SRX Services Gateway
Contributor
Posts: 11
Registered: ‎02-09-2011

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

The workaround doesn't seem to work for me. Although, I'm still kind of learning my way around Junos. Could I see someone's config with this workaround implemented?

 

jason@liv> show system software                
Information for junos:

Comment:
JUNOS Software Release [10.3R3.7]

 

Trusted Contributor
Posts: 159
Registered: ‎08-29-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I just configured this at my home on a SRX210 with flow mode using 11.1R2.3 and have no issues with initial connectivity. One thing that I am running into is that the default tcp timeouts for ipv6 are very very short, like 30 seconds or so. This is causing connectivity issues as all of the host applications still think the session is up.

 

Anyone seen this? I'm not that familiar with IPv6, so I'm not sure if the TCP timeout should be lower than v4.. I would think not...

Super Contributor
Posts: 222
Registered: ‎12-16-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

[ Edited ]

There is no reason for the timeouts of IPv6 to be shorter than IPv4. 30 seconds is extremely short for TCP. Could it be that there is some sort of asymmetric routing going on? If the SRX only sees the client->server traffic but not server->client traffic, things like this could happen as the SRX will never see a completed 3-way handshake and will remove the session again (after some 20 seconds iirc).

 

Update: one other possibility is that a filter with "then packet-mode" is applied on all ingress traffic but not egress. This will cause the security module of the SRX to only see one direction of the traffic flow, which is just like asymmetric routing. Those packet-filters are no longer needed in 11.1R2 though - my tunnel works fine without it.

Trusted Contributor
Posts: 159
Registered: ‎08-29-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I believe you nailed it actually.. Looking at the flows, there is no return traffic from the server.. The website brings up a page just fine however. Which is odd that it works.. I do not have any asymmetric routing going on. Must be something goofy with a policy or something?

 

 

root@SRX210> show security flow session family inet6    

Session ID: 18151, Policy name: trust-to-untrust/4, Timeout: 16, Valid  In: 2001:xxxx:xxxx11:5068:1991:cd84:3f6f/59572 --> 2001:4860:b009::93/80;tcp, If: vlan.11, Pkts: 11, Bytes: 3191

Out: 2001:4860:b009::93/80 --> 2001:xxxx:xxxx11:5068:1991:cd84:3f6f/59572;tcp, If: ip-0/0/0.0, Pkts: 0, Bytes: 0


Session ID: 18152, Policy name: trust-to-untrust/4, Timeout: 16, Valid  In: 2001:xxxx:xxxx11:5068:1991:cd84:3f6f/59573 --> 2001:4860:b009::93/80;tcp, If: vlan.11, Pkts: 5, Bytes: 1881

Out: 2001:4860:b009::93/80 --> 2001:xxxx:xxxx11:5068:1991:cd84:3f6f/59573;tcp, If: ip-0/0/0.0, Pkts: 0, Bytes: 0

Total sessions: 4
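The session output above is the whole diagnostic: the "In" wing has counted packets, the "Out" wing has none, and the timeout is sitting at 16 seconds because the SRX never saw the handshake complete. The following parser is an added example (not from any post in this thread and not Juniper code) that reads `show security flow session` text of that shape and flags sessions where the initiator has sent several packets but the return wing is still at zero, which is exactly the signature of asymmetric routing or a one-sided packet-mode filter discussed above. The sample output embedded in it is constructed, with documentation-range addresses standing in for the poster's anonymised ones.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on "show security flow session family inet6" output.
# Sessions 18151/18152 mirror the one-directional ones quoted in the thread;
# 18153 is a healthy two-way session added for contrast.
SAMPLE_OUTPUT = """\
Session ID: 18151, Policy name: trust-to-untrust/4, Timeout: 16, Valid
  In: 2001:db8:1::10/59572 --> 2001:4860:b009::93/80;tcp, If: vlan.11, Pkts: 11, Bytes: 3191
  Out: 2001:4860:b009::93/80 --> 2001:db8:1::10/59572;tcp, If: ip-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 18152, Policy name: trust-to-untrust/4, Timeout: 16, Valid
  In: 2001:db8:1::10/59573 --> 2001:4860:b009::93/80;tcp, If: vlan.11, Pkts: 5, Bytes: 1881
  Out: 2001:4860:b009::93/80 --> 2001:db8:1::10/59573;tcp, If: ip-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 18153, Policy name: trust-to-untrust/4, Timeout: 1800, Valid
  In: 2001:db8:1::10/59574 --> 2001:4860:b009::93/80;tcp, If: vlan.11, Pkts: 9, Bytes: 1200
  Out: 2001:4860:b009::93/80 --> 2001:db8:1::10/59574;tcp, If: ip-0/0/0.0, Pkts: 8, Bytes: 5400
Total sessions: 3
"""

# The header and wing lines may share a line (as in the thread's paste) or be
# split, so both patterns are searched on every line.
SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(r"(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


@dataclass
class Wing:
    src: str
    dst: str
    proto: str
    ifname: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: Dict[str, Wing]   # keyed "In" / "Out"


def parse_flow_sessions(text: str) -> List[Session]:
    """Turn the CLI text into Session objects with their In/Out wings."""
    sessions: List[Session] = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = Session(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), {})
            sessions.append(current)
        w = WING_RE.search(line)
        if w and current is not None:
            current.wings[w.group(1)] = Wing(w.group(2), w.group(3), w.group(4),
                                             w.group(5), int(w.group(6)), int(w.group(7)))
    return sessions


def one_directional(sessions: List[Session], min_in_pkts: int = 3) -> List[int]:
    """IDs of sessions where the client kept sending but the SRX never counted a
    reply on the Out wing. One such session can be a dead peer; many of them at a
    short timeout point at the box only seeing half the conversation (asymmetric
    routing, or a packet-mode filter applied on ingress only)."""
    flagged = []
    for s in sessions:
        i, o = s.wings.get("In"), s.wings.get("Out")
        if i and o and i.pkts >= min_in_pkts and o.pkts == 0:
            flagged.append(s.sid)
    return flagged


if __name__ == "__main__":
    parsed = parse_flow_sessions(SAMPLE_OUTPUT)
    for sid in one_directional(parsed):
        s = next(x for x in parsed if x.sid == sid)
        print(f"session {sid}: {s.wings['In'].pkts} pkts in, 0 out, timeout {s.timeout}s "
              f"({s.wings['In'].ifname} -> {s.wings['Out'].ifname})")
```

Feed it the real output (`show security flow session family inet6 | no-more`) and compare the flagged sessions' Out interface with the interface the return packets actually arrive on; if they differ, the problem is routing, and if they match, look for a filter with `then packet-mode` on that interface only.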

Trusted Contributor
Posts: 159
Registered: ‎08-29-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Another note: I can ping everything successfully, IPv6 does in fact work.. However something in the SRX is wonky as it's not reporting any return traffic in the flows. I tried the workaround, made no difference.

 

I attached the config from my security policy.. it's very, very basic as I'm just trying to get things to work right now.

 

Super Contributor
Posts: 222
Registered: ‎12-16-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Can you include the output of show configuration interfaces & show firewall? My guess would be that there is a firewall filter active.

Trusted Contributor
Posts: 159
Registered: ‎08-29-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I have no firewall filters enabled at this point in time. The only security mechanisms are under the security stanza..

 

I can get the config, will post it later. I'm pointing this to a bug.. as I mentioned, IPv6 works but it doesn't recognize the return traffic flow.

Regular Visitor
Posts: 8
Registered: ‎02-28-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Pressureman,
 
Thank you for posting your snippet.  I used this successfully on my 10.4R4 (SRX210) and got my SixxS tunnel working again (it broke after I followed JTAC's recommendation to downgrade from 11.x to address spontaneous chassis reboots).
 
Kudos given, I just wanted to thank you again for the workaround and the link explaining "how/why this workaround... works."  
 
Thanks again!
Visitor
Posts: 5
Registered: ‎10-13-2010

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Well, now I'm very happy!  With the recommendations on configuring the firewall filter, along with a couple of sample configurations from a Google search for 'SRX Hurricane Electric IPv6', I have a working configuration for he.net's tunnel broker on a SRX220 running Junos 11.4R1.6.

 

interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members default;
                }
            }
        }
    }
    ip-0/0/0 {
        unit 0 {
            tunnel {
                source <MY EXTERNAL STATIC IP>;
                destination <HE.NET TUNNEL BROKER SERVER IPv4 ADDRESS>;
            }
            family inet6 {
                address <MY HE.NET ASSIGNED IPv6 ADDRESS>;
            }
        }
    }

 

    ge-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input fix-6in4;
                }
                address <MY EXTERNAL STATIC IPv4 ADDRESS>;
            }
            family inet6 {
                address <MY HE.NET ASSIGNED IPv6 CLIENT ADDRESS>;
            }
        }
    }

    vlan {
        unit 0 {
            family inet {
                address <MY INTERNAL TRUST IPv4 ADDRESS>;
            }
            family inet6 {
                address <MY INTERNAL HE.NET ASSIGNED IPv6 ADDRESS>;
            }
        }
    }
}

 

routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop <HE.NET IPv6 SERVER ADDRESS>;
        }
    }
}

 

protocols {
    router-advertisement {
        interface vlan.0 {
            prefix <MY INTERNAL HE.NET NETWORK ADDRESS /64>;
        }
    }
}

 

    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
        }
    }

 

[edit security zones]

security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/7.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
                protocols {
                    router-discovery;
                }
            }
        }
        ip-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    router-discovery;
                }
            }
        }
    }
}

 

 


firewall {
    filter fix-6in4 {
        term t1 {
            from {
                source-address {
                    216.66.22.2/32;
                }
                protocol 41;
            }
            then packet-mode;
        }
        term t2 {
            from {                     
                destination-address {
                    216.66.22.2/32;
                }
                protocol 41;
            }
            then packet-mode;
        }
        term t99 {
            then accept;
        }
    }
}
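The `fix-6in4` filter above is the whole workaround, and its effect is easy to misread: only protocol-41 packets to or from the tunnel broker are pulled out of flow processing, everything else falls through to `t99` and stays in flow mode, and without `t99` the filter's implicit default would discard the rest of the interface's traffic. The small evaluator below is an added example (not code from this thread or from Juniper) that models Junos first-match filter semantics over those three terms so the reader can see which packets end up bypassing session creation and security policy. The broker address is the one in the posted filter; the SRX's own external address is a constructed documentation-range placeholder.

```python
import ipaddress
from typing import List, Optional, Tuple

# 216.66.22.2 is the broker endpoint from the posted filter; the external
# address is a constructed stand-in for <MY EXTERNAL STATIC IPv4 ADDRESS>.
HE_BROKER = ipaddress.ip_network("216.66.22.2/32")
MY_EXTERNAL_IP = "198.51.100.7"
PROTO_IPV6_ENCAP = 41          # IP protocol number carrying 6in4 (IPv6-in-IPv4)

# The three terms of fix-6in4 in configured order:
# (term name, source match, destination match, protocol match, action).
# None means the term does not test that field.
Term = Tuple[str, Optional[ipaddress.IPv4Network], Optional[ipaddress.IPv4Network],
             Optional[int], str]
FIX_6IN4_TERMS: List[Term] = [
    ("t1",  HE_BROKER, None,      PROTO_IPV6_ENCAP, "packet-mode"),
    ("t2",  None,      HE_BROKER, PROTO_IPV6_ENCAP, "packet-mode"),
    ("t99", None,      None,      None,             "accept"),
]


def evaluate_filter(terms: List[Term], src: str, dst: str, proto: int) -> Tuple[str, str]:
    """First-match evaluation, the way a Junos firewall filter is processed.
    Returns (term name, action). When no term matches, the filter's implicit
    default term discards the packet, which is why t99 is required."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, m_src, m_dst, m_proto, action in terms:
        if m_src is not None and s not in m_src:
            continue
        if m_dst is not None and d not in m_dst:
            continue
        if m_proto is not None and proto != m_proto:
            continue
        return name, action
    return "default", "discard"


def inspection_path(terms: List[Term], src: str, dst: str, proto: int) -> str:
    """Describe what the filter verdict means for the packet on the SRX.
    'packet-mode' traffic is forwarded statelessly: no session, no security
    policy lookup (the side effect pheller10 reports later in the thread)."""
    _, action = evaluate_filter(terms, src, dst, proto)
    if action == "packet-mode":
        return "packet-mode: stateless forwarding, no session, no security policy"
    if action == "accept":
        return "flow-mode: session created, security policy applied"
    return "discarded by filter"


if __name__ == "__main__":
    # Constructed packets: tunnel traffic both ways, ordinary TCP, and protocol 41
    # from a host that is not the configured broker.
    samples = [
        ("216.66.22.2", MY_EXTERNAL_IP, PROTO_IPV6_ENCAP),
        (MY_EXTERNAL_IP, "216.66.22.2", PROTO_IPV6_ENCAP),
        (MY_EXTERNAL_IP, "216.66.22.2", 6),
        ("203.0.113.9", MY_EXTERNAL_IP, PROTO_IPV6_ENCAP),
    ]
    for src, dst, proto in samples:
        term, action = evaluate_filter(FIX_6IN4_TERMS, src, dst, proto)
        print(f"{src:>14} -> {dst:<14} proto {proto:>2}: {term}/{action}; "
              f"{inspection_path(FIX_6IN4_TERMS, src, dst, proto)}")
```

The last sample is the point to keep in mind when auditing this workaround: the exemption is scoped to the one broker peer, so protocol-41 packets from anywhere else still go through the flow path and the security policy, while the tunnel itself is entirely outside policy for as long as the filter is active.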

Contributor
Posts: 11
Registered: ‎02-09-2011

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

[ Edited ]

Is there a working flow-based config for 6in4 tunnels yet? Packet-based in 10.3 worked fine, didn't attempt any flow workarounds for it. I've tried all workarounds mentioned here for 10.4 and a few others to no avail.

 

10.4R9.2

Contributor
Posts: 40
Registered: ‎01-14-2009

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

[ Edited ]

So now that 12.1R2.9 was released (05-Jun-2012) for the Branch Series SRXs I found the following statement in the release notes:

 

12.1 Release Notes (07-Jun-2012) Revision 7
  ---> Resolved Issues in Junos OS Release 12.1 for Branch SRX Series Services Gateways and J Series Services Routers
    ---> Resolved Issues in Junos OS Release 12.1 R2 for Branch SRX Series Services Gateways
      ---> IPv6
        ---> "On all branch SRX Series devices, IPv6 tunnels over IPv4 network does not work in flow mode. [PR/741765 : This issue has been resolved.]"

 

First, I deactivated my firewall filter which forced all protocol 41 traffic to/from my HE.net tunnel broker previously handled in PACKET-MODE and forced it to be handled in FLOW-MODE.

 

Unfortunately, this did not work.  TCP traffic appeared to be the issue as UDP and ICMP was functional.  My ip interfaces MTU was 1480 and I'm using path-mtu-discovery on the tunnel.  I even enabled tcp-mss at 1420 but with no success.  I didn't have time to dig any further and will test more later this evening.

 

Has anyone else seen the same results after upgrading to 12.1R2.9 and placing the 6in4 tunnel traffic back in FLOW-MODE by deactivating the firewall filters we created earlier in this thread?

 

Contributor
Posts: 17
Registered: ‎06-15-2012

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I've deactivated my firewall filters that force the tunnel traffic to packet mode, and all seems to be working well.

Perhaps try a commit full?

--Phil
Contributor
Posts: 17
Registered: ‎06-15-2012

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?


pheller10 wrote:
I've deactivated my firewall filters that force the tunnel traffic to packet mode, and all seems to be working well.

Ok, I spoke too soon.  While deactivating the firewall filters under 12.1R2.9 did allow end-to-end connectivity, it also seems to treat all tunneled traffic as packet-mode, thus bypassing all security policy.

 

 

Visitor
Posts: 7
Registered: ‎06-26-2012

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I just upgraded to 10.4R10.7, and now IPv6 routing seems to be completely broken.  I can ping IPv6 hosts over the tunnel from the SRX itself, but from anything on the inside, everything IPv6 breaks at the SRX.  It worked fine in 10.4R9.2

 

> show security flow status | match Inet6
Inet6 forwarding mode: packet based

 

Visitor
Posts: 7
Registered: ‎06-26-2012

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Downgrading back to 10.4R9.2 fixed my problems.

Contributor
Posts: 82
Registered: ‎07-10-2010

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Thanks for the update, did you have a chance to open a case with JTAC?

 

R

Contributor
Posts: 40
Registered: ‎01-14-2009

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

[ Edited ]

So it appears I've found the cause of MY problem.  Seems like another bug/defect to me.  I had to disable "security > flow > tcp-session > strict-syn-check" to get TCP to work.  It seems strict-syn-check doesn't work with the IPv6 traffic when tunneled in IPv4 (6IN4) all in FLOW-MODE.

 

Anyway, after I deactivated my protocol 41 > packet-mode filter the only thing that wouldn't work was TCP packets after the 3-way handshake.  For example, a three-way handshake would complete and I could initially send data, or so it seemed, but then I would never see a response to my packet.  A very simple example using a curl HEAD request to an IPv6 host webserver looks like this:

 

$ curl --head -6 -v http://www.juniper.net
* About to connect() to www.juniper.net port 80 (#0)
*   Trying 2600:1400:1:2:8000::720... connected
* Connected to www.juniper.net (2600:1400:1:2:8000::720) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.20.1 (i686-pc-cygwin) libcurl/7.20.1 OpenSSL/0.9.8r zlib/1.
2.5 libidn/1.18 libssh2/1.2.5
> Host: www.juniper.net
> Accept: */*
>
* Closing connection #0
* Failure when receiving data from the peer
curl: (56) Failure when receiving data from the peer

 After disabling 'strict-syn-check' the request completes successfully:

$ curl --head -6 -v http://www.juniper.net
* About to connect() to www.juniper.net port 80 (#0)
*   Trying 2600:1400:1:2:8000::720... connected
* Connected to www.juniper.net (2600:1400:1:2:8000::720) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.20.1 (i686-pc-cygwin) libcurl/7.20.1 OpenSSL/0.9.8r zlib/1.
2.5 libidn/1.18 libssh2/1.2.5
> Host: www.juniper.net
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Server: Concealed by Juniper Networks DX
Server: Concealed by Juniper Networks DX
< Date: Thu, 28 Jun 2012 23:08:45 GMT
Date: Thu, 28 Jun 2012 23:08:45 GMT
< Connection: keep-alive
Connection: keep-alive
< Set-Cookie: rl-sticky-key=b159fd3052f1f60eea47e0dc56d57d62; path=/; expires=Thu, 28 Jun 2012 23:50:15 GMT
Set-Cookie: rl-sticky-key=b159fd3052f1f60eea47e0dc56d57d62; path=/; expires=Thu, 28 Jun 2012 23:50:15 GMT
* no chunk, no close, no size. Assume close to signal end

<
* Closing connection #0

 

Visitor
Posts: 3
Registered: ‎06-08-2012

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Hi,

Is there already a case open with JTAC? With my configuration I'm able to ping the internet from my VLAN interface. The PCs in this LAN are not able to reach the internet. I'm using flow-based with JUNOS Software Release [12.1R2.9]

Regards
Contributor
Posts: 40
Registered: ‎01-14-2009

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

[ Edited ]

Not sure if you saw my previous reply, but "security > flow > tcp-session > strict-syn-check" must be disabled.

Visitor
Posts: 3
Registered: ‎06-08-2012

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Hi,

 

That's why I replied to the post. I've already disabled the strict-syn-check setting but it's still not working. Maybe there is a misconfiguration in my config file.

The IPv6 configuration is attached, maybe you could for me please?

 

Thanx