EX-4300 protect-re mystery

  • 1.  EX-4300 protect-re mystery

    Posted 12-09-2020 18:37

    Hi, I am having a weird problem I cannot explain, and I need your input to solve this mystery.

    I have a Viptela vEdge connected to a Juniper EX-4300 switch, which is the gateway to the Internet. This Viptela vEdge router has many IPsec (over Internet) connections and worked just fine. Today I needed to enforce the protect-re firewall rules for the RE; however, after the change was made, the vEdge reported that BFD over those IPsec tunnels is down. I cannot make sense of this behavior; it almost means the protect-re is somehow blocking transit traffic from the Viptela vEdge. The changes made to the protect-re firewall rules are totally irrelevant to any transit traffic.

    What else can be wrong?

    John Gerro

  • 2.  RE: EX-4300 protect-re mystery

    Posted 12-09-2020 18:56
    In your filter, permit BFD: https://kb.juniper.net/InfoCenter/index?page=content&id=KB11991&actp=METADATA&act=login

    The way the protect-RE stuff works now, some things hit the control plane and get dropped, like DHCP requests from clients running on an irb on the switch.

  • 3.  RE: EX-4300 protect-re mystery

    Posted 12-09-2020 19:12
    Thanks, but there is no BFD session between the Viptela and the EX switch; the BFD I mentioned in the post is Viptela-internal stuff encapsulated inside IPsec.

    John Gerro

  • 4.  RE: EX-4300 protect-re mystery

    Posted 12-09-2020 19:17
    Sorry about reading through your post. If you can, open your filter up to match the traffic that you know you're dropping.
    Also, just for giggles, can you add "then log" to your filter to see what else may be dropped?
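The diagnostic approach suggested in this reply, written out as an added illustration that is not part of the thread and not a configuration from any of the posters: a Junos lo0 input filter in which the traffic known to be legitimate is accepted in explicit terms, and the final catch-all term logs, counts and syslogs before discarding, so that anything the filter drops can be read back from the device instead of guessed at. The filter and term names, the management prefix 192.0.2.0/24 and the counter name are assumptions; the BFD ports (UDP 3784 control, 3785 echo) are the standard single-hop BFD ports.

```junos
firewall {
    family inet {
        filter PROTECT-RE {
            /* Assumed management prefix; adjust to the real one. */
            term allow-mgmt-ssh {
                from {
                    source-address 192.0.2.0/24;
                    protocol tcp;
                    destination-port 22;
                }
                then accept;
            }
            /* Only needed if the switch itself terminates BFD (reply 2). */
            term allow-bfd {
                from {
                    protocol udp;
                    destination-port [ 3784 3785 ];
                }
                then accept;
            }
            /* Catch-all: record what is dropped before discarding it. */
            term log-and-discard {
                then {
                    log;
                    syslog;
                    count re-discards;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

With this in place, `show firewall log` shows the most recently logged packets (source, destination, protocol, interface) and `show firewall filter PROTECT-RE` shows the `re-discards` counter, so a maintenance window can be spent confirming which RE-bound flows (DHCP on an irb, as reply 2 mentions, or something unexpected) are actually being dropped. The lo0 filter applies only to packets addressed to the Routing Engine itself; whatever it logs is therefore the list of control-plane traffic affected by the change, which is the first thing to check when a change "that should only touch the RE" appears to coincide with a transit problem.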

  • 5.  RE: EX-4300 protect-re mystery

    Posted 12-09-2020 19:19
    Yeah, that was my thinking also. I cannot do that until the next maintenance window; I thought that was a trivial change that should never affect transit traffic.

    John Gerro