vSRX Sending ICMP redirects when it shouldn't

04-01-2020 04:20 AM

We have a vSRX with JunoOS version 12.1X47-D10.4. The hostname of the firewall is fw1.


It has a connected interface reth1.123 with IP

A host on that LAN segment (Host1) with IP is sending a ping to a destination that is being learned by fw1 from three eBGP sources:

  • reth1.456 peer - local pref 200
  • reth1.789 and peers - local pref 100 (two BGP sessions from a pair of routers using an FHRP)


steve@fw1> show route

inet.0: 334 destinations, 783 routes (334 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
*[BGP/170] 18:05:20, localpref 200
AS path: 64512 I
> to via reth1.456
[BGP/170] 15w3d 11:19:41, MED 0, localpref 100
AS path: 64513 ?
> to via reth1.789
[BGP/170] 15w5d 16:22:32, MED 0, localpref 100
AS path: 64513 ?
> to via reth1.789

There is nothing blocking anything between security zones.


If Host1 is pinging, and we bring down the bgp peering to, the next-hop to should take over.


And indeed, from the firewall's point of view, becomes the new next hop. But the vSRX then does something weird.


It sends an ICMP redirect to Host1 telling it that the next hop is. Host1 then tries to ARP for this new next hop and, naturally, gets nowhere.


What's worse, when the BGP session to is restored, the server doesn't regain connectivity (presumably it is still waiting for the ARP response from


So my question is, why does the vSRX send an ICMP redirect? Surely it would recognise that the new next-hop is not on the same subnet as the sending host and refrain from sending the redirect.


I've tried to disable sending of ICMP redirects:


steve@fw1# show interfaces reth1.123
vlan-id 123;
family inet {

But running a new test shows it is still sending an ICMP redirect, and according to this documentation I'll need to reboot the firewall for it to take effect. That seems crazy. Although it shouldn't be sending a redirect in the first place!


So I'm at a loss for the best next step to take...
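To make concrete what the post expects of the firewall, here is an added example (not code from the thread or from Junos) that encodes the RFC 1812 conditions under which a router may send an ICMP redirect and walks through the failover described above. All prefixes, addresses and the simplified best-path selection are constructed, since the post does not show the real ones.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Interface:
    name: str
    subnet: ipaddress.IPv4Network   # directly connected subnet

# Constructed addressing; the thread does not show the real prefixes.
FW1_INTERFACES = (
    Interface("reth1.123", ipaddress.ip_network("192.0.2.0/24")),     # Host1's LAN
    Interface("reth1.456", ipaddress.ip_network("198.51.100.0/24")),  # localpref-200 peer
    Interface("reth1.789", ipaddress.ip_network("203.0.113.0/24")),   # localpref-100 FHRP pair
)

# (next_hop, local_pref) mirroring the "show route" output, with constructed addresses.
BGP_PATHS = (("198.51.100.1", 200), ("203.0.113.1", 100), ("203.0.113.2", 100))

def connected_interface(addr, interfaces):
    """Interface whose subnet contains addr, or None if addr is not directly connected."""
    addr = ipaddress.ip_address(addr)
    return next((i for i in interfaces if addr in i.subnet), None)

def select_next_hop(paths, down_peers=()):
    """Simplified BGP best path: highest local preference among peers still up.
    Ties keep list order; real Junos applies further tie-breakers (MED, router ID, ...)."""
    alive = [p for p in paths if p[0] not in down_peers]
    return max(alive, key=lambda p: p[1])[0] if alive else None

def should_send_redirect(src, next_hop, interfaces, source_routed=False):
    """RFC 1812 section 5.2.7.2: send a redirect only if the packet leaves on the
    interface it arrived on, source and next hop share that subnet, and the packet
    carries no source-route option. One subnet per interface is assumed here, so
    'same interface' and 'same subnet' coincide."""
    ingress = connected_interface(src, interfaces)
    egress = connected_interface(next_hop, interfaces)
    if ingress is None or egress is None or source_routed:
        return False
    return ingress == egress

def redirect_after_failover(host, paths, down_peers, interfaces):
    """Next hop chosen after the given peers go down, and whether a redirect is due."""
    nh = select_next_hop(paths, down_peers)
    return nh, (nh is not None and should_send_redirect(host, nh, interfaces))

if __name__ == "__main__":
    host1 = "192.0.2.10"
    print(redirect_after_failover(host1, BGP_PATHS, (), FW1_INTERFACES))                 # ('198.51.100.1', False)
    print(redirect_after_failover(host1, BGP_PATHS, ("198.51.100.1",), FW1_INTERFACES))  # ('203.0.113.1', False)
    print(should_send_redirect(host1, "192.0.2.254", FW1_INTERFACES))                   # True: router on Host1's LAN
```

The third call shows the only situation in which a redirect is legitimate, a next hop on Host1's own segment; the failover next hop on reth1.789 fails the same-interface test, which is what the post argues.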


Re: vSRX Sending ICMP redirects when it shouldn't

04-01-2020 05:03 AM

Hi Steve,


I don't have a solution, but is this a vSRX-1, AKA VGW? It has been EOL for a while now.

The current vSRX aka vSRX2 starts from 15.1X49.


You may want to consider migrating to vSRX2 or even better, vSRX3.


Re: vSRX Sending ICMP redirects when it shouldn't

04-01-2020 06:13 AM

- vSRX is not VGW (but 12.1X47 is EOL since quite a while indeed: https://support.juniper.net/support/eol/software/junos/ )


- (at least) "set system no-redirects" is meant to have been fixed so that it shouldn't require a reboot anymore / https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR894194


- why the SRX sends redirects ... I'm baffled. But no time to lab this atm. Suggest to open a case or wait for somebody with more clue to come along.

If this worked for you please flag my post as an 'Accepted Solution' so others can benefit. A kudo would be cool if you think I earned it.