SRX Services Gateway
Reply
Visitor
Celeus
Posts: 3
Registered: ‎04-29-2008
0

SRX650 flow behavior with UDP after ICMP Unreachable (port-unreachable)

We have encountered an issue where we believe our SRX650 (cluster, junos 10.0R3) is dropping packets destined to a UDP port  for approximately two seconds after it has forwarded an ICMP Destination Unreachable-Port Unreachable for that same IP/Port combination.

 

In our situation, even though one of the hosts has returned an ICMP unreachable, it is, in fact reachable shortly thereafter and we would like the large stream of UDP packets destined for it to arrive.

 

This behavior appears to have begun after we upgraded from a J2320 (non cluster, flow based code) to a pair of SRX650's (clustered).  We do not presently have definitive evidence that the issue is with the SRX650, but we strongly suspect it and are working on tracking things down with the appropriate traffic captures.  Presuming that is the case, we will also investigate turning up debug tracing to try and see what the session setup flow looks like.

 

I am wondering if anyone else is seeing something similar?  This sounds suspiciously like the SRX deciding the flow is invalid and waiting 2 seconds before allowing it to be restarted.  I can find no documentation on this, or any settings in JunOS to allow me to modify it.

 

Presuming we find it, and there is no other way, I suspect we will end up using a packet-filter to circumvent the flow-based code for this traffic.

 

My question is, has anyone else seen this behavior or have any suggestions as to what else might be causing it?  We'll open a case with JTAC after we can prove the behavior is the SRX, etc etc, but I'd love to hear if anyone else has seen anything similar.

 

Thanks!

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010
0

Re: SRX650 flow behavior with UDP after ICMP Unreachable (port-unreachable)

Did you figure out a resolution and correct configuration for this?  I've been looking into a similar thing on my SRX and the most I've come up with is the following:

 

system {
    host-name cerberus;
    time-zone America/Chicago;
    internet-options {
        path-mtu-discovery;
    }
}

 

Thanks,

 

mawr

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.