First packet lost when L2L3 serialization is used together with a broadcast ip-flow-rule in the L3 vap-group.
This article explains that, under certain conditions, the very first packet of a flow can be lost when L2L3 serialization is used.
If the architecture below is used, the first packet of a flow (the connection initiation, not a reply) from A to any destination (B or the chassis itself) is lost on the NPM, because the cct field in the u-header, which is used for flow classification, is not correct for the very first packet of the flow. No FSC is generated and sent to the L3 vap-group members because of the broadcast ip-flow-rule, and, unlike the FSC code path in the flowd code, the cct field is not updated with the egress circuit id. The first packet therefore shows up with the circuit id of the bridge circuit, intoutside_ips (1034), instead of the dhcp circuit id, 1074. Once the flow is provisioned, subsequent packets of the same flow are forwarded directly to the VAPs with the correct circuit id.
A (client) - X_series (ISS IPS - CP) - B (server)
The following XOS configuration reproduces the issue with ICMP traffic; the problem is especially critical with VPN Office Mode when the firewall acts as DHCP relay and the DHCP pool is configured on an external DHCP server.
vap-group iss xslinux_v3
  max-load-count 1
  ap-list ap6
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule lb
    action load-balance
    activate