[SRX] DAD timer stops after detecting duplicate address

Article ID: KB21302 KB Last Updated: 24 Aug 2011 Version: 1.0
Summary:
This article describes the issue of the DAD (Duplicate Address Detection) timer stopping when it detects a duplicate address.
Symptoms:
The IPv6 DAD (Duplicate Address Detection) mechanism allows an IPv6 host to verify the uniqueness of an address before using it. It uses NS (Neighbor Solicitation) and NA (Neighbor Advertisement) ICMP packets. The NS packet specifies a source address of [::/128] and a destination address equal to the address whose uniqueness the host is trying to verify. If the host receives an NA in response, the address is not unique.

As soon as the Junos platform detects the duplicate address, it stops the DAD timer. This means that even if the duplicate address is removed from the other device, the Junos platform will not be able to use this address without manual intervention.
Solution:

Test topology

J-series --- SRX

Test detail

Step 1
  • J-series is configured with 2001:07FA:0011:0001:0:1DB6:0:1/64.
  • SRX is configured with 2001:07FA:0011:1:0:1283:0:1/64.
At this stage, since the address assigned to each device is unique, address assignment is successful; both devices can ping each other.

Step 2
  • The address configured on J-series is changed to the same address assigned to SRX. Through the DAD process, it finds out that the address is not unique and therefore prevents this address from being used.

Step 3
  • The address on SRX is then changed to another unique IPv6 address. Theoretically, both devices should be able to use their configured addresses since the addresses are unique; however, this is not the case.

Analysis

When J-series first detects the duplicate address through the DAD process in step 2, it resets its data structure and stops the DAD timer. The interface needs to be deactivated and re-activated in order to trigger a new DAD process. The duplicate detection is logged in the /var/log/messages file as shown below:
/kernel: DAD complete - duplicate found 2001:07fa:0011:0001:0:1283:0:0001: manual intervention required

Another solution is to disable the DAD process:
# set interfaces ge-x/x/x unit y family inet6 dad-disable
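
The log message above can be used to find addresses that are still waiting for manual intervention. The following is an added example, not part of the original article or Juniper code: it scans syslog lines for the message, normalizes the logged address (the log and the configuration write the same address with different zero padding), and matches it against configured addresses. The interface names, timestamps, hostname and malformed entry are constructed assumptions.

```python
import ipaddress
import re

# Message text as shown in the article; whatever precedes "/kernel:" is ignored.
DAD_RE = re.compile(r"/kernel: DAD complete - duplicate found ([0-9A-Fa-f:]+): "
                    r"manual intervention required")

# Constructed sample lines: timestamps, hostname and the malformed entry are made up.
SAMPLE_LOG = """\
Aug 24 10:15:02 jseries /kernel: DAD complete - duplicate found 2001:07fa:0011:0001:0:1283:0:0001: manual intervention required
Aug 24 10:15:09 jseries /kernel: some unrelated kernel message
Aug 24 10:21:40 jseries /kernel: DAD complete - duplicate found 2001:07fa:0011:0001:0:1283:0:0001: manual intervention required
Aug 24 10:30:00 jseries /kernel: DAD complete - duplicate found fe80:::1: manual intervention required
"""

# Hypothetical inventory: interface names are assumptions, addresses are the article's.
CONFIGURED = {
    "ge-0/0/0.0": "2001:07FA:0011:1:0:1283:0:1/64",
    "ge-0/0/1.0": "2001:07FA:0011:0001:0:1DB6:0:1/64",
}


def stuck_addresses(lines):
    """Return {IPv6Address: hit count} for DAD duplicate messages in the log."""
    hits = {}
    for line in lines:
        m = DAD_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv6Address(m.group(1))  # canonical form for comparison
        except ValueError:
            continue  # malformed address text: skip rather than guess
        hits[addr] = hits.get(addr, 0) + 1
    return hits


def affected_interfaces(hits, configured):
    """Return {interface: address} for configured addresses that failed DAD."""
    result = {}
    for ifname, cidr in configured.items():
        addr = ipaddress.IPv6Interface(cidr).ip
        if addr in hits:
            result[ifname] = str(addr)
    return result


if __name__ == "__main__":
    found = stuck_addresses(SAMPLE_LOG.splitlines())
    print(affected_interfaces(found, CONFIGURED))
```

Each interface reported still needs the deactivate and re-activate step described in the Analysis, even if the conflicting address has since been removed from the other device.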