Refer to the exhibit. The administrator is troubleshooting a BGP peering between PE1 and PE3 that is unable to establish. Which action resolves the issue?
A. Disable sending ICMP unreachables on P2 to allow PE1 to establish a session with PE3.
B. P2 must have a route to PE3 to establish a BGP session to PE1.
C. Remove the traffic filtering rules on P2 blocking the BGP communication between PE1 and PE3.
D. Ensure that the PE3 loopback address is used as a source for BGP peering to PE1.
PE1 is trying to use PE3's loopback address for peering, so "D" is really important in this case.
"C" is unrelated to BGP. "debug ip icmp" shows an administratively prohibited message for ICMP from R2, only for ICMP and not for TCP. ICMP is unrelated to the BGP TCP process.
One more thing, they are not directly connected, so may need to enable multihop.
Answer is C.
Tested in lab; each line is exactly the same, and it was logical.
In the question, the "rcv from" is the P2 interface, not any of the PE3 IPs.
*Jul 25 19:26:42.589: TCP: sending SYN, seq 956756274, ack 0
*Jul 25 19:26:42.589: TCP0: Connection to 1.1.1.1:179, advertising MSS 1460
*Jul 25 19:26:42.589: TCP0: state was CLOSED -> SYNSENT [54184 -> 1.1.1.1(179)]
*Jul 25 19:26:42.590: ICMP: dst (8.8.8.8) administratively prohibited unreachable rcv from 50.50.50.2
*Jul 25 19:26:42.590: TCP0: ICMP destination unreachable received
*Jul 25 19:26:42.590: Released port 54184 in Transport Port Agent for TCP IP type 1 delay 240000
*Jul 25 19:26:42.590: TCP0: state was SYNSENT -> CLOSED [54184 -> 1.1.1.1(179)]
*Jul 25 19:26:42.590: TCB 0xF6773FC0 destroyed
I added an ACL inbound on P2 (link between PE1 and P2) denying BGP port 179.
Answer is C, tested in lab. We don't need update-source loopback 0 on both routers when peering with loopback addresses, only on one router; this depends on who is the passive and who is the active neighbor.
The debug output shows ICMP messages indicating that packets are being administratively prohibited, which suggests that there might be filtering rules blocking the BGP communication.
Therefore, the action that would resolve the issue is:
C. Remove the traffic filtering rules on P2 blocking the BGP communication between PE1 and PE3.
The answer is C. Why? If PE1 is in LISTEN state, PE2 establishes adjacency with no loopback:
PE1 debug:
*Jul 29 02:29:56.979: %BGP-5-ADJCHANGE: neighbor 10.255.255.3 Up
*Jul 29 02:30:54.499: TCP0: ACK timeout timer expired
*Jul 29 02:30:55.258: Reserved port 0 in Transport Port Agent for TCP IP type 0
*Jul 29 02:30:55.258: TCP: connection attempt to port 179
*Jul 29 02:30:55.258: TCP: sending RST, seq 0, ack 3901546674
*Jul 29 02:30:55.258: TCP: sent RST to 10.0.12.2:35886 from 10.255.255.1:179
*Jul 29 02:30:55.258: Released port 0 in Transport Port Agent for TCP IP type 0 delay 240000
*Jul 29 02:30:55.258: TCP0: state was LISTEN -> CLOSED [0 -> UNKNOWN(0)]
*Jul 29 02:30:55.276: TCB 0xF6CD1488 destroyed
On P:
ip access-list extended test
 deny tcp 10.255.255.0 0.0.0.255 any eq bgp
 deny tcp 10.255.255.0 0.0.0.255 eq bgp any
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 permit ip any any
int e0/0
 ! apply the ACL inbound on the interface (ip access-group; "ip access-class" is for vty lines,
 ! and the name must match the ACL name exactly, as in the "no ip access-group test in" below)
 ip access-group test in
on PE1
do clear ip bgp *
*Jul 29 02:40:52.387: TCP0: Connection to 10.255.255.3:179, advertising MSS 1460
*Jul 29 02:40:52.387: TCP0: state was CLOSED -> SYNSENT [22789 -> 10.255.255.3(179)]
PE1(config-router)#
*Jul 29 02:40:52.387: TCP0: ICMP destination unreachable received
*Jul 29 02:40:52.387: Released port 22789 in Transport Port Agent for TCP IP type 1 delay 240000
*Jul 29 02:40:52.387: TCP0: state was SYNSENT -> CLOSED [22789 -> 10.255.255.3(179)]
*Jul 29 02:40:52.387: TCB 0xF6CD1798 destroyed
PE1(config-router)#do sh ip bgp summ
BGP router identifier 10.255.255.1, local AS number 100
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.255.3 4 100 0 0 1 0 0 00:01:16 Idle
PE1(config-router)#
on P2
no ip access-group test in
I believe it's D.
Debug ICMP is turned on and is confusing the messages, but the TCP error messages just show the TCP session timing out, indicating a routing issue.
Should be C. The neighborship still comes up without the update-source loopback command on PE3. The "administratively prohibited unreachable" message is generated when an ACL is applied.
I labbed it. I placed an ACL on PE2 blocking TCP port 179, and the logs obtained were the same, including the "ICMP destination unreachable" log, even though the ACL is not blocking the ICMP protocol itself.
Ans: C
Lab test:
P2#sh access-list
Extended IP access list 100
10 deny tcp host 10.255.255.1 host 10.255.255.3 eq bgp log
11 deny tcp any any eq bgp log
20 permit ip any any
I'll go with C. The important thing to note in the logs is that it is "administratively prohibited", meaning that an ACL is somehow blocking the TCP session from reaching P3 from P1.
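The thread hinges on reading the debug output correctly: an ICMP "administratively prohibited" unreachable (type 3, code 13) arriving while the local TCP socket is in SYNSENT means a hop on the path (the "rcv from" address) has an ACL dropping the SYN, whereas a bare ACK timeout with no ICMP points at routing, and a RST sent to a source that matches no neighbor statement is the missing update-source symptom. The following Python script is an added example, not part of the thread or of any Cisco tool: it classifies constructed debug excerpts modelled on the lines quoted above (addresses, ports and timestamps are made up) into those three causes, so each of the answer choices A through D can be matched to the evidence that would actually appear in the log.

```python
import re

# Constructed debug excerpts modelled on the "debug ip tcp transactions" and
# "debug ip icmp" lines quoted in the thread; addresses, ports and timestamps
# are made up for this example.
FILTERED = """\
*Jul 25 19:26:42.589: TCP0: Connection to 10.255.255.3:179, advertising MSS 1460
*Jul 25 19:26:42.589: TCP0: state was CLOSED -> SYNSENT [54184 -> 10.255.255.3(179)]
*Jul 25 19:26:42.590: ICMP: dst (10.255.255.3) administratively prohibited unreachable rcv from 10.0.12.2
*Jul 25 19:26:42.590: TCP0: ICMP destination unreachable received
*Jul 25 19:26:42.590: TCP0: state was SYNSENT -> CLOSED [54184 -> 10.255.255.3(179)]
"""
TIMEOUT = """\
*Jul 29 02:30:10.100: TCP0: state was CLOSED -> SYNSENT [22789 -> 10.255.255.3(179)]
*Jul 29 02:30:54.499: TCP0: ACK timeout timer expired
*Jul 29 02:30:54.499: TCP0: state was SYNSENT -> CLOSED [22789 -> 10.255.255.3(179)]
"""
BAD_SOURCE = """\
*Jul 29 02:30:55.258: TCP: connection attempt to port 179
*Jul 29 02:30:55.258: TCP: sending RST, seq 0, ack 3901546674
*Jul 29 02:30:55.258: TCP: sent RST to 10.0.12.2:35886 from 10.255.255.1:179
*Jul 29 02:30:55.258: TCP0: state was LISTEN -> CLOSED [0 -> UNKNOWN(0)]
"""
UP = "*Jul 29 02:29:56.979: %BGP-5-ADJCHANGE: neighbor 10.255.255.3 Up\n"

# Patterns for the handful of IOS debug lines that carry the diagnosis.
STATE_RE = re.compile(r"state was (\w+) -> (\w+) \[\d+ -> ([\d.]+)\((\d+)\)\]")
ICMP_RE = re.compile(r"ICMP: dst \(([\d.]+)\) (.+?) unreachable rcv from ([\d.]+)")
RST_RE = re.compile(r"sent RST to ([\d.]+):\d+ from ([\d.]+):(\d+)")
ADJ_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor ([\d.]+) Up")
TIMEOUT_RE = re.compile(r"ACK timeout timer expired")


def classify(debug_text, configured_neighbors):
    """Map a debug excerpt to the likely cause of a BGP (TCP/179) session failure.

    Returns a (verdict, detail) tuple. configured_neighbors is the set of peer
    addresses this router expects, i.e. its "neighbor x.x.x.x" statements.
    """
    synsent_to = None  # peer address of the SYN we most recently sent, if any
    for line in debug_text.splitlines():
        m = ADJ_RE.search(line)
        if m:
            return "ESTABLISHED", f"neighbor {m.group(1)} came up"

        m = STATE_RE.search(line)
        if m and m.group(2) == "SYNSENT" and m.group(4) == "179":
            synsent_to = m.group(3)

        m = ICMP_RE.search(line)
        if m and synsent_to is not None:
            dst, reason, sender = m.groups()
            if reason == "administratively prohibited":
                # Type 3 / code 13: the hop that sent the ICMP ("rcv from") has an
                # ACL denying the SYN; the peer itself never saw the packet.
                return "FILTERED", f"ACL on hop {sender} blocks TCP/179 to {dst}"
            return "UNREACHABLE", f"{sender} reports {dst} {reason} unreachable"

        if TIMEOUT_RE.search(line) and synsent_to is not None:
            # No ICMP at all: the SYNs were silently lost, which points at
            # routing or reachability rather than filtering.
            return "TIMEOUT", f"no answer from {synsent_to}: check routing/reachability"

        m = RST_RE.search(line)
        if m:
            src, _local, port = m.groups()
            if port == "179" and src not in configured_neighbors:
                # The peer sourced its SYN from an address we have no neighbor
                # statement for: the classic missing "update-source" symptom.
                return "SOURCE_MISMATCH", f"SYN from {src} but no neighbor configured for it"

    return "UNKNOWN", "no diagnostic pattern matched"


if __name__ == "__main__":
    neighbors = {"10.255.255.3"}
    for name, trace in (("FILTERED", FILTERED), ("TIMEOUT", TIMEOUT),
                        ("BAD_SOURCE", BAD_SOURCE), ("UP", UP)):
        verdict, detail = classify(trace, neighbors)
        print(f"{name:<11} -> {verdict}: {detail}")
```

Run against the thread's own symptom (ICMP prohibited from the P2-facing address while in SYNSENT) the verdict is FILTERED with P2's interface named as the filtering hop, which is why the ICMP line matters even though the ACL only denies TCP: the router applying the ACL generates the unreachable on behalf of the dropped SYN.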