Bug #15716
openFRR BFD echo mode is not working
Description
Running pfSense 2.7.2 with everything up-to-date, including system patches, all applied.
I have two IPsec VTI tunnels between both sites, working perfectly with OSPF and BFD.
The problem happens when trying to set up BFD echo mode.
What I checked so far:
I get the error "Echo function failed".
I can see the port 3785 UDP listening in the sockets page of both sites.
Capturing packets, I can see echo packets reaching both sites, with no response.
In the BFD status page, I can see, for both sites, zero echo packets input, but a lot of echo packets output.
Disabled ICMP redirects by setting System tunables > net.inet.ip.redirect to zero and rebooted.
Created a floating firewall rule, selected both VTI interfaces with the quick option checked, to "disable antispoof" for the IPsec VTIs, thus allowing everything for testing; this is a lab environment, so no problem with that.
The problem happens
Configuration site 1:
bfd
 profile passive
  detect-multiplier 3
  receive-interval 300
  transmit-interval 2000
  echo receive-interval 50
  echo transmit-interval 50
  echo-mode
  passive-mode
  no shutdown
 !
 peer 192.168.200.1 local-address 192.168.200.2 interface ipsec1
  profile passive
 !
 peer 192.168.200.9 local-address 192.168.200.10 interface ipsec2
  profile passive
 !
!
Configuration site 2:
bfd
 peer 192.168.200.2 local-address 192.168.200.1 interface ipsec1
  detect-multiplier 3
  receive-interval 300
  transmit-interval 2000
  echo receive-interval 50
  echo transmit-interval 50
  no shutdown
  echo-mode
 !
 peer 192.168.200.10 local-address 192.168.200.9 interface ipsec3
  detect-multiplier 3
  receive-interval 300
  transmit-interval 2000
  echo receive-interval 50
  echo transmit-interval 50
  no shutdown
  echo-mode
 !
!
So, it seems that despite the socket showing as listening on that port, the packets never reach the bfdd daemon.
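When echo packets are seen on the wire but never counted as input, one thing worth confirming from the capture is what the BFD control packets (UDP 3784) actually negotiate: RFC 5880 only lets a system send echo packets when the remote advertises a non-zero Required Min Echo RX Interval and the session is Up. The decoder below is an added example, not code from this bug report, pfSense or FRR. It parses the 24-byte RFC 5880 control-packet header, reports whether echo is advertised by each side, and computes the asynchronous-mode detection time. The sample packets are constructed here to mirror the timers in the configuration above (detect-multiplier 3, transmit-interval 2000 ms, receive-interval 300 ms, echo receive-interval 50 ms); the discriminator values are made up. Note that FRR configures intervals in milliseconds while the wire format carries microseconds.

```python
"""Decode BFD control packets (RFC 5880 s4.1) and check echo negotiation.

Added example for the bug report above; the packets are constructed from the
report's timers, not captured from the reporter's routers.
"""
import struct
from dataclasses import dataclass

# Mandatory 24-byte section, network byte order (RFC 5880 s4.1).
_HDR = struct.Struct("!BBBBIIIII")
BFD_CONTROL_PORT = 3784  # RFC 5881
BFD_ECHO_PORT = 3785     # RFC 5881; the port the report sees listening

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


@dataclass(frozen=True)
class BfdControl:
    version: int
    diag: int
    state: int
    flags: int              # P F C A D M bits: low six bits of byte 1
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int

    @property
    def state_name(self) -> str:
        return STATE_NAMES[self.state]

    @property
    def auth_present(self) -> bool:
        return bool(self.flags & 0x04)  # A bit

    @property
    def echo_advertised(self) -> bool:
        # RFC 5880 s6.8.9: zero means the sender cannot receive echo packets.
        return self.required_min_echo_rx_us != 0


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Parse the UDP payload of a BFD control packet; raise ValueError if malformed."""
    if len(payload) < _HDR.size:
        raise ValueError(f"payload too short for BFD control: {len(payload)} bytes")
    b0, b1, detect_mult, length, my_disc, your_disc, tx, rx, echo = _HDR.unpack_from(payload)
    version = b0 >> 5
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if length < _HDR.size or length > len(payload):
        raise ValueError(f"bad Length field {length} for {len(payload)}-byte payload")
    if detect_mult == 0 or my_disc == 0:
        # RFC 5880 s6.8.6: such packets MUST be discarded by the receiver.
        raise ValueError("Detect Mult and My Discriminator must be non-zero")
    pkt = BfdControl(version, b0 & 0x1F, b1 >> 6, b1 & 0x3F, detect_mult, length,
                     my_disc, your_disc, tx, rx, echo)
    if pkt.auth_present and length == _HDR.size:
        raise ValueError("A bit set but no authentication section present")
    return pkt


def build_bfd_control(*, state: int, detect_mult: int, my_disc: int, your_disc: int,
                      tx_ms: int, rx_ms: int, echo_rx_ms: int, flags: int = 0) -> bytes:
    """Build a 24-byte control packet from FRR-style millisecond timers (sample data only)."""
    b0 = (1 << 5) | 0  # version 1, diag 0 "No Diagnostic"
    b1 = (state << 6) | (flags & 0x3F)
    return _HDR.pack(b0, b1, detect_mult, _HDR.size, my_disc, your_disc,
                     tx_ms * 1000, rx_ms * 1000, echo_rx_ms * 1000)


def echo_negotiated(local: BfdControl, remote: BfdControl) -> bool:
    """Local side may send echo packets only if the session is Up on both ends
    and the remote advertises a non-zero echo RX interval (RFC 5880 s6.8.9)."""
    return local.state == 3 and remote.state == 3 and remote.echo_advertised


def detection_time_us(local: BfdControl, remote: BfdControl) -> int:
    """Asynchronous-mode detection time as computed by the local system (RFC 5880 s6.8.4):
    remote Detect Mult times the greater of local Required Min RX and remote Desired Min TX."""
    return remote.detect_mult * max(local.required_min_rx_us, remote.desired_min_tx_us)


# Constructed samples mirroring the report's timers; discriminators are invented.
SITE1_PKT = build_bfd_control(state=3, detect_mult=3, my_disc=0x1001, your_disc=0x2001,
                              tx_ms=2000, rx_ms=300, echo_rx_ms=50)
SITE2_PKT = build_bfd_control(state=3, detect_mult=3, my_disc=0x2001, your_disc=0x1001,
                              tx_ms=2000, rx_ms=300, echo_rx_ms=50)
# What site 2 would send if it could not receive echo packets at all.
SITE2_NO_ECHO_PKT = build_bfd_control(state=3, detect_mult=3, my_disc=0x2001, your_disc=0x1001,
                                      tx_ms=2000, rx_ms=300, echo_rx_ms=0)

if __name__ == "__main__":
    s1, s2 = parse_bfd_control(SITE1_PKT), parse_bfd_control(SITE2_PKT)
    print(f"site1: state={s1.state_name} echo_rx={s1.required_min_echo_rx_us} us")
    print(f"site2: state={s2.state_name} echo_rx={s2.required_min_echo_rx_us} us")
    print("echo negotiated (site1 -> site2):", echo_negotiated(s1, s2))
    print("detection time, site1 view:", detection_time_us(s1, s2), "us")
```

With both sides advertising a 50 ms echo RX interval, `echo_negotiated` is true, so zero echo input on a peer that visibly receives the packets points at a local delivery problem (socket, filter, or interface binding) rather than at the negotiation itself; with the no-echo variant it is false and the counters would be expected to stay at zero.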