Unable to establish bgp multihop session for packets arriving in other vrf

[33Fraise33]

Describe the bug When a session is configured as multihop and passive and the connect packet is received through another vrf (transit vrf = default vrf, exchange vrf = locix) the session does not establish and is dropped in the exchange vrf.

• [X] Did you check if this is a duplicate issue?
• [X] Did you test it on the latest FRRouting/frr master branch? (9.0)

To Reproduce See below config. Peer 2604:8800:50:81:216:31:3:81 is set to connect to my host at 2a12:4946:4001::1/64 (see output of show interface below). The best route for the peer to reach my loopback is through the locix exchange (advertised as a /44) so the multihop packets are entering there. But the daemon is trying to terminate the session in that vrf while the packets should be forwarded to the vrf where the interface lives.

Expected behavior The session establishes.

Screenshots /

Versions

• OS Version: Debian GNU/Linux 12 (bookworm)
• Kernel: Linux 6.1.0-11-amd64
• FRR Version:

  FRRouting 9.0 (kingpin) on Linux(6.1.0-11-amd64).
  Copyright 1996-2005 Kunihiro Ishiguro, et al.
  configured with:
  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--localstatedir=/var/run/frr' '--sbindir=/usr/lib/frr' '--sysconfdir=/etc/frr' '--with-vtysh-pager=/usr/bin/pager' '--libdir=/usr/lib/x86_64-linux-gnu/frr' '--with-moduledir=/usr/lib/x86_64-linux-gnu/frr/modules' '--disable-dependency-tracking' '--enable-rpki' '--disable-scripting' '--enable-pim6d' '--with-libpam' '--enable-doc' '--enable-doc-html' '--enable-snmp' '--enable-fpm' '--disable-protobuf' '--disable-zeromq' '--enable-ospfapi' '--enable-bgp-vnc' '--enable-multipath=256' '--enable-user=frr' '--enable-group=frr' '--enable-vty-group=frrvty' '--enable-configfile-mask=0640' '--enable-logfile-mask=0640' 'build_alias=x86_64-linux-gnu' 'PYTHON=python3'

Additional context Loopback Interface:

Interface lo is up, line protocol is up
  Link ups:       0    last: (never)
  Link downs:     0    last: (never)
  vrf: default
  index 1 metric 0 mtu 65536 speed 0
  flags: <UP,LOOPBACK,RUNNING>
  Type: Loopback
  inet6 2a12:4946:4001::1/64
  Interface Type Other
  Interface Slave Type None
  protodown: off

Config:

