[EX/QFX] Filter counter will not work for "decapsulate gre" action.

[KB32174]


Summary:
On EX4600 and QFX5100 switches, GRE traffic can be de-encapsulated using a firewall filter. However, the filter counter does not increment even though the GRE traffic is de-encapsulated. This article explains this expected behavior and how to use the PFE command to debug or verify the packet count.
Symptoms:

This is an expected behavior or limitation. 

Solution:

Use the following PFE command to debug or verify the packet counts.

 
root@lab0001:RE:0% cprod -A fpc0 -c "show shim nh gre-tunnel-info"
 
    TDIP     Tot_grnh     GRE_NH_IDX
 ---------- ---------- ----------------------------
 --------------------------------------------------
 Total Entry Number: 0
 
 Filter based GRE tunnel info
 ----------------------------
 vrf TDIP                  TSIP                 Ref Cnt    l3_iif     pkts      bytes
 1  100.100.10.2           100.100.10.1             1       4096      10049      1266174

Lab output:
 
Topology:
 
                       10.10.10.2                   100.100.10.2                   20.20.20.2
 
+----------+      ge-0/0/46  +----------+        ge-0/1/0  +-----------+     ge-0/0/47 +----------+
| EX2200   +-----------------+ EX4200   +------------------+  QFX5100  +---------------+ EX4200-H |
+----------+ge-0/0/0         +----------+ge-0/0/47         +-----------+ge-0/1/1       +----------+
 
     10.10.10.1                       100.100.10.1                    20.20.20.1
 
 
root@EX4200# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 100.100.10.1;
        destination 100.100.10.2;
    }
    family inet {
        address 101.101.10.1/30;
    }
}
 
root@EX4200# run show route 20.20.20.0
 
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
20.20.20.0/30      *[Static/5] 00:32:12
                    > via gr-0/0/0.0
======================
 
root@lab0001# show firewall
family inet {
    filter DECAP-GRE {
        term 1 {
            from {
                source-address {
                    100.100.10.1/32;
                }
                destination-address {
                    100.100.10.2/32;
                }
                protocol gre;
            }
            then {
                count C1;
                decapsulate gre;
            }
        }
        term 2 {
            then accept;
        }
    }
}
{master:0}[edit]
root@lab0001# show interfaces ge-0/1/0
unit 0 {
    family inet {
        filter {
            input DECAP-GRE;
        }
        address 100.100.10.2/30;
    }
}
{master:0}[edit]
root@lab0001# run show firewall
 
Filter: DECAP-GRE
Counters:
Name                                                Bytes              Packets
C1                                                      0                    0
 

Verify

Initiate a ping from EX2200 (10.10.10.1) to EX4200-H (20.20.20.2). QFX5100 is de-encapsulating the GRE traffic as expected.
 
root@EX4200-H# run monitor traffic interface ge-0/0/47 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/47, capture size 96 bytes
 
10:06:48.694733  In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 9, length 64
10:06:49.697716  In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 10, length 64
10:06:50.700734  In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 11, length 64
10:06:51.702519  In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 12, length 64
==========================
root@lab0001:RE:0% cprod -A fpc0 -c "show shim nh gre-tunnel-info"
 
    TDIP     Tot_grnh     GRE_NH_IDX
 ---------- ---------- ----------------------------
 --------------------------------------------------
 Total Entry Number: 0
 
 Filter based GRE tunnel info
 ----------------------------
 vrf TDIP                  TSIP                 Ref Cnt    l3_iif     pkts      bytes
 1  100.100.10.2           100.100.10.1             1       4096      10049      1266174
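
Because the `count C1` counter stays at zero, monitoring of decapsulated GRE traffic has to read the pkts and bytes columns of the "Filter based GRE tunnel info" table instead. The following Python parser is an added example, not part of the original article or Juniper tooling: it extracts those counters and computes the increase between two samples. The function names are hypothetical, the column layout is assumed to match the output shown in this article, and a decreasing counter is assumed to mean a reset.

```python
import re

# Output of: cprod -A fpc0 -c "show shim nh gre-tunnel-info" (as shown in this article)
SAMPLE = """\
    TDIP     Tot_grnh     GRE_NH_IDX
 ---------- ---------- ----------------------------
 --------------------------------------------------
 Total Entry Number: 0

 Filter based GRE tunnel info
 ----------------------------
 vrf TDIP                  TSIP                 Ref Cnt    l3_iif     pkts      bytes
 1  100.100.10.2           100.100.10.1             1       4096      10049      1266174
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Columns: vrf, TDIP, TSIP, Ref Cnt, l3_iif, pkts, bytes
ROW = re.compile(rf"^\s*(\d+)\s+{IP}\s+{IP}\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_filter_gre(text):
    """Return {(vrf, tdip, tsip): {"pkts": n, "bytes": n}} for filter-based tunnels."""
    tunnels, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "Filter based GRE tunnel info":
            in_section = True   # ignore the next-hop based table above it
            continue
        m = ROW.match(line) if in_section else None
        if m:
            vrf, tdip, tsip, _ref, _iif, pkts, nbytes = m.groups()
            tunnels[(int(vrf), tdip, tsip)] = {"pkts": int(pkts), "bytes": int(nbytes)}
    return tunnels

def delta(before, after):
    """Per-tunnel increase between two samples.

    A tunnel missing from `before` counts from zero. A counter lower than
    before is treated as a reset (assumption), so the current value is used.
    """
    out = {}
    for key, cur in after.items():
        prev = before.get(key, {"pkts": 0, "bytes": 0})
        out[key] = {k: cur[k] - prev[k] if cur[k] >= prev[k] else cur[k]
                    for k in ("pkts", "bytes")}
    return out
```
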
