Dear Experts!
Setup is an EX4200 stack running 12.3R12.4 (old release for stability reasons) with a routing-instance with instance-type virtual-router. Within this virtual router are two SVIs: vlan.5 and vlan.20. VLAN 5 is connecting to our office switch and firewall, VLAN 20 is the Management VLAN on the site.
In VLAN 20 are Linux hosts, routes, others. And all show the same behaviour:
Pinging from the Office firewall via vlan.5 routed to vlan.20, the first packet is lost until the ARP response is finished. As soon as the ARP entry is done, all is running smoothly.
So I placed a target into VLAN 20 and VLAN 6 on a trunk port whereas VLAN 6 is in the global inet routing table. While this does NOT happen on vlan.6 interface, it happens every time after a clear arp in the virtual router.
This is also true for the first SYN packet, first DNS query, first packet independent of any protocol.
This is also true for different types of endpoints connected to VLAN 6 and VLAN 20. In VLAN 20 the packet is NOT queued for some amount of time until ARP finished while it is queued in e.g. VLAN 6.
Why is there a different behaviour in virtual router and global routing table?
Any configuration issues I can configure that?
All my googling and searching and document reading do not show any results in that direction. Any help is appreciated most!
Thanks!
Walter
P.S.: Also a control plane firewall on lo0 has no influence on this behaviour. Or do I need to allow something special there, more than term default { then { accept; } } at the end? Any denies that could match here?
switch# show routing-instances
    oam {
        description "OAM Mgmt VPN";
        instance-type virtual-router;
        interface lo0.5;
        interface vlan.5;
        interface vlan.20;
        ...
        protocols {
            ospf {
                export OSPF-REDIST-OAM;
                reference-bandwidth 10k;
                area 0.0.0.0 {
                    interface vlan.5 {
                        metric 50;
                        priority 75;
                        hello-interval 1;
                        dead-interval 4;
                        authentication {
                            md5 1 key "****";
                        }
                        bfd-liveness-detection {
                            minimum-interval 300;
                            minimum-receive-interval 300;
                            multiplier 3;
                        }
                    }
                    interface lo0.5 {
                        passive;
                    }
                    interface vlan.20 {
                        passive;
                        metric 50;
                    }
                }
            }
        }
    }
switch# show interfaces vlan.20
    description "OAM Server LAN";
    family inet {
        mtu 1500;
        address 10.168.44.7/23 {
            # not tried to remove the VRRP config yet
            preferred;
            vrrp-group 20 {
                virtual-address 10.168.44.254;
                priority 120;
                preempt;
                accept-data;
                authentication-type simple;
                authentication-key "***";
            }
        }
    }

switch# show interfaces vlan.6
    family inet {
        mtu 1500;
        filter {
            # in/out filters do not have any influence on this issue
            input VLAN6-IN;
            output VLAN6-OUT;
        }
        address a.b.c.38/29; # some official IP
    }