[j-nsp] Input firewall on lo0 of EX --> ARP issue

Dennis Krul | Tilaa dennis at tilaa.nl
Thu Jun 14 03:02:52 EDT 2012


Hello list,

We've been having a weird issue on our EX4200-24Ts (all running 10.4R8.5). We use them for both L2 and L3. Gateways are configured on the VLAN interfaces of the EX. So what happens is this:

- A new host enters the network
- I connect to the host (with SSH, but the protocol doesn't matter as long as it's TCP) from another subnet/VLAN; nothing happens (no ARP requests on the target host, nothing in the ARP cache on the EX)
- I send one ICMP packet to the host and get a reply
- We now see ARP requests, and the EX shows an ARP entry
- The next connection succeeds

This issue exists both ways: it also happens if the first connection is attempted from this host to the outside world.

This only happens with new hosts. Once they are learned by the EX everything keeps on working. It's easy to reproduce by manually clearing the ARP entries and starting over. (The same happens with IPv6 ND.)

So after days of tcpdumping and excluding possible causes we finally learned that it was caused by our input filters on the loopback interface. We disabled the firewall on lo0 and everything started working.

The way I understand it, firewall rules on lo0 should only protect the RE and not interfere with forwarded traffic. So I guess the RE is somehow involved in the ARP learning process.

I've been reading a lot of Junos docs over the last couple of days, but I'm unable to figure out why this is happening.

Does anybody recognize this behavior? Could someone enlighten me about why this is happening (and perhaps recommend a way to protect our RE without breaking ARP on our network)?

Any feedback would be much appreciated.

Regards,

--
Dennis Krul
Tilaa

e: dennis at tilaa.nl
w: http://www.tilaa.nl
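The following lo0 filter skeleton is an added example, not configuration posted in this thread or supplied by Juniper. It is built on the assumption stated in the post that the RE takes part in resolving the next hop: if the first transit packet toward an unresolved neighbour is punted to the RE and the lo0 filter ends in an unconditional discard, that packet is dropped and no ARP request is ever generated. The example therefore restricts the discard term to addresses the switch itself owns and lets everything else fall through. The filter name, the prefix-list names (SWITCH-SELF, MGMT-NETS) and the 192.0.2.0/24 management prefix are hypothetical.

```junos
/* Added example, not from the original post. Names and addresses are
   assumptions; SWITCH-SELF and MGMT-NETS are hypothetical prefix lists. */
policy-options {
    prefix-list SWITCH-SELF {
        /* Every inet address the switch owns (vlan.* and lo0 units),
           collected automatically so new gateway VLANs are covered. */
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list MGMT-NETS {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* Management only from MGMT-NETS and only to the switch itself */
            term mgmt-allow {
                from {
                    source-prefix-list { MGMT-NETS; }
                    destination-prefix-list { SWITCH-SELF; }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term icmp-allow {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Discard ONLY what is addressed to the switch itself. A blanket
               "then discard" as the final term would also drop a punted
               transit packet, which is the failure the post describes. */
            term self-deny {
                from {
                    destination-prefix-list { SWITCH-SELF; }
                }
                then {
                    count re-discards;
                    discard;
                }
            }
            /* Anything not addressed to the switch (e.g. a transit packet
               punted for ARP resolution) is accepted here. */
            term transit-allow {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

This is a skeleton: terms for whatever else the RE must accept (routing protocols, DHCP relay, NTP, SNMP and so on) go before self-deny, each matched against SWITCH-SELF so that the final accept never widens access to the RE. To check it against the symptom in the post, clear the ARP table, open a TCP connection from another VLAN to a fresh host, then confirm that an ARP entry appears and that the re-discards counter (visible with show firewall filter PROTECT-RE) is not incrementing for transit flows.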
