[j-nsp] SRX drops BGP session

Jeroen Valcke jeroen.valcke at belnet.be
Mon Oct 17 16:42:31 EDT 2011 

Hello everybody,

Thanks for all the suggestions. I finally managed to get it working.

Actually, my interface was already in packet mode. When I changed it to
flow-mode the bgp session came up without any issue.

Somebody more confident with the SRX-platform pointed out that I need to
add some flow options, to avoid blocking tcp 'return' traffic.

	jeroen at srx-2.test.belnet.net> show configuration security flow 
	...
	tcp-session {
	    no-syn-check;
	    no-sequence-check;
	}

That did the trick.

Best regards,
-Jeroen-

On Fri, Oct 14, 2011 at 02:30:50AM +0400, Pavel Lunin wrote:
> > Indeed, when I check the session table on the SRX. I do get an entry for
> > the
> > BGP session, but it dissapears after only a few seconds. That seems wrong
> > to
> > me.
> >
> 
> You mean a firewall session in "show security flow session"? If so, let me
> express my doubts, an MTU related issue could make it close immediately. If
> Harry's quick test with decreasing MSS doesn't help, you'd rather unpack
> your sniffer and check if someone sends a TCP RST.
> 
> We ran into a similar issue when a broken switch (BTW, an EX3200) flooded
> the frames carrying BGP packets instead of switching them. In addition it
> was not a P2P VLAN, other routers existed in the broadcast domain of the BGP
> peering subnet. As as result BGP peers received several copies of each
> packet. After a few attempts to sort out what happens, one of the peers sent
> a TCP RST, closing the FW session, but (I don't really remember why) not
> closing the BGP session on the peer itself. Which in turn led to "Hold down
> timer expired". Then the BGP session reestablished and the whole thing
> repeated again.
> 
> In my case it was iBGP, so at the SRX side traffic passed from ingress IFL
> to loopback, falling under security policy with "log on close" option
> enabled. This is how we discovered the TCP RST.

-- 
Jeroen Valcke 
Belnet . Network Department
Louizalaan 231 Avenue Louise 
Brussel 1050 Bruxelles
België . Belgique
T: +32 2 790 33 33
www.belnet.be

More information about the juniper-nsp mailing list