OK trying to get a BGP session up between a pair of CISCO routers and a
NOKIA running Checkpoint. Coming across an issue I had with GateD where
the NOKIA is choking on a version identifier sent by the CISCO and
reporting back a BGP-3 authentication failure for the OPEN message (it's
interpreting the version ID as an authentication attempt)...
Any ideas?
Please respond off list...
Yeah, ok Sena.
Uh, how about calling me back about beers you slacker ass?
Noice...
There has got to be some sort of health code against you and I at the same
bug pulling off the same tap - the laws of gravity etc...
On Jul 26, 2002 Martin Hannigan spake:
This has got to be the strangest setup of BGP I have seen yet. A
firewall running an inherently insecure protocol. All I can say is have
fun.
And we are off......
OK trying to get a BGP session up between a pair of CISCO routers and a
NOKIA running Checkpoint.
WOW! Nokia Checkpoint runs routing protocols (other than RIP or static
routes???)
More impressive is this appliance running BGP.
On a serious note...I imagine the Nokia is in front of one of the
Cisco's....(my assumption since the poster is as vague as a Capitol Hill
politician)
If this is the case, then take the stinking firewall and place it behind the
router, let the routers do their Peering, and even place some Bogon-lists on
the router, and some basic bogon filtering for your ingress traffic. (take
as much illegitimate traffic off the firewall).
But hey, does this belong in the NANOG anyway.......?
my 2 cashings!!!
mmmmm
Beer, it's what's for dinner!
On Jul 26, 2002 Gerardo A. Gregory spake:
On a serious note...I imagine the Nokia is in front of one of the
Cisco's....(my assumption since the poster is as vague as a Capitol Hill
politician)
Yeah sorry - vagueness is an art... it's pretty much a DMZ set up we have
an outside border (CISCO 7206VXR) and an inside border/distribution border
(CISCO 6513 MSFC) The NOKIA is running a flavor of GateD that I have seen
this problem with before - I did find a work around. The problem is that
the CISCO is sending a version identifier (4) that GateD is identifying as
an authentication string. The error that the 7206vxr is receiving is a
'BGP-3 Authentification failure' I kludged it by setting an MD5 auth
string on the NOKIA as "4" - that solved the prob on that side - but I
think I am still having an issue with the 6513. It was an upgrade that
our firewall group had rolled into production - to replace a
Solaris/Checkpoint setup that was running iBGP with Zebra. All we are
really passing is default in and accepting some routes from a secure
server farm connected to the 6513. The Farm will be dual homed to 2 of our
campuses in the near future (otherwise since it is now stub we could
static it.)
Anyway - thanks...
If this is the case, then take the stinking firewall and place it behind the
router, let the routers do their Peering, and even place some Bogon-lists on
the router, and some basic bogon filtering for your ingress traffic. (take
as much illegitimate traffic off the firewall).
Yeah it is see above..
But hey, does this belong in the NANOG anyway.......?
Prolly not - I asked for replies to me directly and did get quite a few
helpful ones - I'm replying back to the nog cuz I got spanked a little by
Sue for the beer off-shoot to this and to provide the little bit more
detail that you were asking for... Anyway I took a mulligan on the beer
thread and am now playing through... thanks...
my 2 cashings!!!
Kaching - thanks again...