frr defaults traditional

log syslog informational
debug bgp neighbor-events
debug bgp updates

hostname kingpin
domainname vormir.frai.se
service integrated-vtysh-config
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!! VRF: default
!!!!!!!!!!!!!!!!!!!!!!!!!!!
ip route ::/0 2a0c:9a40:1::1 10
ip route 192.0.0.1/32 blackhole
router bgp 211184
 bgp router-id 193.148.249.106
 bgp log-neighbor-changes
 bgp graceful-restart
 no bgp client-to-client reflection
 no bgp default ipv4-unicast
 no bgp network import-check
 neighbor default peer-group
 neighbor default timers 20 60
 neighbor cymru-bogons peer-group
 neighbor cymru-bogons remote-as 65332
 neighbor cymru-bogons ebgp-multihop
 neighbor cymru-bogons passive
 neighbor 2a0c:9a40:1::1 peer-group default
 neighbor 2a0c:9a40:1::1 description IFOG PEERING
 neighbor 2a0c:9a40:1::1 remote-as 34927
 neighbor 2604:8800:50:81:216:31:3:81 peer-group cymru-bogons
 neighbor 2604:8800:50:81:216:31:3:81 description NOMONITOR Cymru Fullgons #1
 neighbor 2604:8800:60:81:216:31:7:81 peer-group cymru-bogons
 neighbor 2604:8800:60:81:216:31:7:81 description NOMONITOR Cymru Fullgons #2
 address-family ipv4 unicast
  import vrf remotesites
  neighbor default route-map rm-DEFAULT_ONLY_PUBLIC in
  neighbor default route-map rm-AS211184-exact out
  neighbor default soft-reconfiguration inbound
  neighbor cymru-bogons route-map rm-deny in
  neighbor cymru-bogons route-map rm-deny out
  neighbor cymru-bogons soft-reconfiguration inbound
 exit-address-family
 address-family ipv6 unicast
  network 2a12:4946:4000::/44
  import vrf locix
  import vrf kleyrex
  import vrf remotesites
  neighbor default route-map rm-DEFAULT_ONLY_PUBLIC in
  neighbor default route-map rm-AS211184-exact out
  neighbor default soft-reconfiguration inbound
  neighbor default activate
  neighbor cymru-bogons route-map rm-deny in
  neighbor cymru-bogons route-map rm-deny out
  neighbor cymru-bogons soft-reconfiguration inbound
  neighbor cymru-bogons activate
 exit-address-family
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!! VRF: locix
!!!!!!!!!!!!!!!!!!!!!!!!!!!
router bgp 211184 vrf locix
 bgp router-id 185.1.167.89
 bgp log-neighbor-changes
 bgp graceful-restart
 no bgp client-to-client reflection
 no bgp default ipv4-unicast
 no bgp network import-check
 neighbor locix peer-group
 neighbor locix timers 20 60
 neighbor 2001:7f8:f2:e1::babe:1 peer-group locix
 neighbor 2001:7f8:f2:e1::babe:1 description Locix RS1
 neighbor 2001:7f8:f2:e1::babe:1 remote-as 202409
 neighbor 2001:7f8:f2:e1::dead:1 peer-group locix
 neighbor 2001:7f8:f2:e1::dead:1 description Locix RS2
 neighbor 2001:7f8:f2:e1::dead:1 remote-as 202409
 neighbor 2001:7f8:f2:e1::be5a peer-group locix
 neighbor 2001:7f8:f2:e1::be5a description Locix RS3
 neighbor 2001:7f8:f2:e1::be5a remote-as 202409
 neighbor 2001:7f8:f2:e1::6939:1 peer-group locix
 neighbor 2001:7f8:f2:e1::6939:1 description Hurricane Electric
 neighbor 2001:7f8:f2:e1::6939:1 remote-as 6939
 address-family ipv4 unicast
  neighbor locix route-map rm-DEFAULT_ONLY_PUBLIC in
  neighbor locix route-map rm-AS211184-exact out
  neighbor locix soft-reconfiguration inbound
 exit-address-family
 address-family ipv6 unicast
  network 2a12:4946:4000::/44
  import vrf default
  import vrf route-map rm-AS211184
  neighbor locix route-map rm-DEFAULT_ONLY_PUBLIC in
  neighbor locix route-map rm-AS211184-exact out
  neighbor locix soft-reconfiguration inbound
  neighbor locix activate
 exit-address-family
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!! ROUTE FILTERING
!!!!!!!!!!!!!!!!!!!!!!!!!!!
! PREFIX LISTS
!!!!! pl-default-public
ip prefix-list pl-default-public permit 0.0.0.0/0 le 24 ge 0
ip prefix-list pl-default-public permit ::/0 le 48 ge 0
!!!!! pl-default
ip prefix-list pl-default permit 0.0.0.0/0
ip prefix-list pl-default permit ::/0
!!!!! pl-default-bogons
ip prefix-list pl-default-bogons permit 0.0.0.0/0 ge 25
ip prefix-list pl-default-bogons permit ::/0 ge 49
!!!!! pl-AS211184-exact
ip prefix-list pl-AS211184-exact permit 2a12:4946:4000::/44
!!!!! pl-AS211184
ip prefix-list pl-AS211184 permit 2a12:4946:4000::/44 ge 44
!!!!! pl-RFC1918
ip prefix-list pl-RFC1918 permit 10.0.0.0/8 ge 8
ip prefix-list pl-RFC1918 permit 172.16.0.0/12 ge 12
ip prefix-list pl-RFC1918 permit 192.168.0.0/16 ge 16
! COMMUNITIES
!!!!! bogons
bgp community-list standard bogons permit 64496:0
!
! ROUTE MAPS
!!!!! rm-DEFAULT_ONLY_PUBLIC
route-map rm-DEFAULT_ONLY_PUBLIC permit 10
 match ip address prefix-list pl-default-public
route-map rm-DEFAULT_ONLY_PUBLIC permit 20
 match ipv6 address prefix-list pl-default-public
!!!!! rm-fullbogons-in
route-map rm-fullbogons-in permit 10
 match ipv6 address prefix-list pl-default-bogons
 on-match next
route-map rm-fullbogons-in permit 20
 match community bogons
 set ip next-hop 192.0.0.1
!!!!! rm-AS211184-exact
route-map rm-AS211184-exact permit 10
 match ipv6 address prefix-list pl-AS211184-exact
!!!!! rm-AS211184
route-map rm-AS211184 permit 10
 match ipv6 address prefix-list pl-AS211184
!!!!! rm-default
route-map rm-default permit 10
 match ipv6 address prefix-list pl-default
route-map rm-default permit 20
 match ip address prefix-list pl-default
!!!!! rm-deny
route-map rm-deny deny 10
!
line vty
!

[33Fraise33]

I forgot to add the following log: Event] 2604:8800:50:81:216:31:3:81 connection rejected(VRF locix:211184:locix) - not configured and not valid for dynamic

[donaldsharp]

What's the output of show bgp peerhash?

[33Fraise33]

What's the output of show bgp peerhash?

kingpin# show bgp peerhash
BGP: (null)
    Peer: 2a0c:9a40:1::1 2a0c:9a40:1::1
    Peer: 2604:8800:60:81:216:31:7:81 2604:8800:60:81:216:31:7:81
    Peer: 2604:8800:50:81:216:31:3:81 2604:8800:50:81:216:31:3:81
BGP: remotesites
    Peer: 10.10.34.14 10.10.34.14
    Peer: 10.10.34.2 10.10.34.2
    Peer: 10.10.34.18 10.10.34.18
    Peer: 10.10.34.6 10.10.34.6
    Peer: 10.10.34.22 10.10.34.22
    Peer: 2a12:4946:4001:34::1:2 2a12:4946:4001:34::1:2
BGP: locix
    Peer: 2001:7f8:f2:e1::6939:1 2001:7f8:f2:e1::6939:1
    Peer: 2001:7f8:f2:e1::babe:1 2001:7f8:f2:e1::babe:1
    Peer: 2001:7f8:f2:e1::be5a 2001:7f8:f2:e1::be5a
    Peer: 2001:7f8:f2:e1::dead:1 2001:7f8:f2:e1::dead:1
BGP: kleyrex
    Peer: 2001:7f8:33::a103:1142:3 2001:7f8:33::a103:1142:3
    Peer: 2001:7f8:33::a103:1142:1 2001:7f8:33::a103:1142:1
    Peer: 2001:7f8:33::a103:1142:2 2001:7f8:33::a103:1142:2
BGP: fogixp
    Peer: 2001:7f8:ca:1::111 2001:7f8:ca:1::111
    Peer: 2001:7f8:ca:1::77 2001:7f8:ca:1::77

[33Fraise33]

Hello @donaldsharp do you require any more input from me? Is this a bug or do I have a misconfiguration?

[github-actions[bot]]

This issue is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this issue closed.

[frrbot[bot]]

This issue will be automatically closed in the specified period unless there is further activity.