[j-nsp] DSCP-marked traffic mysteriously being dropped by MX960
OBrien, Will
ObrienH at missouri.edu
Fri Jul 20 17:04:01 EDT 2012
Have you captured traffic before and after to validate the marking?
Relavent config bits would help.
On Jul 20, 2012, at 3:56 PM, John Neiberger wrote:
> We've been troubleshooting a strange problem for a few days. JTAC is
> on the case, too, but we have not found any resolution. I thought
> maybe picking some minds here would be helpful. Here is a simplified
> diagram:
>
> [Device A] ------- [Router A] ------- [Router B] ------- [Router C]
> ----- [Device B]
>
> The problem is that packets from Device B to Device A are being
> dropped at Router A. Routers A and C are MX960s. Router B is a CRS.
> Router C has an ingress firewall filter that does nothing but mark
> traffic as cs2. Router A has an egress firewall filter toward Device
> A, but it specifically allows the source IP address of Device B as
> well as any traffic marked as cs2.
>
> Here is where it really gets weird. If we remove the filter on Router
> C that marks the traffic, everything starts working. Put the filter
> back in place and the traffic stops. We've been looking at this for a
> couple of days and JTAC has spent a few hours looking at it and we're
> still no closer to figuring out why cs2 traffic is being dropped. With
> the filter in place, traceroutes from Device B to A stop at Router A.
> Remove the marking filter and traceroutes complete and pings start
> succeeding.
>
> Can any of you think of a potential culprit that we're not seeing? I
> would hope that if this were something obvious, JTAC would have caught
> it by now. We're all stumped.
>
> Thanks!
> John
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list