Hi,

Upgraded from 8.1 to the latest 8.5 and it is now automatically connecting. No change in any configs. Looks like something was broken, which is now fixed.

Ubuntu still installs 8.1 on 22.0.4 TLS, so I’ve updated manually via the frr repositories.

Ty everyone for the assistance! 😊

--
Chris.

From: Donald Sharp <donaldsharp72@gmail.com>
Sent: Wednesday, 22 March 2023 13:50
To: Chris Knipe <cknipe@opticnetworks.net>
Cc: ch <ch@ntrv.dk>; frog@lists.frrouting.org
Subject: Re: [FROG] rpki start

sharpd@janelle:~$ sudo systemctl start frr
sharpd@janelle:~$ vtysh -c "show rpki cache-connection"
No connection to RPKI cache server.
sharpd@janelle:~$ vtysh -c "show rpki cache-connection"
Connected to group 1
rpki tcp cache rpki-validator.realmv6.org 8282 pref 1 (connected)
sharpd@janelle:~$ vtysh -c "show run" | grep -A 3 "rpki"
 match rpki valid
exit
!
route-map VERIFY deny 20
 match rpki invalid
exit
!
ip protocol bgp route-map DENY
--
rpki
 rpki cache rpki-validator.realmv6.org 8282 preference 1
exit
!
end

I'm not sure what to say, but it works for me. I am running a version of latest from the last week or so on this box.

donald

On Wed, Mar 22, 2023 at 7:36 AM Chris Knipe <cknipe@opticnetworks.net> wrote:

Hi,

So modified the config:

service advanced-vty
service password-encryption
rpki
 rpki polling_period 1000
 rpki cache rtr.rpki.cloudflare.com 8282 preference 2
 rpki cache rtr.rpki.cloudflare.com 8283 preference 3
exit

Restarted FRR

za-ctn-rs01a# sh rpki cache-connection
No connection to RPKI cache server.
za-ctn-rs01a# wr mem
Note: this version of vtysh never writes vtysh.conf
Building Configuration...
Integrated configuration saved to /etc/frr/frr.conf

write mem removes the exit too.

service password-encryption
rpki
 rpki polling_period 1000
 rpki cache rtr.rpki.cloudflare.com 8282 preference 2
 rpki cache rtr.rpki.cloudflare.com 8283 preference 3
service advanced-vty

Complete config just for clarity (didn’t want to spam the list, but seems that it is needed):

frr version 8.1
frr defaults traditional
hostname za-ctn-rs01a
log syslog informational
no log unique-id
service advanced-vty
service password-encryption
no ip forwarding
no ipv6 forwarding
service advanced-vty
service password-encryption
service advanced-vty
service password-encryption
service advanced-vty
service password-encryption
rpki
 rpki polling_period 300
 rpki retry_interval 10
 rpki cache rtr.rpki.cloudflare.com 8282 preference 2
 rpki cache rtr.rpki.cloudflare.com 8283 preference 3
exit
service advanced-vty
service password-encryption
service integrated-vtysh-config
!
ip router-id a.b.c.131
ip route 0.0.0.0/0 a.b.c.129
ip route 0.0.0.0/0 a.b.c.130 10
ip route a.b.c.0/23 Null0 tag 20
ip route a.b.c.0/24 Null0 tag 30
ip route a.b.d.0/24 Null0 tag 30
ip route e.f.g.0/24 Null0 tag 25
ipv6 route ::/0 a:b:c:6000::81
ipv6 route ::/0 a:b:c:6000::82 10
ipv6 route a:b:c::/48 Null0 tag 25
!
interface ens32
 bandwidth 10000
 ipv6 ospf6 area 0
exit
!
router bgp 65530
 bgp router-id a.b.c.131
 bgp log-neighbor-changes
 bgp always-compare-med
 no bgp suppress-duplicates
 no bgp default ipv4-unicast
 bgp cluster-id a.b.c.128
 bgp disable-ebgp-connected-route-check
 bgp graceful-shutdown
 bgp graceful-restart
 bgp route-reflector allow-outbound-policy
 neighbor a.b.c.132 remote-as 65530
 neighbor a.b.c.132 description ZA-JNB-RS01B
 neighbor a.b.c.139 remote-as 65530
 neighbor a.b.c.139 description ZA-CTN-RS01B
 neighbor a.b.c.140 remote-as 65530
 neighbor a.b.c.140 description ZA-JNB-RS01A
 neighbor a.b.c.254 remote-as 65530
 neighbor a.b.c.254 description ZA-CTN-CR01B
 neighbor a.b.c.255 remote-as 65530
 neighbor a.b.c.255 description ZA-CTN-CR01A
 neighbor a:b:c:6000::84 remote-as 65530
 neighbor a:b:c:6000::84 description ZA-JNB-RS01B
 neighbor a:b:c:6000::8b remote-as 65530
 neighbor a:b:c:6000::8b description ZA-CTN-RS01B
 neighbor a:b:c:6000::8c remote-as 65530
 neighbor a:b:c:6000::8c description ZA-JNB-RS01A
 neighbor a:b:c:6000::fe remote-as 65530
 neighbor a:b:c:6000::fe description ZA-CTN-CR01B
 neighbor a:b:c:6000::ff remote-as 65530
 neighbor a:b:c:6000::ff description ZA-CTN-CR01A
 bgp fast-convergence
 !
 address-family ipv4 unicast
  redistribute static
  bgp dampening
  neighbor a.b.c.132 activate
  neighbor a.b.c.132 addpath-tx-all-paths
  neighbor a.b.c.132 soft-reconfiguration inbound
  neighbor a.b.c.132 allowas-in origin
  neighbor a.b.c.132 route-map BGP-RS-OUTv4 out
  neighbor a.b.c.132 attribute-unchanged next-hop
  neighbor a.b.c.139 activate
  neighbor a.b.c.139 addpath-tx-all-paths
  neighbor a.b.c.139 soft-reconfiguration inbound
  neighbor a.b.c.139 allowas-in origin
  neighbor a.b.c.139 attribute-unchanged next-hop
  neighbor a.b.c.254 activate
  neighbor a.b.c.254 route-reflector-client
  neighbor a.b.c.254 soft-reconfiguration inbound
  neighbor a.b.c.254 allowas-in origin
  neighbor a.b.c.254 route-map BGP-TRANS-OUTv4 out
  neighbor a.b.c.255 activate
  neighbor a.b.c.255 route-reflector-client
  neighbor a.b.c.255 soft-reconfiguration inbound
  neighbor a.b.c.255 allowas-in origin
  neighbor a.b.c.255 route-map BGP-TRANS-OUTv4 out
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute static
  bgp dampening
  neighbor a:b:c:6000::8b activate
  neighbor a:b:c:6000::8b addpath-tx-all-paths
  neighbor a:b:c:6000::8b soft-reconfiguration inbound
  neighbor a:b:c:6000::8b allowas-in origin
  neighbor a:b:c:6000::8b attribute-unchanged as-path next-hop med
  neighbor a:b:c:6000::8c activate
  neighbor a:b:c:6000::8c addpath-tx-all-paths
  neighbor a:b:c:6000::8c soft-reconfiguration inbound
  neighbor a:b:c:6000::8c allowas-in origin
  neighbor a:b:c:6000::8c attribute-unchanged as-path next-hop
  neighbor a:b:c:6000::fe activate
  neighbor a:b:c:6000::fe route-reflector-client
  neighbor a:b:c:6000::fe soft-reconfiguration inbound
  neighbor a:b:c:6000::fe allowas-in origin
  neighbor a:b:c:6000::fe route-map BGP-TRANS-OUTv6 out
  neighbor a:b:c:6000::fe attribute-unchanged as-path next-hop med
  neighbor a:b:c:6000::ff activate
  neighbor a:b:c:6000::ff route-reflector-client
  neighbor a:b:c:6000::ff soft-reconfiguration inbound
  neighbor a:b:c:6000::ff allowas-in origin
  neighbor a:b:c:6000::ff route-map BGP-TRANS-OUTv6 out
  neighbor a:b:c:6000::ff attribute-unchanged as-path next-hop med
 exit-address-family
exit
!
router ospf
 ospf router-id a.b.c.131
 log-adjacency-changes detail
 compatible rfc1583
 auto-cost reference-bandwidth 10000
 graceful-restart
 network a.b.c.128/29 area 0
 capability opaque
exit
!
router ospf6
 ospf6 router-id a.b.c.131
 log-adjacency-changes detail
 auto-cost reference-bandwidth 10000
 graceful-restart
exit
!

From: Donald Sharp <donaldsharp72@gmail.com>
Sent: Wednesday, 22 March 2023 13:24
To: Chris Knipe <cknipe@opticnetworks.net>
Cc: ch <ch@ntrv.dk>; frog@lists.frrouting.org
Subject: Re: [FROG] rpki start

Add an `exit` to the end of rpki configuration section

rpki
 rpki polling_period 1000
 rpki cache rtr.rpki.cloudflare.com 8282 preference 2
 rpki cache rtr.rpki.cloudflare.com 8283 preference 3
exit

On Wed, Mar 22, 2023 at 5:16 AM Chris Knipe <cknipe@opticnetworks.net> wrote:

Hi,

daemons.conf:

vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1 -M rpki"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"

za-ctn-rs01a# sh rpki cache-server
host: rtr.rpki.cloudflare.com port: 8282
host: rtr.rpki.cloudflare.com port: 8283
za-ctn-rs01a# sh rpki cache-connection
No connection to RPKI cache server.

za-ctn-rs01a# sh ver
FRRouting 8.1 (za-ctn-rs01a).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
configured with:
    '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--localstatedir=/var/run/frr' '--sbindir=/usr/lib/frr' '--sysconfdir=/etc/frr' '--with-vtysh-pager=/usr/bin/pager' '--libdir=/usr/lib/x86_64-linux-gnu/frr' '--with-moduledir=/usr/lib/x86_64-linux-gnu/frr/modules' '--disable-dependency-tracking' '--enable-rpki' '--disable-scripting' '--with-libpam' '--enable-doc' '--enable-doc-html' '--enable-snmp' '--enable-fpm' '--disable-protobuf' '--disable-zeromq' '--enable-ospfapi' '--enable-bgp-vnc' '--enable-multipath=256' '--enable-user=frr' '--enable-group=frr' '--enable-vty-group=frrvty' '--enable-configfile-mask=0640' '--enable-logfile-mask=0640' 'build_alias=x86_64-linux-gnu' 'PYTHON=python3'

config

Current configuration:
!
frr version 8.1
frr defaults traditional
hostname za-ctn-rs01a
log syslog informational
no log unique-id
service advanced-vty
service password-encryption
no ip forwarding
no ipv6 forwarding
service advanced-vty
service password-encryption
service advanced-vty
service password-encryption
service advanced-vty
service password-encryption
rpki
 rpki polling_period 1000
 rpki cache rtr.rpki.cloudflare.com 8282 preference 2
 rpki cache rtr.rpki.cloudflare.com 8283 preference 3
service advanced-vty
service password-encryption
service integrated-vtysh-config

RPKI doesn’t do anything until I execute rpki start

za-ctn-rs01a# rpki start
za-ctn-rs01a# sh rpki cache-connection
Connected to group 2
rpki tcp cache rtr.rpki.cloudflare.com 8282 pref 2

--
C

From: Donald Sharp <donaldsharp72@gmail.com>
Sent: Wednesday, 22 March 2023 01:00
To: Chris Knipe <cknipe@opticnetworks.net>
Cc: ch <ch@ntrv.dk>; frog@lists.frrouting.org
Subject: Re: [FROG] rpki start

What does your config look like? Mine starts automatically, rpki is programmed to start it when you leave the rpki subnode

donald

On Tue, Mar 21, 2023 at 5:15 PM Chris Knipe via frog <frog@lists.frrouting.org> wrote:

---------- Forwarded message ----------
From: Chris Knipe <cknipe@opticnetworks.net>
To: ch <ch@ntrv.dk>, "frog@lists.frrouting.org" <frog@lists.frrouting.org>
Cc:
Bcc:
Date: Tue, 21 Mar 2023 19:00:29 +0000
Subject: RE: [FROG] rpki start

Hi,
Or are you referring to an RPKI (caching) server FRR connects to?
Correct. RPKI doesn't automatically connect to the RPKI servers unless I issue a "rpki start" command. Configuration etc. is 100%, works absolutely fine. Just doesn't automatically connect to the RPKI servers.

--
Chris.

---------- Forwarded message ----------
From: Chris Knipe via frog <frog@lists.frrouting.org>
To: ch <ch@ntrv.dk>, "frog@lists.frrouting.org" <frog@lists.frrouting.org>
Cc:
Bcc:
Date: Tue, 21 Mar 2023 19:00:29 +0000
Subject: Re: [FROG] rpki start
_______________________________________________
frog mailing list
frog@lists.frrouting.org
https://lists.frrouting.org/listinfo/frog
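
Added example, not part of the thread and not FRR's own code: a shell health check built on the two outputs of "show rpki cache-connection" quoted in the messages above, so that a cache session that never comes up after a restart is noticed. It polls because, as in Donald's session, the first query right after start can still report no connection; the function names, exit codes and the optional command argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: health check for the FRR RPKI cache session.

# rpki_conn_state TEXT: classify `show rpki cache-connection` output.
rpki_conn_state() {
    case "$1" in
        *"No connection to RPKI cache server"*) echo down ;;
        *"Connected to group "*)                echo connected ;;
        *)                                      echo unknown ;;
    esac
}

# rpki_connected_cache TEXT: print "host port" from the first cache line.
rpki_connected_cache() {
    printf '%s\n' "$1" |
        awk '$1 == "rpki" && $3 == "cache" { print $4, $5; exit }'
}

# wait_for_rpki TRIES DELAY [CMD...]
# Polls, because the session is not up the instant the daemon starts.
# Returns 0 when connected, 2 when still down, 3 on unrecognised output.
# CMD defaults to the vtysh query; passing another command is a test hook.
wait_for_rpki() {
    tries=$1; delay=$2; shift 2
    [ $# -gt 0 ] || set -- vtysh -c "show rpki cache-connection"
    i=0
    while [ "$i" -lt "$tries" ]; do
        out=$("$@" 2>&1) || true
        case "$(rpki_conn_state "$out")" in
            connected) echo "OK: $(rpki_connected_cache "$out")"; return 0 ;;
            unknown)   echo "UNKNOWN: $out"; return 3 ;;
        esac
        i=$((i + 1))
        if [ "$i" -lt "$tries" ]; then sleep "$delay"; fi
    done
    echo "CRITICAL: no RPKI cache connection after $tries tries"
    return 2
}

# Sample outputs copied from the thread (not a live query).
SAMPLE_DOWN='No connection to RPKI cache server.'
SAMPLE_UP='Connected to group 1
rpki tcp cache rpki-validator.realmv6.org 8282 pref 1 (connected)'
rpki_conn_state "$SAMPLE_DOWN"
rpki_conn_state "$SAMPLE_UP"
rpki_connected_cache "$SAMPLE_UP"
```

On a router, "wait_for_rpki 6 10" after a restart gives the session about a minute to come up before the check reports it as down.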