Date: Fri, 19 Nov 2021 17:54:18 UTC
Hi! > > > There's one small diff between the two that I do not understand: > > > - 18040 times no signature provided by segment > > > + 18045 times no signature provided by segment > > > > This means, that received TCP segment has not TCP-MD5 signature, but > > listen socket expects it. Such SYN segment will be dropped by syncache > > code. Probably your BGP daemon configured to use TCP-MD5 for connection, > > but remote side does not. > > Thanks, that might be another possible cause. Thanks to your pointer, analysis done by KlaraSystems shows that the problem seems to be like this: frr has this open socket where it listens on incoming tcp/179: tcp4 0 0 *.179 *.* LISTEN tcp6 0 0 *.179 *.* LISTEN The problem starts sometime after FreeBSD 12.1p8, when some of the bgp peers have tcp-md5 set and others have not. If any bgp peer has tcp-md5, it seems, some (all?) non-tcp-md5 secured bgp peers will fail to connect, until a tcp-md5 secret is configured. Therefore, we can use this workaround for now and investigate frr and/or FreeBSD for a proper fix without too much hurry. -- pi@FreeBSD.org +49 171 3101372 Now what ?