
[EX/QFX] Host reachability is lost due to ARP timeout when firewall filter is applied on L2 interface


Article ID: KB36662   Last Updated: 06 Jul 2021   Version: 2.0

Summary:

After a firewall filter is applied on an L2 interface (family ethernet-switching), host reachability is lost due to ARP timeout.

Symptoms:

When a firewall filter is applied on an L2 interface, hosts may become unreachable.

Topology:

INTERNET CLOUD --> access_router (L3 gateway) --> TRUNK PORT --> Juniper_EX3200_SW --> ACCESS PORTs --> Target Device (hosts in the same VLAN)

The following sample output is from an EX3200 switch running Junos 12.3R6. Note that the firewall filter is applied on interface ge-0/0/2 in the outbound direction, towards the host.

family ethernet-switching {
        filter CLOUD_FILTER {
            term ALLOW_CLOUD {
                from {
                    source-address {
                        100.64.97.0/19;
                    }
                }
                then {
                    accept;
                    count ALLOW_CLOUD;
                }
            }
            term ALLOW_SRC_NTP {
                from {
                    protocol udp;
                    source-port ntp;
                }
                then {
                    accept;
                    count ALLOW_SRC_NTP;
                }
            }
            term ALLOW_DST_NTP {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    accept;
                    count ALLOW_DST_NTP;
                }
            }
            term ALLOW_SRC_DHCP {
                from {
                    protocol udp;
                    source-port [ bootpc bootps ];
                }
                then {
                    accept;
                    count ALLOW_SRC_DHCP;
                }
            }
            term ALLOW_DST_DHCP {
                from {
                    protocol udp;
                    destination-port [ bootpc bootps ];
                }
                then {
                    accept;
                    count ALLOW_DST_DHCP;
                }
            }
            term ALLOW_TRACEROUTE {
                from {
                    protocol udp;
                    destination-port 33434-33600;
                }
                then {
                    accept;
                    count ALLOW_TRACEROUTE;
                }
            }
            term DENY_ALL {
                then {
                    discard;
                    count DENY_ALL;
                }
            }
        }
    }


interfaces {
    ge-0/0/1 {
        description host1;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members VLAN304;
                }
                filter {
                    output CLOUD_FILTER;
                }
            }
        }
    }
}


After the firewall filter is applied on interface ge-0/0/2 outbound towards the host, reachability to the host from the network is lost after some time.

Example:

When checking tcpdump on the host, ICMP echo requests from the gateway are seen arriving. However, the host cannot respond, because its ARP requests for the gateway never receive a reply.

12:50:04.677101 In IP 100.64.110.202 > 192.168.60.2: ICMP echo request, id 1374, seq 4, length 64
12:50:05.678267 In IP 100.64.110.202 > 192.168.60.2: ICMP echo request, id 1374, seq 5, length 64
12:50:06.680101 In IP 100.64.110.202 > 192.168.60.2: ICMP echo request, id 1374, seq 6, length 64

12:50:07.092991 Out arp who-has 192.168.60.1 tell 192.168.60.2 <-- Host sends an ARP request but receives no ARP reply, because the reply is discarded by the firewall filter.

Cause:
The firewall filter discards ARP: none of the terms in CLOUD_FILTER match an ARP frame, so the gateway's ARP reply falls through to the DENY_ALL term on the outbound filter. Once the host's ARP entry for the gateway times out, the host can no longer reach the gateway and becomes unreachable.

Solution:

Explicitly allow ARP in the firewall filter on the interface.

Add the following term before the DENY_ALL term if one is part of the filter, or as the last term (ahead of the implicit deny at the end of the filter) if DENY_ALL is not part of your filter configuration. Term order matters, because the first matching term decides the action:

term ALLOW_ARP {
    from {
        ether-type arp;
    }
    then accept;
}

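To make the first-match behaviour behind the Cause and Solution sections concrete, here is an added example (not part of the KB article or of Junos) that models the CLOUD_FILTER terms above as an ordered list and evaluates constructed frames against the original filter and against the filter with ALLOW_ARP inserted ahead of DENY_ALL. The frame layout, the term representation and the `evaluate` helper are assumptions made for this illustration.

```python
import ipaddress
# Terms as ordered (name, match conditions, action), copied from the KB filter.
# Frames are dicts: ether_type ("ipv4" or "arp"), src, protocol, sport, dport.
ORIGINAL_TERMS = [
    ("ALLOW_CLOUD", {"source-address": "100.64.97.0/19"}, "accept"),
    ("ALLOW_SRC_NTP", {"protocol": "udp", "source-port": {123}}, "accept"),
    ("ALLOW_DST_NTP", {"protocol": "udp", "destination-port": {123}}, "accept"),
    ("ALLOW_SRC_DHCP", {"protocol": "udp", "source-port": {67, 68}}, "accept"),
    ("ALLOW_DST_DHCP", {"protocol": "udp", "destination-port": {67, 68}}, "accept"),
    ("ALLOW_TRACEROUTE", {"protocol": "udp",
                          "destination-port": set(range(33434, 33601))}, "accept"),
    ("DENY_ALL", {}, "discard"),
]
# The fix from the Solution section: ALLOW_ARP inserted ahead of DENY_ALL.
ALLOW_ARP = ("ALLOW_ARP", {"ether-type": "arp"}, "accept")
FIXED_TERMS = ORIGINAL_TERMS[:-1] + [ALLOW_ARP, ORIGINAL_TERMS[-1]]

def term_matches(match, frame):
    """Every condition in a term must hold; IPv4 conditions never match an ARP frame."""
    for key, want in match.items():
        if key == "ether-type":
            if frame["ether_type"] != want:
                return False
        elif frame["ether_type"] != "ipv4":
            return False  # source-address/protocol/port need an IPv4 payload
        elif key == "source-address":
            net = ipaddress.ip_network(want, strict=False)  # treat as 100.64.96.0/19
            if ipaddress.ip_address(frame["src"]) not in net:
                return False
        elif key == "protocol":
            if frame.get("protocol") != want:
                return False
        elif key == "source-port":
            if frame.get("sport") not in want:
                return False
        elif key == "destination-port":
            if frame.get("dport") not in want:
                return False
    return True

def evaluate(terms, frame):
    """Return (term name, action) of the first matching term; no match is the implicit discard."""
    for name, match, action in terms:
        if term_matches(match, frame):
            return name, action
    return "implicit", "discard"

# Constructed frames modelled on the tcpdump lines in the article.
ICMP_FROM_GATEWAY = {"ether_type": "ipv4", "src": "100.64.110.202", "protocol": "icmp"}
ARP_REPLY_FROM_GATEWAY = {"ether_type": "arp", "src": "192.168.60.1"}
```

Running `evaluate(ORIGINAL_TERMS, ARP_REPLY_FROM_GATEWAY)` returns the DENY_ALL discard that strands the host, while the same frame against `FIXED_TERMS` is accepted by ALLOW_ARP; IPv4 traffic from the cloud range is accepted by ALLOW_CLOUD in both cases.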
Modification History:
2021-07-06: Updated sample output.