SRX Services Gateway

Problem with filter on GRE interface in chassis cluster (branch)

‎08-29-2012 02:48 AM

Hi!

I am just now trying to set up a lab where I will use input filters to run in selective packet mode. As part of the design we will have to use IPsec tunnels between sites. As there is no support for firewall filters on IPsec tunnel interfaces (st0.X), we are running GRE as well (gr-0/0/0.X). On the GRE interfaces, we can have input filters.

Using input filters on GRE works well on single units, but it looks like it does not work in a chassis cluster at all!

Does anyone have experience with firewall filters on GRE in chassis clusters?

Details:

SRX100B (in lab, SRX240 in production)

Junos 11.4R4.4

Works in single unit (11.4R2.11)

adm_perw@segotlabfw04> show configuration firewall family inet filter count-input
interface-specific;
term count-all {
    then {
        count "Filtered packet";
        accept;
    }
}

adm_perw@segotlabfw04> show configuration interfaces gr-0/0/0
unit 41 {
    description "GRE tunnel to labcl01";
    tunnel {
        source 100.64.0.4;
        destination 100.64.0.1;
    }
    family inet {
        mtu 1400;
        filter {
            input count-input;
        }
        address 100.64.14.4/24;
    }
}
unit 43 {
    description "GRE tunnel to labfw03";
    tunnel {
        source 100.64.0.4;
        destination 100.64.0.3;
    }
    family inet {
        mtu 1400;
        filter {
            input count-input;
        }
        address 100.64.34.4/24;
    }
}

adm_perw@segotlabfw04> show firewall filter count-input-gr-0/0/0.41-i

Filter: count-input-gr-0/0/0.41-i
Counters:
Name                                                Bytes              Packets
Filtered packet-gr-0/0/0.41-i                         336                    4

This is the config of the non-working cluster (11.4R4.4)

adm_perw@segotlabcl01a> show configuration firewall family inet filter transit-packet-mode
interface-specific;
term transit {
    from {
        source-address {
            100.64.0.33/32;
            100.64.0.44/32;
        }
        destination-address {
            100.64.0.33/32;
            100.64.0.44/32;
        }
        protocol icmp;
    }
    then {
        count "Transit packet-mode";
        packet-mode;
        accept;
    }
}
term default {
    then {
        count "Deafult counter";
        accept;
    }
}

adm_perw@segotlabcl01a> show configuration interfaces gr-0/0/0
unit 13 {
    description "GRE tunnel to labfw03";
    tunnel {
        source 100.64.0.1;
        destination 100.64.0.3;
    }
    family inet {
        mtu 1400;
        filter {
            input transit-packet-mode;
        }
        address 100.64.13.1/24;
    }
}
unit 14 {
    description "GRE tunnel to labfw04";
    tunnel {
        source 100.64.0.1;
        destination 100.64.0.4;
    }
    family inet {
        mtu 1400;
        filter {
            input transit-packet-mode;
        }
        address 100.64.14.1/24;
    }
}

adm_perw@segotlabcl01a> show firewall

Filter: __default_bpdu_filter__

Filter: transit-packet-mode-gr-0/0/0.13-i
Counters:
Name                                                Bytes              Packets
Deafult counter-gr-0/0/0.13-i                           0                    0
Transit packet-mode-gr-0/0/0.13-i                       0                    0

Filter: transit-packet-mode-gr-0/0/0.14-i
Counters:
Name                                                Bytes              Packets
Deafult counter-gr-0/0/0.14-i                           0                    0
Transit packet-mode-gr-0/0/0.14-i                       0                    0

As you can see, there are no hits in the counters at all, although there has been transit traffic. (I could see the sessions with "show security flow session interface gr-0/0/0.13".)
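The check the poster did by hand (comparing zero filter counters against interfaces that do carry flow sessions) can be scripted against the text of `show firewall`. The following is an added example written for this thread, not code from the poster or from Juniper: it parses the counter output pasted above, splits the interface-specific instance names of the form `<filter>-<interface>-<i|o>` that appear in that output, and reports every filter instance bound to an interface known to carry sessions whose counters are all zero. The set of interfaces with sessions is constructed input standing in for what `show security flow session interface ...` showed; the sample output blocks are copied from the post and embedded so the script runs offline.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the "show firewall" output from the non-working cluster, as posted.
SAMPLE_CLUSTER = """\
Filter: __default_bpdu_filter__

Filter: transit-packet-mode-gr-0/0/0.13-i
Counters:
Name                                                Bytes              Packets
Deafult counter-gr-0/0/0.13-i                           0                    0
Transit packet-mode-gr-0/0/0.13-i                       0                    0

Filter: transit-packet-mode-gr-0/0/0.14-i
Counters:
Name                                                Bytes              Packets
Deafult counter-gr-0/0/0.14-i                           0                    0
Transit packet-mode-gr-0/0/0.14-i                       0                    0
"""

# Constructed sample: the working single-unit output from the post.
SAMPLE_SINGLE_UNIT = """\
Filter: count-input-gr-0/0/0.41-i
Counters:
Name                                                Bytes              Packets
Filtered packet-gr-0/0/0.41-i                         336                    4
"""

# A counter row is "<name>   <bytes>   <packets>"; the name may itself contain digits and slashes.
COUNTER_RE = re.compile(r"^(?P<name>.+?)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$")
# Interface-specific instance names as shown in the output: "<filter>-<ifl>-<i|o>".
INSTANCE_RE = re.compile(r"^(?P<filter>.+)-(?P<ifl>[a-z]+-\d+/\d+/\d+\.\d+)-(?P<dir>[io])$")


def parse_show_firewall(text: str) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Return {filter_instance: {counter_name: (bytes, packets)}} from 'show firewall' text."""
    filters: Dict[str, Dict[str, Tuple[int, int]]] = {}
    current: Optional[str] = None
    in_counters = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Filter: "):
            current = line[len("Filter: "):].strip()
            filters[current] = {}
            in_counters = False
        elif line == "Counters:":
            in_counters = True
        elif not line:
            in_counters = False
        elif line.startswith("Name") and "Bytes" in line and "Packets" in line:
            continue  # column header row
        elif in_counters and current is not None:
            m = COUNTER_RE.match(line)
            if m:
                filters[current][m.group("name")] = (int(m.group("bytes")), int(m.group("packets")))
    return filters


def split_instance_name(instance: str) -> Optional[Tuple[str, str, str]]:
    """Split 'count-input-gr-0/0/0.41-i' into ('count-input', 'gr-0/0/0.41', 'i'); None if not interface-specific."""
    m = INSTANCE_RE.match(instance)
    if not m:
        return None
    return m.group("filter"), m.group("ifl"), m.group("dir")


def silent_filter_instances(parsed: Dict[str, Dict[str, Tuple[int, int]]],
                            interfaces_with_sessions: Set[str]) -> List[Tuple[str, str]]:
    """Filter instances on interfaces that carry sessions but whose counters never incremented."""
    silent: List[Tuple[str, str]] = []
    for instance, counters in sorted(parsed.items()):
        parts = split_instance_name(instance)
        if parts is None or parts[1] not in interfaces_with_sessions:
            continue
        if counters and all(packets == 0 for _, packets in counters.values()):
            silent.append((instance, parts[1]))
    return silent


if __name__ == "__main__":
    # Constructed: the poster saw sessions on gr-0/0/0.13 in "show security flow session interface".
    for instance, ifl in silent_filter_instances(parse_show_firewall(SAMPLE_CLUSTER), {"gr-0/0/0.13"}):
        print(f"{instance}: sessions exist on {ifl} but every counter is zero")
```

Run as-is it reports the gr-0/0/0.13 instance from the cluster output; fed the single-unit output with gr-0/0/0.41 in the session set it reports nothing, which matches the working case in the post.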