Created on 10-06-2020 10:14 AM Edited on 06-12-2022 11:45 PM By Anonymous
Description
This article describes how to configure and troubleshoot BGP password (MD5) authentication.
A common issue is that external BGP sessions are not established and stay stuck in the Active state.
Symptoms.
BGP is configured with the correct AS number and neighbor address, but the neighbor relationship does not form.
Solution
All BGP protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in autonomous system (AS) routing updates.
By default, authentication is disabled.
Use the following commands to enable BGP MD5 authentication. The same password must be configured on both peers.
FGT (bgp) # conf neighbor
FGT (neighbor) # edit 10.5.23.228
FGT (10.5.23.228) # set password <Type_Passw0rd>
Troubleshooting.
If no password, or a mismatched password, is configured on the peer, a capture on both sides shows SYN segments being sent but no SYN-ACK coming back.
From the debug, we can see that FSM (finite state machine) state is stuck in Connect/Active.
# diag ip router bgp all enable
# diag ip router bgp level info
# diag debug console timestamp enable
# diag debug enable
--Sample debug--
BGP: 10.5.23.228-Outgoing [FSM] State: Active Event: 9
BGP: 10.5.23.228-Outgoing [FSM] State: Connect Event: 9
---
# get router info bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.5.23.228 4 100 1924 1926 0 0 0 never Active
From the packet capture we can see whether the peer is configured with a password: when a password is configured, the TCP MD5 Signature option is present in the TCP options field of every segment, including the SYN.
Once identified, configure the password and check the status.
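To make the packet-capture check above concrete, here is an added example (not part of the original article or Fortinet's own tooling) that parses the TCP options of a raw segment and reports whether the TCP MD5 Signature option (kind 19, RFC 2385) is present. The sample SYN segments to port 179 are constructed inline, and the 16-byte digest in them is a placeholder, not a real signature.

```python
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MD5SIG = 19  # TCP MD5 Signature option (RFC 2385): kind 19, length 18


def parse_tcp_options(segment: bytes) -> dict:
    """Parse the options of a raw TCP segment (TCP header starts at byte 0).

    Returns {kind: option_data}; NOP and EOL are consumed, not returned.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    opts = {}
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option kind %d has no length byte" % kind)
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts[kind] = segment[i + 2:i + length]
        i += length
    return opts


def has_md5_signature(segment: bytes) -> bool:
    """True if the segment carries a well-formed TCP MD5 Signature option."""
    opts = parse_tcp_options(segment)
    return TCP_OPT_MD5SIG in opts and len(opts[TCP_OPT_MD5SIG]) == 16


def build_bgp_syn(with_md5: bool) -> bytes:
    """Constructed sample SYN from an ephemeral port to BGP port 179 (not a real capture)."""
    options = struct.pack("!BBH", 2, 4, 1460) + b"\x01"          # MSS option + NOP
    if with_md5:
        options += bytes([TCP_OPT_MD5SIG, 18]) + b"\xaa" * 16  # placeholder digest
    options += b"\x00" * (-len(options) % 4)                   # pad header to 32-bit words
    header_len = 20 + len(options)
    # src port, dst port, seq, ack, data offset, flags (SYN), window, checksum, urgent
    hdr = struct.pack("!HHIIBBHHH", 45000, 179, 1, 0, (header_len // 4) << 4, 0x02, 65535, 0, 0)
    return hdr + options
```

A segment captured from a peer that is already configured with a password will report True here, which tells you the password has to be set (identically) on the local side too.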
Copyright 2024 Fortinet, Inc. All Rights Reserved.