
[Junos] Firewall filter's programming state is in "NOT CONSISTENT" state after executing GRES switchover

Article ID: KB34547    KB Last Updated: 17 Jun 2019    Version: 1.0
Summary:

After a GRES switchover, a firewall filter's programming state in the PFE might be "NOT CONSISTENT" and an FPC core might be seen. This is a rare condition caused by a timing issue. Firewall filters are impacted: a filter whose state is NOT CONSISTENT does not function as configured, which leads to undesired effects on the traffic it is meant to control.

Symptoms:

When a new FPC is inserted (for example after an RMA replacement), the FPC generates core dumps and starts rebooting repeatedly.

Example:

user@hostname> show system core-dumps            
-rw-r--r--  1 root  wheel   50197111 Nov 25 01:14 /var/crash/core-NPC8.gz.core.0 
-rw-r--r--  1 root  wheel   50218531 Nov 25 01:19 /var/crash/core-NPC8.gz.core.1
-rw-r--r--  1 root  wheel   39157760 Nov 25 01:23 /var/crash/core-NPC8.gz.core.2
-rw-r--r--  1 root  wheel   50188063 Nov 27 03:27 /var/crash/core-NPC8.gz.core.3
-rw-r--r--  1 root  wheel   50095288 Nov 27 03:31 /var/crash/core-NPC8.gz.core.4 

Note: All of the core-dump files are generated by the affected FPC (core-NPC8 in this example).
 

How to verify the firewall filter state (CONSISTENT / NOT CONSISTENT) by logging into the FPC:

user@hostname> show configuration firewall family inet6 filter VISP_TO_WSN_INET_V6   <-- This filter is in the problem state (NOT CONSISTENT)
term ALLOW_NEIGHBOR_DISCOVERY {
    from {
        next-header icmpv6;
        icmp-type [ neighbor-solicit neighbor-advertisement ];
    }
    then {
        count neighbor-disc-visp-to-mx-v6;
        accept;
    }
}
term ALLOW_LOCAL_PING {
    from {
        destination-address {
            2001:4888:3b:207b:3c2:2a1::0/64;
        }
    }
    then {
        count pings-from-visp-to-mx-v6;
        accept;
    }
}
term TO_PRI_FIREWALL {
    then {
        count from-visp-to-inet-v6;   
        routing-instance WSN_INET;
    }
}
 
> start shell pfe network fpc1
..
NPC1(hostname vty)# show filter
..
      15  Classic    -         VISP_TO_WSN_MOBILE_V6 <-- consistent state
      16  Classic    -         VISP_TO_WSN_INET_V6   <-- NOT consistent state


NPC1(     vty)# sh filter index 16 program  
Filter index = 16
Optimization flag: 0xf7
Filter notify host id = 0
Filter properties: None
Filter state = NOT CONSISTENT
term ALLOW_NEIGHBOR_DISCOVERY
term priority 0
    next-header
         58
        false branch to match destination-address in rule ALLOW_LOCAL_PING
    icmp-type
         135-136
        false branch to match destination-address in rule ALLOW_LOCAL_PING

    then
        accept
        count neighbor-disc-visp-to-mx-v6
term ALLOW_LOCAL_PING
term priority 0
    destination-address
        2001:4888:3b:207b::/64
        false branch to match action in rule TO_PRI_FIREWALL

    then
        accept
        count pings-from-visp-to-mx-v6
term TO_PRI_FIREWALL
term priority 0

    then
        action next-hop, type (routing-inst)
                WSN_INET
        count from-visp-to-inet-v6


NPC1(JHTWPADPD29-L-JU-960X-02 vty)# sh filter index 15 program  
Filter index = 15
Optimization flag: 0xf7
Filter notify host id = 0
Filter properties: None
Filter state = CONSISTENT 
term ALLOW_NEIGHBOR_DISCOVERY
term priority 0
    next-header
         58
        false branch to match destination-address in rule ALLOW_LOCAL_PING
    icmp-type
         135-136
        false branch to match destination-address in rule ALLOW_LOCAL_PING

    then
        accept
        count neighbor-disc-visp-to-mx-v6
term ALLOW_LOCAL_PING
term priority 0
    destination-address
        2001:4888:3b:207a::/64
        false branch to match action in rule TO_XGWs

    then
        accept
        count pings-from-visp-to-mx-v6
term TO_XGWs
term priority 0

    then
        action next-hop, type (routing-inst)
                WSN_MOBILE
        count from-visp-to-mobiles-v6

Cause:

This issue might be seen when all of the following conditions are met:

  • Dual Routing Engines with GRES enabled
  • At least one firewall filter is configured
  • A GRES switchover is executed

Solution:

Restoration steps:

  1. Reprogram the firewall filter by deleting the filter configuration, then commit.
  2. Perform a "rollback 1", then commit to re-add the filter configuration.

Between the two commits the filter is absent from the forwarding path: traffic it normally discards is accepted, and filter actions such as the routing-instance redirect in the example above are not applied until the second commit completes, so schedule the steps accordingly. "rollback 1" loads the whole previously committed configuration, not only the filter, so make no other configuration changes between the two commits.

OR

Upgrade to one of the following fixed versions of Junos:
  • Junos 16.1R3-S1-J3
  • Junos 16.1R7-J2
  • Junos 16.1R7-S1
  • Junos 16.1R7-S5
  • Junos 16.1R8
  • Junos 17.1R3-S1
  • Junos 17.2R2-S7
  • Junos 17.2R3
  • Junos 17.3R3-S2
  • Junos 17.3R4
  • Junos 17.4R1-S7
  • Junos 17.4R2-S2
  • Junos 17.4R3
  • Junos 18.1R3-S2
  • Junos 18.1R4
  • Junos 18.2R1-S4
  • Junos 18.2R1-S5
  • Junos 18.2R2
  • Junos 18.2X75-D30
  • Junos 18.3R1-S3
  • Junos 18.3R2
  • Junos 18.4R1
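Added example (not from this KB article or from Juniper): a Python helper that parses the FPC vty output in the shape shown in the verification section above, flags every filter whose "Filter state" is anything other than CONSISTENT, and emits the CLI sequence from the restoration steps for the flagged filters. The sample vty text is constructed to match the article's listings, not captured from a device; the filter family (inet6 here) is an assumption supplied by the caller, because the PFE listing does not show it.

```python
"""Find firewall filters whose PFE programming is NOT CONSISTENT and emit
the Junos CLI steps from KB34547 to reprogram them.

Added example; the vty samples below are constructed in the layout the
article shows, not captured from a device."""
import re
from typing import Dict, List, Tuple

# Constructed "show filter" listing from the FPC vty (index, type, counter, name).
SHOW_FILTER = """\
..
      15  Classic    -         VISP_TO_WSN_MOBILE_V6
      16  Classic    -         VISP_TO_WSN_INET_V6
"""

# Constructed "sh filter index <n> program" dumps; only the header block is
# needed for the state check, so the term listing is cut short.
PROGRAM_15 = """\
Filter index = 15
Optimization flag: 0xf7
Filter notify host id = 0
Filter properties: None
Filter state = CONSISTENT
term ALLOW_NEIGHBOR_DISCOVERY
"""

PROGRAM_16 = """\
Filter index = 16
Optimization flag: 0xf7
Filter notify host id = 0
Filter properties: None
Filter state = NOT CONSISTENT
term ALLOW_NEIGHBOR_DISCOVERY
"""

LIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")
INDEX_LINE = re.compile(r"^Filter index = (\d+)\s*$", re.MULTILINE)
STATE_LINE = re.compile(r"^Filter state = (.+?)\s*$", re.MULTILINE)


def parse_filter_list(text: str) -> Dict[int, str]:
    """Map filter index -> filter name from the 'show filter' listing."""
    filters: Dict[int, str] = {}
    for line in text.splitlines():
        m = LIST_LINE.match(line)
        if m:
            filters[int(m.group(1))] = m.group(2)
    return filters


def parse_program_state(text: str) -> Tuple[int, str]:
    """Return (index, state) from one 'show filter index N program' dump."""
    idx = INDEX_LINE.search(text)
    state = STATE_LINE.search(text)
    if not idx or not state:
        raise ValueError("not a 'show filter index N program' dump")
    return int(idx.group(1)), state.group(1)


def find_inconsistent(list_text: str, program_dumps: List[str]) -> List[str]:
    """Names of filters whose programmed state is anything but CONSISTENT."""
    names = parse_filter_list(list_text)
    bad: List[str] = []
    for dump in program_dumps:
        idx, state = parse_program_state(dump)
        if state != "CONSISTENT":
            bad.append(names.get(idx, f"index-{idx}"))
    return bad


def restoration_commands(filters: List[Tuple[str, str]]) -> List[str]:
    """CLI sequence from the article: delete the affected filters and commit,
    then 'rollback 1' and commit to re-add them unchanged.  Each entry is
    (family, filter-name); the family is an assumption the caller takes from
    the configuration, since the PFE listing does not show it.  All deletes
    share one commit/rollback pair so 'rollback 1' restores exactly the
    configuration that was active before the deletes."""
    cmds = ["configure"]
    cmds += [f"delete firewall family {fam} filter {name}" for fam, name in filters]
    cmds += ["commit", "rollback 1", "commit"]
    return cmds


if __name__ == "__main__":
    bad = find_inconsistent(SHOW_FILTER, [PROGRAM_15, PROGRAM_16])
    print("NOT CONSISTENT:", bad)
    for cmd in restoration_commands([("inet6", n) for n in bad]):
        print(cmd)
```

Feed it the saved output of `show filter` and one `sh filter index N program` per index from each FPC after a switchover; any filter it names should be rechecked in the vty after the second commit to confirm the state is back to CONSISTENT.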