Your company has 2 offices that are interconnected via a firewall (Cisco ASA) as shown below.
You received the task to configure a BGP session between the border routers of each office.
After performing the configuration shown below, you notice that the BGP peering does not come up.
Suspecting that the problem could be related to the firewall, you check the Cisco ASA configuration and confirm that BGP traffic is allowed between the border routers. To be really sure, you perform a capture on each interface of the firewall:
on the "office1" interface:

ciscoasa# sh capt test-ins
3 packets captured
1: 00:57:13.134865 192.168.1.1.33736 > 192.168.2.1.179: S 3598735645:3598735645(0) win 16384 <mss 536,opt-19:3c8a0d9ea430ac1492a1f21cbf41220f,eol>
2: 00:57:15.176718 192.168.1.1.33736 > 192.168.2.1.179: S 3598735645:3598735645(0) win 16384 <mss 536,opt-19:3c8a0d9ea430ac1492a1f21cbf41220f,eol>
3: 00:57:19.139854 192.168.1.1.33736 > 192.168.2.1.179: S 3598735645:3598735645(0) win 16384 <mss 536,opt-19:3c8a0d9ea430ac1492a1f21cbf41220f,eol>
3 packets shown

on the "office2" interface:

ciscoasa# sh capt test-out
3 packets captured
1: 00:57:15.176718 192.168.1.1.33736 > 192.168.2.1.179: S 4134390026:4134390026(0) win 16384 <mss 536,opt-19:3c8a0d9ea430ac1492a1f21cbf41220f,eol>
2: 00:57:16.090052 192.168.2.1.52869 > 192.168.1.1.179: S 1806197614:1806197614(0) win 16384 <mss 536,opt-19:a115c6c0687490096359a370e9ea1955,eol>
3: 00:57:19.139854 192.168.1.1.33736 > 192.168.2.1.179: S 4134390026:4134390026(0) win 16384 <mss 536,opt-19:3c8a0d9ea430ac1492a1f21cbf41220f,eol>
3 packets shown
ciscoasa#
As seen in the captures, TCP SYN packets for BGP (port 179) are received on "office1" interface and allowed/forwarded onto the "office2" interface...
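As an added check, not part of the original post: TCP option 19 is the RFC 2385 MD5 signature option, and the digest covers the IP pseudo-header and the fixed TCP header (sequence number included), so a receiver recomputes it from the header it actually gets. The script below (example code, using a constructed key since the real neighbor password is not on the page) parses the "office1" SYN line, signs it, then re-checks the same segment with the sequence number that the capture shows on the "office2" side.

```python
import hashlib
import re
import struct
from ipaddress import IPv4Address

KEY = b"example-bgp-secret"  # constructed; the real neighbor password is not on the page
SYN_HDR_LEN = 44  # 20-byte fixed header + 24 bytes of options (mss, opt-19, eol, pad)

# One 'show capture' SYN line from the "office1" interface, copied from the page.
OFFICE1_LINE = ('1: 00:57:13.134865 192.168.1.1.33736 > 192.168.2.1.179: S 3598735645:3598735645(0) '
                'win 16384 <mss 536,opt-19:3c8a0d9ea430ac1492a1f21cbf41220f,eol>')
OFFICE2_SEQ = 4134390026  # sequence number the same SYN carried on the "office2" interface

CAPTURE_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"S (?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+) <mss \d+,opt-19:(?P<sig>[0-9a-f]{32})")

def parse_capture_line(line):
    """Extract the fields RFC 2385 hashes, plus the option-19 digest, from a capture line."""
    m = CAPTURE_RE.search(line)
    if not m:
        raise ValueError("not a TCP SYN carrying option 19")
    d = m.groupdict()
    return {k: (d[k] if k in ("src", "dst", "sig") else int(d[k])) for k in d}

def tcp_md5_digest(pkt, key, payload=b"", ack=0, flags=0x02, hdr_len=SYN_HDR_LEN):
    """RFC 2385: MD5(pseudo-header || fixed TCP header with checksum 0 || payload || key).
    Options are left out of the hash, but the sequence number is covered."""
    pseudo = struct.pack("!4s4sBBH", IPv4Address(pkt["src"]).packed,
                         IPv4Address(pkt["dst"]).packed, 0, 6, hdr_len + len(payload))
    fixed = struct.pack("!HHIIHHHH", pkt["sport"], pkt["dport"], pkt["seq"], ack,
                        ((hdr_len // 4) << 12) | flags, pkt["win"], 0, 0)
    return hashlib.md5(pseudo + fixed + payload + key).hexdigest()

def signature_valid(pkt, key):
    """What the receiving router does: recompute the digest and compare with option 19."""
    return tcp_md5_digest(pkt, key) == pkt["sig"]

def check_across_firewall():
    """Returns (valid as sent on office1, valid with the sequence number seen on office2)."""
    inside = parse_capture_line(OFFICE1_LINE)
    inside["sig"] = tcp_md5_digest(inside, KEY)  # what the sender put in option 19 under KEY
    # Model a middlebox that rewrites the ISN but forwards the option-19 bytes unchanged.
    outside = {**inside, "seq": OFFICE2_SEQ}
    return signature_valid(inside, KEY), signature_valid(outside, KEY)

if __name__ == "__main__":
    print(check_across_firewall())  # (True, False)
```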
What is the problem?
Post your solution in the ‘Comments’ section below and subscribe to this blog to get the solution and more interesting quizzes.