cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1184
Views
5
Helpful
4
Replies

viptela BFD/IPsec weird behavior

oldcreek12
Level 1
Level 1

Hi, I am having a weird problem I can not explain, and need your input to solve this mystery. I have a viptela vedge connected to a Juniper EX switch/router that is the gateway to Internet, this vEdge router has many inbound/outbound IPsec connections and worked just fine, today I need to enforce the stateless ACL rules for traffic going to EX switch's control plane (sam as IOS's control plane policing), the ACL will only affect the traffic going to the router's control plane CPU (Juniper calls it Routing Engine), it will not affect transit traffic coming into/going out Viptela vEdge. However after the change is made, vEdge reported that BFD over those IPsec tunnels are down therefore brought down those IPsec tunnels, I had to immediately roll back the change.

 

I can not make sense out of this behavior, does Viptela vEdge depend on some control traffic directly to its gateway device I might've missed?

 

Thanks,

4 Replies 4

David Aicher
Cisco Employee
Cisco Employee

By default BFD uses CS6 for marking.  check with Juniper to see if this might get caught up in the control plane ACL.  Even though the traffic is transit it may see that as "control" traffic and punt it. 

 

 

Thanks for your reply, why would any device punt a packet based on QoS marking? regardless, BFD packets are encapsulated inside IPsec right? there is no BFD session running between Viptela and Juniper EX switch.

that's a great question.  I have seen some odd behavior with packets marked cs6 before.   It is not a common marking for transit packets.  Typically cs6 is used for control packets or routing advertisements which are locally terminated.  Your original question was what might be causing traffic to hit the control plane ACL.   I was offering an idea given that this is an odd marking and could be misunderstood as a local control packet for some reason due to the marking. 

 

Correct on the second part BFD is effectively between two edge routers and should be transparent to the router in between.   it is just a transit UDP packet that is marked CS6. 

Transit ESP packet or UDP packet?

Review Cisco Networking for a $25 gift card