[EX] Packets get forwarded without the route in the routing table

Article ID: KB35367 KB Last Updated: 11 Feb 2020 Version: 1.0

Summary:

In Filter-Based Forwarding (FBF), IP packets are getting forwarded even though there is no route present for the destination in the respective routing table.

Topology:

EX 1 Configuration:

set routing-options interface-routes rib-group inet route-divert
set routing-options rib-groups route-divert import-rib inet.0
set routing-options rib-groups route-divert import-rib TESTING.inet.0
set routing-options static route 10.167.0.0/16 next-hop 1.1.1.2
set interfaces xe-0/0/20 unit 0 family inet address 1.1.1.1/24
set interfaces xe-0/0/21 unit 0 family inet address 174.23.189.117/24
set interfaces xe-0/0/22 unit 0 family inet filter input test
set interfaces xe-0/0/22 unit 0 family inet address 192.168.1.2/30

set firewall family inet filter test term 1 from interface xe-0/0/22.0
set firewall family inet filter test term 1 then count forward
set firewall family inet filter test term 1 then routing-instance TESTING
set firewall family inet filter test term 2 then count discard
set firewall family inet filter test term 2 then discard

set routing-instances TESTING instance-type virtual-router
set routing-instances TESTING interface xe-0/0/21.0
set routing-instances TESTING routing-options static route 2.2.2.2/32 next-hop 174.23.189.118
set routing-instances TESTING routing-options static route 2.2.2.2/32 resolve

EX2 Configuration:

set interfaces xe-0/0/20 unit 0 family inet address 1.1.1.2/24
set interfaces lo0 unit 0 family inet address 10.167.0.1/32
set routing-options static route 192.168.1.1/32 next-hop 1.1.1.1

EX3 Configuration:

set interfaces xe-0/0/21 unit 0 family inet address 174.23.189.118/24
set interfaces lo0 unit 0 family inet address 10.167.0.1/32
set routing-options static route 192.168.1.1/32 next-hop 174.23.189.117

Symptoms:

Test scenario:

A ping is initiated from the source VIP 192.168.1.1 to the destination VIP 10.167.0.1.
When the packet is received at interface xe-0/0/22 on EX 1, it hits the firewall filter applied to the interface, which diverts the packet to the TESTING routing instance. (FF)
However, there is no route for the destination VIP 10.167.0.1 in the TESTING.inet.0 routing table, as shown in Snippet-1 below.

Snippet-1:

root# run show route table TESTING.inet.0 

TESTING.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24         *[Direct/0] 2w0d 23:48:52
                    > via xe-0/0/20.0
1.1.1.1/32         *[Local/0] 2w0d 23:48:52
                      Local via xe-0/0/20.0
2.2.2.2/32         *[Static/5] 2w0d 23:49:24
                    > to 174.23.189.118 via xe-0/0/21.0
174.23.189.0/24    *[Direct/0] 2w0d 23:48:57
                    > via xe-0/0/21.0
174.23.189.117/32  *[Local/0] 2w0d 23:49:13
                      Local via xe-0/0/21.0
192.168.1.0/30     *[Direct/0] 2w0d 23:48:48
                    > via xe-0/0/22.0
192.168.1.2/32     *[Local/0] 2w0d 23:48:48
                      Local via xe-0/0/22.0

Packets are still getting forwarded despite the missing route. 

Cause:

There is a route for the destination VIP 10.167.0.1 in the master routing table inet.0, as shown in Snippet-2 below. Although there is no route in the TESTING routing table, the VIP packet is still forwarded to the destination through the master routing table.

Snippet-2:

root# run show route table inet.0            

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24         *[Direct/0] 2w0d 23:51:50
                    > via xe-0/0/20.0
1.1.1.1/32         *[Local/0] 2w0d 23:52:11
                      Local via xe-0/0/20.0
10.92.0.1/32       *[Static/5] 2w0d 23:51:50
                    > to 1.1.1.2 via xe-0/0/20.0
10.167.0.0/16      *[Static/5] 2w0d 23:51:50
                    > to 1.1.1.2 via xe-0/0/20.0
10.219.20.64/26    *[Direct/0] 2w0d 23:52:22
                    > via me0.0
10.219.20.93/32    *[Local/0] 2w0d 23:52:22
                      Local via me0.0
192.168.1.0/30     *[Direct/0] 2w0d 23:51:46
                    > via xe-0/0/22.0
192.168.1.2/32     *[Local/0] 2w0d 23:52:11
                      Local via xe-0/0/22.0
224.0.0.22/32      *[IGMP/0] 2w0d 23:52:22
                      MultiRecv

Solution:

Since there is no route for the destination in the routing instance, the traffic is rejected (there is an implicit reject). A rejected packet must be sent to the kernel to create the "Destination Unreachable" message.
Note that xe-0/0/22 in this case belongs to the default (master) routing instance. So when the rejected packet reaches the kernel, a route lookup is performed in the kernel (default instance), which forwards the packet to the destination VIP.

This behavior is expected because the source interface is part of the default routing instance. In the scenario above, if the ingress interface were also in the routing instance TESTING, the packet would be dropped at the kernel as well.
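
The following is an added example, not part of the original article or any Juniper tooling: a small offline check that models the behavior described above, so that destinations which miss in the FBF instance table but still match in inet.0 can be spotted from saved `show route` output. The function names and the `ingress_in_instance` flag are hypothetical; the route lines are the prefix lines from Snippet-1 and Snippet-2 (next-hop lines omitted).

```python
import ipaddress
import re

# Prefix lines taken from the article's Snippet-1 (TESTING.inet.0).
TESTING_INET0 = """\
1.1.1.0/24         *[Direct/0] 2w0d 23:48:52
1.1.1.1/32         *[Local/0] 2w0d 23:48:52
2.2.2.2/32         *[Static/5] 2w0d 23:49:24
174.23.189.0/24    *[Direct/0] 2w0d 23:48:57
174.23.189.117/32  *[Local/0] 2w0d 23:49:13
192.168.1.0/30     *[Direct/0] 2w0d 23:48:48
192.168.1.2/32     *[Local/0] 2w0d 23:48:48
"""
# Subset of prefix lines taken from the article's Snippet-2 (inet.0).
INET0 = """\
1.1.1.0/24         *[Direct/0] 2w0d 23:51:50
10.92.0.1/32       *[Static/5] 2w0d 23:51:50
10.167.0.0/16      *[Static/5] 2w0d 23:51:50
192.168.1.0/30     *[Direct/0] 2w0d 23:51:46
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*?\[(\w+)/\d+\]", re.M)

def parse_routes(show_route_text):
    """Return [(network, protocol)] for every prefix line in 'show route' output."""
    return [(ipaddress.ip_network(p), proto)
            for p, proto in PREFIX_RE.findall(show_route_text)]

def lookup(routes, dst):
    """Longest-prefix match; returns (network, protocol) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def fbf_verdict(dst, instance_routes, master_routes, ingress_in_instance=False):
    """Model of the article's behavior for a packet diverted by the filter."""
    if lookup(instance_routes, dst):
        return "forwarded-by-instance"
    # Miss in the instance: implicit reject, the packet is sent to the kernel.
    if ingress_in_instance:
        return "dropped"  # article: dropped when ingress is in the instance
    hit = lookup(master_routes, dst)  # kernel lookup in the default instance
    # No inet.0 route either: assumed dropped (case not covered by the article).
    return f"leaked-via-inet.0:{hit[0]}" if hit else "dropped"
```

Running `fbf_verdict` over the destinations that the instance is meant to isolate shows which ones are still reachable through the master table.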
