.16.2.0/24 {
    next-hop 172.16.254.2;
    install;
}
route 172.16.0.0/24 {
    next-hop 172.16.254.2;
    install;
}
route 172.16.100.0/24 next-hop 172.16.254.2;
route 172.16.3.0/24 next-hop 172.16.254.2;
route 172.16.4.0/30 next-hop 172.16.254.2;
route 172.16.110.0/24 next-hop 172.16.254.2;
route 10.0.0.11/32 next-hop st0.1;
route 0.0.0.0/0 next-hop pp0.0;

 

 

Any hints etc. are welcome; as I said, this is more or less a lab of my own making, and if I'm making any assumptions here or if you have suggestions, please don't be shy.

 

-Joel

Distinguished Expert
Posts: 4,762
Registered: ‎03-30-2009
0 Kudos

Re: BGP Newbie - IGP sending wrong next-hop?

I suspect the issue has to do with your VPN interface ip addressing.  These virtual tunnel interfaces should be setup as if they were a routed link pair instead of as independent /32 addresses.

 

st0.1(10.0.0.10/32) <--INTERNET--> st0.0(10.0.0.11/32)

 

should be

 

st0.1(10.0.0.10/31) <--INTERNET--> st0.0(10.0.0.11/31)

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Super Contributor
Posts: 162
Registered: ‎07-18-2012
0 Kudos

Re: BGP Newbie - IGP sending wrong next-hop?

Hi Folks,

Can you please share this piece of information from both sides of the box,

show route 10.0.0.10 extensive 

show route 10.0.0.11 extensive 

show route receive-protocol bgp 10.0.0.10 extensive  | no-more

show route advertising-protocol bgp 10.0.0.10 extensive | no-more

+

show route <Nexthop taken from receive-protocol cmd as above> extensive

 

I could find this difference in default route configuration on both the boxes, can you also fix this, if it is not intended to be?

 

root@B# show routing-options static

route 0.0.0.0/32 next-hop ge-0/0/0.0; <<<<< This is not a default route

 

root@A# show routing-options static

route 0.0.0.0/0 next-hop pp0.0; <<<<<  is the default route

 

Also please share the ipsec configuration in the box.

 

-Python

#Please mark my solution as accepted if it helped, Kudos are appreciated as well.
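
The difference between `0.0.0.0/32` and `0.0.0.0/0` pointed out in the reply above, as an added example that is not part of the original thread: a longest-prefix-match lookup run over B's static routes exactly as posted. It models only the static table (an assumption; connected, DHCP-learned and BGP routes on the real device are not included), and `lookup` and `with_default_fixed` are hypothetical helper names.

```python
import ipaddress

# Static routes on B, copied from the thread: (prefix, next hop).
B_STATIC = [
    ("10.0.0.10/32", "st0.0"),
    ("192.168.0.1/32", "192.168.1.5"),
    ("0.0.0.0/32", "ge-0/0/0.0"),
]


def lookup(table, dest):
    """Longest-prefix match. Returns (prefix, next_hop), or None if no route covers dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def with_default_fixed(table):
    """Copy of the table with 0.0.0.0/32 rewritten as a real default, 0.0.0.0/0."""
    return [("0.0.0.0/0", nh) if p == "0.0.0.0/32" else (p, nh) for p, nh in table]


if __name__ == "__main__":
    # Sample destinations: the tunnel peer, A's static next hop (from the
    # thread), an arbitrary outside address (constructed), and 0.0.0.0 itself.
    samples = ["10.0.0.10", "172.16.254.2", "198.51.100.7", "0.0.0.0"]
    for label, table in (("as posted", B_STATIC),
                         ("with /0", with_default_fixed(B_STATIC))):
        print(label)
        for dest in samples:
            print(f"  {dest:<14} -> {lookup(table, dest)}")
```

As posted, only the single address 0.0.0.0 matches the `/32` entry, so any destination outside the two host routes has no covering static route; with `/0` the same entry covers everything that lacks a more specific match, while the `/32` tunnel route to 10.0.0.10 still wins for the peer.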