TWAMP ALG

The Two-Way Active Measurement Protocol (TWAMP) is an open protocol for measuring network performance between any two devices in a network that supports the protocols in the TWAMP framework. The TWAMP Application Layer Gateway (ALG) extracts the IP addresses and the port details from messages between the control client and the TWAMP server and performs the IP address translation and gate opening to permit test sessions.

Understanding the Two-Way Active Measurement Protocol (TWAMP) Application Layer Gateway (ALG)

The Two-Way Active Measurement Protocol (TWAMP) is an open protocol for measuring network performance between any two devices in a network that supports the protocols in the TWAMP framework.

Starting from Junos OS Release 18.2R1, the TWAMP ALG is supported to enable the TWAMP data traffic to pass through the NFX Series or SRX Series Firewall without needing a predefined policy permission.

An Application Layer Gateway (ALG) is a software component designed to manage specific protocols, such as Session Initiation Protocol (SIP) or FTP, on Juniper Networks devices running Junos OS. The ALG module is responsible for application-layer-aware packet processing.

The TWAMP ALG is located between the control client and the TWAMP server. The TWAMP ALG extracts the IP addresses and the port details from messages between the control client and the TWAMP server and performs the IP address translation and gate opening to permit test sessions. The TWAMP ALG performs the following functions:

  • Decoding all the TWAMP control messages.

  • Performing the TWAMP message sanity checks and decoding.

  • Performing the IP address translation when the device is configured with NAT.

Understanding TWAMP ALG

TWAMP consists of the following interrelated protocols:

  • TWAMP-Control is used to initiate, start, and stop the test sessions between the control client and the TWAMP server.

  • TWAMP-Test is used to exchange the test packets between the session sender and the session reflector.

Figure 1: TWAMP ALG

As shown in Figure 1, the control client initiates all requested test sessions with the TWAMP server through the control connection. Meanwhile, the TWAMP ALG extracts the IP addresses and the port details from the messages in both directions to open a pinhole that permits the test sessions. During this stage, the TWAMP ALG might bypass the packets if the TWAMP server and the TWAMP client support unauthenticated mode.

In this case, the session sender and the reflector can exchange the test packets according to the TWAMP-Test protocol for each active test session.
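The decoding, sanity-check and address-extraction steps described above can be illustrated with the following added example, which is not Juniper's ALG code. It parses a cleartext (unauthenticated mode) Request-TW-Session message using the field layout from RFC 5357 section 3.5; the function names and sample values are assumptions made for illustration.

```python
import ipaddress
import struct

REQUEST_TW_SESSION = 5  # command number (RFC 5357, section 3.5)
MESSAGE_LEN = 112       # fixed length of Request-TW-Session in octets


def parse_request_tw_session(msg, hdr_src, hdr_dst):
    """Return (sender, sender_port, receiver, receiver_port) or raise ValueError.

    hdr_src/hdr_dst are the control connection's IP header addresses.
    """
    if len(msg) != MESSAGE_LEN:
        raise ValueError("wrong length for Request-TW-Session")
    (cmd, mbz_ipvn, conf_snd, conf_rcv,
     slots, packets, s_port, r_port) = struct.unpack_from("!BBBBIIHH", msg, 0)
    if cmd != REQUEST_TW_SESSION:
        raise ValueError("not a Request-TW-Session command")
    ipvn = mbz_ipvn & 0x0F
    if mbz_ipvn >> 4 or ipvn not in (4, 6):
        raise ValueError("bad MBZ bits or IP version")
    # Inherited from OWAMP; TWAMP requires all four to be zero.
    if conf_snd or conf_rcv or slots or packets:
        raise ValueError("must-be-zero field is set")
    width = 4 if ipvn == 4 else 16
    result = []
    for offset, fallback in ((16, hdr_src), (32, hdr_dst)):
        field = bytes(msg[offset:offset + 16])
        if any(field[width:]):
            raise ValueError("non-zero bytes after IPv4 address")
        addr = ipaddress.ip_address(field[:width])
        # All-zero address: the control connection's own address applies.
        if addr.is_unspecified:
            addr = ipaddress.ip_address(fallback)
        result.append(addr)
    return result[0], s_port, result[1], r_port


def build_sample(sender, s_port, receiver, r_port):
    """Constructed IPv4 message; SID, timestamps and HMAC are left zero."""
    head = struct.pack("!BBBBIIHH", REQUEST_TW_SESSION, 4, 0, 0, 0, 0, s_port, r_port)
    addrs = b"".join(ipaddress.ip_address(a).packed.ljust(16, b"\0")
                     for a in (sender, receiver))
    return (head + addrs).ljust(MESSAGE_LEN, b"\0")
```

The values returned here are only the client's proposal; the server's Accept-Session reply carries the port it actually accepted, so a gate decision needs both messages.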

Limitations for TWAMP ALG

The following are the limitations for the TWAMP ALG:

  • For TWAMP connections, the TWAMP client and the TWAMP server must re-initiate a new control connection for the test in case of failover.

  • During the control connection negotiation, if the server rejects the client request, the client or the server must close the connection.

  • The TWAMP ALG has a timeout period of four seconds to establish the session.

  • The TWAMP ALG requires that the sender address, the receiver address, and the header destination IP be from the same interface to translate the IP address in the payload.

Enabling the Two-Way Active Measurement Protocol (TWAMP) Application Layer Gateway (ALG)

The Two-Way Active Measurement Protocol (TWAMP) Application Layer Gateway (ALG) is supported to enable the TWAMP data traffic to pass through the NFX Series or SRX Series Firewall without needing a predefined policy permission. By default, the TWAMP ALG is disabled.

To enable the TWAMP ALG and traceoptions:

  1. Enable the TWAMP ALG.
  2. Enable the TWAMP traceoptions.

Use the show security alg status command to verify the status of the TWAMP ALG.

Release History Table

Release: 18.2R1
Description: Starting from Junos OS Release 18.2R1, the TWAMP ALG is supported to enable the TWAMP data traffic to pass through the NFX Series or SRX Series Firewall without needing a predefined policy permission.