Junos OS

Hi,

I am fairly new to Junos so after some advice.

I have a loopback filter. When i do show firewall log it shows some ICMP traffic (majority type 8 - echo response) dropped by the PFE filter:

show firewall log (minus the IP addresses)
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
12:19:27 pfe D ae1.0 ICMP
12:19:24 pfe D ae1.0 ICMP
12:19:23 pfe D ae1.0 ICMP
12:19:09 pfe D ae1.0 ICMP
12:19:01 pfe D ae1.0 ICMP
12:19:00 pfe D ae1.0 ICMP
12:18:55 pfe D ae1.0 ICMP

Why are these being dropped? Is the the Packet Forwarding Engine being overworked and dropping low priority ICMP traffic? 

No , PFE working as expected , somewhere you have filter with configured

then {
    log
    discard
}

and when traffic matching this filter , traffic is logged and then discarded

Hi, 

Thanks for the reply. This is the end of my loopback filter:

set firewall family inet filter protect-loopback term ICMP-FRAGS from is-fragment
set firewall family inet filter protect-loopback term ICMP-FRAGS from protocol icmp
set firewall family inet filter protect-loopback term ICMP-FRAGS then discard
set firewall family inet filter protect-loopback term ICMP-ALLOW from protocol icmp
set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type echo-reply
set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type echo-request
set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type unreachable
set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type time-exceeded
set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type source-quench
set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type router-advertisement
set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type parameter-problem
set firewall family inet filter protect-loopback term ICMP-ALLOW then policer limit-1m
set firewall family inet filter protect-loopback term ICMP-ALLOW then accept
set firewall family inet filter protect-loopback term TRACEROUTE-ALLOW from protocol udp
set firewall family inet filter protect-loopback term TRACEROUTE-ALLOW from destination-port 33434-33523
set firewall family inet filter protect-loopback term TRACEROUTE-ALLOW then accept
set firewall family inet filter protect-loopback term DENY-TERM then count dropped-packets
set firewall family inet filter protect-loopback term DENY-TERM then log
set firewall family inet filter protect-loopback term DENY-TERM then discard

So why do the Echo-requests get discarded? Wouldn't the 'show firewall log' show my 'loopback' filter rather than the 'pfe' filter?

Hi Juos3,

How do you know its ICMP echo request packet which is getting dropped ?

Here is the explanation why it show PFE rather than filter name. For packet accpeted and reaching to the RE it will show the filter name, for packet discarded and not reaching to the RE it will show the PFE.

Refer Below: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-firewall-log.html

PS: Please accept my answer as solution if it answers your query, Kudos are appreciated too!

Thanks
Vishal

To follow on from this, I did orginally have a prefix-list on the ICMP-ALLOW term. I have taken this off and the messages in the logs have disappeared, so I guess I have accepting them now. This makes sense. Thanks