SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  FTP not working from VR

    Posted 12-03-2014 11:42

    Hi,

    My setup is the Juniper JSEC lab.

     

    JNPR-SV(VR) -> SV ->INTERNET

     

    I have been able to ping successfully from JNPR-SV to INTERNET, but not FTP. I can't even FTP from SV to JNPR-SV. I have enabled FTP on the system hosting JNPR-SV and enabled it (host-inbound) on the VR zone. I have monitored the packets and gathered some info with traceoptions. I know the FTP packets are getting to the destination and it is sending packets back. The problem appears to be on the return, going from SV to JNPR-SV. Is there something special I need to do between the SV zone and the VR zone? Maybe my code is completely wrong. Here is my security config. I also provided the traceoptions output below it.

     

    inactive: flow {
        traceoptions {
            file flow-trace2;
            flag basic-datapath;
            packet-filter f0 {
                source-prefix 172.20.101.10/32;
                destination-prefix 172.31.15.1/32;
            }
        }
    }
    policies {
        from-zone JNPR-SV to-zone untrust {
            policy internet-JNPR-SV {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone JNPR-SV-VR to-zone JNPR-SV {
            policy inter-JNPR-SV {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone JNPR-SV {
            policy return-traffic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone JNPR-SV-VR to-zone untrust {
            policy internet-traffic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone JNPR-SV to-zone JNPR-SV-VR {
            policy traffic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone mgmt {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone JNPR-SV {
            host-inbound-traffic {
                system-services {
                    ftp;
                }
            }
            interfaces {
                lt-0/0/0.101;
            }
        }
        security-zone JNPR-SV-VR {
            host-inbound-traffic {
                system-services {
                    ping;
                    ftp;
                }
            }
            interfaces {
                lt-0/0/0.111;
            }
        }
    }

    Selected traceoptions output...

     

    Dec  3 18:28:47 18:28:46.843459:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
    Dec  3 18:28:47 18:28:46.843464:CID-0:RT:packet [40] ipid = 0, @0x4dc7ccce
    Dec  3 18:28:47 18:28:46.843465:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4dc7ca80, rtbl_idx = 0
    Dec  3 18:28:47 18:28:46.843467:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/3.0
    Dec  3 18:28:47 18:28:46.843469:CID-0:RT:  ge-0/0/3.0:172.31.15.1/21->172.20.101.10/55860, tcp, flag 14 rst
    Dec  3 18:28:47 18:28:46.843472:CID-0:RT: find flow: table 0x5cb2e4f0, hash 49051(0xffff), sa 172.31.15.1, da 172.20.101.10, sp 21, dp 55860, proto 6, tok 7
    Dec  3 18:28:47 18:28:46.843477:CID-0:RT:Found: session id 0x18e70. sess tok 7
    Dec  3 18:28:47 18:28:46.843478:CID-0:RT:  flow got session.
    Dec  3 18:28:47 18:28:46.843478:CID-0:RT:  flow session id 102000
    Dec  3 18:28:47 18:28:46.843489:CID-0:RT: vector bits 0x8082 vector 0x589eae18
    Dec  3 18:28:47 18:28:46.843493:CID-0:RT: ****jsf svc chain: sess id 102000, dir 2, nat_done 0, pak pid 9951944, first pid 27
    Dec  3 18:28:47 18:28:46.843495:CID-0:RT: plugin name junos-tcp-clt-emul. action JSF_SESSION_ACTION_NONE, stbuf 0x577a0670
    Dec  3 18:28:47 18:28:46.843503:CID-0:RT: jsf resume sess id 102000, direction 2
    Dec  3 18:28:47 18:28:46.843504:CID-0:RT: jsf sess id timed close. sess 102000, pid 27
    Dec  3 18:28:47 18:28:46.843506:CID-0:RT:PKT-PROC for plugin junos-tcp-clt-emul jbuf 0x66cf09ec, sess jsf flags 0x0, rc 9
    Dec  3 18:28:47 18:28:46.843507:CID-0:RT: begin walk strm chain: sess id 102000, dir 2
    Dec  3 18:28:47 18:28:46.843508:CID-0:RT:  walk: pid 27, prev stbuf 0x0, curr stbuf 0x577a0670, ignore 0
    Dec  3 18:28:47 18:28:46.843510:CID-0:RT:  walk: pid 24, prev stbuf 0x577a0670, curr stbuf 0x577a0600, ignore 0
    Dec  3 18:28:47 18:28:46.843513:CID-0:RT: jsf resume sess id 102000, direction 2
    Dec  3 18:28:47 18:28:46.843514:CID-0:RT: jsf resume sess id 102000, direction 2
    Dec  3 18:28:47 18:28:46.843516:CID-0:RT:  Moved 0 bytes, rc=102. Prev tx empty[1], Curr Rx Empty[1], resume reqd[0]
    Dec  3 18:28:47 18:28:46.843517:CID-0:RT:  walk: pid 10, prev stbuf 0x577a0600, curr stbuf 0x577a0590, ignore 0
    Dec  3 18:28:47 18:28:46.843520:CID-0:RT: jsf resume sess id 102000, direction 2
    Dec  3 18:28:47 18:28:46.843523:CID-0:RT: jsf reinj pak pid 10, dir 2, jbuf 0x66cf0ae4, release hold 0
    Dec  3 18:28:47 18:28:46.843525:CID-0:RT:jsf_inject_pkt_to_flow: Fill in flow_ctxt->rtbl_idx(0) based on natp, cos 0.
    Dec  3 18:28:47 18:28:46.843529:CID-0:RT: jsf sess id timed close. sess 102000, pid 10
    Dec  3 18:28:47 18:28:46.843531:CID-0:RT:  Moved 0 bytes, rc=102. Prev tx empty[1], Curr Rx Empty[1], resume reqd[0]
    Dec  3 18:28:47 18:28:46.843533:CID-0:RT:  total bytes moved 0, resume reqd 0
    Dec  3 18:28:47 18:28:46.843534:CID-0:RT: after stream walk jb 0x66cf09ec, rc 9, ctx.jb 0x0
    Dec  3 18:28:47 18:28:46.843535:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 5)
    
    
    Dec  3 18:28:47 18:28:46.843541:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
    Dec  3 18:28:47 18:28:46.843543:CID-0:RT:packet [40] ipid = 528, @0x52dda700
    Dec  3 18:28:47 18:28:46.843544:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 28, common flag 0x800, mbuf 0x52dda480, rtbl_idx = 0
    Dec  3 18:28:47 18:28:46.843550:CID-0:RT:flow process pak, mbuf 0x52dda480, ifl 0, ctxt_type 28 inq type 6
    Dec  3 18:28:47 18:28:46.843551:CID-0:RT:change ifl to 0x49
    Dec  3 18:28:47 18:28:46.843552:CID-0:RT: in_ifp <untrust:ge-0/0/3.0>
    Dec  3 18:28:47 18:28:46.843554:CID-0:RT:setting rtt to:0x6aa98ff8 based on VR ID:0 carried over in flow ctxt,  proto 2(ipv4)
    Dec  3 18:28:47 18:28:46.843556:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x6aa98ff8
    Dec  3 18:28:47 18:28:46.843557:CID-0:RT: jsf reinj: ctxt flag 0 sess 102000 src pid 10 reinj flag 4
    Dec  3 18:28:47 18:28:46.843559:CID-0:RT:host inq check inq_type 0x6
    Dec  3 18:28:47 18:28:46.843560:CID-0:RT:  flow session id 102000
    Dec  3 18:28:47 18:28:46.843561:CID-0:RT: vector bits 0x8082 vector 0x589eae18
    Dec  3 18:28:47 18:28:46.843563:CID-0:RT:****jsf svc chain: sess id 102000, dir 2. No more plugins
    Dec  3 18:28:47 18:28:46.843564:CID-0:RT: tcp 3way refresh, is_half_open:0, is_fwauth:0
    Dec  3 18:28:47 18:28:46.843565:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    Dec  3 18:28:47 18:28:46.843567:CID-0:RT:mbuf 0x52dda480, exit nh 0x110010
    Dec  3 18:28:47 18:28:46.843568:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0xbf97d738 associated with mbuf 0x52dda480
    Dec  3 18:28:47 18:28:46.843570:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Dec  3 18:28:47 18:28:46.843577:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
    Dec  3 18:28:47 18:28:46.843579:CID-0:RT:packet [40] ipid = 528, @0x52dda700
    Dec  3 18:28:47 18:28:46.843581:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x52dda480, rtbl_idx = 5
    Dec  3 18:28:47 18:28:46.843582:CID-0:RT: flow_process_pkt_exception mbuf 0x52dda480, ifd=76, ctxt_type=0, in_ifp <JNPR-SV-VR:lt-0/0/0.111>
    Dec  3 18:28:47 18:28:46.843585:CID-0:RT:  lt-0/0/0.111:172.31.15.1/21->172.20.101.10/55860, tcp, flag 14 rst
    Dec  3 18:28:47 18:28:46.843588:CID-0:RT: find flow: table 0x5cb2e4f0, hash 49051(0xffff), sa 172.31.15.1, da 172.20.101.10, sp 21, dp 55860, proto 6, tok 20490
    Dec  3 18:28:47 18:28:46.843592:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Dec  3 18:28:47 18:28:46.843594:CID-0:RT:  packet dropped, first pak not sync
    Dec  3 18:28:47 18:28:46.843595:CID-0:RT:flow_initiate_first_path: first pak no session
    Dec  3 18:28:47 18:28:46.843596:CID-0:RT:  flow find session returns error.
    Dec  3 18:28:47 18:28:46.843597:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0xbf97d738 associated with mbuf 0x52dda480
    Dec  3 18:28:47 18:28:46.843598:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)

    Thanks!



  • 2.  RE: FTP not working from VR

    Posted 12-03-2014 23:37


    Hi Tjordan,

     

    I am not able to understand your topology:

     

    I need the interface details and where is the client and server connected.

     

    From the flow traceoptions:

     

     lt-0/0/0.111:172.31.15.1/21->172.20.101.10/55860, tcp, flag 14 rst
    Dec  3 18:28:47 18:28:46.843588:CID-0:RT: find flow: table 0x5cb2e4f0, hash 49051(0xffff), sa 172.31.15.1, da 172.20.101.10, sp 21, dp 55860, proto 6, tok 20490
    Dec  3 18:28:47 18:28:46.843592:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Dec  3 18:28:47 18:28:46.843594:CID-0:RT:  packet dropped, first pak not sync

     

    Reset packet is sent from the ip address 172.31.15.1 going to the 172.20.101.10.

     

    The SRX is dropping this packet because it is supposed to be received on the ge-0/0/3 interface, but in this case it is received on the lt- interface.

     

    This packet is supposed to match session id 102000, but since it is received on a different interface, it is getting dropped by the SYN check mechanism enforced by the SRX.


    Kindly help me with the source client IP, destination server IP, source interface, destination interface, their IP addresses, etc., and also the flow session information on the SRX.

     

    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
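As an added illustration of the analysis above (this is editor-supplied example code, not something posted by anyone in the thread or shipped by Juniper): a small Python script that walks `basic-datapath` trace records of the kind posted, extracts the ingress interface, the 5-tuple, the session id and any drop reason per packet, and then flags the exact pattern rparthi describes, namely a flow that owns a session on one interface while a packet for the same flow is dropped on another. The sample trace is constructed from a few of the posted lines (abbreviated); the regexes are written against those line shapes and are an assumption about the trace format, not an official parser.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, abbreviated from the trace posted in this thread.
SAMPLE_TRACE = """\
Dec  3 18:28:47 18:28:46.843459:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
Dec  3 18:28:47 18:28:46.843467:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/3.0
Dec  3 18:28:47 18:28:46.843469:CID-0:RT:  ge-0/0/3.0:172.31.15.1/21->172.20.101.10/55860, tcp, flag 14 rst
Dec  3 18:28:47 18:28:46.843477:CID-0:RT:Found: session id 0x18e70. sess tok 7
Dec  3 18:28:47 18:28:46.843478:CID-0:RT:  flow session id 102000
Dec  3 18:28:47 18:28:46.843535:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 5)
Dec  3 18:28:47 18:28:46.843577:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
Dec  3 18:28:47 18:28:46.843582:CID-0:RT: flow_process_pkt_exception mbuf 0x52dda480, ifd=76, ctxt_type=0, in_ifp <JNPR-SV-VR:lt-0/0/0.111>
Dec  3 18:28:47 18:28:46.843585:CID-0:RT:  lt-0/0/0.111:172.31.15.1/21->172.20.101.10/55860, tcp, flag 14 rst
Dec  3 18:28:47 18:28:46.843592:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Dec  3 18:28:47 18:28:46.843594:CID-0:RT:  packet dropped, first pak not sync
Dec  3 18:28:47 18:28:46.843598:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
"""

# Line shapes assumed from the posted trace (not an official grammar).
HEADER_RE = re.compile(
    r"<(?P<sa>[\d.]+)/(?P<sp>\d+)->(?P<da>[\d.]+)/(?P<dp>\d+);(?P<proto>\d+)> matched filter")
PKT_RE = re.compile(
    r"^\s*(?P<ifl>[a-z]+-\d+/\d+/\d+\.\d+):[\d.]+/\d+->[\d.]+/\d+, \w+, flag (?P<flags>.+?)\s*$")
INIFP_RE = re.compile(r"in_ifp <(?P<zone>[^:>]+):(?P<ifl>[^>]+)>")
SESSION_RE = re.compile(r"\bflow session id (?P<sid>\d+)")
DROP_RE = re.compile(r"packet dropped, (?P<reason>.+?)\s*$")


@dataclass
class Packet:
    flow: tuple                     # (src, sport, dst, dport, proto) from the header line
    ifl: Optional[str] = None       # ingress logical interface
    zone: Optional[str] = None      # ingress zone, when the trace names it
    tcp_flags: Optional[str] = None
    session_id: Optional[int] = None
    drop_reason: Optional[str] = None

    @property
    def dropped(self) -> bool:
        return self.drop_reason is not None


def parse_trace(text: str) -> list:
    """Split a basic-datapath trace into one Packet per 'matched filter' record."""
    packets, cur = [], None
    for raw in text.splitlines():
        # Strip the syslog timestamp / CID prefix up to the ':RT:' marker.
        body = raw.split(":RT:", 1)[1] if ":RT:" in raw else raw
        if (m := HEADER_RE.search(body)):
            cur = Packet(flow=(m["sa"], int(m["sp"]), m["da"], int(m["dp"]), int(m["proto"])))
            packets.append(cur)
        elif cur is None:
            continue
        elif (m := PKT_RE.match(body)):
            cur.ifl, cur.tcp_flags = m["ifl"], m["flags"]
        elif (m := INIFP_RE.search(body)):
            cur.zone, cur.ifl = m["zone"], m["ifl"]
        elif (m := SESSION_RE.search(body)):
            cur.session_id = int(m["sid"])
        elif (m := DROP_RE.search(body)):
            cur.drop_reason = m["reason"]
    return packets


def find_syn_check_drops(packets: list) -> list:
    """Report flows that own a session on one interface but lost a packet on another.

    That is the pattern in the posted trace: the RST matched session 102000 on
    ge-0/0/3.0, but the copy that re-entered on lt-0/0/0.111 found no session,
    was treated as a first packet, and was dropped ('first pak not sync').
    """
    by_flow = {}
    for p in packets:
        by_flow.setdefault(p.flow, []).append(p)
    findings = []
    for flow, pkts in by_flow.items():
        session_ifls = {p.ifl: p.session_id for p in pkts if p.session_id is not None}
        for p in pkts:
            if p.dropped and session_ifls and p.ifl not in session_ifls:
                findings.append({"flow": flow, "session": dict(session_ifls),
                                 "dropped_on": p.ifl, "zone": p.zone,
                                 "flags": p.tcp_flags, "reason": p.drop_reason})
    return findings


if __name__ == "__main__":
    for f in find_syn_check_drops(parse_trace(SAMPLE_TRACE)):
        print(f"{f['flow']}: session {f['session']} but dropped on "
              f"{f['dropped_on']} (zone {f['zone']}, flags {f['flags']}): {f['reason']}")
```

Run it against a real `show log flow-trace2` capture by replacing `SAMPLE_TRACE`; a finding means the reply path re-entered the flow module on an interface that does not match the existing session, which is what the SYN check then rejects. The script reads only the trace text and makes no changes to the device.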



  • 3.  RE: FTP not working from VR

    Posted 12-04-2014 05:18

    Thanks for the help!

     

    I've attached a diagram showing the topology. These devices are all virtual (vMX and fireflies)

     

    Source client IP (on VR) - 172.20.101.10

    Dest server IP - 172.31.15.1

    Source Interface - lt-0/0/0.111

    Dest Interface - eth1 (virtual centos)

     

    The virtual host doesn't allow FTP, but I should get a connection refusal message. I get that message when I attempt the FTP from srx-SV rather than from the VR. Here is the output; the first two FTP sessions are run from srx-SV and connect. The second two are from the VR and time out.

     

    root@srx-SV# run ftp 172.31.15.1
    ftp: connect: Connection refused
    ftp> ftp> quit
    
    [edit]
    root@srx-SV# run ftp 172.31.15.2
    Connected to 172.31.15.2.
    220 Internet FTP server (Version 6.00LS) ready.
    Name (172.31.15.2:root): ^C
    [edit]
    root@srx-SV# run ftp 172.31.15.1 routing-instance JNPR-SV
    ftp: connect: Operation timed out
    ftp> quit
    
    [edit]
    root@srx-SV# run ftp 172.31.15.2 routing-instance JNPR-SV
    ftp: connect: Operation timed out
    ftp> quit
    
    

     

     

    VMM JSEC - Lab 1-7.png



  • 4.  RE: FTP not working from VR

    Posted 12-04-2014 05:34

    Hi tjordan,

     

    If you are trying to do FTP to a VR, it will not work. This is a day-one issue with the SRX: "host inbound traffic like SSH/FTP/Telnet to a VR does not work".

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 5.  RE: FTP not working from VR

    Posted 12-04-2014 06:23

    Suraj,

          I'm not trying to FTP TO the VR, I'm FTPing FROM the VR to a server. But it's good to know that I cannot FTP to a virtual router.

     

    Thanks,

    -Tyler



  • 6.  RE: FTP not working from VR
    Best Answer

    Posted 12-04-2014 11:25

    I've figured out what is causing this issue with FTP. I changed the VR lt- interfaces to ge- interfaces. Interestingly enough, ping worked on both interface types, but FTP only worked across ge-. I don't know why this is, but it is good to know either way.

     

    I've provided both interface configurations below...

     

    LT Config

     

        lt-0/0/0 {
            unit 101 {
                encapsulation vlan;
                vlan-id 100;
                peer-unit 111;
                family inet {
                    address 172.20.101.1/24;
                }
            }
            unit 111 {
                encapsulation vlan;
                vlan-id 100;
                peer-unit 101;
                family inet {
                    address 172.20.101.10/24;
                }
            }
            unit 201 {
                encapsulation vlan;
                vlan-id 200;
                peer-unit 211;
                family inet {
                    address 172.20.201.1/24;
                }
            }
            unit 211 {
                encapsulation vlan;
                vlan-id 200;
                peer-unit 201;
                family inet {
                    address 172.20.201.10/24;
                }
            }
        }

     GE Config

     

    ge-0/0/4 {
        vlan-tagging;
        unit 101 {
            vlan-id 101;
            family inet {
                address 172.20.101.1/24;
            }
        }
        unit 201 {
            vlan-id 201;
            family inet {
                address 172.20.201.1/24;
            }
        }
    }
    ge-0/0/5 {
        vlan-tagging;
        unit 101 {
            vlan-id 101;
            family inet {
                address 172.20.101.10/24;
            }
        }
        unit 201 {
            vlan-id 201;
            family inet {
                address 172.20.201.10/24;
            }
        }
    }
    

     Thanks for the help.