Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Packet dropped in cluster with error "Received pkt on non-active link of reth/vsd"

0

0

Article ID: KB28288 KB Last Updated: 01 Sep 2021Version: 2.0
Summary:

This article explains why packets are dropped in a cluster for some hosts.

Symptoms:

The problem is depicted in the scenario below.

SRX240, in a cluster, with the following topology:

reth0 (192.168.4.1/24) -------ae0 [EX-4200]-----Hosts (192.168.4.0/24)

reth0 contains the following member links:

  • ge-0/0/6
  • ge-0/0/7
  • ge-5/0/6
  • ge-5/0/7

There are two corresponding Aggregated Ethernet interfaces, ae0 and ae1. These contain two links each; that is, ae0 member links should be connected to ge-0/0/6 and ge-0/0/7, and ae1 member links should be connected to ge-5/0/6 and ge-5/0/7.

However, only some of the hosts can be pinged from the firewall. Apparently, some of the hosts are not working.

Cause:

The cause is revealed in the scenario below.

Enable security flow traceoptions:

security {
    flow {
        traceoptions {
            file flowtrace size 10m files 3 world-readable;
            flag all;
            packet-filter pf {
                protocol icmp;
                source-prefix 192.168.4.1/32;
            }
            packet-filter pf2 {
                protocol icmp;
                destination-prefix 192.168.4.1/32;
            }
        }
    }
}

Check the log:

root@user# run show log flowtrace | find pf2 
Oct 26 21:26:00 21:26:20.802745:CID-2:RT:<192.168.4.3/3437->192.168.4.1/0;1> matched filter pf2:
Oct 26 21:26:00 21:26:20.802745:CID-2:RT:packet [84] ipid = 19405, @0x423fb824
Oct 26 21:26:00 21:26:20.802745:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x423fb600, rtbl_idx = 0
Oct 26 21:26:00 21:26:20.802745:CID-2:RT: flow process pak fast ifl 71 in_ifp reth0.0
Oct 26 21:26:00 21:26:20.802745:CID-2:RT:pkt info: 192.168.4.3(3437) -> 192.168.4.1(0), 1, flags (0x1000)
Oct 26 21:26:00 21:26:20.802745:CID-2:RT:Received pkt on non-active link of reth/vsd (reth0.0/1)
Oct 26 21:26:00 21:26:20.802745:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

Conclusion:

The error above means that the packet is received on a link that is not part of the primary node (that is, the packet is received on the secondary node child interfaces).

This happens because incorrect connections are made on the EX-series: one of the child interfaces of ae0 is connected to node1 's member link for reth0 (for example, ge-5/0/6 or ge-5/0/7), which is secondary in the RG for reth0.

A similar situation can also occur when using an unsupported configuration, as described in KB22474, "Link aggregation (LACP) supported/non-supported configurations on SRX and EX."

Solution:

To resolve this problem, perform the following:

  1. Correct the cabling.

  2. Connect all child interfaces of ae0 to node0 (which is the primary in RG for reth0).

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search