Analysis of the problem:
- The problem happens only on traffic incoming to the X-Series side of the LACP bundle.
- Problem disappears when using only one link or only one NPM in the bundle
- The issue is related to the switch sending IP fragments on more than one link.
- Each fragment may reach a different NPM and therefore cannot be reassembled to determine to which firewall the fragmented packet should go. UDP/TCP information cannot be deduced from the fragment if the first fragment hasn't been received by this NPM.
How to address this issue:
- The X-Series platform does not support fragments of the same flow being received on multiple NPMs for a given LACP bundle
- Configure the LACP to use all links on a single NPM
- Configure the upstream switches to send all packets for a given flow to a single link within the configured LACP
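As an added illustration (not from the original note) of the analysis and the two remedies above, this Python model sends the fragments of one datagram through a four-link LACP bundle under a 5-tuple and an IP-pair distribution policy, and counts the fragments whose receiving NPM never saw the first fragment. The byte-sum hash, the link-to-NPM layout and the sample datagram are constructed assumptions, not the switch's or the X-Series platform's actual behaviour.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int                  # IP Identification: shared by all fragments of a datagram
    offset: int                 # fragment offset; 0 only for the first fragment
    ports: Optional[tuple]      # (sport, dport): present only in the first fragment

def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def key_l4(f: Fragment) -> bytes:
    # "5-tuple" policy: later fragments carry no UDP/TCP header, so ports read as 0
    sport, dport = f.ports or (0, 0)
    return ip_bytes(f.src) + ip_bytes(f.dst) + struct.pack("!BHH", f.proto, sport, dport)

def key_l3(f: Fragment) -> bytes:
    return ip_bytes(f.src) + ip_bytes(f.dst)   # IP-pair policy: same for every fragment

def pick_link(key: bytes, n_links: int) -> int:
    return sum(key) % n_links   # constructed toy hash; real switches use CRC/XOR style hashes

def classify(frags, key_fn, link_to_npm):
    """Return fragments whose receiving NPM never saw the first fragment (no port info)."""
    seen_first, unclassifiable = set(), []
    for f in frags:             # wire order: first fragment is sent first
        npm = link_to_npm[pick_link(key_fn(f), len(link_to_npm))]
        dg = (npm, f.src, f.dst, f.proto, f.ident)
        if f.offset == 0:
            seen_first.add(dg)
        elif dg not in seen_first:
            unclassifiable.append(f)
    return unclassifiable

# Constructed sample: one UDP datagram 10.0.0.1:40001 -> 10.0.0.2:53 in three fragments
DATAGRAM = [
    Fragment("10.0.0.1", "10.0.0.2", 17, 0x1234, 0, (40001, 53)),
    Fragment("10.0.0.1", "10.0.0.2", 17, 0x1234, 185, None),
    Fragment("10.0.0.1", "10.0.0.2", 17, 0x1234, 370, None),
]
TWO_NPMS = {0: 0, 1: 0, 2: 1, 3: 1}   # assumed layout: 4-link LACP, two links per NPM
ONE_NPM = {0: 0, 1: 0, 2: 0, 3: 0}    # all four links on a single NPM (the recommended setup)

if __name__ == "__main__":
    for key_fn, layout in ((key_l4, TWO_NPMS), (key_l3, TWO_NPMS), (key_l4, ONE_NPM)):
        print(key_fn.__name__, layout, len(classify(DATAGRAM, key_fn, layout)), "unclassifiable")
```

With the 5-tuple policy and two NPMs the first fragment lands on one NPM and the remaining two on the other, so both later fragments are unclassifiable; either hashing on the IP pair or placing all links on one NPM brings that count to zero.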
The following extract of the IEEE 802.3 standard shows why distributing the fragments of one conversation across several links does not conform to the standard.
43.2.4 Frame Distributor
The Frame Distributor is responsible for taking outgoing frames from the MAC Client and transmitting them through the set of links that form the Link Aggregation Group. The Frame Distributor implements a distribution function (algorithm) responsible for choosing the link to be used for the transmission of any given frame or set of frames.
This standard does not mandate any particular distribution algorithm(s); however, any distribution algorithm shall ensure that, when frames are received by a Frame Collector as specified in 43.2.3, the algorithm shall not cause
a) Mis-ordering of frames that are part of any given conversation, or
b) Duplication of frames.
The above requirement to maintain frame ordering is met by ensuring that all frames that compose a given conversation are transmitted on a single link in the order that they are generated by the MAC Client; hence, this requirement does not involve the addition (or modification) of any information to the MAC frame, nor any buffering or processing on the part of the corresponding Frame Collector in order to reorder frames.
This approach to the operation of the distribution function permits a wide variety of distribution and load balancing algorithms to be used, while also ensuring interoperability between devices that adopt differing algorithms.