
[QFX] Packets with a TTL of 0 or 1 that are encapsulated within VXLAN are dropped on the transit device when a loopback filter is applied


Article ID: KB32995    KB Last Updated: 10 Aug 2018    Version: 1.0
Summary:

In a VXLAN EVPN scenario, a transit VXLAN packet whose inner payload has a TTL of 0 or 1 is dropped when a loopback filter is applied on the transit device. This behavior is seen on QFX5100 platforms.

Symptoms:

Routing protocols will not establish neighborship and will be stuck in intermediate states.

Cause:

On QFX5100, transit VXLAN packets are processed according to a register setting. When the loopback filter is applied, the inner payload of a packet with a TTL value of 0 or 1 is sent to the RE for further processing. Since the TTL is 0 or 1, the packet is dropped there. The firewall filter also parses the inner packet payload on the L4-L7 fields before the source or destination IP addresses, so even if the filter has explicit terms that match the source and/or destination IP address, those terms will not be matched; the default deny term at the end of the filter is matched instead. This affects only transit VXLAN traffic.

Solution:

To avoid such drops, add an explicit term to the loopback filter that allows the inner payload packet with a TTL of 0 or 1. The term can be framed on the L4-L7 headers. For example, if it is an eBGP session that arrives with a TTL of 1, an explicit term can be added to accept packets with the BGP destination port (179):
set firewall family inet filter Loopback_filter term bgp179 from destination-port bgp
set firewall family inet filter Loopback_filter term bgp179 then accept
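A fuller loopback filter showing where the port-based term sits relative to the default deny term, as an added example that is not part of this KB article; the term name default-deny, the counter names and the lo0 binding are assumptions, and Loopback_filter and bgp179 are taken from the article:

```junos
# Added example (not from the KB article): loopback filter on a QFX5100 transit VTEP.
# The port-based term comes first: the inner payload of a transit VXLAN packet is
# matched on its L4-L7 fields before its addresses, so an address-only term would
# not match and the packet would fall through to the default deny term.

# Accept the eBGP session (TTL 1) on its well-known port; "protocol tcp" narrows
# the match to TCP, which is what BGP uses. Counter name is constructed.
set firewall family inet filter Loopback_filter term bgp179 from protocol tcp
set firewall family inet filter Loopback_filter term bgp179 from destination-port bgp
set firewall family inet filter Loopback_filter term bgp179 then count bgp179-accepted
set firewall family inet filter Loopback_filter term bgp179 then accept

# Address-based terms for other control-plane traffic would go here; they will
# not catch the transit VXLAN inner payload described in the article.

# Explicit default deny at the end, counted and logged so drops are visible
# rather than silent. Term and counter names are constructed.
set firewall family inet filter Loopback_filter term default-deny then count default-denied
set firewall family inet filter Loopback_filter term default-deny then log
set firewall family inet filter Loopback_filter term default-deny then discard

# Bind the filter to the loopback interface (assumed unit 0).
set interfaces lo0 unit 0 family inet filter input Loopback_filter
```

After commit, `show firewall filter Loopback_filter` shows the counters: bgp179-accepted incrementing while the BGP session establishes confirms the term is matching, and a climbing default-denied counter points at traffic that still needs an explicit L4-L7 term.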