[MX] Firewall filter change leads to BGP session down

Article ID: KB35414    KB Last Updated: 11 Jan 2020    Version: 1.0
Summary:

After a firewall filter is added, two of the router's BGP peers go down.

Symptoms:

After the following firewall filter is added (only the BGP term is shown):

firewall {
    family inet {
        filter remote-access-VTY {           
            term bgp {
                from {
                    source-address {
                        10.51.24.9/32;
                        10.51.24.17/32;
                        10.51.24.21/32;
                        124.19.48.121/32;
                        124.19.98.165/32;
                    }
                    protocol tcp;
                    destination-port bgp;   
                }
                then accept;
            }


Two of the five BGP sessions go down and stay in the Connect state, as seen in the output of show bgp summary:

show bgp summary
Groups: 2 Peers: 5 Down peers: 2
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
2 2 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.51.24.9 64512 1099380 1080154 0 1 4w5d 22:26:02 Establ
MGMT.inet.0: 2/2/2/0
10.51.24.17 64513 0 0 0 4 8:05 Connect
10.51.24.21 64513 0 0 0 9 8:13 Connect
124.19.48.121 64512 39839 39099 0 0 1d 5:27:51 Establ
inet.0: 1/1/1/0
124.19.98.165 7474 3634 3870 0 1 1d 5:10:32 Establ
inet.0: 1/1/1/0

Cause:

A BGP implementation listens on TCP port 179 for incoming connections and, at the same time, actively tries to connect to its peers on port 179. For any given session, which endpoint ends up using port 179 and which uses a random (ephemeral) port depends on which side initiated the connection that was established first.

For example:

  • Side A has an established BGP session with Side B.
  • One endpoint of that TCP connection uses port 179 and the other uses a random port XXX; which side uses which is decided by which side initiated the connection that was established first.
  • Packets in one direction therefore carry source port 179 and destination port XXX, and the replies from the other side carry source port XXX and destination port 179.
  • A term that matches only destination-port bgp accepts the packets whose destination port is 179 but not the ones whose destination port is XXX; those packets fall through to the rest of the filter and are discarded, so the BGP session cannot be established.
Solution:

Change "destination-port bgp" to "port bgp", which matches TCP port 179 as either the source or the destination port and so accepts both directions of the session, as below:

firewall {
    family inet {
        filter remote-access-VTY {           
            term bgp {
                from {
                    source-address {
                        10.51.24.9/32;
                        10.51.24.17/32;
                        10.51.24.21/32;
                        124.19.48.121/32;
                        124.19.98.165/32;
                    }
                    protocol tcp;
                    port bgp;   <-- was: destination-port bgp
                }
                then accept;
            }

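As an added example that is not part of this article, the following Python model evaluates the BGP term before and after the fix against inbound packets from the configured peers. The ephemeral port and the packets are constructed, and the filter's other terms are not modeled.

```python
# Added example, not from the KB article: a simplified model of how a Junos
# stateless firewall filter evaluates inbound TCP packets, used to show why
# "destination-port bgp" accepts only one direction of a BGP session while
# "port bgp" accepts both. Peer addresses are the article's; the ephemeral
# port and the packets are constructed for illustration.
BGP_PORT = 179
EPHEMERAL = 54321  # stands in for the random port "XXX" in the article
PEERS = {"10.51.24.9", "10.51.24.17", "10.51.24.21",
         "124.19.48.121", "124.19.98.165"}

def term_matches(term, pkt):
    """A term matches only when every 'from' condition matches (AND semantics)."""
    frm = term["from"]
    if "source-address" in frm and pkt["src"] not in frm["source-address"]:
        return False
    if "protocol" in frm and pkt["protocol"] != frm["protocol"]:
        return False
    if "destination-port" in frm and pkt["dport"] != frm["destination-port"]:
        return False
    # 'port' matches when EITHER the source or the destination port equals the value
    if "port" in frm and frm["port"] not in (pkt["sport"], pkt["dport"]):
        return False
    return True

def evaluate(terms, pkt):
    """First matching term decides; no match falls through to the implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term["then"]
    return "discard"

def inbound_packets(peer):
    """Inbound packets from a peer for the two ways its session can have been set up."""
    return {
        "peer initiated":  {"src": peer, "protocol": "tcp", "sport": EPHEMERAL, "dport": BGP_PORT},
        "local initiated": {"src": peer, "protocol": "tcp", "sport": BGP_PORT,  "dport": EPHEMERAL},
    }

def session_outcomes(terms, peer):
    """Filter action on the peer's inbound packets, per establishment direction."""
    return {how: evaluate(terms, pkt) for how, pkt in inbound_packets(peer).items()}

# The article's term before and after the fix (other terms of the filter omitted).
BEFORE = [{"from": {"source-address": PEERS, "protocol": "tcp", "destination-port": BGP_PORT}, "then": "accept"}]
AFTER = [{"from": {"source-address": PEERS, "protocol": "tcp", "port": BGP_PORT}, "then": "accept"}]

if __name__ == "__main__":
    for peer in sorted(PEERS):
        print(peer, "before:", session_outcomes(BEFORE, peer), "after:", session_outcomes(AFTER, peer))
```

A peer whose session the local router initiated is discarded by the original term and accepted by the corrected one, which is why only some of the peers went down.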