
[MX] Solving ICMP asymmetric traffic drops by IPSec tunnels on MX routers equipped with MS-MPC


Article ID: KB33836  KB Last Updated: 01 Feb 2019  Version: 1.0
Summary:

This article describes how to prevent asymmetric Internet Control Message Protocol (ICMP) traffic from being dropped by IPSec tunnels on MX routers that are equipped with MS-MPC.

 

Symptoms:

In the following setup, there are two IPSec tunnels that terminate on one router. Traffic through them is asymmetric: traffic from Destination A to Destination B moves through the R01-R03 tunnel, and the reverse traffic moves through the R02-R03 tunnel. In this case, the reverse traffic through the R02-R03 tunnel is dropped. See PR1059940.

 

Cause:

The default behavior of IPSec tunnels on MX routers that are equipped with MS-MPC is to drop reply packets if they are not going through the same tunnel from which the request packets came (ICMP asymmetric traffic).

 

Solution:

To allow ICMP traffic over an asymmetric path (for example, the ICMP echo request arrives through one IPSec tunnel and the ICMP echo reply goes through another IPSec tunnel), the enable-asymmetric-traffic-processing configuration knob must be configured under service-set for all configured service-sets.

set services service-set sset-name service-set-options enable-asymmetric-traffic-processing  <<This knob allows ICMP asymmetric traffic.
set services service-set sset-name next-hop-service inside-service-interface ms-1/1/0.1
set services service-set sset-name next-hop-service outside-service-interface ms-1/1/0.2
set services service-set sset-name ipsec-vpn-options local-gateway <ip-address>
set services service-set sset-name ipsec-vpn-rules sset-rule
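
Because the knob must be present on every service set, a quick audit of the configuration is useful after the change. The following is an added example, not Juniper code: it assumes the input is the text printed by `show configuration services | display set`, and the function name, service-set names, and sample lines are constructed for illustration. It also treats a knob that is set but deactivated as not in effect.

```python
# Added example (not Juniper code). Input is assumed to be the output of
# `show configuration services | display set`; all names below are constructed.
KNOB = ("service-set-options", "enable-asymmetric-traffic-processing")

def missing_knob(display_set_text):
    """Return sorted names of active service sets where the knob is absent or inactive."""
    configured, with_knob = set(), set()
    knob_inactive, set_inactive = set(), set()
    for line in display_set_text.splitlines():
        tokens = line.split()
        # Only "<verb> services service-set <name> ..." lines are relevant.
        if len(tokens) < 4 or tokens[1:3] != ["services", "service-set"]:
            continue
        verb, name, rest = tokens[0], tokens[3], tuple(tokens[4:])
        if verb == "set":
            configured.add(name)
            if rest[:2] == KNOB:
                with_knob.add(name)
        elif verb == "deactivate":
            if not rest:
                # The whole service set is inactive, so it is not audited.
                set_inactive.add(name)
            elif rest == KNOB[:len(rest)]:
                # The knob itself, or its parent service-set-options, is inactive.
                knob_inactive.add(name)
    effective = with_knob - knob_inactive
    return sorted(configured - set_inactive - effective)

# Constructed sample configuration in "display set" format.
SAMPLE = """\
set services service-set sset-a service-set-options enable-asymmetric-traffic-processing
set services service-set sset-a next-hop-service inside-service-interface ms-1/1/0.1
set services service-set sset-a next-hop-service outside-service-interface ms-1/1/0.2
set services service-set sset-a ipsec-vpn-rules rule-a
set services service-set sset-b next-hop-service inside-service-interface ms-1/1/0.3
set services service-set sset-b next-hop-service outside-service-interface ms-1/1/0.4
set services service-set sset-b ipsec-vpn-rules rule-b
set services service-set sset-c service-set-options enable-asymmetric-traffic-processing
deactivate services service-set sset-c service-set-options
set services service-set sset-c ipsec-vpn-rules rule-c
set services service-set sset-d ipsec-vpn-rules rule-d
deactivate services service-set sset-d
"""

if __name__ == "__main__":
    for name in missing_knob(SAMPLE):
        print(f"{name}: enable-asymmetric-traffic-processing not in effect")
```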

 
