Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] IPv6 forwarding mode in Junos 15.1X49-D70 changed from 'drop' to 'flow based' in some SRX models

0

0
Article ID: KB31594 KB Last Updated: 13 May 2019Version: 2.0 Summary:

In Junos 15.1X49-D70, the default behavior of the IPv6 forwarding mode is changed from 'drop' to 'flow based' on the following SRX models:

  • SRX1500
  • SRX4100 / 4200,
  • SRX5400 / 5600 / 5800
  • vSRX
Symptoms:

In Junos 9.6 or later​ (but before 15.1X49-D70), the default IPv6 forwarding mode is 'drop.'

root@vsrx> show security flow status

Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop <---
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware

In order to enable the use of IPv6 and change the forwarding mode to "flow based" the following command is used, followed by a reboot. Refer to KB25697- How to enable the IPv6 flow (or packet) mode on SRX​

set security forwarding-options family inet6 mode flow-based​

However, starting with Junps 15.1X49-D70, IPv6 forwarding mode is set to "flow based", by default. It can be checked using the command "show security flow status" .

root@vsrx> show security flow status

Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based <---
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware

In order to disable IPv6 and change the forwarding mode to "drop" use the following command:

set security forwarding-options family inet6 mode drop​
Solution:

This change in default behavior also enables the device to work without any requirement of a reboot when switching between the different flow modes for IPv6, namely packet based, flow based, and drop

For IPv4, the default mode on SRX1500, SRX 4100/4200, SRX 5400/5600/5800, and vSRX will remain as "flow based". A reboot is not required to change between the different flow modes for IPv4 namely, packet based, flow based and drop.

Note: Packet based is NOT supported on SRX5000 devices.

The SRX3000 Series devices maintain existing behavior for IPv4 (default mode: flow based) and for IPv6 (default mode: drop), due to memory constraints. Also, a reboot will be required to change between the different flow modes (flow based/drop) for IPv4 and/or IPv6 on the SRX3k Series devices.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search