
[EX/QFX] Filter counter will not work for "decapsulate gre" action.


Article ID: KB32174 KB Last Updated: 15 Sep 2017 Version: 1.0
Summary:
On EX4600 and QFX5100 switches, GRE traffic can be de-encapsulated using a firewall filter. However, the filter counter will not increment even though the GRE traffic is de-encapsulated. This article explains this expected behavior and how to use the PFE command to debug or verify the packet count.
Symptoms:

This is an expected behavior or limitation. 

Solution:

Use the following PFE command to debug or verify the packet counts.

 
root@lab0001:RE:0% cprod -A fpc0 -c "show shim nh gre-tunnel-info"
 
    TDIP     Tot_grnh     GRE_NH_IDX
 ---------- ---------- ----------------------------
 --------------------------------------------------
 Total Entry Number: 0
 
 Filter based GRE tunnel info
 ----------------------------
 vrf TDIP                  TSIP                 Ref Cnt    l3_iif     pkts      bytes
 1  100.100.10.2           100.100.10.1             1       4096      10049      1266174

Lab output:
 
Topology:
 
                       10.10.10.2                   100.100.10.2                   20.20.20.2
 
+----------+      ge-0/0/46  +----------+        ge-0/1/0  +-----------+     ge-0/0/47 +----------+
| EX2200   +-----------------+ EX4200   +------------------+  QFX5100  +---------------+ EX4200-H |
+----------+ge-0/0/0         +----------+ge-0/0/47         +-----------+ge-0/1/1       +----------+
 
     10.10.10.1                       100.100.10.1                    20.20.20.1
 
 
root@EX4200# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 100.100.10.1;
        destination 100.100.10.2;
    }
    family inet {
        address 101.101.10.1/30;
    }
}
 
root@EX4200# run show route 20.20.20.0
 
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
20.20.20.0/30      *[Static/5] 00:32:12
                    > via gr-0/0/0.0
======================
 
root@lab0001# show firewall
family inet {
    filter DECAP-GRE {
        term 1 {
            from {
                source-address {
                    100.100.10.1/32;
                }
                destination-address {
                    100.100.10.2/32;
                }
                protocol gre;
            }
            then {
                count C1;
                decapsulate gre;
            }
        }
        term 2 {
            then accept;
        }
    }
}
{master:0}[edit]
root@lab0001# show interfaces ge-0/1/0
unit 0 {
    family inet {
        filter {
            input DECAP-GRE;
        }
        address 100.100.10.2/30;
    }
}
{master:0}[edit]
root@lab0001# run show firewall
 
Filter: DECAP-GRE
Counters:
Name                                                Bytes              Packets
C1                                                      0                    0
 

Verify

Initiate a ping from EX2200 (10.10.10.1) to EX4200-H (20.20.20.2). QFX5100 is de-encapsulating the GRE traffic as expected.
 
root@EX4200-H# run monitor traffic interface ge-0/0/47 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/47, capture size 96 bytes
 
10:06:48.694733  In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 9, length 64
10:06:49.697716  In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 10, length 64
10:06:50.700734  In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 11, length 64
10:06:51.702519  In IP truncated-ip - 24 bytes missing! 10.10.10.1 > 20.20.20.2: ICMP echo request, id 1590, seq 12, length 64
==========================
root@lab0001:RE:0% cprod -A fpc0 -c "show shim nh gre-tunnel-info"
 
    TDIP     Tot_grnh     GRE_NH_IDX
 ---------- ---------- ----------------------------
 --------------------------------------------------
 Total Entry Number: 0
 
 Filter based GRE tunnel info
 ----------------------------
 vrf TDIP                  TSIP                 Ref Cnt    l3_iif     pkts      bytes
 1  100.100.10.2           100.100.10.1             1       4096      10049      1266174
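
Because the filter counter C1 stays at zero, monitoring has to read the PFE table instead. The following added example (not Juniper code; the function names are hypothetical) parses the "Filter based GRE tunnel info" section of the output above and reports how many packets and bytes were de-encapsulated between two samples. The second sample is constructed for illustration.

```python
import re
from collections import namedtuple

# First sample: the article's lab output. LATER is constructed (4 more 126-byte packets).
SAMPLE = """\
    TDIP     Tot_grnh     GRE_NH_IDX
 ---------- ---------- ----------------------------
 --------------------------------------------------
 Total Entry Number: 0

 Filter based GRE tunnel info
 ----------------------------
 vrf TDIP                  TSIP                 Ref Cnt    l3_iif     pkts      bytes
 1  100.100.10.2           100.100.10.1             1       4096      10049      1266174
"""
LATER = re.sub(r"10049\s+1266174", "10053      1266678", SAMPLE)

GreTunnel = namedtuple("GreTunnel", "vrf tdip tsip ref_cnt l3_iif pkts nbytes")
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row: vrf, tunnel destination IP, tunnel source IP, then four integers.
_ROW = re.compile(rf"^\s*(\d+)\s+({_IP})\s+({_IP})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_filter_gre(text):
    """Return {(tdip, tsip): GreTunnel} from the filter-based GRE section only."""
    tunnels, in_section = {}, False
    for line in text.splitlines():
        if "Filter based GRE tunnel info" in line:
            in_section = True
            continue
        m = _ROW.match(line) if in_section else None
        if m:
            g = m.groups()
            tunnels[(g[1], g[2])] = GreTunnel(int(g[0]), g[1], g[2], *map(int, g[3:]))
    return tunnels

def decap_delta(before, after):
    """Per-tunnel (packets, bytes) de-encapsulated between two samples."""
    old, new = parse_filter_gre(before), parse_filter_gre(after)
    out = {}
    for key, t in new.items():
        prev = old.get(key)
        # Assumption: a lower count than before means the entry was re-created,
        # so the new value is taken as the count since that restart.
        if prev is None or t.pkts < prev.pkts:
            out[key] = (t.pkts, t.nbytes)
        else:
            out[key] = (t.pkts - prev.pkts, t.nbytes - prev.nbytes)
    return out
```

A zero delta for a tunnel while GRE traffic is being sent indicates that the filter is not de-encapsulating, which the firewall counter cannot show on these platforms.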
