SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX Pre-fragmented packets

  • 1.  SRX Pre-fragmented packets

    Posted 12-10-2014 01:56
    I'm using an srx220 to try to route a 12kb packet which has been pre-fragmented by the sender into 8 packet fragments, each equal to the firewall's MTU. I was able to achieve this using a Cisco router, but on the srx the packets are being dropped. I can also decode these messages in Wireshark, so I believe they are correctly formatted. Can the srx model deal with pre-fragmented packets? Could receiving 8 MTUs' worth of packets at once be filling up a buffer somewhere?

    If this is the case, I did some searching online and learned of a data fragment buffer which can't be modified in the srx models.

    Thanks for the help


  • 2.  RE: SRX Pre-fragmented packets



  • 3.  RE: SRX Pre-fragmented packets

    Posted 12-10-2014 02:23
    Evt

    Thanks for the reply. Unfortunately not, I have no block-frag screens enabled; that was my initial thought as well. I've also turned off all security measures like the SYN-attack screen etc., just in case it was accidentally triggering something. At the moment the firewall is literally just acting as a router, no policies etc.


  • 4.  RE: SRX Pre-fragmented packets

     
    Posted 12-10-2014 02:47

    What are the ingress and egress zones?  Can you turn on logging for your default policy or turn on logging for the policy that matches the traffic?  What is the actual size of the packet and what is your SRX MTU configured at?  A 'show interfaces extensive <interface> | match frag' should show you whether any fragments have been seen by the ingress interface.

     

    One thing you mention is that there are no policies configured - have you explicitly turned off flow mode and configured the SRX for packet mode?  Bear in mind that even with no policies configured, the SRX will not pass traffic from one zone or interface to another, even if the interfaces are in the same zone unless it is configured for packet mode forwarding.



  • 5.  RE: SRX Pre-fragmented packets

    Posted 12-10-2014 03:29
    Evt

    For debugging I set the fragmented packet size to 1282 and the firewall MTU to 1800.

    Yes the increase in bytes received in show interfaces corresponds with what I am sending but they do not appear in the error statistics as dropped packets...

    What I meant was all interfaces are internal zones with permit all traffic from internal to internal.

    I'm quite new to these forums - am I allowed to dump my config in a post for ease? It's small.


  • 6.  RE: SRX Pre-fragmented packets

     
    Posted 12-10-2014 03:59

    Yes, you can post your config.  I'd remove any sensitive information such as password hashes and SNMP strings.

     

    A few questions:

     

    1. I assume you can ping from your source to your destination?  If so, can you ping with size 1500 bytes with the DF-bit set?
    2. Is one or both of the nodes in a VM environment?
    3. Is this TCP or UDP traffic?  Can you run Wireshark on the destination to ensure that the traffic is not actually reaching it?


  • 7.  RE: SRX Pre-fragmented packets

    Posted 12-10-2014 05:13

    The config is pasted below; aside from censoring a few bits like passwords, this is what I am presently running.

     

    1. Yes, I can ping end to end. When I send packets that are over the FW MTU as one packet, it does correctly fragment them and they're received at the far end. The problem is when I send a pre-fragmented packet that has left the sender machine already fragmented, because that's how the software is creating the packets. I'm wondering whether reading already fragmented packets is not supported / a known bug?

    2. At the moment they are both on the host, but in future I will need to exchange with a VM environment

    3. UDP, yes I did and can confirm it does not reach it

     

    Thanks for the help 


    ## Last changed: 2014-12-10 11:22:12 GMT
    version 12.1X44.3;
    system {
        host-name FWOpen;
        time-zone GMT;
        root-authentication {
            encrypted-password "xxxxxxx";
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user xxxxxx {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "xxxxxxx";
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/7.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/7.0 ];
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            host 192.168.1.4 {
                authorization info;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.244.0.17/24;
                }
            }
        }
        ge-0/0/1 {
            mtu 1800;
            unit 0 {
                family inet {
                    address 192.168.0.2/24;
                }
            }
        }
        ge-0/0/2 {
            mtu 1800;
            unit 0 {
                family inet {
                    address 10.244.5.201/24;
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/7 {
            unit 0 {
                family inet {
                    address 192.168.123.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 10.0.0.0/8 next-hop 10.244.0.18;
            route 192.168.1.0/24 next-hop 192.168.0.1;
        }
    }
    protocols {
        pim {
            rp {
                local {
                    family inet {
                        address 10.244.5.201;
                    }
                }
            }
            interface all {
                mode dense;
                version 2;
            }
            interface fxp0.0 {
                disable;
            }
        }
        stp;
    }
    security {
        log {
            mode stream;
            source-address 192.168.0.2;
            stream SIEM {
                format syslog;
                host {
                    192.168.1.4;
                }
            }
        }
        ike {
            traceoptions {
                flag all;
            }
        }
        application-tracking {
            first-update;
        }
        policies {
            from-zone Internal to-zone Internet {
                policy internaltowan {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy wantointernal {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internal {
                policy internaltointernal {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                address-book {
                    address InternalAddresses 192.168.0.0/16;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
                application-tracking;
            }
            security-zone Internet {
                address-book {
                    address WANSources 10.0.0.0/8;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
                application-tracking;
            }
            security-zone undefined;
            security-zone Maintenance {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile juniperUsers {
            authentication-order password;
            client juniper {
                firewall-user {
                    password "xxxxxxx";
                }
            }
        }
    }



  • 8.  RE: SRX Pre-fragmented packets

     
    Posted 12-10-2014 05:25

    Thanks for the answers and config.  If I have this right, you are trying to send from a host on ge-0/0/1 to a host on ge-0/0/2 (or vice versa) since those are the ones with MTU 1800.

     

    Have you tried getting a PCAP from the SRX?

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

     

    I personally am not aware of limitations regarding pre-fragmented packets other than when screens or IDP is involved.  Your config is pretty wide open and upon first glance, I don't see any issues.



  • 9.  RE: SRX Pre-fragmented packets
    Best Answer

     
    Posted 12-10-2014 05:50

    This might be of interest:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21946

     

     

    CAUSE:

    This issue occurs on all SRX platforms running 11.2 and earlier. This issue occurs as a result of SRX platforms having limited interface buffers to store fragmented packets, that is size < 10k.

    If the fragmented packets come in with a combined size of > 10k, at the time of re-assembly, SRX will drop the packets due to the lack of interface buffer space to re-assemble the fragmented chunks in one big packet.

     

    SOLUTION:

    With 11.4 and later, the Interface Buffer limit to re-assemble the fragmented chunks is increased to 64k on high end SRX; on the branch, the limit is still 10k.

     

     

     

    Haven't checked latest release notes to see if this behavior has changed.

     

     

    Regards,

    Sam
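    To make the KB's numbers concrete, here is an added Python model (not from Juniper, the KB, or anyone in this thread) of a reassembler that gives up once a datagram's buffered fragments exceed a limit, run with the 10k branch and 64k high-end limits against the first post's case: a 12 KB datagram pre-fragmented at an MTU of 1800. It assumes the limit applies to the reassembled payload size and uses constructed addresses borrowed from the posted config as sample values.

```python
"""Constructed model of the SRX fragment-reassembly buffer limit described in KB21946."""
import struct
import ipaddress
from collections import defaultdict

BRANCH_LIMIT = 10 * 1024    # branch SRX: 10k reassembly buffer (KB21946)
HIGHEND_LIMIT = 64 * 1024   # high-end SRX from 11.4: 64k (KB21946)

def fragment(payload, mtu, ident, src="192.168.0.10", dst="10.244.5.10", proto=17):
    """Split one datagram payload into IPv4 fragments the way a sender would (RFC 791)."""
    step = (mtu - 20) // 8 * 8           # every fragment but the last carries a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more = off + step < len(payload)
        flags_frag = (0x2000 if more else 0) | (off // 8)   # MF flag + 13-bit fragment offset
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident, flags_frag,
                          64, proto, 0, ipaddress.IPv4Address(src).packed,
                          ipaddress.IPv4Address(dst).packed)
        frags.append(hdr + chunk)
    return frags

def reassemble(packets, limit):
    """Buffer fragments per (src, dst, id, proto); return (completed payloads, dropped keys)."""
    buf, total, expect = defaultdict(dict), defaultdict(int), {}
    done, dropped = [], []
    for pkt in packets:
        ver_ihl, _, length, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl, off, more = (ver_ihl & 0x0F) * 4, (ff & 0x1FFF) * 8, bool(ff & 0x2000)
        key = (src, dst, ident, proto)
        if key in dropped:               # rest of a datagram already discarded
            continue
        data = pkt[ihl:length]
        total[key] += len(data)
        if total[key] > limit:           # the KB's failure mode: buffer exhausted, datagram dropped
            dropped.append(key)
            buf.pop(key, None)
            continue
        buf[key][off] = data
        if not more:
            expect[key] = off + len(data)   # last fragment fixes the full datagram length
        if key in expect and sum(len(d) for d in buf[key].values()) == expect[key]:
            done.append(b"".join(buf[key][o] for o in sorted(buf[key])))
    return done, dropped

def outcome(size, mtu, limit):
    """Return (number of fragments sent, whether the datagram was fully reassembled)."""
    frags = fragment(bytes(size), mtu, ident=0x1234)   # constructed zero-filled UDP payload
    done, _ = reassemble(frags, limit)
    return len(frags), len(done) == 1 and len(done[0]) == size
```

Under this model the 12 KB datagram survives only with the 64k limit, while a datagram that fits in a single MTU passes either way.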



  • 10.  RE: SRX Pre-fragmented packets

     
    Posted 12-10-2014 05:56

    Good find, samc!

     

    I was just about to post that I tested on Firefly Perimeter with some pre-fragmented packets and did not have an issue passing them from one interface to another.  I'm running 12.1X47-D10.4, but that may not matter if this issue only affects hardware-based SRX.



  • 11.  RE: SRX Pre-fragmented packets

    Posted 12-10-2014 06:07
    Great find, thanks. Dumb question, what is meant by a branch?


  • 12.  RE: SRX Pre-fragmented packets

     
    Posted 12-10-2014 06:10

    Refers to the SRX models.  Branch SRX is 100, 110, 210, up to 650.  Data center or high end SRX are 1400 up through the 5800.



  • 13.  RE: SRX Pre-fragmented packets

    Posted 12-10-2014 06:12
    Ah ok. Fantastic, thanks very much folks


  • 14.  RE: SRX Pre-fragmented packets

    Posted 12-10-2014 08:05
    FYI, I have just installed the latest JunOS as mine was a couple of versions old. The same problem still exists, and I can't find anything in the release notes to suggest this has been fixed for the SRX Series.


  • 15.  RE: SRX Pre-fragmented packets

     
    Posted 12-11-2014 11:14

    Hi.

     

    Was thinking about it this morning.

     

    perhaps a workaround is to use firewall filters and make that traffic be packet mode...otherwise known as "Selective Stateless Packet-Based Forwarding."

     

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB26757

     

    Regards,

    Sam