Hi All,


I have a bit of a strange problem going on and I've been trying to find a solution for a while now.


Basically, I have an L3VPN which connects 9 customer sites. Previously the 8 sites, which are running Mikrotik routers, have BGP sessions for 'vpn4' (inet-vpn) back to two MX104s which are acting as route reflectors. MPLS and LDP are up and running over OSPF. The sites can communicate between each other without issue.


The customer also has a rack in the same DC as us and we therefore added the VRF to one of the MX104s so that we can give them connectivity to the rest of their LAN from the DC. Again this worked absolutely fine.


Last week the customer opened a new site and we installed connectivity, but this time we installed a pair of SRX340s which basically had all of the security configuration in them stripped away so that they are just L3 switches.


Now here comes the issue. The SRXs can communicate with all of the other sites on the network, except the customer's kit in the DC which is inside the VRF on the MX104.


Routes to the subnets at the site and the DC are all present and it appears as though the MPLS routes are there and the bgp.l3vpn routes are also there.


I've tried with and without vrf-table-label set, but this doesn't seem to make any difference.


I've attached a network diagram which shows what the route looks like to get to the SRXs. Some of the other sites are omitted.


With this issue, for example, I can ping from which is a gateway on R1 to both and, but cannot ping


There are no firewall filters running on any of the ports on any of the routers which may block traffic between the routers.


Setting up a different VRF on the DC and SRX results in the same issue.


Has anyone else ever come across anything like this?



Please share the output of "show security flow status"

Hi Nellikka,

Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Enhanced route scaling mode: Disabled
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware

As far as I understand you tried to ping the destination with the  as source which is the VIP address. Did you set the accept-data knob within the vrrp configuration (because otherwise the router won't accept packets for the VIP and only forward transit packets)? Did you try to ping with the as source?




We do have the accept-data knob set on the VRRP configuration and did test using .2 as the source also.


I also set up a completely new VRF on both devices and included lo0.1 as an interface with a basic non-vrrp IPv4 configuration set and unfortunately I still get the same issue.