BGP doesn't work with Azure VPN gateway

I’m trying to set up a site-to-site VPN from my VyOS router to Azure VPN Gateway. The VPN works fine with static routes configured, but with BGP it seems like routes are not properly exchanged.

vyos@vyos# show interfaces
 ethernet eth0 {
     address 10.177.10.1/16
     description "VM - outside"
     hw-id 00:50:56:a1:0c:27
 }
 ethernet eth1 {
     address 10.65.139.1/24
     hw-id 00:50:56:a1:6a:67
 }
 ethernet eth2 {
     address 10.65.149.1/24
     hw-id 00:50:56:a1:05:c4
 }
 ethernet eth3 {
     address 10.65.150.1/24
     description "Needs to access Azure"
     hw-id 00:50:56:a1:72:d3
 }
 loopback lo {
 }
 vti vti1 {
     address 10.65.1.5/32
     description "Azure Tunnel"
 }

vyos@vyos# show protocols
 bgp 65001 {
     neighbor 10.96.0.254 {
         address-family {
             ipv4-unicast {
                 soft-reconfiguration {
                     inbound
                 }
             }
         }
         disable-connected-check
         remote-as 65002
         timers {
             holdtime 30
             keepalive 10
         }
     }
 }
 static {
     interface-route 10.96.0.254/32 {
         next-hop-interface vti1 {
         }
     }
     route 0.0.0.0/0 {
         next-hop 10.177.0.1 {
             distance 1
         }
     }
 }
vyos@vyos:~$ show ip bgp
BGP table version is 5, local router ID is 10.177.10.1, vrf id 0
Default local pref 100, local AS 65001
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.96.0.0/16     10.96.0.254                            0 65002 i

Displayed  1 routes and 1 total paths
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [1/0] via 10.177.0.1, eth0, weight 1, 01:05:51
C>* 10.65.1.5/32 is directly connected, vti1, 01:05:49
C>* 10.65.139.0/24 is directly connected, eth1, 03:25:51
C>* 10.65.149.0/24 is directly connected, eth2, 03:25:51
C>* 10.65.150.0/24 is directly connected, eth3, 03:25:51
B>  10.96.0.0/16 [20/0] via 10.96.0.254 (recursive), weight 1, 00:56:48
  *                       via 10.96.0.254, vti1 onlink, weight 1, 00:56:48
S>* 10.96.0.254/32 [1/0] is directly connected, vti1, weight 1, 00:56:53
C>* 10.177.0.0/16 is directly connected, eth0, 03:25:50

When trying to do a traceroute from a local VM to an Azure VM, it seems like packets are looping.

C:\Users\administrator>tracert 10.96.10.4

Tracing route to 10.96.10.4 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.65.150.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
...
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:\Users\administrator>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::61a5:e3db:3236:abe0%12
   IPv4 Address. . . . . . . . . . . : 10.65.150.21
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.65.150.1

The really strange part to me is the output of the advertised-routes command. Shouldn’t the router's local networks be here?

vyos@vyos:~$ show ip bgp neighbors 10.96.0.254 received-routes
BGP table version is 5, local router ID is 10.177.10.1, vrf id 0
Default local pref 100, local AS 65001
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.96.0.0/16     10.96.0.254                            0 65002 i

Total number of prefixes 1
vyos@vyos:~$
vyos@vyos:~$ show ip bgp neighbors 10.96.0.254 advertised-routes
BGP table version is 5, local router ID is 10.177.10.1, vrf id 0
Default local pref 100, local AS 65001
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.96.0.0/16     0.0.0.0                                0 65002 i

Total number of prefixes 1

I’m running VyOS version 1.3.

Any help much appreciated.

The issue was resolved. The original configuration was from VyOS 1.1.8, and in 1.3 things changed, so I needed to add the following lines of configuration:

set protocols bgp 65001 neighbor 10.96.0.254 solo
set protocols bgp 65001 address-family ipv4-unicast redistribute connected

@Viacheslav thank you very much!

4 Likes
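The two symptoms visible in the thread's `advertised-routes` output (the peer's own prefix being sent back to it, and the router's local networks missing) can be checked mechanically. The following is an added example, not part of the original posts or of VyOS: the function names are hypothetical, the `AFTER` sample is constructed to show what a healthy table could look like, and the parser assumes one route per line in the FRR column layout shown above.

```python
import ipaddress

# Constructed samples modelled on the post's "advertised-routes" output.
HEADER = "   Network          Next Hop            Metric LocPrf Weight Path\n"
BEFORE = HEADER + (
    "*> 10.96.0.0/16     0.0.0.0                                0 65002 i\n"
)
AFTER = HEADER + (  # assumed shape once connected networks are advertised
    "*> 10.65.139.0/24   0.0.0.0                  0         32768 ?\n"
    "*> 10.65.149.0/24   0.0.0.0                  0         32768 ?\n"
    "*> 10.65.150.0/24   0.0.0.0                  0         32768 ?\n"
)
LOCAL_NETS = ["10.65.139.0/24", "10.65.149.0/24", "10.65.150.0/24"]  # eth1-eth3
NEIGHBOR_AS = 65002  # remote-as of 10.96.0.254 in the post


def parse_advertised(text):
    """Return [(network, [AS path])] for each route line in the output."""
    routes, weight_col = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("Network"):
            # Metric and LocPrf are optional, so locate Weight by column.
            weight_col = line.index("Weight")
            continue
        if weight_col is None or not line.startswith("*"):
            continue  # legend, blank and summary lines
        try:
            net = ipaddress.ip_network(line.split()[1], strict=False)
        except (IndexError, ValueError):
            continue
        tail = line[weight_col:].split()  # [weight, AS..., origin code]
        # Keep plain AS numbers; origin codes (i, e, ?) and AS sets are dropped.
        routes.append((net, [int(t) for t in tail[1:] if t.isdigit()]))
    return routes


def audit(text, neighbor_as, local_nets):
    """Flag prefixes reflected to their origin peer and unadvertised local nets."""
    routes = parse_advertised(text)
    advertised = {net for net, _ in routes}
    return {
        "reflected": [str(n) for n, path in routes if neighbor_as in path],
        "missing": [n for n in local_nets
                    if ipaddress.ip_network(n) not in advertised],
    }


if __name__ == "__main__":
    print("before:", audit(BEFORE, NEIGHBOR_AS, LOCAL_NETS))
    print("after: ", audit(AFTER, NEIGHBOR_AS, LOCAL_NETS))
```
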
