View Only
last person joined: 16 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX 345 (20.2R3.9) do not update arp table

    Posted 04-28-2023 08:34

    hello community,

    i was confronted to a problem regarding the arp table.
    my SRX 345 cluster active in A was not able the update arp answers from a specific reth.
    i did a tcpdump which was clearly showing that only arp request (broadcast) from my subinterfaces (inside reth) were presents.
    in front of my SRX, there is Cisco devices. i did a tcpdump at port-channel opposite to the reth and i well see the arp answers from the next hops.

    after a firewall failover, the table was properly updated with the answers.

    i suppose it s a bug of the software and i will plan to upgrade.

    is there someone who encountered the same issue ?



  • 2.  RE: SRX 345 (20.2R3.9) do not update arp table

    Posted 05-01-2023 04:58

    Is the reth interface involved the active one? 

    Reth are in pairs of active and passive and all activity on the passive side is ignored until reth group failover.  This is different than node RE failover.

    A common error I see is people thinking reth interfaces are ae groups and connecting them to a LAG on a switch.

    If this is a software bug with a correct reth configuration you can search the public database to find the listing and see where it is corrected.

    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)

  • 3.  RE: SRX 345 (20.2R3.9) do not update arp table

    Posted 05-01-2023 08:46
    Edited by FAROUK KAHOUL 05-01-2023 08:52
    Hello Spuluka,
    my observation about arp was done on reth on active node (active-passive cluster).
    both devices (cluster) are connected in the same way to Cisco port-channel (2 datacenters with spanned vlans).

    this is the monitoring of the reth :

    arp from the opposite side (Cisco L2 vlan) where we see answers from L3 (OTN) :

    As you can see, arp answers are not monitored.
    so we can expect that a « filter » is blocking arp answer (I know it’s stupid) or firmware is buggy.

    i will check on the url you provided .


  • 4.  RE: SRX 345 (20.2R3.9) do not update arp table

    Posted 05-03-2023 05:13
    my observation about arp was done on reth on active node (active-passive cluster).
    both devices (cluster) are connected in the same way to Cisco port-channel (2 datacenters with spanned vlans).

    This in an incorrect configuration.  The two ports should both be independent trunk or access ports to the desired vlan(s).  NOT a port channel configuration.

    Reth is redundant ethernet standard with failover and NOT Aggregated ethernet.

    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)

  • 5.  RE: SRX 345 (20.2R3.9) do not update arp table

    Posted 05-03-2023 06:30
    Edited by FAROUK KAHOUL 05-03-2023 06:31

    Thanks for your reply.

    this is what de did (Cisco switches opposite to fw) with LACP active (SRX in cluster)


  • 6.  RE: SRX 345 (20.2R3.9) do not update arp table

    Posted 05-01-2023 09:08
    Edited by FAROUK KAHOUL 05-01-2023 09:19

    I have found something similar excepted that we are using box firewall (not VM) : PR1681042

    I have forgot to say that L3 opposite to the firewall cluster is VRRP.
