[SRX] Proxy ARP is unable to respond to ARP requests when it is configured on the interface VLAN

Article ID: KB20789 | KB Last Updated: 05 Mar 2017 | Version: 3.0
Summary:

This article describes an issue in which Proxy ARP does not respond to ARP requests when it is configured on the VLAN interface of SRX branch devices.

Symptoms:
Topology:



  • SRX220 is configured in the packet mode:

    • The ge-0/0/2 interface is configured as a switching port and connects to the fe5/0 interface of ERX-1440.

    • The vlan.10 interface is configured as RVI with the IP address 177.0.2.2/30.

  • The fastEthernet5/0 interface on ERX-1440 is configured with an unnumbered IP on the loopback 1 interface, and the IP address of the loopback 1 interface is 177.0.2.1/32.

Problem:

When Proxy ARP is configured on the vlan.10 interface of the SRX and an ICMP echo request is sent from the ERX-1440 (177.0.2.1) to 100.0.0.2 or 1.1.1.1, the ICMP requests time out on the ERX-1440. The results are shown below.


The ERX-1440 device is unable to reach 100.0.0.2 and 1.1.1.1, and no ARP entry is cached for either address.
1440-Juniper-lab_A:test-1#ping 100.0.0.2
Sending 5 ICMP echoes to 100.0.0.2, timeout = 2 sec.
...     
Success rate = 0% (0/5), round-trip min/avg/max = 0/0/0 ms
1440-Juniper-lab_A:test-1#ping 1.1.1.1  
Sending 5 ICMP echoes to 1.1.1.1, timeout = 2 sec.
...     
Success rate = 0% (0/5), round-trip min/avg/max = 0/0/0 ms
1440-Juniper-lab_A:test-1#
1440-Juniper-lab_A:test-1#sh arp
        Address         Age         Hardware Addr Interface
1440-Juniper-lab_A:test-1#

The SRX220 device does not respond to the ARP requests received from 177.0.2.1 (ERX).
lab# run monitor traffic interface vlan.10 no-resolve 
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on vlan.10, capture size 96 bytes

17:27:43.698911  In arp who-has 100.0.0.2 tell 177.0.2.1
17:27:48.165849  In arp who-has 100.0.0.2 tell 177.0.2.1
17:27:53.165904  In arp who-has 100.0.0.2 tell 177.0.2.1
17:27:58.166361  In arp who-has 100.0.0.2 tell 177.0.2.1
17:28:03.166080  In arp who-has 100.0.0.2 tell 177.0.2.1
17:28:08.167060  In arp who-has 100.0.0.2 tell 177.0.2.1
17:29:22.243175  In arp who-has 1.1.1.1 tell 177.0.2.1
17:29:23.167283  In arp who-has 1.1.1.1 tell 177.0.2.1
17:29:28.167765  In arp who-has 1.1.1.1 tell 177.0.2.1
17:29:33.173714  In arp who-has 1.1.1.1 tell 177.0.2.1
17:29:38.174017  In arp who-has 1.1.1.1 tell 177.0.2.1
17:29:43.167827  In arp who-has 1.1.1.1 tell 177.0.2.1
17:29:48.175420  In arp who-has 1.1.1.1 tell 177.0.2.1

Configuration on the SRX220 device:
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 100.0.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    vlan {
        unit 10 {
            proxy-arp; 
            family inet {
                address 177.0.2.2/30;
            }
        }
    }
}
vlans {
    test-vlan10 {
        vlan-id 10;
        interface {
            ge-0/0/2.0;
            ge-0/0/0.0;
        }
        l3-interface vlan.10;
    }
}

If the vlan.10 interface and the VLANs are deactivated and Proxy ARP is configured on the ge-0/0/2 interface of the SRX instead, the SRX responds to the ARP requests received from the ERX-1440 (177.0.2.1).

Configuration on the SRX220 device:
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 100.0.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            proxy-arp;  
            family inet {
                address 177.0.2.2/30;
            }
        }
    }
    inactive: vlan {
        unit 10 {
            proxy-arp;                  
            family inet {
                address 177.0.2.2/30;
            }
        }
    }
}
inactive: vlans {
    test-vlan10 {
        vlan-id 10;
        interface {
            ge-0/0/2.0;
            ge-0/0/0.0;
        }
        l3-interface vlan.10;
    }
}

The result is as follows:

The ERX-1440 device can reach 100.0.0.2 and 1.1.1.1, and ARP entries are cached for both addresses.
1440-Juniper-lab_A:test-1#ping 100.0.0.2
Sending 5 ICMP echoes to 100.0.0.2, timeout = 2 sec.
!!!!!     
Success rate = 100% (5/5), round-trip min/avg/max = 1/4/18 ms
1440-Juniper-lab_A:test-1#ping 1.1.1.1  
Sending 5 ICMP echoes to 1.1.1.1, timeout = 2 sec.
!!!!!     
Success rate = 100% (5/5), round-trip min/avg/max = 2/5/19 ms
1440-Juniper-lab_A:test-1#sh arp
        Address         Age         Hardware Addr Interface
        1.1.1.1       21580        50c5.8d74.4302 FastEthernet5/0
      100.0.0.2       21570        50c5.8d74.4302 FastEthernet5/0
1440-Juniper-lab_A:test-1#

The SRX220 device responds to the ARP requests received from the ERX-1440 (177.0.2.1).
lab# run monitor traffic interface ge-0/0/2 no-resolve 
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/2, capture size 96 bytes

17:54:12.012458  In arp who-has 100.0.0.2 tell 177.0.2.1
17:54:12.012548 Out arp reply 100.0.0.2 is-at 50:c5:8d:74:43:02
17:54:23.055692  In arp who-has 1.1.1.1 tell 177.0.2.1
17:54:23.055797 Out arp reply 1.1.1.1 is-at 50:c5:8d:74:43:02
Cause:

Solution:
When Proxy ARP is configured on a vlan.X interface, ARP requests should be answered.
This issue is fixed in 10.3R4, 10.4R3, 11.1R1, and 11.2R1.
For more information, refer to PR576428.
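
A way to check a saved `monitor traffic` capture for the symptom described in this article, as an added example that is not part of the original Juniper article: it pairs each inbound who-has with an outbound reply for the same target and counts the requests left unanswered. The function name, the 1-second matching window and the sample variable names are assumptions; the sample lines are taken from the two captures above.

```python
import re
from collections import defaultdict

# The two ARP line shapes that appear in the captures on this page.
REQ = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+In arp who-has (\S+) tell (\S+)")
REP = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+Out arp reply (\S+) is-at (\S+)")

def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def unanswered_arp(capture, window=1.0):
    """Return {(target, requester): count} of who-has requests that saw no
    'Out arp reply' for the same target within `window` seconds (assumed)."""
    pending = []  # each entry: [time, target, requester, answered]
    for line in capture.splitlines():
        line = line.strip()
        m = REQ.match(line)
        if m:
            pending.append([_secs(m.group(1)), m.group(2), m.group(3), False])
            continue
        m = REP.match(line)
        if m:
            t, target = _secs(m.group(1)), m.group(2)
            for req in pending:  # answer the oldest matching open request
                if not req[3] and req[1] == target and 0 <= t - req[0] <= window:
                    req[3] = True
                    break
    missing = defaultdict(int)
    for _, target, requester, answered in pending:
        if not answered:
            missing[(target, requester)] += 1
    return dict(missing)

# Lines taken from the vlan.10 capture above (proxy-arp on the RVI).
VLAN_CAPTURE = """
17:27:43.698911  In arp who-has 100.0.0.2 tell 177.0.2.1
17:27:48.165849  In arp who-has 100.0.0.2 tell 177.0.2.1
17:29:22.243175  In arp who-has 1.1.1.1 tell 177.0.2.1
"""
# Lines taken from the ge-0/0/2 capture above (proxy-arp on the routed port).
GE_CAPTURE = """
17:54:12.012458  In arp who-has 100.0.0.2 tell 177.0.2.1
17:54:12.012548 Out arp reply 100.0.0.2 is-at 50:c5:8d:74:43:02
17:54:23.055692  In arp who-has 1.1.1.1 tell 177.0.2.1
17:54:23.055797 Out arp reply 1.1.1.1 is-at 50:c5:8d:74:43:02
"""

if __name__ == "__main__":
    print("vlan.10 :", unanswered_arp(VLAN_CAPTURE))
    print("ge-0/0/2:", unanswered_arp(GE_CAPTURE))
```

An empty result after upgrading to a fixed release, with proxy-arp back on the vlan.X interface, indicates that every captured request was answered.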