[j-nsp] SRX drops BGP session
Jeroen Valcke
jeroen.valcke at belnet.be
Mon Oct 17 16:42:31 EDT 2011
Hello everybody,
Thanks for all the suggestions. I finally managed to get it working.
Actually, my interface was already in packet mode. When I changed it to
flow mode the BGP session came up without any issue.
Somebody more confident with the SRX platform pointed out that I need to
add some flow options, to avoid blocking TCP 'return' traffic.
jeroen@srx-2.test.belnet.net> show configuration security flow
...
tcp-session {
    no-syn-check;
    no-sequence-check;
}
That did the trick.
Best regards,
-Jeroen-
On Fri, Oct 14, 2011 at 02:30:50AM +0400, Pavel Lunin wrote:
> > Indeed, when I check the session table on the SRX, I do get an entry for
> > the BGP session, but it disappears after only a few seconds. That seems
> > wrong to me.
> >
>
> You mean a firewall session in "show security flow session"? If so, let me
> express my doubts, an MTU related issue could make it close immediately. If
> Harry's quick test with decreasing MSS doesn't help, you'd rather unpack
> your sniffer and check if someone sends a TCP RST.
>
> We ran into a similar issue when a broken switch (BTW, an EX3200) flooded
> the frames carrying BGP packets instead of switching them. In addition it
> was not a P2P VLAN, other routers existed in the broadcast domain of the BGP
> peering subnet. As a result BGP peers received several copies of each
> packet. After a few attempts to sort out what happens, one of the peers sent
> a TCP RST, closing the FW session, but (I don't really remember why) not
> closing the BGP session on the peer itself. Which in turn led to "Hold down
> timer expired". Then the BGP session reestablished and the whole thing
> repeated again.
>
> In my case it was iBGP, so at the SRX side traffic passed from ingress IFL
> to loopback, falling under security policy with "log on close" option
> enabled. This is how we discovered the TCP RST.
--
Jeroen Valcke
Belnet . Network Department
Louizalaan 231 Avenue Louise
Brussel 1050 Bruxelles
België . Belgique
T: +32 2 790 33 33
www.belnet.be
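The two knobs in the config above, `no-syn-check` and `no-sequence-check`, are global on an SRX and switch off checks for every TCP session the box forwards or terminates, not only BGP. The following is an added illustration (not Juniper code and not from the thread) of what each check does and what is given up by disabling it: a toy stateful flow table that requires the first packet of a session to be a SYN (syn-check) and later packets to fall inside a sequence-number window (sequence-check). The addresses, ports, sequence numbers and the fixed 65535-byte window are constructed for the example; a real SRX validates against the peer's advertised receive window, which is simplified here. The three scenarios show a BGP session seen from its SYN, a session picked up mid-stream (which is what happens when flow mode is enabled under an already-established BGP session) and a forged RST with a guessed sequence number, which the firewall only rejects while sequence checking is on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S", "SA", "A", "PA", "R"
    seq: int
    length: int = 0  # payload bytes


class FlowTable:
    """Minimal stateful flow table modelling the SRX tcp-session checks."""

    def __init__(self, syn_check=True, sequence_check=True, window=65535):
        self.syn_check = syn_check
        self.sequence_check = sequence_check
        self.window = window
        # session key -> {(src, sport): next sequence number expected from that side}
        self.sessions = {}

    @staticmethod
    def _key(p):
        # direction-independent 5-tuple key (protocol is implicitly TCP here)
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    @staticmethod
    def _advance(p):
        # SYN and FIN each consume one sequence number, payload consumes its length
        return p.seq + p.length + int("S" in p.flags) + int("F" in p.flags)

    def process(self, p):
        key = self._key(p)
        side = (p.src, p.sport)
        sess = self.sessions.get(key)
        if sess is None:
            # first packet of a session: syn-check insists it is a bare SYN
            if self.syn_check and p.flags != "S":
                return "drop: first packet not SYN (syn-check)"
            self.sessions[key] = {side: self._advance(p)}
            return "permit: session created"
        expected = sess.get(side)
        if self.sequence_check and expected is not None:
            # sequence-check: packet must land near what this side should send next
            lo, hi = expected - self.window, expected + self.window
            if not (lo <= p.seq <= hi):
                return "drop: seq outside window (sequence-check)"
        sess[side] = self._advance(p)
        return "permit"


PEER, SRX = "10.0.0.1", "10.0.0.2"   # constructed addresses for the example

HANDSHAKE = [
    Pkt(PEER, 40000, SRX, 179, "S", 1000),
    Pkt(SRX, 179, PEER, 40000, "SA", 5000),
    Pkt(PEER, 40000, SRX, 179, "A", 1001),
]


def handshake_then_keepalive():
    """BGP session seen from its SYN: passes with both checks enabled."""
    ft = FlowTable()
    results = [ft.process(p) for p in HANDSHAKE]
    # a BGP KEEPALIVE is a 19-byte message
    results.append(ft.process(Pkt(PEER, 40000, SRX, 179, "PA", 1001, length=19)))
    return results


def midstream_pickup(syn_check):
    """Session established before flow mode was switched on: the firewall
    never saw the SYN, only data packets of a live BGP session."""
    ft = FlowTable(syn_check=syn_check)
    return ft.process(Pkt(PEER, 40000, SRX, 179, "PA", 7000, length=19))


def blind_rst(sequence_check):
    """Spoofed RST from an off-path sender who guessed the 4-tuple but not
    the sequence number: only sequence-check lets the firewall reject it."""
    ft = FlowTable(sequence_check=sequence_check)
    for p in HANDSHAKE:
        ft.process(p)
    return ft.process(Pkt(PEER, 40000, SRX, 179, "R", 999_999_999))


if __name__ == "__main__":
    print(handshake_then_keepalive())
    print(midstream_pickup(syn_check=True), "|", midstream_pickup(syn_check=False))
    print(blind_rst(sequence_check=True), "|", blind_rst(sequence_check=False))
```

The mid-stream case is the one the config in the thread fixes: with `no-syn-check` the first non-SYN packet creates the session instead of being dropped, which is also why the session entry stops vanishing once the peer's next packet arrives. The third case shows the cost of `no-sequence-check`: a packet with a nonsensical sequence number is forwarded and the protection falls back to the receiving host's own TCP stack, so it is worth treating both settings as a deliberate, documented exception for the box rather than a default.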