If the srx is not filtering BGP KAs, which would be odd if they allow the session to come up to begin with, I would look at an mtu mismatch/PMTU malfunction, especially if this is a multi-hop session.
If not already on, enabling bgp pmtu may resolve. If pmtu is on, then use ping with dnf to the bgp peer address to confirm path mtu. You can see each end's MSS with a show system, connections detail. As a quick WA, try setting the bgp peer mss to something small like 576; if the session stays up you know it's mtu related.

Regards

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jeroen Valcke
Sent: Thursday, October 13, 2011 1:34 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] SRX drops BGP session

Hello,

I've set up a BGP session between an M120 and an SRX240. Session comes up but after 1m30sec the session is shut down. The BGP error is "Hold Timer Expired Error".

I'm pretty sure that the SRX is blocking the BGP keepalives after the initial BGP session has been established. Indeed, when I check the session table on the SRX, I do get an entry for the BGP session, but it disappears after only a few seconds. That seems wrong to me. Just to be sure, I've enabled OSPF on the same link and the OSPF neighbor remains adjacent.

The weird thing is that we have plenty of operational BGP sessions between M120s and SRX routers, but this is really the first time I see this.

Has anybody seen the same behaviour? Any clues on what might be wrong?

Best regards,
-Jeroen-

Part of the configs

jer...@m120-2.test> show configuration protocols bgp
...
group bsr_customers {
    type external;
    traceoptions {
        file bgp_trace;
        flag keepalive;
        flag state;
    }
    peer-as 65432;
    neighbor 10.0.10.30;
}
...

jer...@m120-2.test> show configuration interfaces ge-2/0/4
unit 0 {
    description "to srx-2";
    family inet {
        address 10.0.10.29/30;
    }
    family inet6 {
        address 2001:6a8:3d00:4007::1/64;
    }
}

jer...@srx-2.test.belnet.net> show configuration interfaces ge-0/0/14
unit 0 {
    description "to srx-1";
    family inet {
        address 10.0.10.34/30;
    }
    family inet6 {
        address 2001:6a8:3d00:4008::1/64;
    }
}

jer...@srx-2.test.belnet.net> show configuration protocols bgp
group ar {
    type external;
    traceoptions {
        file bgp_trace;
        flag keepalive;
        flag state;
    }
    peer-as 2611;
    neighbor 10.0.10.29;
}

jer...@srx-2.test.belnet.net> show configuration security
zones {
    security-zone lab {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                bgp;
                ospf;
                ospf3;
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/11.0;
            ge-0/0/14.0;
            ge-1/0/0.0;
            lo0.0;
        }
    }
}
policies {
    from-zone lab to-zone lab {
        policy allow-all-intrazone-traffic {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

--
Jeroen Valcke
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
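
The path-MTU check suggested in the reply at the top of this thread, as an added example that is not part of the original messages: it binary-searches the largest packet that passes with the do-not-fragment bit set and compares the resulting usable TCP MSS with the MSS seen on the BGP session. The function names, the simulated path and the 1400-byte bottleneck are assumptions constructed for illustration; a real run would replace `simulated_path` with an actual DF ping to the peer address.

```python
# Added example (not from the thread). All sample values are constructed.
from typing import Callable

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4 headers without options


def path_mtu(df_ping: Callable[[int], bool], lo: int = 68, hi: int = 9192) -> int:
    """Binary-search the largest IP packet size that passes with DF set.

    df_ping(payload) must return True when an ICMP echo carrying that many
    payload bytes, sent with the DF bit set, is answered.
    Returns 0 if even the smallest probe (lo) gets no answer.
    """
    if not df_ping(lo - IP_HDR - ICMP_HDR):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2          # round up so the loop always shrinks
        if df_ping(mid - IP_HDR - ICMP_HDR):
            lo = mid                      # mid fits, search above it
        else:
            hi = mid - 1                  # mid is too big, search below it
    return lo


def diagnose(pmtu: int, session_mss: int) -> str:
    """Compare the MSS used by the BGP TCP session with what the path carries."""
    if pmtu == 0:
        return "no-path"
    usable_mss = pmtu - IP_HDR - TCP_HDR
    if session_mss > usable_mss:
        # Full-size segments are dropped on the path if PMTU discovery fails.
        return "mss-exceeds-path"
    return "ok"


def simulated_path(bottleneck_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a DF ping: drops packets above the bottleneck."""
    return lambda payload: payload + IP_HDR + ICMP_HDR <= bottleneck_mtu


if __name__ == "__main__":
    pmtu = path_mtu(simulated_path(1400))     # hypothetical 1400-byte bottleneck
    print("path MTU:", pmtu)
    print("MSS 1460:", diagnose(pmtu, 1460))  # MSS derived from a 1500-byte link
    print("MSS 576: ", diagnose(pmtu, 576))   # the small test value from the reply
```
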