SRX Services Gateway
Contributor
Jockel
Posts: 12
Registered: 01-27-2012

Response packets to services on the SRX with wrong source address

Hi,

I have another problem with the SRX210. It's a simple configuration with the routing-instance R1 and the default routing-instance; interface routes are shared between them. The SRX is acting as an NTP server. In the default instance lo0.0 has the address 10.100.200.1/32 configured. This is used by the NTP clients.

On Junos 10.4+ the response packets to a query from an NTP client are correct, but the response packets to a ping have the wrong source address (no NAT configured at all).

{primary:node0}
root@fw-01-0> monitor traffic interface reth0.10 no-resolve size 1500
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on reth0.10, capture size 1500 bytes

12:55:52.997039  In IP 10.168.10.10.123 > 10.100.200.1.123: NTPv4, Client, length 48
12:55:52.997745 Out IP 10.100.200.1.123 > 10.168.10.10.123: NTPv4, Server, length 48
12:55:57.993295  In arp who-has 10.168.10.1 tell 10.168.10.10
12:55:57.993395 Out arp reply 10.168.10.1 is-at 00:10:db:ff:10:00
12:55:58.872525  In IP 10.168.10.10 > 10.100.200.1: ICMP echo request, id 1845, seq 1, length 64
12:55:58.872647 Out IP 10.168.10.1 > 10.168.10.10: ICMP echo reply, id 1845, seq 1, length 64
12:55:59.874487  In IP 10.168.10.10 > 10.100.200.1: ICMP echo request, id 1845, seq 2, length 64
12:55:59.874604 Out IP 10.168.10.1 > 10.168.10.10: ICMP echo reply, id 1845, seq 2, length 64

The same configuration in Junos 11.2+ is even stranger: the response packets to the NTP query have the wrong source address too:

{primary:node0}
root@fw-01-0> monitor traffic interface ge-0/0/0.10 no-resolve size 1500
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/0.10, capture size 1500 bytes

10:09:36.945765  In IP 10.168.10.10.123 > 10.100.200.1.123: NTPv4, Client, length 48
10:09:36.946637 Out IP 10.168.10.1.123 > 10.168.10.10.123: NTPv4, Server, length 48

{primary:node0}
root@fw-01-0> show security flow session
node0:
--------------------------------------------------------------------------

Session ID: 243, Policy name: default-policy-00/2, State: Active, Timeout: 36, Valid
  In: 10.168.10.10/123 --> 10.100.200.1/123;udp, If: ge-0/0/0.10, Pkts: 1, Bytes: 76
  Out: 10.100.200.1/123 --> 10.168.10.10/123;udp, If: .local..7, Pkts: 0, Bytes: 0

Session ID: 245, Policy name: self-traffic-policy/1, State: Active, Timeout: 36, Valid
  In: 10.168.10.1/123 --> 10.168.10.10/123;udp, If: .local..7, Pkts: 1, Bytes: 76
  Out: 10.168.10.10/123 --> 10.168.10.1/123;udp, If: ge-0/0/0.10, Pkts: 0, Bytes: 0

Does Junos do any NAT between routing instances and self-services? And if so, where do I change this behavior?

Regards

JK
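A check for the symptom shown in the captures above, added here as an example that is not part of the original thread and not Juniper code: it parses the `monitor traffic` lines, pairs each outbound reply with the inbound request from the same client for the same service, and reports replies whose source address is not the address the client queried. The line format is assumed from the two captures in the post; the sample input is constructed from those lines.

```python
import re

# Constructed sample input: packet lines copied from the two "monitor traffic" captures above
# (an ARP line is left in to show that non-IP lines are skipped).
CAPTURE = """\
12:55:52.997039  In IP 10.168.10.10.123 > 10.100.200.1.123: NTPv4, Client, length 48
12:55:52.997745 Out IP 10.100.200.1.123 > 10.168.10.10.123: NTPv4, Server, length 48
12:55:57.993295  In arp who-has 10.168.10.1 tell 10.168.10.10
12:55:58.872525  In IP 10.168.10.10 > 10.100.200.1: ICMP echo request, id 1845, seq 1, length 64
12:55:58.872647 Out IP 10.168.10.1 > 10.168.10.10: ICMP echo reply, id 1845, seq 1, length 64
10:09:36.945765  In IP 10.168.10.10.123 > 10.100.200.1.123: NTPv4, Client, length 48
10:09:36.946637 Out IP 10.168.10.1.123 > 10.168.10.10.123: NTPv4, Server, length 48
"""

# One "monitor traffic" (tcpdump-style) line: timestamp, direction, src > dst, protocol text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>In|Out) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<info>.*)$")

def strip_port(addr):
    """'10.168.10.10.123' -> '10.168.10.10'; a bare IPv4 address (ICMP) is returned unchanged."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr

def service(info):
    """Classify the packet by the service whose reply we want to check (None = not of interest)."""
    return "ntp" if info.startswith("NTP") else "icmp-echo" if "ICMP echo" in info else None

def find_mismatched_replies(capture):
    """Pair every outbound reply with the last inbound request from the same client for the
    same service and report replies whose source is not the address the client queried.
    Returns a list of (timestamp, client, expected_source, actual_source)."""
    pending = {}      # (client ip, service) -> address the client sent its request to
    mismatches = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or service(m["info"]) is None:
            continue
        kind = service(m["info"])
        src, dst = strip_port(m["src"]), strip_port(m["dst"])
        if m["dir"] == "In" and ("Client" in m["info"] or "request" in m["info"]):
            pending[(src, kind)] = dst
        elif m["dir"] == "Out" and ("Server" in m["info"] or "reply" in m["info"]):
            expected = pending.pop((dst, kind), None)
            if expected is not None and expected != src:
                mismatches.append((m["ts"], dst, expected, src))
    return mismatches

if __name__ == "__main__":
    for ts, client, expected, actual in find_mismatched_replies(CAPTURE):
        print(f"{ts} reply to {client}: expected source {expected}, got {actual}")
```

On the sample above it flags the ICMP echo reply from the 10.4 capture and the NTP reply from the 11.2 capture, and passes the first NTP reply.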

Contributor
Jockel
Posts: 12
Registered: 01-27-2012

Re: Response packets to services on the SRX with wrong source address

Ok, I found the pattern behind this problem for NTP.

The origin of the problem is the address defined on the lo0.0 interface for the default routing instance. This address is used for queries against the SRX as NTP server.

* address 10.100.200.1/32 for lo0.0:

- NTP client request from 10.168.10.10 on instance R1 gets a response with the source address set to 10.168.10.1 (the client-facing interface). NO NAT defined anywhere in the configuration! Connection is not working.

- NTP client request from a host facing the default instance gets the correct response!

* address 10.100.200.1/30 for lo0.0 (any mask other than 32?):

NTP client request from 10.168.10.10 on instance R1 gets a response with the source address set to 10.100.200.1. This works.

So when I use an address with a 32 mask on the lo0.0 interface for the NTP server, I get wrong response packets in routing instance R1.

The same happens when I define a loopback interface lo0.1 for R1 with an address with mask 32, but now NTP clients coming from the default routing instance get wrong response packets and NTP clients coming from R1 get correct response packets.

This would mean as workaround:

1.) don't use an address with a 32 mask on the lo0.x interfaces for the NTP server

2.) use the lo0.x address from the routing instance the NTP client is connected to.

Regards JK

Contributor
Jockel
Posts: 12
Registered: 01-27-2012

Re: Response packets to services on the SRX with wrong source address

The same pattern holds for ping to lo0.x interfaces and addresses with mask 32.

The ICMP echo reply has the wrong source address when a host connected through another routing instance pings the lo0.x interface.

Ok, don't shoot yourself in the foot and ping the SRX.

Regards

JK

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.