SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  I want to route 169 address space!

    Posted 10-10-2012 18:03

    Hi All,

     

    First off, let me explain why I would want to route 169 addresses.  I am working with a WISP who uses Motorola AP for connections.  The AP uses an IP address of 169.254.1.1 (awesome, I know).  Anyway, it's nice to web to that IP as it gives you stats on the wireless link.

     

    It seems that the SRX firewall does not like any traffic going to that IP and drops it.  The log shows this:

     

    Oct 10 08:53:28 08:53:27.999219:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Oct 10 08:53:28 08:53:27.999219:CID-0:RT:  packet dropped, Non-self packet with link-local address
    Oct 10 08:53:28 08:53:27.999219:CID-0:RT:  flow find session returns error.

     

     

    I can ping and telnet to the AP directly from the SRX but transit traffic gets dropped.  Is there a way to tell the SRX to deal with this 169 addressing?

     

     

     

    EDIT*

     

    I also tried the following, which did not help... I guess since 169.254 is not a Martian

     

    martians {
        169.254.1.1/32 exact allow;
    }
    

     

     

     

    P.S. I know I can just change the AP's IP, but I am curious if the SRX can be tamed in this way.

     

    Thanks!



  • 2.  RE: I want to route 169 address space!

    Posted 10-11-2012 01:12
    Interesting! I think it is dropping because of a TTL (becoming zero) issue, as it is an IPv4 link-local address with TTL=1. Unless there is a way to change the initial TTL of the packet, I don't think the SRX (or any other L3 device) will allow that transit traffic!!


  • 3.  RE: I want to route 169 address space!
    Best Answer

    Posted 10-11-2012 05:47

    Juniper is behaving correctly.  Bits from RFC 3927:

    The host MUST NOT send a packet with an IPv4 Link-Local destination
       address to any router for forwarding.

     

    An IPv4 packet whose source and/or destination address is in the
       169.254/16 prefix MUST NOT be sent to any router for forwarding, and
       any network device receiving such a packet MUST NOT forward it,
       regardless of the TTL in the IPv4 header.

     

    7.  Router Considerations
    
       A router MUST NOT forward a packet with an IPv4 Link-Local source or
       destination address, irrespective of the router's default route
       configuration or routes obtained from dynamic routing protocols.
    
       A router which receives a packet with an IPv4 Link-Local source or
       destination address MUST NOT forward the packet.  This prevents
       forwarding of packets back onto the network segment from which they
       originated, or to any other segment.
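
The forwarding rule quoted above, together with the self versus transit distinction seen in the first post's flow trace, as an added Python sketch (not code from the thread, from Juniper, or from the RFC). The router addresses, the LAN host address and the `decide` function are assumptions made for illustration; only 169.254.1.1 comes from the thread.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 prefix


def is_link_local(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LINK_LOCAL


def decide(src, dst, local_addrs, ttl=64, originated_locally=False):
    """Return (action, reason) for one IPv4 packet seen by a router.

    local_addrs are the router's own interface addresses (constructed here).
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    if originated_locally:
        # The router is acting as a host on the link; nothing is forwarded.
        return ("send", "locally originated packet")
    if ipaddress.ip_address(dst) in local:
        return ("deliver", "self packet")
    # Checked before TTL: RFC 3927 says "regardless of the TTL".
    if is_link_local(src) or is_link_local(dst):
        return ("drop", "non-self packet with link-local address")
    if ttl <= 1:
        return ("drop", "TTL expired")
    return ("forward", "transit packet")


# Constructed addressing, not taken from the thread (except 169.254.1.1).
ROUTER_ADDRS = ["192.168.1.1", "169.254.1.2"]
AP = "169.254.1.1"
LAN_HOST = "192.168.1.10"

if __name__ == "__main__":
    cases = [
        ("LAN host -> AP, transit", dict(src=LAN_HOST, dst=AP)),
        ("LAN host -> AP, TTL 255", dict(src=LAN_HOST, dst=AP, ttl=255)),
        ("router -> AP, ping from the box",
         dict(src="169.254.1.2", dst=AP, originated_locally=True)),
        ("link-local source, routable destination",
         dict(src="169.254.5.5", dst="203.0.113.5")),
        ("ordinary transit", dict(src=LAN_HOST, dst="203.0.113.5")),
    ]
    for name, kw in cases:
        print(f"{name}: {decide(local_addrs=ROUTER_ADDRS, **kw)}")
```
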

     



  • 4.  RE: I want to route 169 address space!

    Posted 09-15-2015 07:45

    Hi,

     

    We are selling these firewalls as part of a tool for the semiconductor industry. Up until now we have been using the SSG5, and this one did not drop 169.254 packets. Now the SSG5 has been phased out and we have to replace it with the SRX100. There is no way we can change the tool network, which has been set up with a lot of PCs with different 169.254 subnets. So is there any way we can get the SRX100 to stop dropping this traffic?

     

    Thanks in advance,

    kastAUT