
[MX] 'protocol vrrp' in Loopback filter will not work when VRRP is configured with MD5 authentication


Article ID: KB13332
Last Updated: 26 Feb 2020
Version: 5.0
Summary:
Matching on protocol vrrp in a loopback filter does not work when VRRP is configured with MD5 authentication. Which match condition is required to catch a VRRP packet that carries MD5 authentication?
Symptoms:
VRRP packets are sent to the 224.0.0.18 multicast address using IP protocol number 112.

From the packet capture, the fields are as follows:
length 60: (tos 0xc0, ttl 255, id 67, offset 0, flags [none], proto: VRRP (112), length: 40) 60.60.60.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=10 prio=254 authtype=none intvl=1 addrs: 60.60.60.1
When VRRP is configured with MD5 authentication, the advertisement is carried inside an IP Authentication Header (AH), which uses IP protocol number 51 rather than 112.
user@router# show interfaces
ge-3/1/0 {
    unit 0 {
        family inet {
            address 60.60.60.4/24 {
                vrrp-group 10 {
                    virtual-address 60.60.60.1;
                    priority 100;
                    authentication-type md5;
                    authentication-key "$ABC123"; ## SECRET-DATA
                }
            }
        }
    }
}

From the packet capture, the fields with AH are as follows:
tos 0xc0, ttl 255, id 9753, offset 0, flags [none], proto: AH (51), length: 64) 60.60.60.2 > 224.0.0.18: AH(spi=2880154539,sumlen=16,seq=0x125f2): VRRPv2-advertisement 20: vrid=10 prio=200 authtype=ah intvl=1 addrs: 60.60.60.1
If the loopback filter matches the VRRP packet in the usual way (protocol vrrp), the term looks for packets with IP protocol number 112; VRRP packets with MD5 authentication arrive with IP protocol number 51 instead. The loopback filter therefore never matches these VRRP packets, which causes unexpected behavior in the network.
Solution:
To match a VRRP packet with MD5 authentication, match on the destination address 224.0.0.18 instead of on the protocol. For example:
user@router# show firewall
filter vrrp {
    term vrrp {
        from {
            destination-address {
                224.0.0.18/32;
            }
        }
        then accept;
    }
}
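The following is an added example, not code from the KB article or from Juniper: it builds two constructed VRRPv2 advertisements as raw IPv4 packets, one plain (IP protocol 112) and one wrapped in an Authentication Header (IP protocol 51) as the article shows for authentication-type md5, and then evaluates the two filter terms discussed above against them. The addresses, VRID, priorities, SPI and sequence number are taken from the article's captures; the AH integrity check value (ICV) bytes are a constructed placeholder rather than a real MD5 digest, and the helper names are this example's own.

```python
"""
Emulates a Junos loopback-filter 'from' clause over constructed packets to show
why 'protocol vrrp' misses MD5-authenticated VRRP while a destination-address
match catches both forms. Added example, not from the KB article.
"""
import ipaddress
import struct

IPPROTO_AH = 51     # IP Authentication Header
IPPROTO_VRRP = 112  # VRRP
VRRP_MCAST = "224.0.0.18"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (even length assumed)."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vrrp_advert(vrid: int, prio: int, vip: str) -> bytes:
    """Minimal 20-byte VRRPv2 advertisement: version/type, vrid, priority,
    address count, auth type (0), interval 1, checksum (left zero), one virtual
    address, 8 bytes of authentication data."""
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, prio, 1, 0, 1, 0)
    return hdr + ipaddress.IPv4Address(vip).packed + b"\x00" * 8


def ah_wrap(payload: bytes, spi: int, seq: int, icv: bytes) -> bytes:
    """Prefix payload with an IP Authentication Header whose Next Header is VRRP.
    Payload Len is the AH length in 32-bit words minus 2 (12 fixed bytes + ICV)."""
    ah_len = 12 + len(icv)
    ah = struct.pack("!BBHII", IPPROTO_VRRP, (ah_len // 4) - 2, 0, spi, seq) + icv
    return ah + payload


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build an IPv4 header (TOS 0xc0, TTL 255, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(payload), 0, 0, 255,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse(pkt: bytes) -> dict:
    """Extract the fields a filter can match on; when the packet is AH, also
    report the inner protocol from the AH Next Header field, which is what
    tcpdump shows as 'AH(...): VRRPv2-advertisement'."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    inner = pkt[ihl] if proto == IPPROTO_AH else proto
    return {"protocol": proto, "destination": dst, "inner_protocol": inner}


def term_matches(pkt: bytes, protocols=None, destination_prefix=None) -> bool:
    """Emulate a Junos term's 'from' clause: every listed condition must hold.
    'protocols' is a set of IP protocol numbers (like 'protocol [ vrrp ah ]')."""
    fields = parse(pkt)
    if protocols is not None and fields["protocol"] not in protocols:
        return False
    if destination_prefix is not None:
        if ipaddress.IPv4Address(fields["destination"]) not in ipaddress.IPv4Network(destination_prefix):
            return False
    return True


# Constructed sample packets mirroring the article's two captures.
PLAIN_VRRP = ipv4_packet("60.60.60.4", VRRP_MCAST, IPPROTO_VRRP,
                         vrrp_advert(10, 254, "60.60.60.1"))
MD5_VRRP = ipv4_packet("60.60.60.2", VRRP_MCAST, IPPROTO_AH,
                       ah_wrap(vrrp_advert(10, 200, "60.60.60.1"),
                               spi=2880154539, seq=0x125F2,
                               icv=b"\x11" * 16))  # placeholder ICV, not a real digest


def evaluate() -> dict:
    """For each packet, report whether each candidate filter term would accept it."""
    terms = {
        "protocol vrrp": dict(protocols={IPPROTO_VRRP}),
        "destination-address 224.0.0.18/32": dict(destination_prefix="224.0.0.18/32"),
        "protocol [ vrrp ah ] + destination-address 224.0.0.18/32":
            dict(protocols={IPPROTO_VRRP, IPPROTO_AH}, destination_prefix="224.0.0.18/32"),
    }
    return {name: {t: term_matches(p, **cond) for t, cond in terms.items()}
            for name, p in (("plain", PLAIN_VRRP), ("md5", MD5_VRRP))}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name, parse(name == "plain" and PLAIN_VRRP or MD5_VRRP), results)
```

Running the block shows the article's point: the MD5 packet has protocol 51 with inner protocol 112, so 'protocol vrrp' rejects it while the destination-address term accepts both packets. The third term is not from the article; it is included because a destination-address-only term accepts every IP protocol sent to 224.0.0.18, and adding protocol [ vrrp ah ] to the same term keeps the accept scoped to the two forms VRRP actually uses.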
Modification History:
2020-02-26: minor non-technical edits.