BGP routing issues, configs between firewalls and Cloud
Configured VPN using BGP to cloud provider at site A and everything worked as expected, then configure VPN using BGP to cloud provider at site B and traffic from site A to site B broke.
Looking at logs, saw traffic from site A reaching site B then getting routed by BGP through the cloud provider back to site A because BGP is advertising that route as the shortest path.
for logs, look at your BGP summary and the BGP routing table to see where subnets are being routed to
site A subnets are on the left and the VPN subnets are on the right in example below;
get router info routing-table
allpath=router, objname=info, tablename=(null), size=0Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
B 10.11.7.1/24 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
B 10.11.8.0/26 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
B 10.12.1.0/28 [20/100] via 128.112.2.214, vpn-cloudprovider-1, 00:01:11
Solution:
Create a BGP community, then define a no export rule to prevent routes being advertised to cloud provider do not get propagated to external networks. Assign the new rule to the BGP neighbors and perform this task on both site A and B, this will solve the routing issue and all your traffic will flow as designed.
Here is an example of what i did on site A;
-
Create community
config router community-list
edit "no-export"
config rule
edit 1
set action permit
set match "no-export"
next
end
next
end -
Create route-map that matches the community
config router route-map
edit "outbound to cloudprovider"
config rule
edit 1
set match-community "no-export"
next
end
next
end -
Apply route-map to BGP cloudprovider neighbor
config router bgp
config neighbor
edit "128.112.2.214"
set route-map-out "outbound to cloudprovider"
next
end -
Clear bgp router to take new configs
exec router clear bgp all