On EX4600 and QFX5100 switches, GRE traffic can be de-encapsulated using a firewall filter. However, the filter counter does not increment even though the GRE traffic is de-encapsulated. This article explains this expected behavior and how to use a PFE command to debug or verify the packet count.
This is an expected behavior or limitation.
Use the following PFE command to debug or verify the packet counts.
root@lab0001:RE:0% cprod -A fpc0 -c "show shim nh gre-tunnel-info"
TDIP Tot_grnh GRE_NH_IDX
---------- ---------- ----------------------------
--------------------------------------------------
Total Entry Number: 0
Filter based GRE tunnel info
----------------------------
vrf  TDIP          TSIP          Ref Cnt  l3_iif  pkts   bytes
1    100.100.10.2  100.100.10.1  1        4096    10049  1266174
Lab output:
Topology:
                    10.10.10.2                  100.100.10.2                    20.20.20.2
+----------+        ge-0/0/46 +----------+         ge-0/1/0 +-----------+       ge-0/0/47 +----------+
|  EX2200  +------------------+  EX4200  +------------------+  QFX5100  +-----------------+ EX4200-H |
+----------+ ge-0/0/0         +----------+ ge-0/0/47        +-----------+ ge-0/1/1        +----------+
             10.10.10.1                    100.100.10.1                   20.20.20.1
root@EX4200# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 100.100.10.1;
        destination 100.100.10.2;
    }
    family inet {
        address 101.101.10.1/30;
    }
}
root@EX4200# run show route 20.20.20.0
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
20.20.20.0/30      *[Static/5] 00:32:12
                    > via gr-0/0/0.0
======================
root@lab0001# show firewall
family inet {
    filter DECAP-GRE {
        term 1 {
            from {
                source-address {
                    100.100.10.1/32;
                }
                destination-address {
                    100.100.10.2/32;
                }
                protocol gre;
            }
            then {
                count C1;
                decapsulate gre;
            }
        }
        term 2 {
            then accept;
        }
    }
}
{master:0}[edit]
root@lab0001# show interfaces ge-0/1/0
unit 0 {
    family inet {
        filter {
            input DECAP-GRE;
        }
        address 100.100.10.2/30;
    }
}
{master:0}[edit]
root@lab0001# run show firewall
Filter: DECAP-GRE
Counters:
Name                Bytes              Packets
C1                      0                    0
Verify
Initiate a ping from EX2200 (10.10.10.1) to EX4200-H (20.20.20.2). QFX5100 is de-encapsulating the GRE traffic as expected.
root@EX4200-H# run monitor traffic interface ge-0/0/47 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/47, capture size 96 bytes
10:06:48.694733 In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 9, length 64
10:06:49.697716 In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 10, length 64
10:06:50.700734 In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 11, length 64
10:06:51.702519 In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 12, length 64
==========================
root@lab0001:RE:0% cprod -A fpc0 -c "show shim nh gre-tunnel-info"
TDIP Tot_grnh GRE_NH_IDX
---------- ---------- ----------------------------
--------------------------------------------------
Total Entry Number: 0
Filter based GRE tunnel info
----------------------------
vrf  TDIP          TSIP          Ref Cnt  l3_iif  pkts   bytes
1    100.100.10.2  100.100.10.1  1        4096    10049  1266174
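Because the filter counter C1 stays at 0, the pkts and bytes columns of the "Filter based GRE tunnel info" table are the counts to monitor. The following Python sketch is an added example, not part of the original article or any Juniper tooling: it parses that table and reports the per-tunnel increase between two samples of the PFE command output. The function names and the second sample's values are constructed for illustration.

```python
import re

# Constructed sample 1: the PFE output printed in this article.
SAMPLE_1 = """\
Total Entry Number: 0
Filter based GRE tunnel info
----------------------------
vrf TDIP TSIP Ref Cnt l3_iif pkts bytes
1 100.100.10.2 100.100.10.1 1 4096 10049 1266174
"""
# Constructed sample 2: same tunnel after four more packets (made-up values).
SAMPLE_2 = SAMPLE_1.replace("10049 1266174", "10053 1266678")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Columns: vrf, TDIP, TSIP, Ref Cnt, l3_iif, pkts, bytes
ROW = re.compile(rf"^\s*(\d+)\s+({IPV4})\s+({IPV4})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_filter_gre_tunnels(text):
    """Return {(vrf, tsip, tdip): (pkts, bytes)} from the filter-based table."""
    tunnels, in_table = {}, False
    for line in text.splitlines():
        if line.strip().lower().startswith("filter based gre tunnel info"):
            in_table = True  # skip the nexthop-based table printed above it
            continue
        m = ROW.match(line) if in_table else None
        if m:
            vrf, tdip, tsip, _ref, _iif, pkts, nbytes = m.groups()
            tunnels[(int(vrf), tsip, tdip)] = (int(pkts), int(nbytes))
    return tunnels

def decap_delta(before, after):
    """Per-tunnel (pkts, bytes) growth between two parsed samples.

    A tunnel missing from `before`, or a counter lower than before (assumed
    here to mean the PFE counters were reset), is reported from zero.
    """
    delta = {}
    for key, (pkts, nbytes) in after.items():
        old_pkts, old_bytes = before.get(key, (0, 0))
        if pkts < old_pkts or nbytes < old_bytes:
            old_pkts, old_bytes = 0, 0
        delta[key] = (pkts - old_pkts, nbytes - old_bytes)
    return delta

if __name__ == "__main__":
    first = parse_filter_gre_tunnels(SAMPLE_1)
    second = parse_filter_gre_tunnels(SAMPLE_2)
    for (vrf, tsip, tdip), (p, b) in decap_delta(first, second).items():
        print(f"vrf {vrf} {tsip} -> {tdip}: +{p} pkts, +{b} bytes decapsulated")
```

Tunnels are keyed by (vrf, TSIP, TDIP), so several filter-based tunnels on the same switch are tracked independently.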