Discussion:
BGP MD5 weird behavior when connection closes
Evgeny Yurchenko
2010-02-05 22:22:20 UTC
I think it is more FreeBSD's problem than pfSense's but decided anyway
to post it here as somebody might run into the same issue.
When we use MD5 TCP signing with the OpenBGP package, TCP connection
termination does not go properly, which results in BGP password errors on the
remote Cisco side and thus problems with re-establishing the connection/routing.

So, the normal TCP connection tear-down procedure:
---FIN--->
<---ACK---
<---FIN---
----ACK--->
All these TCP packets must be MD5 signed (correct me if I am wrong). The
problem is: when pfSense initiates connection termination (you want to
clear the BGP session) the last ACK is not MD5 signed. It makes the Cisco keep
this connection active for some time, sending FINs as it attempts to
close the connection.
If somebody has a clue how to fix this I would be very grateful for a
solution.
Thanks.

Evgeny.

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe-***@public.gmane.org
For additional commands, e-mail: support-help-***@public.gmane.org

Commercial support available - https://portal.pfsense.org
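The tear-down described in the post, with the RFC 2385 digest computed and checked segment by segment, as an added example (not code from the thread, OpenBGPD or FreeBSD); the addresses, ports, key and the deliberately unsigned last ACK are constructed, and the digest layout follows RFC 2385 (pseudo-header, fixed TCP header with checksum zeroed and options excluded, data, key):

```python
import hashlib
import socket
import struct
from dataclasses import dataclass

FIN, ACK, BGP_PORT = 0x01, 0x10, 179  # TCP flag bits and the BGP port

@dataclass
class Segment:  # the fields of one IPv4 TCP segment that the RFC 2385 digest covers
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""
    md5_opt: "bytes | None" = None  # value of TCP option kind 19; None if the option is absent

def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over IPv4 pseudo-header, fixed TCP header (checksum zeroed, options excluded), data, key.
    A signed segment carries a 20-byte option block (18-byte MD5 option + 2 NOPs), so data offset is 10."""
    doff = 10 if seg.md5_opt is not None else 5
    pseudo = socket.inet_aton(seg.src) + socket.inet_aton(seg.dst) + struct.pack("!BBH", 0, 6, doff * 4 + len(seg.payload))
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack, doff << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()

def sign(seg: Segment, key: bytes) -> Segment:
    seg.md5_opt = b"\x00" * 16  # mark the option present so the data offset counts it, then fill it in
    seg.md5_opt = rfc2385_digest(seg, key)
    return seg

def check(seg: Segment, key: bytes) -> str:
    """'unsigned' if option 19 is missing, 'ok' if the digest matches the key, otherwise 'bad'."""
    return "unsigned" if seg.md5_opt is None else "ok" if seg.md5_opt == rfc2385_digest(seg, key) else "bad"

def audit_teardown(segs: list, key: bytes) -> list:
    """Label each segment of a close sequence by direction and flags with its signature status."""
    names = {FIN | ACK: "FIN/ACK", ACK: "ACK", FIN: "FIN"}
    return [(f"{s.src}->{s.dst} {names.get(s.flags, hex(s.flags))}", check(s, key)) for s in segs]

def constructed_close(key: bytes) -> list:
    """Constructed four-way close between pfSense (192.0.2.1) and Cisco (192.0.2.2), made-up addresses;
    the final ACK is left unsigned to model the behaviour reported in the thread."""
    pf, cs = "192.0.2.1", "192.0.2.2"
    return [sign(Segment(pf, cs, 50000, BGP_PORT, 1000, 2000, FIN | ACK), key),
            sign(Segment(cs, pf, BGP_PORT, 50000, 2000, 1001, ACK), key),
            sign(Segment(cs, pf, BGP_PORT, 50000, 2000, 1001, FIN | ACK), key),
            Segment(pf, cs, 50000, BGP_PORT, 1001, 2001, ACK)]  # the unsigned last ACK
```

Running `audit_teardown(constructed_close(key), key)` labels the first three segments "ok" and the last ACK "unsigned", which is the segment a peer configured with a key will not accept; the same check on a packet capture of the real session shows which segment is missing option 19.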
Ermal Luçi
2010-02-05 22:43:54 UTC
> I think it is more FreeBSD's problem than pfSense's but decided anyway to
> post it here as somebody might run into the same issue.
> When we use MD5 TCP signing with the OpenBGP package, TCP connection termination
> does not go properly, which results in BGP password errors on the remote Cisco
> side and thus problems with re-establishing the connection/routing.
> ---FIN--->
> <---ACK---
> <---FIN---
> ----ACK--->
> All these TCP packets must be MD5 signed (correct me if I am wrong). The
> problem is: when pfSense initiates connection termination (you want to clear
> the BGP session) the last ACK is not MD5 signed. It makes the Cisco keep this
> connection active for some time, sending FINs as it attempts to close the
> connection.
> If somebody has a clue how to fix this I would be very grateful for a
> solution.
Try disabling selective acks.
should be net.inet.tcp.sack.enable=0
> Thanks.
> Evgeny.
--
Ermal
Evgeny Yurchenko
2010-02-05 22:47:42 UTC
> On Fri, Feb 5, 2010 at 11:22 PM, Evgeny Yurchenko
> > I think it is more FreeBSD's problem than pfSense's but decided
> > anyway to post it here as somebody might run into the same issue.
> > When we use MD5 TCP signing with the OpenBGP package, TCP connection
> > termination does not go properly, which results in BGP password
> > errors on the remote Cisco side and thus problems with re-establishing
> > the connection/routing.
> > ---FIN--->
> > <---ACK---
> > <---FIN---
> > ----ACK--->
> > All these TCP packets must be MD5 signed (correct me if I am
> > wrong). The problem is: when pfSense initiates connection
> > termination (you want to clear the BGP session) the last ACK is not
> > MD5 signed. It makes the Cisco keep this connection active for some
> > time, sending FINs as it attempts to close the connection.
> > If somebody has a clue how to fix this I would be very grateful
> > for a solution.
> Try disabling selective acks.
> should be net.inet.tcp.sack.enable=0
> --
> Ermal
I will, but I do not think the SACK algorithm is in use here.
Thanks.
Evgeny.

Evgeny Yurchenko
2010-02-10 17:44:35 UTC
> On Fri, Feb 5, 2010 at 11:22 PM, Evgeny Yurchenko
> > I think it is more FreeBSD's problem than pfSense's but decided
> > anyway to post it here as somebody might run into the same issue.
> > When we use MD5 TCP signing with the OpenBGP package, TCP connection
> > termination does not go properly, which results in BGP password
> > errors on the remote Cisco side and thus problems with re-establishing
> > the connection/routing.
> > ---FIN--->
> > <---ACK---
> > <---FIN---
> > ----ACK--->
> > All these TCP packets must be MD5 signed (correct me if I am
> > wrong). The problem is: when pfSense initiates connection
> > termination (you want to clear the BGP session) the last ACK is not
> > MD5 signed. It makes the Cisco keep this connection active for some
> > time, sending FINs as it attempts to close the connection.
> > If somebody has a clue how to fix this I would be very grateful
> > for a solution.
> Try disabling selective acks.
> should be net.inet.tcp.sack.enable=0
> --
> Ermal
No luck. The same story.

Evgeny.
