[j-nsp] DSCP-marked traffic mysteriously being dropped by MX960
John Neiberger
jneiberger at gmail.com
Fri Jul 20 16:56:31 EDT 2012

We've been troubleshooting a strange problem for a few days. JTAC is
on the case, too, but we have not found any resolution. I thought
maybe picking some minds here would be helpful. Here is a simplified
diagram:

[Device A] ------- [Router A] ------- [Router B] ------- [Router C] ------- [Device B]

The problem is that packets from Device B to Device A are being
dropped at Router A. Routers A and C are MX960s. Router B is a CRS.
Router C has an ingress firewall filter that does nothing but mark
traffic as cs2. Router A has an egress firewall filter toward Device
A, but it specifically allows the source IP address of Device B as
well as any traffic marked as cs2.

Here is where it really gets weird. If we remove the filter on Router
C that marks the traffic, everything starts working. Put the filter
back in place and the traffic stops. We've been looking at this for a
couple of days and JTAC has spent a few hours looking at it and we're
still no closer to figuring out why cs2 traffic is being dropped. With
the filter in place, traceroutes from Device B to A stop at Router A.
Remove the marking filter and traceroutes complete and pings start
succeeding.

Can any of you think of a potential culprit that we're not seeing? I
would hope that if this were something obvious, JTAC would have caught
it by now. We're all stumped.

Thanks!
John