SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  No return path ???

    Posted 03-22-2013 19:12

    Greetings, Experts.

     

    I'm having difficulty with a new deployment of a pair of SRX550s in a chassis cluster.

    My issue SEEMS to be at the firewall level...

    I have a host on the inside (trusted zone) and a host on the outside(untrusted zone).

    Doing default source NAT -

    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

    and an 'any-any-any' rule configured for trusted --> untrusted.

     

    Start a ping on a host in 'trusted'.

    Run Wireshark on my 'untrusted' host, and I see the ECHO REQUEST arrive at the untrusted host, which is happily responding with an ECHO REPLY.

    However, the REPLY never makes it back to the 'trusted' host.

    Same goes for HTTP outbound - at the 'untrusted' host, I see the TCP session start with a SYN, the 'untrusted' says SYNACK, and that's it.

    I feel like I'm missing something REALLY basic. I've gone over and around my physical setup, I've torn down and rebuilt. Is there something ... 'special' I need to do on a chassis cluster to allow the return path for trusted --> untrusted requests?

     



  • 2.  RE: No return path ???
    Best Answer

    Posted 03-22-2013 19:44

    Hello Randyj

     

    There is no special config required other than to allow traffic.

     

    Can you paste the session output?

    show security flow session source-prefix <trusted PC> destination-prefix <untrusted-pc>

     

    If SRX is dropping it, you should be able to find it using flow traces.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16108&smlogin=true

    (ref. example 2)

     

    I hope this helps.



  • 3.  RE: No return path ???

    Posted 03-25-2013 09:53

    Following through with this suggestion:

    Begin a http session from the box on my 'trusted' net, to a box on the untrusted net:

    172.20.43.169 internal host.

    172.20.43.1 reth1.0 trusted zone

    xx.yy.zz.253 reth0.0 untrust zone

    zz.yy.zz.254 external host, default gateway for SRX

     

    {primary:node0} root@SEASRX01_0> show security flow session source-prefix 172.20.43.169 destination-prefix xx.yy.zz.254

    node0:
    --------------------------------------------------------------------------
    Session ID: 78807, Policy name: trust-to-untrust/4, State: Active, Timeout: 16, Valid
      In: 172.20.43.169/56293 --> xx.yy.zz.254/80;tcp, If: reth1.0, Pkts: 4, Bytes: 256
      Out: xx.yy.zz.254/80 --> xx.yy.zz.253/40383;tcp, If: reth0.0, Pkts: 0, Bytes: 0
    Total sessions: 1

    node1:
    --------------------------------------------------------------------------
    Session ID: 69291, Policy name: trust-to-untrust/4, State: Backup, Timeout: 14404, Valid
      In: 172.20.43.169/56293 --> xx.yy.zz.254/80;tcp, If: reth1.0, Pkts: 0, Bytes: 0
      Out: 67.152.33.254/80 --> xx.yy.zz.253/40383;tcp, If: reth0.0, Pkts: 0, Bytes: 0
    Total sessions: 1

     

    so it doesn't appear as if anything is actually being returned ??? However, I see the return being generated on my external host (xx.yy.zz.254)

     



  • 4.  RE: No return path ???

    Posted 03-25-2013 11:41

    dropped one of the SRXs from the cluster...

    Rebuilt the SIMPLE config, here is the same flow, which appears to work.

     

    172.20.43.169 host in trusted zone

    xx.yy.zz.253  SRX external interface

    xx.yy.zz.254 host in external subnet, untrusted zone

     

    Session ID: 4433, Policy name: trust-to-untrust/4, Timeout: 2, Valid
      In: 172.20.43.169/56430 --> xx.yy.zz.254/80;tcp, If: ge-6/0/8.0, Pkts: 7, Bytes: 766
      Out: xx.yy.zz.254/80 --> xx.yy.zz.253/29120;tcp, If: ge-6/0/0.0, Pkts: 6, Bytes: 2902



  • 5.  RE: No return path ???

    Posted 03-25-2013 14:11

    AVD's recommendation has helped me figure this out.

    Setting traceoptions logging to a file showed me this:

     


    Mar 25 20:46:44 20:46:44.653950:CID-1:RT:  route lookup failed: dest-ip 172.20.43.169 orig ifp reth1.0 output_ifp fxp0.0 fto 0x48d74f68 orig-zone 6 out-zone 1 vsd 1
    Mar 25 20:46:44 20:46:44.653950:CID-1:RT:  packet dropped,   pak dropped since re-route failed
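
Added example, not code from the thread or from Juniper: a small Python parser for the two outputs this thread leans on, the `show security flow session` listing (posts 3 and 4) and the flow trace (post 5). It flags the two signs the posters read by hand: a session with packets in but none out, and a reverse route lookup that resolved to the fxp0 management interface. The samples are constructed from the quoted output with its xx.yy.zz placeholders kept, and the field layout the regexes expect is assumed from those quotes.

```python
import re

# Session header ("State:" appears only in cluster output), one In/Out wing, trace drop reason.
SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+)(?:, State: (\w+))?")
WING_RE = re.compile(r"\b(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")
ROUTE_FAIL_RE = re.compile(r"route lookup failed: dest-ip (\S+) orig ifp (\S+) output_ifp (\S+)")
# Constructed samples modelled on the thread's output (placeholder addresses kept): the cluster
# session with its wings run onto one line, its Backup copy, and the healthy standalone session.
SAMPLE_SESSIONS = (
    "Session ID: 78807, Policy name: trust-to-untrust/4, State: Active, Timeout: 16, Valid"
    "   In: 172.20.43.169/56293 --> xx.yy.zz.254/80;tcp, If: reth1.0, Pkts: 4, Bytes: 256"
    "   Out: xx.yy.zz.254/80 --> xx.yy.zz.253/40383;tcp, If: reth0.0, Pkts: 0, Bytes: 0\n"
    "Session ID: 69291, Policy name: trust-to-untrust/4, State: Backup, Timeout: 14404, Valid"
    "   In: 172.20.43.169/56293 --> xx.yy.zz.254/80;tcp, If: reth1.0, Pkts: 0, Bytes: 0"
    "   Out: xx.yy.zz.254/80 --> xx.yy.zz.253/40383;tcp, If: reth0.0, Pkts: 0, Bytes: 0\n"
    "Session ID: 4433, Policy name: trust-to-untrust/4, Timeout: 2, Valid\n"
    "  In: 172.20.43.169/56430 --> xx.yy.zz.254/80;tcp, If: ge-6/0/8.0, Pkts: 7, Bytes: 766\n"
    "  Out: xx.yy.zz.254/80 --> xx.yy.zz.253/29120;tcp, If: ge-6/0/0.0, Pkts: 6, Bytes: 2902\n"
)
SAMPLE_TRACE = (
    "Mar 25 20:46:44 20:46:44.653950:CID-1:RT:  route lookup failed: dest-ip 172.20.43.169"
    " orig ifp reth1.0 output_ifp fxp0.0 fto 0x48d74f68 orig-zone 6 out-zone 1 vsd 1\n"
    "Mar 25 20:46:44 20:46:44.653950:CID-1:RT:  packet dropped,   pak dropped since re-route failed\n"
)

def parse_sessions(text):
    """One dict per session, whether the In/Out wings sit on their own lines or share one."""
    heads = list(SESSION_RE.finditer(text))
    sessions = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        sess = {"id": int(head.group(1)), "policy": head.group(2), "state": head.group(3)}
        for w in WING_RE.finditer(text, head.end(), end):
            sess[w.group(1).lower()] = {"src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                                        "if": w.group(5), "pkts": int(w.group(6))}
        sessions.append(sess)
    return sessions

def one_way_sessions(sessions):
    """Packets in but none out, the symptom in the thread; Backup-node copies always read
    zero on both wings, so they are skipped rather than reported."""
    return [s for s in sessions
            if s["state"] != "Backup" and s["in"]["pkts"] > 0 and s["out"]["pkts"] == 0]

def reroute_failures(trace):
    """Route-lookup failures from a flow trace, flagging a reverse route that resolved to
    the fxp0 management interface rather than a transit interface."""
    return [{"dest_ip": d, "orig_ifp": o, "output_ifp": x, "via_fxp0": x.startswith("fxp0")}
            for d, o, x in ROUTE_FAIL_RE.findall(trace)]
```

Run over the thread's own output, the first function reports session 78807 (4 packets in, 0 out) and the second reports the reverse route for 172.20.43.169 landing on fxp0.0, which is why the SRX drops the reply with "re-route failed".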