
[MX] Egress filter syslog action when ingress and egress interfaces are on different PFE

Article ID: KB36951 | Last Updated: 12 May 2021 | Version: 1.0
Summary:

This article explains why, on MX platforms, the syslog action of an egress firewall filter displays valid incoming Layer 2 (L2) header information only when the ingress and egress interfaces are on the same Packet Forwarding Engine (PFE). This is expected behaviour by design, not a defect.

Symptoms:

The following log message is seen on a customer's remote syslog server:

fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D XXXX 00:00:ff:06:61:8c -> 45:00:00:6a:17:dd  tcp 22.22.22.2 11.11.11.2  1024  1024 (1 packets)

The log above is reported when the following firewall filter, which uses the syslog and discard actions, is applied to the egress interface:

firewall {
    family inet {
        filter test {
            term 1 {
                then {
                    log;
                    syslog;  <<<
                    discard; <<<
                }
            }
        }
    }
}

Here the ingress interface is on FPC5 and the egress interface is on FPC0; the filter above is applied to the egress interface on FPC0. Note that the log message is emitted by the egress FPC (fpc0) but still names the ingress interface (xe-5/0/0.0) rather than the interface the filter is attached to.

Cause:

"XXXX" in the log message indicates that the L2 header information of the packet (the VLAN tags and Ethernet type that would normally appear in that field) is not valid. The two values printed in the MAC address columns of such a line are not valid L2 information either; compare them with the MAC addresses shown in the valid case in the lab test below.

This happens because the ingress and egress interfaces are on different FPCs/PFEs. On MX platforms, an egress filter only has access to valid incoming L2 header information when the ingress and egress interfaces are on the same FPC/PFE. When they are on different FPCs/PFEs, the filter syslog shows only "XXXX" in that field.

Lab Test

jtac-mx104-r2007 (xe-0/1/0) ---- (xe-0/0/0) jtac-mx480-r2001 (xe-5/0/0) ----- jtac-spirent-spt-n11u-part2-r2001:2/9

  1. Traffic passes from the tester to mx104, entering mx480 on xe-5/0/0 (FPC5) and leaving on xe-0/0/0 (FPC0). The filter is applied on the egress interface xe-0/0/0.0 of mx480:

Apr 24 10:34:00.926  jtac-mx480-r2001-re0 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D XXXX 00:00:ff:06:61:b3 -> 45:00:00:6a:17:b6  tcp 22.22.22.2 11.11.11.2  1024  1024 (2 packets)

     <<< The filter runs on the egress PFE (fpc0), which is not the PFE that received the frame, so the L2 field shows "XXXX". The log still names the ingress interface xe-5/0/0.0, not the egress interface the filter is attached to.

  2. Traffic passes from the tester to mx104 as before. The filter is applied on the ingress interface xe-5/0/0.0 of mx480:

Apr 24 11:11:12.369  jtac-mx480-r2001-re0 fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D 00c8:0800 00:10:94:00:00:02 -> 3c:94:d5:08:06:72  tcp 22.22.22.2 11.11.11.2  1024  1024 (982 packets)

     <<< The filter runs on the ingress PFE (fpc5), so valid L2 information is displayed: "00c8:0800" and the real source and destination MAC addresses.

When the L2 header field is valid, it is read as follows (VLAN IDs are shown in hexadecimal):

  • 0800: The packet has no VLAN tag; 0800 is the Ethernet type (IPv4).

  • xxxx:0800: The packet has one VLAN tag; xxxx is the VLAN ID.

  • xxxx:xxxx:0800: The packet is QinQ (double tagged); the two xxxx values are the VLAN IDs, in the order printed.

In the lab output above, 00c8:0800 is therefore a single-tagged IPv4 packet on VLAN 200 (0x00c8).
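The following Python is an added worked example, not code from the article or from Juniper. It parses PFE_FW_SYSLOG_ETH_IP lines with the field layout quoted on this page, decodes the L2 field into VLAN IDs and Ethernet type, and separates lines carrying valid L2 information from "XXXX" lines so that the meaningless MAC columns on the latter are not fed into an investigation. The sample lines are constructed: the first two copy the lab output above, the third is a made-up QinQ variant. The function mac_columns_as_ipv4_header records an inference that the article does not state: on the "XXXX" lines, the 12 bytes printed as MAC addresses decode as the first 12 bytes of an IPv4 header (version 4, protocol 6 = TCP, matching the line's own protocol column), which is a quick way to confirm that those columns are not addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines. The first two copy the field layout and values of
# the lab output quoted in the article; the third is a made-up QinQ variant
# added only to exercise the two-tag form the article describes.
SAMPLE_LOGS = [
    "Apr 24 10:34:00.926  jtac-mx480-r2001-re0 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D XXXX "
    "00:00:ff:06:61:b3 -> 45:00:00:6a:17:b6  tcp 22.22.22.2 11.11.11.2  1024  1024 (2 packets)",
    "Apr 24 11:11:12.369  jtac-mx480-r2001-re0 fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D 00c8:0800 "
    "00:10:94:00:00:02 -> 3c:94:d5:08:06:72  tcp 22.22.22.2 11.11.11.2  1024  1024 (982 packets)",
    "Apr 24 11:12:00.000  jtac-mx480-r2001-re0 fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D 0064:00c8:0800 "
    "00:10:94:00:00:02 -> 3c:94:d5:08:06:72  tcp 22.22.22.2 11.11.11.2  1024  1024 (1 packets)",
]

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Field layout assumed from the lines quoted in the article:
# <fpc> PFE_FW_SYSLOG_ETH_IP: FW: <ifl> <action> <l2> <src_mac> -> <dst_mac> <proto> <sip> <dip> <sport> <dport> (<n> packets)
LINE_RE = re.compile(
    r"(?P<fpc>fpc\d+) PFE_FW_SYSLOG_ETH_IP: FW: (?P<ifl>\S+)\s+(?P<action>[A-Z])\s+(?P<l2>\S+)\s+"
    rf"(?P<src_mac>{MAC}) -> (?P<dst_mac>{MAC})\s+(?P<proto>\S+)\s+(?P<sip>\S+)\s+(?P<dip>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+\((?P<pkts>\d+) packets\)"
)


@dataclass
class FwSyslog:
    fpc: str
    ifl: str                  # interface named in the log (the ingress IFL in the article's output)
    action: str               # single-letter action code; "D" in the article's output, where the term discards
    l2_valid: bool            # False when the PFE printed "XXXX"
    vlans: List[int]          # VLAN IDs in the order printed; empty for an untagged frame
    ethertype: Optional[int]  # None when the L2 field is invalid
    src_mac: str
    dst_mac: str
    proto: str
    sip: str
    dip: str
    sport: int
    dport: int
    packets: int


def parse_l2(field: str) -> Tuple[bool, List[int], Optional[int]]:
    """Decode the L2 column: 'XXXX' means no valid L2 header (ingress and egress
    on different PFEs); otherwise zero, one or two hex VLAN IDs followed by the
    hex Ethernet type, e.g. '0800', '00c8:0800', '0064:00c8:0800'."""
    if field == "XXXX":
        return False, [], None
    parts = field.split(":")
    return True, [int(p, 16) for p in parts[:-1]], int(parts[-1], 16)


def parse_line(line: str) -> Optional[FwSyslog]:
    """Parse one syslog line; returns None for lines that are not PFE_FW_SYSLOG_ETH_IP."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    valid, vlans, ethertype = parse_l2(m["l2"])
    return FwSyslog(
        fpc=m["fpc"], ifl=m["ifl"], action=m["action"], l2_valid=valid,
        vlans=vlans, ethertype=ethertype, src_mac=m["src_mac"], dst_mac=m["dst_mac"],
        proto=m["proto"], sip=m["sip"], dip=m["dip"], sport=int(m["sport"]),
        dport=int(m["dport"]), packets=int(m["pkts"]),
    )


def mac_columns_as_ipv4_header(rec: FwSyslog) -> dict:
    """Inference, not stated by the article: on 'XXXX' lines the two MAC columns
    hold 12 bytes that are not addresses. Reassembled in Ethernet header order
    (destination first, then source) they decode as the first 12 bytes of an
    IPv4 header, which shows why those columns must not be used as L2 evidence."""
    raw = bytes.fromhex(rec.dst_mac.replace(":", "") + rec.src_mac.replace(":", ""))
    return {
        "version": raw[0] >> 4,
        "ihl": raw[0] & 0x0F,
        "total_length": int.from_bytes(raw[2:4], "big"),
        "ttl": raw[8],
        "protocol": raw[9],
    }


def triage(lines: List[str]) -> Tuple[List[FwSyslog], List[FwSyslog]]:
    """Split parsed records into those with usable L2 data and those printed
    with 'XXXX', whose MAC columns should be dropped before any L2-based analysis."""
    usable, unusable = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        (usable if rec.l2_valid else unusable).append(rec)
    return usable, unusable


if __name__ == "__main__":
    good, bad = triage(SAMPLE_LOGS)
    for rec in good:
        print(f"{rec.fpc} {rec.ifl}: vlans={rec.vlans} ethertype=0x{rec.ethertype:04x} "
              f"{rec.src_mac} -> {rec.dst_mac} {rec.proto} {rec.sip}:{rec.sport} -> {rec.dip}:{rec.dport}")
    for rec in bad:
        print(f"{rec.fpc} {rec.ifl}: L2 header invalid (XXXX); MAC columns ignored; "
              f"as IPv4 header bytes: {mac_columns_as_ipv4_header(rec)}")
```

Run against a real export of the remote syslog server, the "unusable" list is the set of egress-filter hits from the cross-PFE case; they still carry valid L3/L4 tuples and packet counts, so they can be kept for correlation, only the L2 columns should be discarded.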

Solution:

To obtain valid L2 header information in the filter syslog on MX platforms, apply the filter in one of the following ways:

  • Method 1: Apply the egress filter to an interface that is on the same PFE as the ingress interface.

  • Method 2: Apply the filter as an ingress (input) filter on the incoming interface instead, for example under [edit interfaces xe-5/0/0 unit 0 family inet] with "filter input test".
