
[ACX] Firewall filter fails to apply to an interface with policer/count as the then action

Article ID: KB32413    KB Last Updated: 15 Jan 2018    Version: 1.0
Summary:
The family inet filter fails to apply to an interface under the following conditions:
  1. The filter action is count or policer
  2. The PFE TCAM (ternary content addressable memory) entries in use exceed its limit

This article explains how to check the maximum number of TCAM entries supported on ACX.

Symptoms:

When configuring the firewall filter and applying it to a loopback interface, the following messages were logged:

Jan  3 07:52:00  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_field_entry_install :failed to install entry 2570 in unit 0
Jan  3 07:52:00  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_field_entry_install :rv -14 error "No resources for operation"
Jan  3 07:52:00  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_rule_create :Could not install entry; unit: 0, entry: 2570, group: 16
Jan  3 07:52:00  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_filter_create_exp :[-1] from acx_dfw_rule_create_exp term(1)
Jan  3 07:52:00  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_change_end :Status:-1: Tcam rule add failed(old_cnt:514 for hw instance
 0x680a04f0 at filter index: 65537 of IFP_FOR_Lo0_FILTER
Jan  3 07:52:00  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_change_end :is_filter_cleanup_done set to TRUE for dfw(re-pro-lo0.0-i)
 type(IFP_FOR_Lo0_FILTER), new: dfw(re-pro-lo0.0-i) type (IFP_FOR_Lo0_FILTER)


To simplify the sample configuration, only count is used as the action below; with policer as the action, the same result occurs.

interface-specific;
term 1 {
    from {
        source-prefix-list {
            list-1;
        }
        destination-prefix-list {
            list-2;
        }
        protocol tcp;
        destination-port telnet;
    }
    then {
        count counter_1;
        accept;
    }
}
term 2 {
    then {
        accept;
    }
}
prefix-list list-1 {
    192.168.10.1/32;
    192.168.10.2/32;
    192.168.10.3/32;
    192.168.10.4/32;
    192.168.10.5/32;
    192.168.10.6/32;
    192.168.10.7/32;
    192.168.10.8/32;
    192.168.10.9/32;
    192.168.10.10/32;
    192.168.10.11/32;
    192.168.10.12/32;
    192.168.10.13/32;
    192.168.10.14/32;
    192.168.10.15/32;
    192.168.10.16/32;
}
prefix-list list-2 {
    192.168.20.1/32;
    192.168.20.2/32;
    192.168.20.3/32;
    192.168.20.4/32;
    192.168.20.5/32;
    192.168.20.6/32;
    192.168.20.7/32;
    192.168.20.8/32;
    192.168.20.9/32;
    192.168.20.10/32;
    192.168.20.11/32;
    192.168.20.12/32;
    192.168.20.13/32;
    192.168.20.14/32;
    192.168.20.15/32;
    192.168.20.16/32;
}

Cause:
Each filter requires [(x * y) + 1 default] entries, where x = 16 (source prefixes) and y = 16 (destination prefixes). Each hardware instance requires 513 entries (16 * 16 * 2 + 1). This cannot be accommodated, as the maximum number of counters available is only 256.
Solution:

Reduce the source/destination prefix lists so that the filter instance needs fewer TCAM entries.

The following command shows TCAM entry usage per stage:

labroot@jtac-ACX2100-r002> show pfe tcam usage all-tcam-stages
Slot 0
Tcam Resource Stage: Pre-Ingress
--------------------------------
Free [hw-grps: 3 out of 3]
No dynamic tcam usage
Tcam Resource Stage: Ingress
----------------------------
Free [hw-grps: 6 out of 7]
Group: 8, Mode: SINGLE, Hw grps used: 1, Tcam apps: 1
               Used  Allocated  Available     Errors
Tcam-Entries     52        256        204          0
Counters        104        256        152          0
Policers          0       2048       2048          0
Tcam Resource Stage: Egress
---------------------------
Free [hw-grps: 4 out of 4]
No dynamic tcam usage
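The following is an added example (not part of this article or of Junos) that parses the Ingress table of the show pfe tcam usage output above and applies the article's formula to a proposed term before it is committed, so a filter that would exhaust entries or counters is caught ahead of the commit. It assumes the 16 * 16 * 2 + 1 figure is the number of counters the term consumes and the (x * y) + 1 figure the number of TCAM entries; the function names and sample table are constructed for this example.

```python
import re

# Constructed sample input: the Ingress rows of `show pfe tcam usage all-tcam-stages`,
# with the numbers copied from the output shown in this article.
SAMPLE_OUTPUT = """\
Tcam Resource Stage: Ingress
Group: 8, Mode: SINGLE, Hw grps used: 1, Tcam apps: 1
               Used  Allocated  Available     Errors
Tcam-Entries     52        256        204          0
Counters        104        256        152          0
Policers          0       2048       2048          0
"""

# One table row: resource name followed by the four integer columns.
ROW_RE = re.compile(r"^(Tcam-Entries|Counters|Policers)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)

def parse_tcam_usage(text):
    """Map each resource row to its Used/Allocated/Available/Errors values."""
    usage = {}
    for m in ROW_RE.finditer(text):
        name, used, allocated, available, errors = m.groups()
        usage[name] = {"used": int(used), "allocated": int(allocated),
                       "available": int(available), "errors": int(errors)}
    return usage

def required_resources(src_prefixes, dst_prefixes, count_or_police=True):
    """Resources one term needs per the article: (x * y) + 1 default TCAM entries,
    and, with a count/policer action, x * y * 2 + 1 counters per hardware instance
    (assumption: the article's 513 figure is what the Counters row must cover)."""
    matches = src_prefixes * dst_prefixes
    counters = matches * 2 + 1 if count_or_police else 0
    return {"Tcam-Entries": matches + 1, "Counters": counters}

def check_fit(usage, src_prefixes, dst_prefixes, count_or_police=True):
    """Return (resource, required, available, allocated) for each resource the term
    would exhaust; an empty list means the filter is expected to install."""
    shortfalls = []
    for res, need in required_resources(src_prefixes, dst_prefixes, count_or_police).items():
        if need > usage[res]["available"]:
            shortfalls.append((res, need, usage[res]["available"], usage[res]["allocated"]))
    return shortfalls

if __name__ == "__main__":
    table = parse_tcam_usage(SAMPLE_OUTPUT)
    for short in check_fit(table, 16, 16):  # the article's two 16-entry prefix lists
        print("%s: need %d, available %d (allocated %d)" % short)
```

For the article's 16 x 16 lists the check reports both rows short (257 entries against 204 available, 513 counters against 152), which matches the "No resources for operation" failure; trimming both lists to 4 prefixes brings the term within the free entries and counters.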