SRX Services Gateway

srx210 gr VPN tunnel frequently flap

‎06-19-2020 06:28 AM

Hi,

 

We have an internet link between the site and the head office with BGP configured. The VPN tunnel is configured with a gr interface.

There is no issue observed for the BGP tunnel. Based on the logs and config below, please suggest what I need to do to fix the issue (i.e. increase/decrease the BFD timer, flow control or something else).

Below are the logs observed under "show log messages":

 

Jun 15 09:17:31 fw-blr01 rpd[1421]: bgp_process_idled_flag_change:3404: NOTIFICATION sent to 10.71.17.18 (External AS 65377): code 6 (Cease) subcode 2 (Administratively Shutdown), Reason: Session down till BFD signals otherwise
Jun 15 10:15:21 fw-blr01 bfdd[1431]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 4, new state: down, interface: gr-0/0/0.20, peer addr: 10.71.17.18

 

BFD configuration

 

set protocols bgp group VPN-TUNNELBNGLR neighbor 10.71.17.27 bfd-liveness-detection minimum-interval 1000
set protocols bgp group VPN-TUNNELBNGLR neighbor 10.71.17.27 bfd-liveness-detection multiplier 3
set protocols bgp group VPN-TUNNELBNGLR neighbor 10.71.17.27 bfd-liveness-detection holddown-interval 1000

 

On the site SRX I can see flow control is "enabled", but at the head office flow control is disabled on the WAN interface.

 

Thank you


Re: srx210 gr VPN tunnel frequently flap

‎06-19-2020 06:39 AM

Hello 

 

The BFD timer you configured is 1 sec (1000 millisec). So your detection timer is 4 seconds. So kindly increase the interval to 2000 ms and the multiplier to 5 and see if you see the same flaps.

 

For testing you can disable the flow control on SRX. 


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: srx210 gr VPN tunnel frequently flap

‎06-19-2020 07:03 AM

Hi Joses,

 

Thank you for the quick response.

Do I need to change the interval for minimum-interval as well as holddown-interval?

What is the command to disable flow control? (I tried but couldn't find the command.)


Re: srx210 gr VPN tunnel frequently flap

‎06-19-2020 09:51 AM

Hello 

 

The holddown timer can also be changed to 5 sec. Flow control is disabled by default on Ethernet interfaces. We have to do the following configuration to enable it on SRX:

 

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/interface...

 

Or you can try using:

set interfaces <interface-name> gigether-options no-flow-control

 

 


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: srx210 gr VPN tunnel frequently flap

‎06-22-2020 06:04 PM

Hi,

 

We implemented the suggested changes but the BGP tunnel flap issue is still there.

Any suggestions or logs required?

 

Thank you..


Re: srx210 gr VPN tunnel frequently flap

‎06-22-2020 08:29 PM

Hello Target,

 

Good day!
Can you please check the below and let us know the updates.

 

1. How frequently does the BGP tunnel flap? Is there a specific time interval after which it goes down and comes back up?
2. Is the interface added to a trust zone on the SRX device?
3. Do you see any issues on the link between the peers? Any hardware issue?
4. Do you have any hold-times configured on the connecting interfaces?
5. Can you verify the output of the following commands:

>> show bgp neighbor <neighbor_id>
>> show bgp summary
>> show interfaces gre statistics detail


You can check the debug output by enabling traceoptions for BGP and check for the logs at the time of the flap.

[edit protocols]
bgp {
    traceoptions {
        file bgp_log world-readable;
        flag all;
    }
}

 


Regards,
Vishaal


Accept as Solution = cool ! (Help fellow community members with similar query be redirected here instead of them reposting again)
Accept as Solution+Kudo = You are a Star !
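
Question 1 in the reply above (how often the session flaps, and whether the gap is regular) can be answered straight from the "show log messages" output. This is an added example, not part of the original thread: the sample lines are constructed in the format of the BFD trap quoted in the first post, and the function names and the assumed year are illustrative.

```python
import re
from datetime import datetime

# Constructed sample, in the format of the "show log messages" lines quoted in the thread.
SAMPLE_LOG = """\
Jun 15 09:17:31 fw-blr01 bfdd[1431]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 4, new state: down, interface: gr-0/0/0.20, peer addr: 10.71.17.18
Jun 15 09:17:31 fw-blr01 rpd[1421]: bgp_process_idled_flag_change:3404: NOTIFICATION sent to 10.71.17.18 (External AS 65377): code 6 (Cease) subcode 2 (Administratively Shutdown), Reason: Session down till BFD signals otherwise
Jun 15 09:47:31 fw-blr01 bfdd[1431]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 4, new state: down, interface: gr-0/0/0.20, peer addr: 10.71.17.18
Jun 15 10:17:31 fw-blr01 bfdd[1431]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 4, new state: down, interface: gr-0/0/0.20, peer addr: 10.71.17.18
"""

BFD_DOWN = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ bfdd\[\d+\]: BFDD_TRAP_SHOP_STATE_DOWN: "
    r".*new state: down, interface: (\S+), peer addr: (\S+)"
)

def parse_bfd_downs(text, year=2020):
    """Return {(interface, peer): [datetime, ...]} for every BFD down trap.
    Syslog lines carry no year, so `year` is an assumption supplied by the caller."""
    events = {}
    for line in text.splitlines():
        m = BFD_DOWN.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.setdefault((m.group(2), m.group(3)), []).append(when)
    return {k: sorted(v) for k, v in events.items()}

def flap_intervals(times):
    """Seconds between consecutive down events of one session."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def is_periodic(intervals, tolerance=5.0):
    """True when at least two gaps exist and all agree within `tolerance` seconds,
    i.e. the session drops at a fixed interval rather than at irregular times."""
    return len(intervals) >= 2 and max(intervals) - min(intervals) <= tolerance

if __name__ == "__main__":
    for (iface, peer), times in parse_bfd_downs(SAMPLE_LOG).items():
        gaps = flap_intervals(times)
        print(f"{iface} peer {peer}: {len(times)} BFD downs, gaps (s): {gaps}, "
              f"periodic: {is_periodic(gaps)}")
```
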

Re: srx210 gr VPN tunnel frequently flap

‎06-22-2020 09:35 PM

Hello,

Did you disable the flow control also? Still seeing the same issue.

Do you have any screen options set on the SRX zone where the BFD is configured?

Do you see high RE CPU during the same?

 

 


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: srx210 gr VPN tunnel frequently flap

‎06-26-2020 12:10 PM

Hi Sam

Did you disable the flow control also? Still seeing the same issue.

--> I tried the suggested command to disable flow control. The command was accepted and the commit completed, but flow control was not disabled.

Do you have any screen options set on the SRX zone where the BFD is configured?

--> Yes, for the untrust zone.

Do you see high RE CPU during the same?

--> No.
