Re: BIRD drops specific IPv6 session for no reason

2020-02-28 Thread Tapio Haapala
Double-check that your router has an ARP entry and a route for that peer when that 
happens. For example, if your router gets a wrong route for the peer, it can send response 
packets (or in some cases ARP requests) to the wrong interface. So dump your other 
interfaces at the same time as well and you will see what it does. Probably watch for 
route and arp with a proper grep and -n is also your friend if that happens very 
often. 

On 28/02/2020 13.41, Stavros Konstantaras wrote:
> Hi Bird community,
> 
> We are investigating a weird customer issue regarding our Bird Route Servers 
> (version 1.6.3) and a specific IPv6 session. Customer reports a sudden drop 
> of his IPv6 session and - until now - we could not relate those drops with any 
> issue or instability. Everything seems normal and no other customer 
> complained at the moment of the incident. 
> 
> After some packet capturing at the moment of the event, we discovered that 
> BIRD does not send response messages to the customer’s BGP keepalive 
> messages (see attached picture), which results in the BGP hold timer expiring 
> and the sessions being dropped. We observed this anomaly with both RSs but at 
> different time slots and the tcpdump capture was running at the interface 
> where Bird is sending all BGP traffic for customers. At the moment of the 
> event, we didn’t do any maintenance or other RS related work.
> 
> Has any of you experienced this in the past? If yes, how did you solve this?
> Any related feedback is welcomed. 
> 
> Best regards,
> 
> Stavros Konstantaras | Sr. Network Engineer | AMS-IX 
> M +31 (0) 620 89 51 04 | T +31 20 305 8999
> ams-ix.net <http://ams-ix.net>
> 


-- 
F-Solutions Oy

Tapio Haapala

PL7, 90571 Oulu
GSM   +358400998371
Skype burner-
IRC   Burner@ircnet


Re: Limit on how many neighbors

2017-10-14 Thread Tapio Haapala
Have you tested using the real broadcast flag in BIRD? It is not compatible 
with other software but usually it helps when you have weird problems 
with unstable mobile VPN connections to get all clients initialized. By 
default OSPF uses multicast. Sad as it is, multicast implementations in 
kernels, switches etc. are more or less always broken. So I suggest testing 
that.


Another thing is that I am not sure how good an idea it is to run an OSPF 
farm of over 100 clients on one "L2". I suggest that you run multiple 
openvpn server instances and split connections between them. That way 
you also get redundancy. If you limit max clients on the server side and 
add multiple remote addresses on the client side, your client will choose 
the next server if the first is full. Also, if you have multiple physical servers 
then it also helps you when you want to update one of them.


Naturally that splitting is just a workaround for the original problem and 
then we will never know what that problem was in the first place :) That 
is why, out of curiosity, I suggest first testing with that "real broadcast yes" 
flag on all routers and we will see whether the problem is in BIRD itself 
or on the openvpn bridge/kernel side.


Magnus Löfqvist wrote on 14.10.2017 at 20.27:

Hi again,

Just a thought, we don't need our endpoints to know about each other, 
in fact, we do firewalling not to allow traffic between them.


Are there any better solutions, instead of OSPF, where we can have 
more than 100 endpoints getting their routes from a central server, 
and where we don't need to specify every neighbor in the system?


/ Magnus


*From:* Magnus Löfqvist
*Sent:* 13 Oct 2017 23:31
*To:* Ondrej Zajicek
*Cc:* bird-users@network.cz
*Subject:* Re: Limit on how many neighbors

Hi,

I agree with you, it should not be the case here.
But we are running over mobile networks, and the openvpn adds some 
overhead.


Running some tcpdump shows that the packet length of the hello packet 
is just about 480, and that should be ok.


If we change to another openvpn instance/interface and change over to 
that it works directly.


I have also updated bird on our mainrouter to 1.6.3 (latest), but the 
issue still exists.


I have attached our config files (bird.conf (mainrouter), 
bird_client.conf (from one of the end routers)).

My OSPF knowledge is limited, so I guess that I have made some errors :)

The main feature we need is to distribute some external routes 
(10.3.50.0/24, 10.3.60.0/24), and distribute back the endpoints IP 
networks (10.98.x.x/30)


/ Magnus


*From:* Ondrej Zajicek 
*Sent:* 13 Oct 2017 13:13
*To:* Magnus Löfqvist
*Cc:* bird-users@network.cz
*Subject:* Re: Limit on how many neighbors

On Thu, Oct 12, 2017 at 11:43:03AM +, Magnus Löfqvist wrote:
> Hi,
>
> We are running Bird with OSPF between embedded routers (openwrt) (mobile routers).
> The routers are connected to our main server with openvpn, and we are using bird on top of openvpn to deliver routes to the end routers.
>
> This has worked quite well, but today we noticed some glitches.
> We had some routers that did not finish election (i.e., stand in init instead of being full).
> When we count, there are exactly 100 devices that are in "full", and 3 in init.
>
> Is there any limit on how many neighbors/routers?

Hi

There is AFAIK no hard limit, but there is an issue that if you have too
many neighbors, you end up with a Router-LSA that does not fit into the MTU and
will be sent using fragmented IP packets. Which usually works, but may be
problematic. But that is probably not relevant, as if there were such a
problem, they would be stuck in a later stage of the exchange and not in 'init'.

So I have no idea why they are stuck in 'init'. Isn't there any
misconfiguration? Is there anything in the logs? Did they get corrected after a
restart?

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."




Re: Monitoring routes from Nagios

2016-03-29 Thread Tapio Haapala

We use this kind of script
http://pastebin.com/6kuQSPC1

It checks OSPF neighbors and diffs them against a known good state. If a neighbor is
lost it gives a critical error and provides the diff as the message. If there are
new neighbors it gives a warning.
Probably not the most beautiful way to do it but it serves our needs well.


29.3.2016, 16:07, Stanislaw Datskevich wrote:
> Hi Michael, Apparently the only way is parsing birdc or bird.ctl 
> socket output. It's not a complicated task, perl with a few regexps 
> should do the trick.
> 
> On Tue, 29/03/2016 at 10:56 +1300, Michael Ludvig wrote:
>> Hi
>> 
>> What approach do you have for monitoring routing status in your 
>> environments? We've got OSPF set up between our sites (offices 
>> and data centres) and BGP for uplinks from some sites. I want to 
>> monitor by Nagios that everything is as expected.
>> 
>> For example:
>> - BGP feeds from ISPs look sane (e.g. include 0.0.0.0/0 - as that's
>>   what we are interested in)
>> - configured OSPF peers are all connected
>> - ... what else?
>> 
>> I can write some scripts to parse "birdc show ..." output and 
>> feed that into Nagios but perhaps someone has a better way to do 
>> that?
>> 
>> Thanks!
>> 
>> Michael
>> 
>> 
>> 


-- 
F-Solutions Oy

Tapio Haapala

PL7, 90571 Oulu
GSM   0400 998371
Skype burner-
IRC   Burner@ircnet
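
An added example, not the pastebin script linked above and not code from the BIRD project: a Nagios-style check in Python that applies the same idea, comparing the OSPF neighbors in Full state against a known-good baseline and returning CRITICAL for a lost neighbor and WARNING for a new one. The `birdc show ospf neighbors` column layout in the constructed sample and the baseline-file argument are assumptions.

```python
import re
import subprocess
import sys

# Constructed sample, assuming the BIRD 1.x "show ospf neighbors" column layout.
SAMPLE = """\
BIRD 1.6.3 ready.
ospf1:
Router ID       Pri          State      DTime   Interface  Router IP
10.98.0.1         1     Full/DR         00:00:35 tap0      10.98.0.1
10.98.0.5         1     Init/DROther    00:00:31 tap0      10.98.0.5
10.98.0.9         1     Full/BDR        00:00:38 tap0      10.98.0.9
"""

# Router ID, priority, then "State/Role" (e.g. Full/DR, 2-Way/DROther).
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\d+\s+([\w-]+)/\S*\s")

def full_neighbors(text):
    """Return the set of router IDs whose adjacency state is Full."""
    found = (ROW.match(line.strip()) for line in text.splitlines())
    return {m.group(1) for m in found if m and m.group(2) == "Full"}

def check(text, baseline):
    """Compare current Full neighbors with the baseline; return (code, message)."""
    current = full_neighbors(text)
    lost, new = sorted(baseline - current), sorted(current - baseline)
    diff = " ".join(["-" + r for r in lost] + ["+" + r for r in new])
    if lost:                       # missing neighbor (or empty output): CRITICAL
        return 2, "CRITICAL: OSPF neighbors changed: " + diff
    if new:                        # unexpected extra neighbor: WARNING
        return 1, "WARNING: OSPF neighbors changed: " + diff
    return 0, "OK: %d neighbors in Full state" % len(current)

def main(argv):
    # argv[1]: hypothetical baseline file, one known-good router ID per line.
    try:
        with open(argv[1]) as fh:
            baseline = {ln.strip() for ln in fh if ln.strip()}
        out = subprocess.run(["birdc", "show", "ospf", "neighbors"], check=True,
                             capture_output=True, text=True, timeout=10).stdout
    except (IndexError, OSError, subprocess.SubprocessError) as exc:
        print("UNKNOWN: cannot query BIRD: %s" % exc)
        return 3
    code, message = check(out, baseline)
    print(message)
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A neighbor stuck in Init counts as lost here, because only Full adjacencies are compared with the baseline.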


Re: Advertise prefix without static

2015-11-22 Thread Tapio Haapala
Well, yes and no, depending on the case. But let's say that if your 
use case is that you have a /20 network and then you have smaller (more 
specific) networks inside your own infra, you can do it for example this way:


protocol static announce {
    route x.x.x.x/20 unreachable;
}

That will generate the advertisement. Then your more specific routes will handle 
real traffic. If you want you can filter these routes so that they will 
not go to the kernel, but as long as you have more specific routes they will not 
harm you. If you do not have them then you need static routes anyway, or 
some other route source for them, and you can use them for advertisement.


Most other software allows you to generate fake BGP advertisements in the 
BGP protocol (and in most cases it is even the standard way to do it). But I 
think that the BIRD way is quite logical after you get used to it.


22.11.2015, 14:05, David S. wrote:

Hi All,

My name is David, I'm from Indonesia. I'm new to BGP and especially 
Bird. I configured FreeBSD 10.2 with Bird 1.5. I just want to know 
if there is any way to advertise a network prefix without protocol 
static, please tell me how if it is possible. I have read the 
documentation and I can't find any article that points me to an answer to my question.


Thanks in advance.

Best regards,
David S.

e. da...@zeromail.us <mailto:da...@zeromail.us>
w. http://blog.pnyet.web.id



--
Tapio Haapala
F-Solutions Oy
mobile +358400998371
irc Burner@ircnet
skype burner-



Re: High CPU load

2015-04-08 Thread Tapio Haapala
I had the same kind of problem some years ago. The problem was that I accidentally 
misconfigured a BGP session so that one of the peers was connected to an IP that 
was announced via another hop. That caused route flapping and full 
internet table flapping at that router - 100% cpu load and 10-100Mbps 
bgp traffic.


8.4.2015, 13:18, Simone Morandini wrote:

Hello list,

we are running BIRD on our IXP peering platform with no problems since 
quite a while now.
We need to activate a new peer which is expected to announce a 
considerable amount of prefixes (~100k), and the first try resulted in 
having nearly 100% cpu load, ~60-70% for BIRD and the remaining for 
syslog. The machine was hardly manageable, so after a few minutes we 
had to disable the peer and restart the daemon.


The current settings actually make BIRD log everything:
log /var/log/bird.log all;
log syslog all;

so I guess we could start by modifying it: any advice on this?
Would you suggest something more, in order to avoid having again a 
high cpu load?


Thanks in advance,
Simone.



--
Tapio Haapala
F-Solutions Oy
mobile +358400998371
irc Burner@ircnet
skype burner-