SRX Services Gateway

Broken ECMP IPv6 with SRX1500 in packet mode

03-20-2017 06:42 AM

hi,

I have here a setup with an SRX1500 in packet mode. If I try to enable ECMP with IPv6, all runs fine except for clients that run Windows Server > 2012. I found out that Windows Server systems have ECN enabled by default since Server 2012.

If I disable ECN on the Windows Client all runs fine. Linux Clients with ECN enabled run fine also.

Without ECN:

SYN:      Client – Router –> SERVER A
SYN ACK:  SERVER A – Router –> Client
ACK:      Client – Router –> SERVER A

With ECN on Windows > 2012:

SYN:      Client – Router –> SERVER A
SYN ACK:  SERVER A – Router –> Client
ACK:      Client – Router –> SERVER B

Does anyone have any sort of idea of what's wrong or how to prevent this?

3 REPLIES

Re: Broken ECMP IPv6 with SRX1500 in packet mode

03-20-2017 04:33 PM

I suspect that you will need to turn ECN off. This does require that both the hosts and the underlying network support the feature to work consistently.

On Juniper, ECN is not on by default and has to be configured as part of a CoS setup, and it is only supported on the switching platforms, not available on the SRX series.

https://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=6436&fn=CoS%20Explicit%20cong...)

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: Broken ECMP IPv6 with SRX1500 in packet mode

03-21-2017 06:11 AM

Sorry, I think there is some misunderstanding. We can't turn ECN off because it happens only if the client has ECN on.

The client could be any host on the internet.

We are trying to build something like:

http://www.nethero.org/post/102776865537/per-flow-load-balancing-without-a-load-balancer

but IPv6 only.

Meaning:

Client ----Internet --> SRX ---> Servers

The SRX runs here in packet mode without any kind of NAT. With Linux / Mac OS X clients with ECN enabled there is no problem, only with customers using Windows Server systems > 2012.

Re: Broken ECMP IPv6 with SRX1500 in packet mode

04-18-2017 03:24 AM

Hi rherold,

Thanks for having reported this issue, also via JTAC.

This issue has the following reference and the fix will be in 15.1X49-D100 and higher:

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1265576

In this case, if you have the servers directly connected on the ECMP links, the first SYN and the ACK (from the 3-way handshake) coming from the client may not be sent towards the same link, which in this case means not the same server.

Workarounds can be to

1) disable ECMP

or to load-balance in a different way:

2) use a firewall filter and forwarding type routing-instances to forward traffic selectively to specific links to achieve load-balancing. An example can be seen at https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223 (just ignore the NAT and use IPv6 instead of IPv4 addresses).

Thanks,

Casper
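The symptom described in the thread (the SYN and the ACK of one connection leaving on different ECMP links, but only when the client's SYN carries the ECN setup flags) can be checked for in exported packet records before and after applying a fix or workaround. The script below is an added example, not part of the thread or of any Juniper tooling; the record format, addresses and link names are constructed for illustration.

```python
from collections import defaultdict

# TCP flag bits in header order (RFC 793; ECE and CWR added by RFC 3168)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
ECN_SETUP = TCP_FLAGS["ECE"] | TCP_FLAGS["CWR"]   # both set on an ECN-capable SYN

def parse_flags(text):
    """'SYN|ECE|CWR' -> 0xC2, the 8-bit flags value as it sits in the TCP header."""
    return sum(TCP_FLAGS[name] for name in text.split("|") if name)

# Constructed sample records (hypothetical export format, one packet per line:
# src dst sport dport flags egress-link). The first three lines replay the
# handshake without ECN, the last three the Windows Server > 2012 case.
RECORDS = """
2001:db8:1::10 2001:db8:2::1  51000 443   SYN         SERVER_A
2001:db8:2::1  2001:db8:1::10 443   51000 SYN|ACK     CLIENT
2001:db8:1::10 2001:db8:2::1  51000 443   ACK         SERVER_A
2001:db8:1::20 2001:db8:2::1  51001 443   SYN|ECE|CWR SERVER_A
2001:db8:2::1  2001:db8:1::20 443   51001 SYN|ACK|ECE CLIENT
2001:db8:1::20 2001:db8:2::1  51001 443   ACK         SERVER_B
"""

def parse_record(line):
    src, dst, sport, dport, flags, link = line.split()
    return (src, dst, int(sport), int(dport)), parse_flags(flags), link

def audit_flows(text):
    """Group segments by directional 5-tuple (protocol is always TCP here) and
    record which links each flow used and whether its SYN requested ECN."""
    flows = defaultdict(lambda: {"links": set(), "ecn_syn": False})
    for line in text.strip().splitlines():
        flow, flags, link = parse_record(line)
        entry = flows[flow]
        entry["links"].add(link)
        syn_only = flags & TCP_FLAGS["SYN"] and not flags & TCP_FLAGS["ACK"]
        if syn_only and (flags & ECN_SETUP) == ECN_SETUP:
            entry["ecn_syn"] = True
    return {flow: {"links": sorted(v["links"]), "ecn_syn": v["ecn_syn"],
                   "split": len(v["links"]) > 1} for flow, v in flows.items()}

def split_flows(text):
    """Flows whose segments left on more than one link. With a correct per-flow
    (5-tuple) hash this list is empty; every entry is a path-selection defect."""
    return [(flow, info) for flow, info in audit_flows(text).items() if info["split"]]

if __name__ == "__main__":
    for flow, info in split_flows(RECORDS):
        print(f"{flow}: links={info['links']} ecn_on_syn={info['ecn_syn']}")
```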