Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

IGMPv2 packets dropped if IP header doesn't have "Router-Alert" option

0

0

Article ID: KB13808 KB Last Updated: 07 Apr 2009Version: 1.0
Summary:

ScreenOS devices are dropping incoming IGMPv2 packets if they are not containing IP header "Router-Alert" option. This can be an issue when communicating with other equipment, such as third party routers, because other equipment might not set this option within the IP header.

Symptoms:

When the IGMPv2 protocol is configured and started between ScreenOS and Cisco, by default all Cisco IGMPv2 packets will be dropped with the following error in the "debug igmp all":

## 1998-07-21 22:41:22 : IGMP: igmp packet received on ethernet1/3 from 192.168.100.20 not set router alert IP option, dropped

This issue also can be determined by checking the IGMP Interfaces:

For example, If interface ethernet1/3 is in igmp router mode:

> get igmp interface
Interface ethernet1/3 support IGMP version 2 router. It is enabled.
IGMP proxy is disabled.

Querier IP is 192.168.100.254
, it has up 617 seconds. I am the querier.
There are 0 multicast groups active.
Inbound Router access list number: not set
Inbound Host access list number: not set
Inbound Group access list number: not set
query-interval: 125 seconds
query-max-response-time 10 seconds
leave-interval 1 seconds
last-member-query-interval 1 seconds
general_group_query_timer expire time: 101s

As displayed in this example, this interface has the highest IP in the 192.168.100.0/24 network, but still the firewaal is the querier (instead of the Cisco device which has lower a IP than us). IGMP querier is the router with the lowest IP address on the network.


If interface ethernet1/3 is in igmp host mode, the output may look like this:
> get igmp interface
Interface ethernet1/3 support IGMP version 2 host. It is enabled.
IGMP proxy is enabled. IGMP non-querier proxy is disabled.
Querier has not been found yet.
There are 1 multicast groups active.
As displayed in this example, ethernet1/3 is in host mode, but it can't detect any queriers in the network.

Solution:

By default, ScreenOS devices are expecting the "router-alert" option to be set in the IP header of the incoming IGMPv2 packet. This option is suggested by RFC#2113, and Cisco devices (and some other equipment) are not using this option.

In order to solve this problem, the ScreenOS Firewall needs to be configured to not expect and check for the IP header option "Router-Alert".

To disable router-alert checking, enter the following command

set interface ethernet0/0 protocol igmp no-check-router-alert

IGMP Querier should be determined correctly now and packets from the Cisco side should be processed.  Below is the output of a solved issue: interface in igmp host mode with no-check-router-alert option set:

Interface ethernet1/3 support IGMP version 2 host. It is enabled.
IGMP proxy is enabled. IGMP non-querier proxy is disabled.
IGMP packets without router alert IP option will not be dropped.
Querier IP is 192.168.100.20, it has up 91681 seconds.
There are 1 multicast groups active.
v2_present_timer expire time: 399s

*** Now the querier is properly determined, and IGMPv2 communication is in place ***

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search