Hi, I am having a hard time understanding how BFD works on the SRX-5400. I have a BGP session with peer 169.254.254.1, and the zone security policy is allowing host inbound protocols bgp and bfd.
SRX-5400>show bgp summary | match 169.254.254.116126.96.36.199 9059 37084 38202 0 1 1w5d 7:41:27 1/1/1/0 0/0/0/0
SRX-5400>show bfd session | match 169.254.254.116188.8.131.52 Up reth0.103 1.500 0.500 3
All is well, however, "show security flow session source " confuses me,
SRX-5400> show security flow session source-prefix 169.254.254.1
Session ID: 30000034, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
  In: 169.254.254.1/49152 --> 169.254.254.2/3784;udp, Conn Tag: 0x0, If: reth0.103, Pkts: 25066025, Bytes: 1303433300, CP Session ID: 30000128
  Out: 169.254.254.2/3784 --> 169.254.254.1/49152;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0, CP Session ID: 30000128
The outbound leg counters always show 0. Why is that? The actual BFD hello packets went out, otherwise the BFD session wouldn't be in UP state.
AFAIK, what you are seeing is expected with distributed BFD.
"Distributed" means BFD packet generation/consumption happens on the linecard CPU and not on the Routing Engine.
One can verify it with the following JUNOS CLI command:
show ppm transmissions protocol bfd detail
You should see "Distributed: TRUE" for distributed BFD.
With d.BFD, one of the linecard CPUs is selected as the "BFD anchor" for a bunch of sessions, meaning it handles BFD packet processing for several sessions even if the incoming interface is hosted on other linecards.
So, the inbound d.BFD session wing is passed through the SPU on its way to the BFD anchor but the other wing is not, meaning generated d.BFD outgoing packets are put directly on the wire.
Hope this makes sense.
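
The counters discussed in this thread can be triaged in bulk. The following is an added example, not part of either post and not Juniper code: it parses `show security flow session` text and separates zero-counter Out wings that match the distributed-BFD explanation above from other one-way sessions. The second sample session, the label strings and the function names are constructed for illustration; port 3784 is the single-hop BFD control port from RFC 5881.

```python
import re

# Constructed input: the session from the post in Junos's multi-line layout,
# followed by one invented DNS session for contrast.
SAMPLE = """\
Session ID: 30000034, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
  In: 169.254.254.1/49152 --> 169.254.254.2/3784;udp, Conn Tag: 0x0, If: reth0.103, Pkts: 25066025, Bytes: 1303433300, CP Session ID: 30000128
  Out: 169.254.254.2/3784 --> 169.254.254.1/49152;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0, CP Session ID: 30000128
Session ID: 30000099, Policy name: permit-dns/7, State: Active, Timeout: 58, Valid
  In: 192.0.2.10/40000 --> 198.51.100.53/53;udp, Conn Tag: 0x0, If: reth0.200, Pkts: 4, Bytes: 280, CP Session ID: 30000200
  Out: 198.51.100.53/53 --> 192.0.2.10/40000;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 30000200
"""

BFD_CONTROL_PORT = 3784  # single-hop BFD control packets (RFC 5881)

# "CP Session ID:" also contains "Session ID:", so exclude it when splitting.
SPLIT = re.compile(r"(?<!CP )(?=Session ID: \d)")
HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^,]+),")
WING = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),"
                  r".*?If: (\S+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Parse sessions from multi-line or flattened single-line output."""
    sessions = []
    for chunk in SPLIT.split(text):
        head = HEADER.search(chunk)
        if not head:
            continue
        s = {"id": int(head.group(1)), "policy": head.group(2)}
        for d, src, sp, dst, dp, proto, ifname, pkts, nbytes in WING.findall(chunk):
            s[d] = {"src": src, "sport": int(sp), "dst": dst, "dport": int(dp),
                    "proto": proto, "ifname": ifname,
                    "pkts": int(pkts), "bytes": int(nbytes)}
        if "In" in s and "Out" in s:
            sessions.append(s)
    return sessions

def classify(s):
    """Explain a zero-counter Out wing using the reasoning in the answer above."""
    if s["Out"]["pkts"] > 0 or s["In"]["pkts"] == 0:
        return "counted-both-ways-or-idle"
    is_bfd = s["In"]["proto"] == "udp" and s["In"]["dport"] == BFD_CONTROL_PORT
    if is_bfd and s["Out"]["ifname"].startswith(".local."):
        return "consistent-with-distributed-bfd"
    return "one-way-unexplained"

if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE):
        print(sess["id"], sess["policy"], classify(sess))
```

A "consistent-with-distributed-bfd" label is a hint only; the `show ppm transmissions protocol bfd detail` check from the answer is what confirms that the session is distributed.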