MTU between MX and Cisco

Erdem

  • 1.  MTU between MX and Cisco

    Posted 07-22-2011 01:08

    Hi

    There is a trunk port between the MX and the Cisco. On the MX side the MTU is 9192, but on the Cisco side it is the default. The PC behind the Cisco is able to ping the web server behind the MX but is not able to access the web server page; it is extremely slow.

    Can anybody point out what could be the problem? Is it the MTU size on the Cisco?

    Thanks



  • 2.  RE: MTU between MX and Cisco

    Posted 07-22-2011 01:55

    MTU on the Cisco side is 9170



  • 3.  RE: MTU between MX and Cisco

    Posted 07-22-2011 01:56

    > Can anybody point out what could be the problem? Is it the MTU size on the Cisco?

    From what you just described, the MTU problem is on the MX. You need to decrease it, not increase it, until it matches the one from the Cisco.

    Also be aware that if you configure MTU in the physical interface level, that will also consider the encapsulation overhead.

    If you configure it at the ifl level (as in "unit 0 family inet mtu xxxx"), that would be the actual protocol MTU.

    Hope it helps,

     Saverio



  • 4.  RE: MTU between MX and Cisco

    Posted 07-22-2011 02:47

    Sorry, I missed your diagram - it was on another thread.

    Are you referring to this?

    PC---Access Switch (cisco)----802.1q Trunk Link---CE (cisco)----802.1q Trunk Link---PE (Juniper)----MPLS Network-----PE (Juniper)-----802.1q Trunk Link-----Access Switch (Juniper)------802.1q Trunk----Firewall (Fortinet)

    If you are, most probably the problem is between the Juniper PEs, and not on the trunk port (remember a switch cannot fragment).

    You can work around this by doing two things: decrease MTU on your Cisco CE, *and* also on the Fortinet firewall that is taking the role of your CE on the other side.

    The best solution would be to remove the MTU bottleneck in the MPLS network of course, but this may be outside your control.

    Hope it helps,

     Saverio




  • 5.  RE: MTU between MX and Cisco

    Posted 07-22-2011 02:59

    What MTU on the core-facing interfaces?



  • 6.  RE: MTU between MX and Cisco

    Posted 07-22-2011 03:37

    > What MTU on the core-facing interfaces?

    Yes, if that is confirmed to be the problem, reducing these would also help.

    Saverio



  • 7.  RE: MTU between MX and Cisco

    Posted 07-23-2011 00:56

    Hi Experts

    Thanks for the input. Yes, the previous thread is my topology. Below are the MTUs we are using. In the core network the interface MTU is 9192, so I don't think the problem lies between the PEs.

    1- CE (Cisco 6500) trunk port connected to Juniper PE1 has MTU default

    2- PE1 trunk port connected to Cisco CE has MTU 9192

    3- All core interfaces of the MX in the MPLS network have MTU 9192

    4- PE2 trunk port connected to Juniper CE (EX4200) has MTU 9192

    5- Juniper CE (EX4200) trunk port connected to PE2 has MTU 2000

    6- Juniper CE (EX4200) trunk port connected to Fortinet Firewall has MTU 2000 and default, both tried

    7- Fortinet Firewall trunk port connected to Juniper CE (EX4200) has MTU default

    Below are our observations:

    1- Every time the PC is behind/connected to the Cisco CE in the same VLAN as the Fortinet through the VPLS service, ping is fine but with some drops; from the PC (Windows) we can ping with -t <fortinet firewall IP> -f -l 1260 fine, but above 1260 it is dropped, and we are not able to access the web interface of the Fortinet firewall at all.

    2- If the PC is connected to PE1/PE2 or to the Juniper CE (EX4200) in the same VLAN as the Fortinet firewall, ping is fine, web access is fine, and we can ping with -t <fortinet firewall IP> -f -l 1400 easily.

    NOTE: The Fortinet Firewall is connected to the Juniper CE (EX4200) via a trunk link carrying a couple of VLANs, and we are testing using one of the VLANs.

    I would highly appreciate it if anybody could guide me in the right direction: where is the MTU problem?

    Thanks



  • 8.  RE: MTU between MX and Cisco

    Posted 07-23-2011 03:55

    Hi,

    Microsoft ping '-l' uses the ICMP payload size rather than the whole datagram size; you need to add 42 bytes to it (and another 4 bytes for the VLAN tag); this brings you to a datagram size of 1306. Even adding a couple of MPLS labels, we are not close enough to the Ethernet MTU for this to be a likely cause.

    More than an MTU issue, it looks like some kind of fault on one of the devices which is causing large frames to be dropped.

    Some hardware faults (bad packet memory) tend to cause this, both on Cisco and on Juniper devices.

    I believe we should be able to find out, but let me ask you a few questions first; then I will give you a troubleshooting procedure.

    First, this point:

    > 5- Juniper CE (EX4200) trunk port connected to PE2 has MTU 2000
    > 6- Juniper CE (EX4200) trunk port connected to Fortinet Firewall has MTU 2000 and default, both tried

    When you say 'Juniper CE' in points (5) and (6), do you mean that you use it as a router? If you do not, and you use the EX just as a switch, the actual CE becomes the Fortinet firewall.

    My second question is this: if you connect the PC to the PE so that you ping through the VPLS service, do you still see the problem?

             PC <-- here
               |
               |
    PC----PE (Juniper)----MPLS Network-----PE (Juniper)-----802.1q Trunk Link-----Access Switch (Juniper)------Firewall (Fortinet)

    From your mail (observation 2), I almost understood that you do NOT see the problem there; can you confirm that you *do* go through the MPLS cloud in your test of observation 2?

    Because if you do not see the problem, it is not an issue in the MPLS network, but a problem on the Cisco CE or switch; again, I am assuming that the Cisco CE is a router.

    Finally, last question: you mention that the core-facing interfaces are set to 9K; can the network between them actually support such a big MTU? This is most probably a mistake (and you will need to correct it), but I think it is unlikely it is causing your problem right now.

    Now, the troubleshooting procedure. From your output, it looks like you are trying to do a ping from a Windows box.

    You can start with that, but if you have a problem detecting whether pings go through, you will need to get hold of a better ping (one that allows you to do flood pinging) and send a fast stream of packets (above 1260 bytes) towards the firewall.

    If there is no other traffic, you should be able to follow the stream by checking interface counters; as an additional check, configure a firewall filter on the left Juniper PE, counting ICMP on the way in. Clear firewall counters, send 100 fast pings with size 1270, and make sure you receive them on the Juniper.

    If you don't receive them, the problem is on the Cisco network on the left side of your diagram.

    If everything is ok, move to the remote side, and do the same test; check traffic on the way out.

    If you clear interface counters and send 1000 rapid ICMP packets, you should see a bit more than 1000 packets being sent towards the Fortinet fw; if you don't, they have been dropped within the MPLS network.

    I hope it helps; let me know how it goes.

    Saverio



  • 9.  RE: MTU between MX and Cisco

    Posted 07-23-2011 07:29

    Hi

    Thanks a lot for your time.

    1- Answering your first question, the EX4200 switch is connected to the PE via a trunk link (only L2) and the Fortinet firewall has an IP from, say, VLAN 700 (which is extended up to the Cisco side via VPLS).

    2- Answering your second question, yes, you are right: if we connect the PC to the PE or anywhere in the MPLS network, we are not facing any problem at all.

    3- The Cisco 6500 is connected to the PE via a trunk link (L2), and I connect my PC in VLAN 700 and try to access the web interface of the Fortinet firewall.

    Can you please elaborate your troubleshooting procedure more, like the fast ping from Windows connected to the Cisco 6500 to the Fortinet firewall, and where I have to place the firewall filter on the PE?

    Thanks



  • 10.  RE: MTU between MX and Cisco

    Posted 07-23-2011 09:26

    Hi,

    > 2- Answering your second question, yes, you are right: if we connect the PC to the PE or anywhere in the MPLS network, we are not facing any problem at all.

    Just to be clear, you connect the PC on the actual interface where the trunk to the Cisco goes, and the problem disappears?

    In order to do this (looking at your diagram), you need to have VLAN tagging enabled on the PC; is that the case?

    I am just trying to understand if we can rule out problems within the MPLS cloud; but in order to do this, I need to know if the pings which succeed take the MPLS path or not. It would help to have the configuration of the VPLS instance, just to be sure we are on the same page.

    Now, about your question:

    > Can you please elaborate your troubleshooting procedure more, like the fast ping from Windows connected to the Cisco 6500
    > to the Fortinet firewall, and where I have to place the firewall filter on the PE?

    You need to have a way of generating lots of unidirectional traffic; on Unix, you could do a flood ping, on Juniper you could do a 'ping rapid interval 0.1' - but on Microsoft Windows, you cannot do any of this.

    So you need to find/install a different (better) tool to generate that traffic, since it would make it easier to find out where the loss is - you want to be able to send a few thousand pings without having to wait for hours.

    I did a search for "rapid ping for windows" and found several programs, but I cannot recommend any in particular as I do not use Windows; please pick one which fits your version of Windows.

    Now, about the troubleshooting procedure: if you do not have other traffic on the path, you can simply clear interface statistics ("clear interface statistics all"), send 1000 pings, and check the counters again ("show interfaces ge-X/XX extensive"); you should see at least 1000 packets coming in on PE1, and being sent out of the remote PE2.

    If there is other traffic, you should be able to configure a firewall filter (under family VPLS) on PE1:

    http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/firewall-fitler-match-conditions-vpls-configuring.html

    You can do something like this:

    [edit firewall]

    family vpls {
        filter pc-traffic {
            term 1 {
                from {
                    source-mac-address {
                        <your PC MAC address>;
                    }
                }
                then {
                    count traffic-from-pc;
                    accept;
                }
            }
            term t2 {
                then accept;
            }
        }
    }

    Then, apply this on the CE-facing interface, under family vpls:

    interfaces {
        ge-X/Y/Z {
            vlan-tagging;
            ...
            family vpls {
                filter {
                    input pc-traffic;
                }
            }
        }
    }

    Then, do a "clear firewall", send 1000 ping packets, and do a "show firewall". If you do not see the 1000 packets, they have been dropped before.

    Hope it helps,

     Saverio



  • 11.  RE: MTU between MX and Cisco

    Posted 07-23-2011 11:16

    Thanks Dear. Actually I connected my PC to an access port on the EX4200 switch in the same VLAN as the Fortinet firewall. Also I connected my PC to an access port on the PE, and everything was fine. Here is the configuration for VPLS and the trunk ports of the PEs.

    PE2

    ---------------------------

    (Trunk port connected to Cisco 6500)


    set interfaces xe-0/3/0 encapsulation flexible-ethernet-services
    set interfaces xe-0/3/0 flexible-vlan-tagging
    set interfaces xe-0/3/0 mtu 9192
    set interfaces xe-0/3/0 unit 200 description Wireless-Backbone
    set interfaces xe-0/3/0 unit 200 encapsulation vlan-bridge
    set interfaces xe-0/3/0 unit 200 family bridge interface-mode trunk
    set interfaces xe-0/3/0 unit 200 family bridge vlan-id-list 700
    set interfaces xe-0/3/0 unit 200 family bridge vlan-id-list 701


    (VPLS Configuration)
    set routing-instances Wireless-Backbone-VPLS instance-type virtual-switch
    set routing-instances Wireless-Backbone-VPLS interface xe-0/3/0.200
    set routing-instances Wireless-Backbone-VPLS route-distinguisher 10.11.10.5:20200
    set routing-instances Wireless-Backbone-VPLS vrf-target target:65001:20200
    set routing-instances Wireless-Backbone-VPLS protocols vpls no-tunnel-services
    set routing-instances Wireless-Backbone-VPLS protocols vpls site 5 site-identifier 5
    set routing-instances Wireless-Backbone-VPLS bridge-domains vlan-700 vlan-id 700
    set routing-instances Wireless-Backbone-VPLS bridge-domains vlan-701 vlan-id 701


    PE1

    ------------

    (Trunk Port connected to EX4200 switch)


    set interfaces xe-0/1/0 encapsulation flexible-ethernet-services
    set interfaces xe-0/1/0 flexible-vlan-tagging
    set interfaces xe-0/1/0 mtu 9192
    set interfaces xe-0/1/0 unit 200 description Wireless-Backbone
    set interfaces xe-0/1/0 unit 200 encapsulation vlan-bridge
    set interfaces xe-0/1/0 unit 200 family bridge interface-mode trunk
    set interfaces xe-0/1/0 unit 200 family bridge vlan-id-list 700
    set interfaces xe-0/1/0 unit 200 family bridge vlan-id-list 701


    (VPLS Configuration)

    set routing-instances Wireless-Backbone-VPLS instance-type virtual-switch
    set routing-instances Wireless-Backbone-VPLS interface xe-0/1/0.200
    set routing-instances Wireless-Backbone-VPLS route-distinguisher 10.11.10.4:20200
    set routing-instances Wireless-Backbone-VPLS vrf-target target:65001:20200
    set routing-instances Wireless-Backbone-VPLS protocols vpls no-tunnel-services
    set routing-instances Wireless-Backbone-VPLS protocols vpls site 4 site-identifier 4
    set routing-instances Wireless-Backbone-VPLS bridge-domains vlan-700 vlan-id 700
    set routing-instances Wireless-Backbone-VPLS bridge-domains vlan-701 vlan-id 701


    Thanks



  • 12.  RE: MTU between MX and Cisco

    Posted 07-25-2011 03:12

    > Actually I connected my PC to an access port on the EX4200 switch in the same VLAN as the Fortinet firewall. Also I connected my PC to an access port on the PE, and everything was fine.

    .. what I would suggest then is to leave the VPLS backbone for the moment, because big frames are dropped before that, apparently.

    I would focus on the path before the first PE, and see if biggish frames (a bit above 1260) are able to get from the PC to the PE, first. You also mention packet loss; we may really be having just a broken Cisco device in the path after all.

    Let us know how it goes.

     Saverio



  • 13.  RE: MTU between MX and Cisco

    Posted 07-25-2011 09:39

    Actually the trunk link between the Cisco 6500 and the Juniper MX has many VLANs. I assigned one IP to the Cisco switch from one VLAN and one IP to the Juniper MX, and tried to ping the IP of the Cisco from the MX with rapid ping with a size of 1460, and there is no drop at all.

    What MTU should I configure on the Juniper MX trunk port? I searched on forums and there are some issues related to MTU between Cisco and Juniper. Below is the thread:

    http://www.juniperforum.com/index.php?topic=3054.0;wap2



  • 14.  RE: MTU between MX and Cisco

    Posted 07-27-2011 01:53

    > I searched on forums and there are some issues related to MTU between Cisco and Juniper. Below is the thread:

    .. that is actually what I wrote in the second message of this thread:

        Also be aware that if you configure MTU in the physical interface level, that will also consider the encapsulation overhead.

        If you configure it at the ifl level (as in "unit 0 family inet mtu xxxx"), that would be the actual protocol MTU.

    So, when you want to configure the IP or MPLS MTU, either you do it at the logical unit level and you use the actual value, or you do so at the whole interface level, but then you must consider the encapsulation overhead (do not forget VLANs where you use them).

    I would focus on finding out if it is really true that packets bigger than 1260 cannot go through your switch. If it is, that is your problem.

    Saverio
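    Worked example of the arithmetic from messages 8 and 14 and the counter check from message 10, added here and not written by any poster in this thread. Header sizes are the standard Ethernet, 802.1Q, MPLS, IPv4 and ICMP values; the "Cisco default" and Fortinet MTU of 1500, the hop limits in the sample path and the counter deltas are assumptions; localize_loss is a hypothetical helper for the clear/send/show procedure.

```python
"""Frame-size and counter bookkeeping for the MTU/ping tests in this thread."""

ETH_HDR = 14      # dst MAC + src MAC + EtherType, FCS excluded
DOT1Q_TAG = 4     # one 802.1Q VLAN tag
MPLS_LABEL = 4    # one MPLS label stack entry
IPV4_HDR = 20
ICMP_HDR = 8


def windows_ping_frame_size(payload, vlan_tags=0, mpls_labels=0):
    """Bytes on the wire for Windows 'ping -l <payload>' (-l counts ICMP data only)."""
    return (payload + ICMP_HDR + IPV4_HDR + ETH_HDR
            + vlan_tags * DOT1Q_TAG + mpls_labels * MPLS_LABEL)


def max_windows_ping_payload(l3_mtu):
    """Largest 'ping -f -l' value that fits an IP MTU without fragmentation."""
    return l3_mtu - IPV4_HDR - ICMP_HDR


def junos_protocol_mtu(physical_mtu, vlan_tags=1):
    """Junos physical 'mtu' includes L2 encapsulation; return the IP/MPLS MTU left."""
    return physical_mtu - ETH_HDR - vlan_tags * DOT1Q_TAG


def l3_mtu_as_frame(l3_mtu, vlan_tags=1):
    """Cisco IOS 'mtu' is an L3 size; add L2 headers to compare with a Junos physical MTU."""
    return l3_mtu + ETH_HDR + vlan_tags * DOT1Q_TAG


def first_hop_too_small(frame_size, hops):
    """hops: [(name, max_frame_bytes), ...] in path order. First hop that drops frame_size, or None."""
    for name, limit in hops:
        if frame_size > limit:
            return name
    return None


def localize_loss(sent, pe1_in_delta, pe2_out_delta):
    """Counter deltas after 'clear firewall' / 'clear interface statistics' and `sent` test pings."""
    if pe1_in_delta < sent:
        return "before PE1 (Cisco side)"
    if pe2_out_delta < sent:
        return "inside the MPLS core"
    return "no loss between PE1 ingress and PE2 egress"


if __name__ == "__main__":
    # Thread values: 'ping -f -l 1260' on a VLAN-tagged trunk -> 1306-byte frame (message 8).
    print(windows_ping_frame_size(1260, vlan_tags=1))
    # Assumed path: Cisco CE default 1500 (L3), PEs/core 9192, EX4200 2000, Fortinet 1500 (L3).
    path = [("Cisco CE", l3_mtu_as_frame(1500)), ("PE1", 9192), ("core", 9192),
            ("PE2", 9192), ("EX4200", 2000), ("Fortinet", l3_mtu_as_frame(1500))]
    print(first_hop_too_small(windows_ping_frame_size(1260, 1), path))
    print(junos_protocol_mtu(9192), l3_mtu_as_frame(9170))
```

    With the assumed path no hop is too small for the 1306-byte test frame, which matches the thread's conclusion that plain MTU is not the likely cause; the 9170 Cisco MTU also fits inside the 9192 Junos physical MTU once the 18-byte tagged Ethernet header is added.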



  • 15.  RE: MTU between MX and Cisco

    Posted 08-01-2011 05:28

    Hi,

    I posted a full explanation of the way Cisco and Juniper configure MTU here:

    http://forums.juniper.net/t5/Routing/Query-on-MTU/td-p/101478

    Hopefully it will help, even if I believe you have a different, more serious problem (hardware) on your switches.

    Thanks,

     Saverio