vSRX Sending ICMP redirects when it shouldn't

04-01-2020 04:20 AM

We have a vSRX running Junos OS version 12.1X47-D10.4. The hostname of the firewall is fw1.


It has a connected interface reth1.123 with IP 192.168.1.1/24.

A host on that LAN segment (Host1) with IP 192.168.1.50 is sending a ping 1.1.1.1.


1.1.1.1 is learned by fw1 from three eBGP sources:

  • reth1.456 172.16.1.1 peer - local pref 200
  • reth1.789 172.17.1.1 and 172.17.1.2 peers - local pref 100 (two BGP sessions from a pair of routers using an FHRP)


steve@fw1> show route 1.1.1.1

inet.0: 334 destinations, 783 routes (334 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[BGP/170] 18:05:20, localpref 200
                      AS path: 64512 I
                    > to 172.16.1.1 via reth1.456
                    [BGP/170] 15w3d 11:19:41, MED 0, localpref 100
                      AS path: 64513 ?
                    > to 172.17.1.1 via reth1.789
                    [BGP/170] 15w5d 16:22:32, MED 0, localpref 100
                      AS path: 64513 ?
                    > to 172.17.1.2 via reth1.789

{primary:node1}
steve@fw1>


There is nothing blocking anything between security zones.


If Host1 is pinging 1.1.1.1, and we bring down the bgp peering to 172.16.1.1, the next-hop to 172.17.1.1 should take over.


And indeed, from the firewall's point of view, 172.17.1.1 becomes the new next hop. But the vSRX then does something weird.


It sends an ICMP redirect to Host1 telling it that the next hop is 172.17.1.1. Host1 then tries to ARP for this new next hop and, naturally, gets nowhere.


What's worse, when the BGP session to 172.16.1.1 is restored, the server doesn't regain connectivity (presumably it is still waiting for the ARP response from 172.17.1.1).


So my question is, why does the vSRX send an ICMP redirect? Surely it would recognise that the new next-hop is not on the same subnet as the sending host and refrain from sending the redirect.


I've tried to disable sending of ICMP redirects:


steve@fw1# show interfaces reth1.123
vlan-id 123;
family inet {
    no-redirects;
    address 192.168.1.1/24;
}

{primary:node1}[edit]

But running a new test shows it is still sending an ICMP redirect, and according to this documentation I'll need to reboot the firewall for it to take effect. That seems crazy. Although it shouldn't be sending a redirect in the first place!


So I'm at a loss for the best next step to take....
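The redirect rules the poster is appealing to are written down in RFC 1812 (router side) and RFC 1122 (host side). The following is an added example, not code from the thread or from Junos: it encodes both sets of conditions with the standard library and runs them against the addresses in the post (fw1's reth1.123 at 192.168.1.1/24, Host1 at 192.168.1.50, the post-failover next hop 172.17.1.1 via reth1.789). The second router at 192.168.1.2 in the contrasting case is a constructed address, and the assumption that one interface carries one logical subnet is noted in the code.

```python
"""Check an ICMP redirect against RFC 1812 s5.2.7.2 and RFC 1122 s3.2.2.2.

Added example, not code from the thread or from Junos. Interface names and
addresses are taken from the post except where marked as constructed.
"""
from ipaddress import IPv4Address, IPv4Interface


def router_should_redirect(in_ifname: str, in_iface_cidr: str, src_ip: str,
                           next_hop_ip: str, out_ifname: str,
                           has_source_route_option: bool = False) -> bool:
    """Return True only if every RFC 1812 s5.2.7.2 condition holds.

    A router MUST NOT send a redirect unless:
      1. the packet leaves via the same interface it arrived on,
      2. the packet's source and the new next hop share a logical subnet
         (assumed here to be the subnet configured on that interface),
      3. the packet carries no IP source-route option.
    """
    lan = IPv4Interface(in_iface_cidr).network
    src, next_hop = IPv4Address(src_ip), IPv4Address(next_hop_ip)
    if has_source_route_option:
        return False
    if out_ifname != in_ifname:
        return False
    return src in lan and next_hop in lan


def host_should_accept_redirect(host_iface_cidr: str, redirect_src_ip: str,
                                current_first_hop_ip: str, new_gw_ip: str) -> bool:
    """Host-side filter from RFC 1122 s3.2.2.2.

    Silently discard the redirect unless it comes from the current
    first-hop gateway and names a gateway on the host's own connected net.
    """
    lan = IPv4Interface(host_iface_cidr).network
    if IPv4Address(redirect_src_ip) != IPv4Address(current_first_hop_ip):
        return False
    return IPv4Address(new_gw_ip) in lan


# Addresses and interface names from the post.
FW_LAN_IF, FW_LAN_CIDR = "reth1.123", "192.168.1.1/24"
HOST1_IP = "192.168.1.50"


def failover_case() -> bool:
    """The post's failover: best path moves to 172.17.1.1 via reth1.789.
    Next hop is off-link and on another interface, so no redirect is due."""
    return router_should_redirect(FW_LAN_IF, FW_LAN_CIDR, HOST1_IP,
                                  "172.17.1.1", "reth1.789")


def on_link_router_case() -> bool:
    """Constructed contrast: a second router at 192.168.1.2 on the same LAN
    (assumed address, not in the post). Here a redirect is legitimate."""
    return router_should_redirect(FW_LAN_IF, FW_LAN_CIDR, HOST1_IP,
                                  "192.168.1.2", FW_LAN_IF)


def host1_accepts_post_redirect() -> bool:
    """What Host1 should have done with the redirect it received from fw1."""
    return host_should_accept_redirect("192.168.1.50/24", "192.168.1.1",
                                       "192.168.1.1", "172.17.1.1")


if __name__ == "__main__":
    print("redirect after failover :", failover_case())               # False
    print("redirect to on-link gw  :", on_link_router_case())         # True
    print("Host1 accepts redirect  :", host1_accepts_post_redirect())  # False
```

The router-side function is the check the post expects fw1 to perform: the new next hop 172.17.1.1 is neither on 192.168.1.0/24 nor reachable through reth1.123, so both the interface and the subnet conditions fail. The host-side function is the complementary safeguard: a host applying RFC 1122 would discard that redirect rather than ARP for an off-link gateway, which is why host stacks expose a switch for this (on Linux, the `net.ipv4.conf.all.accept_redirects` sysctl), independent of whatever the router does.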


Re: vSRX Sending ICMP redirects when it shouldn't

04-01-2020 05:03 AM

Hi Steve,


I don't have a solution, but is this a vSRX-1, AKA VGW? It has been EOL for a while now.

The current vSRX, aka vSRX2, starts from 15.1X49.


You may want to consider migrating to vSRX2 or even better, vSRX3.

Regards,
Gokul

Re: vSRX Sending ICMP redirects when it shouldn't

04-01-2020 06:13 AM

- vSRX is not VGW (but 12.1X47 has indeed been EOL for quite a while: https://support.juniper.net/support/eol/software/junos/ )


- (at least) "set system no-redirects" is meant to have been fixed so that it shouldn't require a reboot anymore / https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR894194


- why the SRX sends redirects ... I'm baffled. But no time to lab this atm. I suggest opening a case or waiting for somebody with more clue to come along.
