[j-nsp] j-series vs. short pings ?
Paul Goyette
pgoyette at juniper.net
Fri Feb 29 11:18:22 EST 2008
If your traffic is transiting an IPsec tunnel, please have
a look at the following tech bulletin:
http://alerts-int.juniper.net/pa/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-02-017&viewMode=Return
Paul Goyette
Juniper Networks Customer Service
JTAC Senior Escalation Engineer
PGP Key ID 0x53BA7731 Fingerprint:
FA29 0E3B 35AF E8AE 6651
0786 F758 55DE 53BA 7731
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Alexandre Snarskii
> Sent: Friday, February 29, 2008 6:51 AM
> To: Juniper-NSP Mailing list
> Subject: [j-nsp] j-series vs. short pings ?
> Importance: High
>
>
>
> Hi!
>
> While narrowing down one of our problems, I found that I'm able
> to ping the Juniper from a directly connected (VLAN) subinterface only
> when the ICMP payload size is greater than or equal to 18 bytes...
>
> Example:
>
> root at chumadan:~>ping -s 17 10.21.88.100
> PING 10.21.88.100 (10.21.88.100): 17 data bytes
> ^C
> --- 10.21.88.100 ping statistics ---
> 4 packets transmitted, 0 packets received, 100.0% packet loss
>
> but when size is 18 (or more) - everything is fine:
>
> root at chumadan:~>ping -s 18 10.21.88.100
> PING 10.21.88.100 (10.21.88.100): 18 data bytes
> 26 bytes from 10.21.88.100: icmp_seq=0 ttl=64 time=0.435 ms
> 26 bytes from 10.21.88.100: icmp_seq=1 ttl=64 time=0.395 ms
>
>
> At the same time, doing
> monitor traffic interface ge-0/0/2.468 detail no-resolve matches icmp
> I can see that when I'm pinging with packets of 17 bytes (or fewer),
> the Juniper sees them with a 'broken' ICMP checksum:
>
> 17:36:39.959518 In IP (tos 0x0, ttl 64, id 15916, offset 0,
> flags [none], proto: ICMP (1), length: 45) 10.21.88.99 >
> 10.21.88.100: ICMP echo request, id 13318, seq 0, length 25
> (wrong icmp cksum 0 (->d452)!)
> 17:36:40.970227 In IP (tos 0x0, ttl 64, id 15918, offset 0,
> flags [none], proto: ICMP (1), length: 45) 10.21.88.99 >
> 10.21.88.100: ICMP echo request, id 13318, seq 1, length 25
> (wrong icmp cksum 0 (->d1a6)!)
> 17:36:41.949567 In IP (tos 0x0, ttl 64, id 15920, offset 0,
> flags [none], proto: ICMP (1), length: 45) 10.21.88.99 >
> 10.21.88.100: ICMP echo request, id 13318, seq 2, length 25
> (wrong icmp cksum 0 (->ce47)!)
>
> but when I'm tcpdumping those pings on the sending side or on a SPAN port
> at the egress from the switch to the Juniper, everything is OK...
>
> Details: the Juniper is a J6350 running [8.3R1.5] (Export edition), the
> interface is the onboard GE-TX, and the configuration is pretty simple:
>
> snar at RT088-002> show configuration interfaces ge-0/0/2
> description "DOWNLINK to SW088-001 inet";
> vlan-tagging;
> mtu 9018;
> unit 468 {
>     description IP-MUX;
>     vlan-id 468;
>     family inet {
>         mtu 1500;
>         address 10.21.88.100/24;
>     }
> }
>
> Question: is there any way to fix this behaviour? (Short ICMP pings
> are the way the RAD IPMux verifies the MAC address of its gateway, and
> we're just unable to use IPMuxes as downlinks to the Juniper.)
>