Bug #15716

open

FRR BFD echo mode is not working

Added by Marcelo Cury 2 months ago. Updated 14 days ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: FRR
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.7.2
Affected Plus Version:
Affected Architecture: amd64

Description

Running pfSense 2.7.2 with everything up-to-date, including system patches, all applied.
I have two ipsec VTI tunnels between both sites, working perfectly with OSPF and BFD.

The problem happens when trying to set up BFD echo mode.

What I checked so far:
I get the error "Echo function failed".
I can see port 3785 UDP listening in the sockets page of both sites.
Capturing packets, I can see echo packets reaching both sites, with no response.
In the BFD status page, I can see, for both sites, zero echo packets input, but a lot of echo packets output.
Disabled ICMP redirect in System tunables (net.inet.ip.redirect set to zero) and rebooted.
Created a floating firewall rule, selected both VTI interfaces, with the quick option checked, to "disable antispoof" for the IPsec VTIs, thus allowing everything for testing; this is a lab environment, so no problem with that.

The problem happens

Configuration site 1:

bfd
 profile passive
  detect-multiplier 3
  receive-interval 300
  transmit-interval 2000
  echo receive-interval 50
  echo transmit-interval 50
  echo-mode
  passive-mode
  no shutdown
 !
 peer 192.168.200.1 local-address 192.168.200.2 interface ipsec1
  profile passive
 !
 peer 192.168.200.9 local-address 192.168.200.10 interface ipsec2
  profile passive
 !
!

Configuration site 2:

bfd
 peer 192.168.200.2 local-address 192.168.200.1 interface ipsec1
  detect-multiplier 3
  receive-interval 300
  transmit-interval 2000
  echo receive-interval 50
  echo transmit-interval 50
  no shutdown
  echo-mode
 !
 peer 192.168.200.10 local-address 192.168.200.9 interface ipsec3
  detect-multiplier 3
  receive-interval 300
  transmit-interval 2000
  echo receive-interval 50
  echo transmit-interval 50
  no shutdown
  echo-mode
 !
!

So, it seems that despite the socket showing as listening on that port, the packet never reaches the bfdd daemon.

#1

Updated by Jim Pingle 2 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Routing to FRR
  • Release Notes deleted (Default)

#2

Updated by Lev Prokofev 14 days ago

  • Status changed from New to Confirmed

I can confirm this behavior, tested on 24.03 and 24.11 Beta with FRR 2.0.2_6 and 2.0.2_5.

Peer1

bfd
 peer 10.120.0.1 local-address 10.120.0.2 interface igb0.555
  detect-multiplier 3
  receive-interval 300
  transmit-interval 2000
  echo-interval 50
  no shutdown
  echo-mode
 !
!
line vty
!

Peer2

!
bfd
 peer 10.120.0.2 local-address 10.120.0.1 interface ix2.555
  detect-multiplier 3
  receive-interval 300
  transmit-interval 2000
  echo-interval 50
  no shutdown
  echo-mode
 !
!
line vty
!

BFD Peers:
    peer 10.120.0.1 local-address 10.120.0.2 vrf default interface igb0.555
        ID: 3801325006
        Remote ID: 1571467565
        Active mode
        Status: init
        Diagnostics: echo function failed   <=================================================
        Remote diagnostics: echo function failed
        Peer Type: configured
        RTT min/avg/max: 0/0/0 usec
        Local timers:
            Detect-multiplier: 3
            Receive interval: 300ms
            Transmission interval: 2000ms
            Echo receive interval: 50ms
            Echo transmission interval: 50ms
        Remote timers:
            Detect-multiplier: 3
            Receive interval: 300ms
            Transmission interval: 2000ms
            Echo receive interval: 50ms
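As an added triage example (not pfSense or FRR code, and not from the ticket's authors), the script below parses the `show bfd peers` listing quoted above, flags sessions where either side reports "echo function failed", and computes the echo rate a session is actually allowed per RFC 5880 section 6.8.9, which is the slower of the local echo transmit interval and the peer's advertised echo receive interval. The sample output is constructed from the listing in the comment with a second, healthy peer added; the second peer's addresses and its "ok" diagnostic string are assumptions.

```python
"""Triage helper for FRR `show bfd peers` text output (added example, not
pfSense or FRR code). Parses the indented listing into records, reports
sessions stuck with the echo diagnostic, and derives the effective echo
interval per RFC 5880 section 6.8.9."""
import re
from dataclasses import dataclass, field
from typing import Optional

ECHO_FAILED = "echo function failed"

# Constructed sample: the first peer mirrors the listing in the ticket, the
# second is an assumed healthy session (diag code 0 is shown as "ok").
SAMPLE_OUTPUT = """\
BFD Peers:
    peer 10.120.0.1 local-address 10.120.0.2 vrf default interface igb0.555
        ID: 3801325006
        Remote ID: 1571467565
        Active mode
        Status: init
        Diagnostics: echo function failed
        Remote diagnostics: echo function failed
        Peer Type: configured
        Local timers:
            Detect-multiplier: 3
            Receive interval: 300ms
            Transmission interval: 2000ms
            Echo receive interval: 50ms
            Echo transmission interval: 50ms
        Remote timers:
            Detect-multiplier: 3
            Echo receive interval: 50ms
    peer 10.120.1.1 local-address 10.120.1.2 vrf default interface igb0.556
        Active mode
        Status: up
        Diagnostics: ok
        Remote diagnostics: ok
        Local timers:
            Echo transmission interval: 50ms
        Remote timers:
            Echo receive interval: 100ms
"""

PEER_RE = re.compile(
    r"^\s*peer (?P<peer>\S+) local-address (?P<local>\S+)"
    r"(?: vrf (?P<vrf>\S+))?(?: interface (?P<iface>\S+))?\s*$"
)
FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")


@dataclass
class BfdPeer:
    peer: str
    local: str
    vrf: Optional[str]
    iface: Optional[str]
    fields: dict = field(default_factory=dict)   # top-level "Key: value" lines
    timers: dict = field(default_factory=dict)   # "Local timers"/"Remote timers" blocks


def parse_bfd_peers(text: str) -> list:
    """Turn the indented `show bfd peers` listing into BfdPeer records."""
    peers: list = []
    section: Optional[str] = None  # set while inside a nested timers block
    section_indent = 0
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("BFD Peers"):
            continue
        m = PEER_RE.match(line)
        if m:  # a new peer header resets the nesting state
            peers.append(BfdPeer(m["peer"], m["local"], m["vrf"], m["iface"]))
            section = None
            continue
        if not peers:
            continue
        cur = peers[-1]
        indent = len(line) - len(line.lstrip())
        f = FIELD_RE.match(line.strip())
        if f is None:  # colon-less lines such as "Active mode"
            cur.fields["mode"] = line.strip()
            continue
        key, value = f["key"].strip(), f["value"].strip()
        if value == "":  # "Local timers:" / "Remote timers:" open a block
            section, section_indent = key, indent
            cur.timers[key] = {}
        elif section is not None and indent > section_indent:
            cur.timers[section][key] = value
        else:
            section = None
            cur.fields[key] = value
    return peers


def _ms(value: Optional[str]) -> Optional[int]:
    """'50ms' -> 50; None when the timer line is absent."""
    return None if value is None else int(value.rstrip("ms").strip())


def effective_echo_interval_ms(p: BfdPeer) -> Optional[int]:
    """Slower of local echo TX and the peer's echo RX floor (RFC 5880 6.8.9)."""
    local_tx = _ms(p.timers.get("Local timers", {}).get("Echo transmission interval"))
    remote_rx = _ms(p.timers.get("Remote timers", {}).get("Echo receive interval"))
    if local_tx is None or remote_rx is None:
        return None
    return max(local_tx, remote_rx)


def echo_failures(peers: list) -> list:
    """(peer, reason) for every session reporting the echo diagnostic."""
    problems = []
    for p in peers:
        local_diag = p.fields.get("Diagnostics", "").lower()
        remote_diag = p.fields.get("Remote diagnostics", "").lower()
        if ECHO_FAILED in local_diag or ECHO_FAILED in remote_diag:
            side = "local" if ECHO_FAILED in local_diag else "remote"
            problems.append((p.peer, f"{side} diagnostic '{ECHO_FAILED}', status {p.fields.get('Status')}"))
    return problems
```

Feed it the output of `vtysh -c "show bfd peers"`; a session that shows up in `echo_failures` while the peer's echo counters stay at zero input is the symptom this ticket describes, and `effective_echo_interval_ms` tells you whether the 50 ms configured on both sides is really what the session negotiated.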