SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Packets to even numbered IP addresses vanish inside SRX 550

    Posted 12-10-2018 05:18

    Scenario:

    - upstream QFX pair, connected to SRX HA-pair, 4 ports crossed over for mesh redundancy (reth on SRX to ae on QFX)

    - reth has LACP active

    Problem:

    - ping from the QFX to a host behind the SRX only works for odd-numbered IP addresses

    Using capture files, I can see:

    - ICMP ECHO-REQUEST arrives on the reth from the QFX (both odd- and even-numbered IPs)

    - ICMP ECHO-REQUEST is sent out the physical interface (for odd-numbered IPs)

    - ICMP ECHO-REPLY arrives on the other side's reth (for odd-numbered IPs)

    - ICMP ECHO-REPLY is sent out the physical interface to the QFX (for odd-numbered IPs)

    Even-numbered IP packets disappear.

    LACP output:

        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          ge-0/0/6       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-0/0/6     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
          ge-0/0/7       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-0/0/7     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
          ge-9/0/6       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-9/0/6     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
          ge-9/0/7       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-9/0/7     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
        LACP protocol:        Receive State  Transmit State          Mux State
          ge-0/0/6                  Current   Fast periodic Collecting distributing
          ge-0/0/7                  Current   Fast periodic Collecting distributing
          ge-9/0/6                  Current   Fast periodic Collecting distributing
          ge-9/0/7                  Current   Fast periodic Collecting distributing

    Interfaces are all up:

    show interfaces terse | match reth6
    ge-0/0/6.0              up    up   aenet    --> reth6.0
    ge-0/0/7.0              up    up   aenet    --> reth6.0
    ge-9/0/6.0              up    up   aenet    --> reth6.0
    ge-9/0/7.0              up    up   aenet    --> reth6.0
    reth6                   up    up
    reth6.0                 up    up   inet     1.2.3.4/29

    The reth looks like this:

    show interfaces reth6
    Physical interface: reth6  , Enabled, Physical link is Up
      Interface index: 134, SNMP ifIndex: 573
      Link-level type: Ethernet, MTU: 1514, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
      Minimum bandwidth needed: 1bps
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Current address: 00:10:db:ED:IT:ED, Hardware address: 00:10:db:ED:IT:ED
      Last flapped   : 2018-12-10 17:08:10 EST (07:07:20 ago)
      Input rate     : 3936 bps (0 pps)
      Output rate    : 272 bps (0 pps)
    
      Logical interface reth6.0 (Index 95) (SNMP ifIndex 574)
        Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
        Statistics        Packets        pps         Bytes          bps
        Bundle:
            Input :        135576          0      16490480         3936
            Output:         58629          0       4452718          272
        Adaptive Statistics:
            Adaptive Adjusts:          0
            Adaptive Scans  :          0
            Adaptive Updates:          0
        Security: Zone: UNTRUSTED
        Allowed host-inbound traffic : ping ssh
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary

    What it feels like is that the Juniper is discarding the packets because it doesn't like which interface they arrived on.

    reth6 is configured:

    show configuration interfaces reth6
    redundant-ether-options {
        redundancy-group 6;
        lacp {
            active;
        }
    }
    unit 0 {
        family inet {
            filter {
                input ICMP-CAPTURE;
                output ICMP-CAPTURE;
            }
            address 1.2.3.4/29;
        }
    }

    show configuration interfaces ge-0/0/6
    gigether-options {
    redundant-parent reth6;
    }
    ...

    which I imagine to be pretty normal, and the ge's are all the same.

    I feel like I'm missing something obvious but I don't quite know what.

  • 2.  RE: Packets to even numbered IP addresses vanish inside SRX 550

    Posted 12-10-2018 05:31

    Please enable flow traceoptions and initiate traffic to see where the packet is getting dropped.

    1. Enable flow trace:

    set security flow traceoptions file FLOW.log size 10m

    set security flow traceoptions flag packet-drops

    set security flow traceoptions flag basic-datapath

    set security flow traceoptions packet-filter p1 source-prefix <ip address of the outside PC from where traffic is initiated>

    set security flow traceoptions packet-filter p2 destination-prefix <ip address of the outside PC from where traffic is initiated>

    commit

    2. Initiate traffic from QFX Side

    3. Remove flow trace options

    delete security flow traceoptions

    4. Analyze the FLOW.log or share with us

    show log FLOW.log | match "p[12]|permit|drop|policy"

  • 3.  RE: Packets to even numbered IP addresses vanish inside SRX 550
    Best Answer

    Posted 12-10-2018 05:49

    From your description it sounds like you have one single ae on your QFX switches. This is not supported towards an SRX HA cluster. There you need a separate ae between the QFX and each SRX node.

    The problem is that a reth is either active on node0 or on node1... traffic received on the passive node will be dropped. That explains why half of your traffic disappears.

    This link describes how it should be configured:

    https://www.juniper.net/documentation/en_US/junos/topics/example/interface-security-aggregated-ethernet-lacp-chassis-cluster-configuring.html
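    To make the explanation concrete, here is an added model (not code from this thread or from Juniper) of how a per-destination hash on a single QFX ae spreads flows across the member links of both SRX nodes, and how the passive node's drop produces the odd/even symptom described in the first post; the second half shows the supported design with one ae per node. The hash (destination address modulo member count), the member-link ordering and the 10.0.0.x host addresses are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Topology from the thread: four crossed links, two per SRX node
# (FPC 0 = node0, FPC 9 = node1).
LINK_TO_NODE: Dict[str, int] = {
    "ge-0/0/6": 0, "ge-0/0/7": 0,
    "ge-9/0/6": 1, "ge-9/0/7": 1,
}

# One ae on the QFX containing all four links. The member order is an
# assumption chosen so the model reproduces the thread's odd/even symptom.
ONE_AE: List[str] = ["ge-9/0/6", "ge-0/0/6", "ge-9/0/7", "ge-0/0/7"]

# Constructed hosts behind the SRX (not the reth's own 1.2.3.4/29 subnet).
HOSTS: List[str] = [f"10.0.0.{h}" for h in range(1, 7)]

def pick_link(dst_ip: str, members: List[str]) -> str:
    """Assumed QFX load-balancing hash: destination address modulo the
    number of member links. Real QFX hashing uses more header fields, but
    any per-flow hash spreads destinations across all members."""
    return members[int(ipaddress.ip_address(dst_ip)) % len(members)]

def srx_forwards(link: str, active_node: int) -> bool:
    """A reth is active on exactly one node; frames arriving on the
    passive node's member links are dropped (the best answer's point)."""
    return LINK_TO_NODE[link] == active_node

def links_toward(active_node: int) -> List[str]:
    """Supported design: one ae per SRX node. The QFX learns the reth MAC
    on the ae facing the active node, so only that node's links carry traffic."""
    return [link for link, node in LINK_TO_NODE.items() if node == active_node]

def simulate(dst_ips: List[str], members: List[str],
             active_node: int = 0) -> Tuple[List[str], List[str]]:
    """Return (delivered, dropped) destination lists for a given ae."""
    delivered, dropped = [], []
    for ip in dst_ips:
        link = pick_link(ip, members)
        (delivered if srx_forwards(link, active_node) else dropped).append(ip)
    return delivered, dropped

if __name__ == "__main__":
    print("single ae spanning both nodes:", simulate(HOSTS, ONE_AE))
    print("one ae per node (node0 active):", simulate(HOSTS, links_toward(0)))
    print("one ae per node after failover:", simulate(HOSTS, links_toward(1), 1))
```

    With the single ae, every destination that hashes onto a node1 member link is lost; with one ae per node the QFX only ever sends toward the active node, before and after a failover.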

  • 4.  RE: Packets to even numbered IP addresses vanish inside SRX 550

    Posted 12-10-2018 14:02

    Yes, thank you! I knew there was something simple I was missing.

    Ideally I would want to make this an active/active SRX HA pair.