FRRouting / frr

The FRRouting Protocol Suite
https://frrouting.org/

BFD: source port #4202

Closed lucize closed 5 years ago

lucize commented 5 years ago

Describe the bug

BFD OSPF is not working with fortigate firewall

(put "x" in "[ ]" if you already tried following)
[x] Did you check if this is a duplicate issue?
[x] Did you test it on the latest FRRouting/frr master branch?

To Reproduce

Steps to reproduce the behavior:

!
bfd
 peer 192.168.200.1 interface vti-vti0
   label vti0-peer
   no shutdown
 !
 peer 192.168.201.1 interface vti-vti1
   label vti1-peer
   no shutdown
 ! 

Expected behavior

show bfd peers
BFD Peers:
        peer 192.168.201.1 interface vti-vti1
                label: vti1-peer
                ID: 1703094444
                Remote ID: 12
                Status: up
[..]

Additional context

bfdd logging

2019/04/25 00:52:52 BFD: state-change: [mhop:no peer:192.168.200.1 local:0.0.0.0 ifname:vti-vti0] init -> down reason:control-expired
2019/04/25 00:52:52 BFD: state-change: [mhop:no peer:192.168.201.1 local:0.0.0.0 ifname:vti-vti1] init -> down reason:control-expired

fortigate logging

id=20301 logdesc="Routing log" msg="NSM: PACKET: packet is ready to be send. scheduling delivery"
id=20301 logdesc="Routing log" msg="NSM: EVENT: packet sender thread called"
id=20301 logdesc="Routing log" msg="NSM: RECV: received packet from invalid source port 49143"
id=20301 logdesc="Routing log" msg="NSM: RECV: BFD packet processing failed."
id=20301 logdesc="Routing log" msg="NSM: PACKET: packet is ready to be send. scheduling delivery"
id=20301 logdesc="Routing log" msg="NSM: EVENT: packet sender thread called"
tcpdump -i vti-vti1 "ip[9] &255==17 and ((udp[8] &0x1f)=0) and ((udp[8] &0xe0)>>5)==1" -vvv -s 0 -XX
tcpdump: listening on vti-vti1, link-type RAW (Raw IP), capture size 262144 bytes
20:02:14.602904 IP (tos 0x0, ttl 255, id 63094, offset 0, flags [none], proto UDP (17), length 52)
    192.168.201.1.49194 > 192.168.201.2.3784: [udp sum ok] BFDv1, length: 24
        Control, State Down, Flags: [none], Diagnostic: No Diagnostic (0x00)
        Detection Timer Multiplier: 3 (750 ms Detection time), BFD Length: 24
        My Discriminator: 0x0000002b, Your Discriminator: 0x00000000
          Desired min Tx Interval:     250 ms
          Required min Rx Interval:    250 ms
          Required min Echo Interval:    0 ms
        0x0000:  4500 0034 f676 0000 ff11 b1ec c0a8 c901  E..4.v..........
        0x0010:  c0a8 c902 c02a 0ec8 0020 58bb 2040 0318  .....*....X..@..
        0x0020:  0000 002b 0000 0000 0003 d090 0003 d090  ...+............
        0x0030:  0000 0000                                ....

20:06:19.235111 IP (tos 0xc0, ttl 255, id 40932, offset 0, flags [DF], proto UDP (17), length 52)
    192.168.201.2.49143 > 192.168.201.1.3784: [udp sum ok] BFDv1, length: 24
        Control, State Down, Flags: [none], Diagnostic: Control Detection Time Expired (0x01)
        Detection Timer Multiplier: 3 (3000 ms Detection time), BFD Length: 24
        My Discriminator: 0x0fe67e0c, Your Discriminator: 0x00000000
          Desired min Tx Interval:    1000 ms
          Required min Rx Interval:   1000 ms
          Required min Echo Interval:   50 ms
        0x0000:  45c0 0034 9fe4 4000 ff11 c7be c0a8 c902  E..4..@.........
        0x0010:  c0a8 c901 bff7 0ec8 0020 235f 2140 0318  ..........#_!@..
        0x0020:  0fe6 7e0c 0000 0000 000f 4240 000f 4240  ..~.......B@..B@
        0x0030:  0000 c350                                ...P

RFC5881

BFD Control packets MUST be transmitted in UDP packets with destination port 3784, within an IPv4 or IPv6 packet. The source port MUST be in the range 49152 through 65535.

qlyoung commented 5 years ago

https://github.com/FRRouting/frr/blob/bbd8da796b1ad74ca5ad2e6e0ff22178dcb63f0b/bfdd/bfd.h#L311

@rzalamena This looks like the problem line, any insight into why this port is used? Typo from 5 to 4 perhaps?

Edit: Too fast! Fixed by #4203
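As an added example (not code from the issue, from FRR, or from the FortiGate), the following Python script decodes the two raw packets from the tcpdump hex above and checks their UDP ports against RFC 5881: the FortiGate's packet (source port 49194) passes, while FRR's packet (source port 49143, below 49152) fails the check, which matches the "invalid source port" log entry on the firewall. The parser assumes plain IPv4 without options beyond what the IHL field declares, and a 24-byte BFD control header without authentication.

```python
import struct
from collections import namedtuple

BFD_CONTROL_PORT = 3784
# RFC 5881 section 4: the UDP source port MUST be in 49152..65535.
BFD_SRC_PORT_MIN, BFD_SRC_PORT_MAX = 49152, 65535
BFD_STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

BfdControl = namedtuple("BfdControl", "src_ip dst_ip src_port dst_port version diag state "
                        "detect_mult my_disc your_disc min_tx_us min_rx_us min_echo_us")

def parse_bfd_ipv4(raw):
    """Parse a raw IPv4/UDP/BFD control packet (RFC 5880 section 4.1 layout)."""
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != 17:
        raise ValueError("not a UDP packet")
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    bfd = raw[ihl + 8:ihl + ulen]     # UDP payload = BFD control header
    vers_diag, state_flags, mult, length = bfd[:4]
    if vers_diag >> 5 != 1 or length != len(bfd) or length < 24:
        raise ValueError("malformed BFD control packet")
    my_disc, your_disc, tx, rx, echo = struct.unpack("!IIIII", bfd[4:24])
    return BfdControl(src_ip, dst_ip, sport, dport, vers_diag >> 5, vers_diag & 0x1F,
                      BFD_STATES[state_flags >> 6], mult, my_disc, your_disc, tx, rx, echo)

def rfc5881_port_problems(pkt):
    """List RFC 5881 port violations; an empty list means the ports are compliant."""
    problems = []
    if pkt.dst_port != BFD_CONTROL_PORT:
        problems.append("destination port %d is not %d" % (pkt.dst_port, BFD_CONTROL_PORT))
    if not BFD_SRC_PORT_MIN <= pkt.src_port <= BFD_SRC_PORT_MAX:
        problems.append("source port %d outside %d-%d" % (pkt.src_port, BFD_SRC_PORT_MIN, BFD_SRC_PORT_MAX))
    return problems

# Both packets are the hex dumps from the tcpdump output in the issue.
FORTIGATE_TO_FRR = bytes.fromhex(
    "4500 0034 f676 0000 ff11 b1ec c0a8 c901 c0a8 c902 c02a 0ec8 0020 58bb 2040 0318"
    "0000 002b 0000 0000 0003 d090 0003 d090 0000 0000")
FRR_TO_FORTIGATE = bytes.fromhex(
    "45c0 0034 9fe4 4000 ff11 c7be c0a8 c902 c0a8 c901 bff7 0ec8 0020 235f 2140 0318"
    "0fe6 7e0c 0000 0000 000f 4240 000f 4240 0000 c350")

if __name__ == "__main__":
    for name, raw in (("fortigate->frr", FORTIGATE_TO_FRR), ("frr->fortigate", FRR_TO_FORTIGATE)):
        pkt = parse_bfd_ipv4(raw)
        print(name, pkt.state, pkt.src_port, rfc5881_port_problems(pkt) or "ports ok")
```

The same check can be run over a live capture by feeding each UDP/3784 datagram's raw bytes to parse_bfd_ipv4, which is a quick way to confirm a peer is running a fixed build before blaming the firewall.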