deadlove
-
Yes, I have been there, it is the same problem. By the way, the default route does not come from Uran, but I solved that problem. The situation is this: I set the MTU to a smaller value (if I set it larger, same trouble), 1460 for example; fs.ua and gismeteo.ua work for a while, then drop again. I tested sending a packet through the ASA packet tracer; the packet over http is sent to fs or gismeteo:

packet-tracer input dmz tcp 10.11.29.185 http 91.226.97.14 http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.10.2 using egress ifc prov1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Traffic global
access-list Traffic extended permit ip any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5433727, packet dispatched to next module

Result:
output-interface: prov1
output-status: up
output-line-status: up
Action: allow

but the entry in the asp table looks like this:

TCP dmz: 10.11.29.19/63531 prov1: 91.226.97.14/80, flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0

and here are its drops:

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                            7
  Invalid UDP Length (invalid-udp-length)                               98
  No valid adjacency (no-adjacency)                                   6919
  No route to host (no-route)                                         1102
  Flow is denied by configured rule (acl-drop)                     1133629
  First TCP packet not SYN (tcp-not-syn)                             65151
  Bad TCP flags (bad-tcp-flags)                                         89
  TCP Dual open denied (tcp-dual-open)                                 172
  TCP data send after FIN (tcp-data-past-fin)                            1
  TCP failed 3 way handshake (tcp-3whs-failed)                         236
  TCP RST/FIN out of order (tcp-rstfin-ooo)                           6706
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                      50
  TCP SYNACK on established conn (tcp-synack-ooo)                        2
  TCP packet SEQ past window (tcp-seq-past-win)                        492
  TCP RST/SYN in window (tcp-rst-syn-in-win)                           149
  Slowpath security checks failed (sp-security-failed)                 754
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                   4
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 2107
  DNS Inspect packet too long (inspect-dns-pak-too-long)              3395
  DNS Inspect id not matched (inspect-dns-id-not-matched)             2026
  FP L2 rule drop (l2_acl)                                             284
  Interface is down (interface-down)                                     4

Well, it so happened that I need to bring up a hardware router, not a software one)))
-
Well, let's start with the fact that an ASA and a router are slightly different devices))) The as-path prepend is on the backup link, Ukrcom, and all the traffic goes through Uran. I took the main BGP settings from a software BGP router running Bird, which Uran itself had configured before my time, and everything works fine there; it seems to me the problem lies in the peculiarities of the ASA itself)
-
Good afternoon. I ran into a problem while configuring BGP on an ASA 5525-X. The gist of the problem is that after some time it starts dropping some sites, for example fs.to and gismeteo.ua, and video on YouTube stops loading. Has anyone run into this problem? Here is a sample of the config:

ASA Version 9.5(1)
!
hostname RouterBGP
domain-name domain.net
names
!
interface GigabitEthernet0/0
 flowcontrol send on
 nameif prov1
 security-level 0
 ip address 10.1.10.3 255.255.255.248
!
interface GigabitEthernet0/1
 flowcontrol send on
 nameif prov2
 security-level 0
 ip address 198.168.20.5 255.255.255.248
!
interface GigabitEthernet0/2
 flowcontrol send on
 nameif dmz
 security-level 0
 ip address 10.11.29.1 255.255.255.0
!
interface GigabitEthernet0/3
 flowcontrol send on
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address a.b.c.d a.b.c.d
!
boot config disk0:/admin.cfg
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.net
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging host management a.b.c.d
mtu prov1 1500
mtu prov2 1500
mtu dmz 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
prefix-list Anons seq 5 permit 10.11.29.0/24
!
prefix-list default seq 5 permit 0.0.0.0/0
!
bgp-community new-format
!
route-map Uran-output permit 100
 match ip address prefix-list Anons
!
route-map Ukrcom-output permit 100
 match ip address prefix-list Anons
 set as-path prepend 197000 197000 197000 197000 197000
 set community 21000:20005 21000:30005 21000:40005
!
route-map Default permit 100
 match ip address prefix-list default
!
router bgp 197000
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 no bgp enforce-first-as
 bgp router-id 10.11.29.1
 address-family ipv4 unicast
  neighbor 198.168.20.6 remote-as 21000
  neighbor 198.168.20.6 description Ukrcom
  neighbor 198.168.20.6 activate
  neighbor 198.168.20.6 send-community
  neighbor 198.168.20.6 next-hop-self
  neighbor 198.168.20.6 weight 200
  neighbor 198.168.20.6 route-map Default in
  neighbor 198.168.20.6 route-map Ukrcom-output out
  neighbor 10.1.10.2 remote-as 12000
  neighbor 10.1.10.2 description Uran
  neighbor 10.1.10.2 activate
  neighbor 10.1.10.2 next-hop-self
  neighbor 10.1.10.2 weight 500
  neighbor 10.1.10.2 route-map Default in
  neighbor 10.1.10.2 route-map Uran-output out
  network 10.11.29.0
  no auto-summary
  no synchronization
 exit-address-family
!
route prov1 0.0.0.0 0.0.0.0 10.1.10.2 1
route prov2 0.0.0.0 0.0.0.0 198.168.20.6 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
snmp-server group cactus v3 auth
snmp-server host management a.b.c.d community ***** udp-port 161
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh a.b.c.d a.b.c.d management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server a.b.c.d source management
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect http
!
prompt hostname context
no call-home reporting anonymou
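An added troubleshooting helper, not code from anyone in this thread: it parses two `show asp drop` snapshots like the one quoted above to show which drop counters are actually climbing, and classifies a `show conn` entry such as the quoted `flags SaAB ... bytes 0` one as a flow stuck in the TCP handshake. The sample counters are taken from the post; the second snapshot's values are constructed, and the flag meanings (S/s = awaiting inside/outside SYN, A/a = awaiting inside/outside ACK to SYN) are assumed from the `show conn` legend and should be checked against the running ASA version.

```python
import re

# Constructed snapshot 1: a subset of the "show asp drop" counters quoted in the post
ASP_DROP_T0 = """Frame drop:
  No valid adjacency (no-adjacency)                        6919
  No route to host (no-route)                              1102
  Flow is denied by configured rule (acl-drop)          1133629
  First TCP packet not SYN (tcp-not-syn)                  65151
  TCP failed 3 way handshake (tcp-3whs-failed)              236
"""
# Constructed snapshot 2, a few minutes later (hypothetical values)
ASP_DROP_T1 = """Frame drop:
  No valid adjacency (no-adjacency)                        7450
  No route to host (no-route)                              1102
  Flow is denied by configured rule (acl-drop)          1133700
  First TCP packet not SYN (tcp-not-syn)                  66900
  TCP failed 3 way handshake (tcp-3whs-failed)              260
"""
# The asp table entry quoted in the post
CONN_LINE = "TCP dmz: 10.11.29.19/63531 prov1: 91.226.97.14/80, flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0"

DROP_RE = re.compile(r"^\s*(.+?)\s+\((\S+)\)\s+(\d+)\s*$")
CONN_RE = re.compile(r"^(\w+)\s+(\w+):\s*([\d.]+)/(\d+)\s+(\w+):\s*([\d.]+)/(\d+),"
                     r"\s*flags\s+(\S*)\s*,.*?\bbytes\s+(\d+)")

def parse_asp_drop(text):
    """Map each drop reason code (the token in parentheses) to its counter value."""
    return {m.group(2): int(m.group(3)) for m in map(DROP_RE.match, text.splitlines()) if m}

def rising_counters(before, after, min_delta=100):
    """Reason codes whose counter grew by at least min_delta between snapshots, largest first."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    deltas = [(code, a[code] - b.get(code, 0)) for code in a if a[code] - b.get(code, 0) >= min_delta]
    return sorted(deltas, key=lambda cd: cd[1], reverse=True)

def parse_conn(line):
    """Split one 'show conn' line into endpoints, flags and byte count."""
    m = CONN_RE.match(line)
    if not m:
        raise ValueError("unrecognised conn line: " + line)
    proto, in_if, src, sport, out_if, dst, dport, flags, nbytes = m.groups()
    return {"proto": proto, "in_if": in_if, "src": src, "sport": int(sport), "out_if": out_if,
            "dst": dst, "dport": int(dport), "flags": flags, "bytes": int(nbytes)}

def stuck_in_handshake(conn):
    """True for a TCP flow still waiting on SYN/ACK (assumed legend: S, s, A, a) that carried no payload."""
    return conn["proto"] == "TCP" and conn["bytes"] == 0 and any(f in conn["flags"] for f in "SsaA")

if __name__ == "__main__":
    print("climbing:", rising_counters(ASP_DROP_T0, ASP_DROP_T1))
    print("stuck handshake:", stuck_in_handshake(parse_conn(CONN_LINE)))
```

Run it against two real snapshots taken a few minutes apart while a site is failing; a counter that keeps climbing (here tcp-not-syn and no-adjacency) points at the stage where the ASA is discarding the flow.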
