[j-nsp] Weird ARP issue
Luca Salvatore
Luca at ninefold.com
Thu Jan 31 03:01:24 EST 2013
It seems a routing engine filter on lo0 was the cause. The filter was only allowing SSH to/from specific addresses. Once we removed the filter, the ARPs worked and traffic flowed.
Why is the switch using the routing engine filter for transit traffic?
Sent from my iPhone
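As an added illustration (not the poster's actual configuration, which the thread never shows), here is a lo0 filter of the kind described, SSH from management hosts only with everything else discarded, beside one common way to keep that protection without starving ARP resolution: discard only what is addressed to the switch itself and let punted transit packets through. Prefix-list names and the 192.0.2.10 admin host are assumptions.

```junos
/* Added example, not the original poster's configuration. Assumed names:
   prefix-list mgmt-hosts (admin stations, constructed sample address) and
   switch-self (the EX's own inet addresses, collected via apply-path). */
policy-options {
    prefix-list mgmt-hosts { 192.0.2.10/32; }
    prefix-list switch-self {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
}
firewall {
    family inet {
        /* Filter of the kind the thread describes. As the thread found,
           a transit packet whose next hop has no ARP entry is punted to
           the RE and evaluated by this filter, so deny-rest drops it and
           the switch never sends the ARP request. */
        filter protect-re-broken {
            term allow-ssh {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-rest {
                then discard;
            }
        }
        /* Corrected: same SSH restriction, but only packets addressed to
           the switch itself are discarded; punted transit packets reach
           the final accept and ARP resolution proceeds. */
        filter protect-re {
            term allow-ssh {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-to-self {
                from { destination-prefix-list { switch-self; } }
                then { count re-discards; discard; }
            }
            term transit-punted { then accept; }
        }
    }
}
interfaces { lo0 { unit 0 { family inet { filter { input protect-re; } } } } }
```

The re-discards counter (check it with `show firewall filter protect-re`) lets you confirm that only traffic to the switch's own addresses is being dropped.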
On 31/01/2013, at 3:58 PM, "Payam Chychi" <pchychi at gmail.com> wrote:
Mmm, are the MAC addresses for the host ARPing via ping different than the host that does not ARP via SSH?
If so, it might be an issue with virtual MAC addresses.
--
Payam Chychi
Network Engineer / Security Specialist
On Wednesday, 30 January, 2013 at 7:29 PM, Luca Salvatore wrote:
I haven’t touched any ARP config, it’s just the defaults.
The plot thickens:
I did some port-mirroring: when I send traffic on port 80 to the VM, the switch will generate an ARP request.
Same if I do a ping, I see an ARP request.
However for SSH traffic, the switch never generates an ARP request so the traffic never gets to the end host.
Luca
From: Payam Chychi [mailto:pchychi at gmail.com]
Sent: Thursday, 31 January 2013 1:48 PM
To: Luca Salvatore
Subject: Re: [j-nsp] Weird ARP issue
What does your ARP setup look like? I recall something about Juniper handling ARP differently depending on if you have ARP proxy enabled.
--
Payam Chychi
Network Engineer / Security Specialist
On Wednesday, 30 January, 2013 at 4:54 PM, Luca Salvatore wrote:
Yes it must be the server... the switch doesn't care what type of traffic it is.
The XenServers are running Open vSwitch though.
Luca
-----Original Message-----
From: Aaron Dewell [mailto:aaron.dewell at gmail.com]
Sent: Thursday, 31 January 2013 11:50 AM
To: Luca Salvatore
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Weird ARP issue
Sounds like a Xen bridge issue, but I have no definitive experience or reason other than that's the only thing in the path which might block it. Strange that it would pass an ARP for a ping but not for SSH. Should be the same ARP off the switch either way.
On Jan 30, 2013, at 5:41 PM, Luca Salvatore wrote:
I have a very strange problem that may or may not be related to my switch, but I'm running out of ideas.
I have an EX4200 switch running 11.4R2.14. The EX has a bunch of VLANs and is doing some basic routing using the L3 VLAN interfaces.
Connected to this switch are some servers running XenServer with a bunch of VMs.
Now, the issue I'm seeing is:
When I try to SSH to a VM running on the XenServers, I don't get any connection.
If I then send a ping to the VM my SSH connection works.
What I see happening is that there is no ARP entry in the switch when I use SSH.
As soon as I send a ping, the switch sends an ARP request and gets a reply.
In other words:
When SSH is used and I do a TCP dump on the server, I do not see an ARP request. But when I send a ping, I see the ARP request (from the switch) hit the server and the response comes back; the switch then has an ARP entry and everything works.
Wondering if anyone has any thoughts here?
I'm about to do a port-mirror to try and dig a bit deeper, but not really confident it will help.
Thanks
Luca.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp