Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  EX error on QFX switch

    Posted 06-10-2020 09:35
    Hi Fellas,

    I am trying to configure a basic config on a factory-reset Juniper QFX device. While I was trying to execute something, I noticed a very strange thing.
    In between my configuration changes, a warning popped up:
    "warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 switch"
    Now the strange part here is, my device is a standalone QFX5100.

    Is this some kind of bug that displays false messages or some issue with my switch not recognising it as QFX?


  • 2.  RE: EX error on QFX switch
    Best Answer

    Posted 06-10-2020 09:55

    Hi Netgear,

    When committing any change on QFX5100 that is running Junos OS release 18.3R1.9, a warning message appears for an EX2300 Series switch.

    Example:

    {master:0}
    root@switch> configure
    Entering configuration mode
    
    {master:0}[edit]
    root@switch# set interfaces xe-0/0/0 description test
    
    {master:0}[edit]
    root@switch# commit
    [edit firewall family inet filter PROTECT-RE term ALLOW-SSH then]
      'accept'
        warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 switch.
    [edit firewall family inet filter PROTECT-RE term ALLOW-SSH then]
      'accept'
        warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 switch.
    [edit firewall family inet filter PROTECT-RE term ALLOW-SSH then]
      'accept'
        warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 switch.
    configuration check succeeds
    commit complete

    CAUSE:

    These messages were added to the QFX platform by design to raise awareness about a known bug in the EX2300 Series switches where if a firewall filter term that has log or syslog with accept is assigned to an interface, traffic might be dropped without any warning when commit or commit-check is issued.

    {master:0}
    root@switch> show configuration firewall family inet filter PROTECT-RE
    term ALLOW-SSH {
        from {
            source-address {
                10.0.0.0/8;
            }
            destination-port ssh;
        }
        then {
            count ALLOW-SSH;
            log;
            accept;
        }
    }
    term ALLOW-IP-FRAGMENTS {
        then log;
    }
    term DENY-ALL {
        then {
            count DENY-ALL;
            log;
            discard;
        }
    }

    SOLUTION:

    These messages are harmless and can be ignored.

    More below:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB33785&cat=QFX5100&actp=LIST

    Hope this helps 🙂

    Please mark "Accepted Solution" if this helps you solve your query.

    Kudos are always appreciated!
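
An added example, not code from this thread or from Juniper: a short Python check that parses a firewall filter in the curly-brace form shown above (assumed to be pasted as `show configuration` prints it, terms at the outermost indent) and lists the terms that combine `log`/`syslog` with `accept`, so the condition the warning describes can be caught in a config review before the filter is pushed to an EX2300, rather than only at commit time on the QFX. The sample text is the PROTECT-RE filter from this reply.

```python
import re
import textwrap

# Constructed sample: the PROTECT-RE filter quoted in this reply, in the
# curly-brace form that 'show configuration' prints.
SAMPLE_FILTER = """\
term ALLOW-SSH {
    from {
        source-address {
            10.0.0.0/8;
        }
        destination-port ssh;
    }
    then {
        count ALLOW-SSH;
        log;
        accept;
    }
}
term ALLOW-IP-FRAGMENTS {
    then log;
}
term DENY-ALL {
    then {
        count DENY-ALL;
        log;
        discard;
    }
}
"""

# A term runs from 'term NAME {' to the next '}' at the term's own indent level.
TERM_RE = re.compile(r"^term (\S+) \{\n(.*?)^\}", re.S | re.M)
# The 'then' clause is either a brace block or the one-line 'then ACTION;' form.
THEN_RE = re.compile(r"\bthen (?:\{(.*?)\}|(\S+);)", re.S)

def parse_terms(config):
    """Map each term name to the set of action keywords in its 'then' clause."""
    terms = {}
    for name, body in TERM_RE.findall(textwrap.dedent(config)):
        m = THEN_RE.search(body)
        stmts = "" if m is None else (m.group(1) if m.group(1) is not None else m.group(2) + ";")
        terms[name] = {s.split()[0] for s in stmts.split(";") if s.strip()}
    return terms

def log_accept_terms(config):
    """Terms that combine log/syslog with accept, the pattern the commit warning flags."""
    return sorted(name for name, actions in parse_terms(config).items()
                  if "accept" in actions and actions & {"log", "syslog"})
```

Run against the sample, `log_accept_terms(SAMPLE_FILTER)` returns only `ALLOW-SSH`; `DENY-ALL` also logs but discards, so it is not reported.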



  • 3.  RE: EX error on QFX switch

    Posted 06-10-2020 18:39

    Hi Netgear,

    Good day

    I tested the reported issue on a QFX5K.

    After I applied the commands below, some warning logs were displayed.

    It shows that if a firewall filter term includes log/syslog and accept, then a packet matching the firewall filter would not be routed across EX2300 and QFX5K switches.

    --------------------------------------------------------------------------

    {master:0}[edit]
    root@QFX5100# ...EST-management-ipv4 term accept-icmp then log

    {master:0}[edit]
    root@QFX5100# commit
    [edit firewall family inet filter filter-TEST-management-ipv4 term accept-icmp then]
      'accept'
        warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 and QFX5K switches.
    [edit firewall family inet filter filter-TEST-management-ipv4 term accept-icmp then]
      'accept'
        warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 and QFX5K switches.
    [edit firewall family inet filter filter-TEST-management-ipv4 term accept-icmp then]
      'accept'
        warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 and QFX5K switches.
    configuration check succeeds
    commit complete

    --------------------------------------------------------------------------

    There is a PR, PR1405138, which shows that the warning logs were added in the fixed versions below.

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1405138


    Fix info as per the PR:- junos:18.1R4 junos:18.2R3 junos:18.3R2 junos:18.4R2 junos:19.1R1 junos:19.2R1


    Please advise if further assistance is required and I will be happy to assist you.

    Please mark "Accepted Solution" if this helps.

    Kudos are always appreciated

    Thanks

    Suraj