SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX220 occasionally allowing traffic from trust to untrust

    Posted 07-05-2016 12:05

    Hi All,

    First of all, thank you for taking the time to read this post. I have an SRX220H which is running the 12.1X46-D40.2 release.

    After an accidental reboot of the SRX, it seemed to be working fine and the machine came back without issues. However, later on it started to give me some issues...

    To start off with the main issue:

    It seems that the firewall is occasionally letting traffic pass through to the Internet (untrust zone), but mainly it refuses access from a random device, located in the trust zone, to the untrust zone. However, when pinging from the SRX to, for example, 8.8.8.8, it seems to be working fine. When looking at the zones and policies, they all seem to be in order (they haven't changed since before the reboot). When looking at the output of "show security flow session", the traffic seems not to hit the firewall, while I clearly see it leaving the device (for example, directly connected).

    Troubleshooting steps taken so far:

    1. configuration checks
    2. NAT translation checks
    3. security policy checks
    4. load factory-defaults
    5. zeroized the srx
    6. reinstalled 12.1X46-D40.2

    Also, the SRX seems not to be able to ping/SSH to devices (even with the source set) which are located in the trust zone and ARE pingable / SSH-able from other devices within the trust zone.

    By now, I'm a bit at the point of kicking it out and buying a simple router. I hope someone could give me a pointer. Attached is my config file.

    Thank you in advance!!

    Greetings!

    Dan

    Attachment: SRX220h.txt (14 KB)


  • 2.  RE: SRX220 occasionally allowing traffic from trust to untrust

    Posted 07-06-2016 01:51

    Hi,

    I assume you have verified that traffic from LAN_ZONE to untrust is being NATed correctly.

    You could also check "show security nat source ....."

    I noticed the DHCP pool is 192.168.1.0/24, but the policies from LAN_ZONE to UNTRUST only match DHCP_STATIC [192.168.1.1 - 192.168.1.127], while NAT_STATIC is also 192.168.1.0/24. Addresses in 192.168.1.128/25 would be denied out to the untrust zone?

    Cheers,

    Ashvin


  • 3.  RE: SRX220 occasionally allowing traffic from trust to untrust

    Posted 07-06-2016 08:49

    Hi Ashvin,

    Thank you for your response. You're right, thank you for pointing that out. I have corrected it in the meantime; however, the hosts come from the lower part of the subnet (the one allowed).

    SRX220> show security nat source summary
    Total port number usage for port translation pool: 0
    Maximum port number for port translation pool: 16777216
    Total pools: 0
    
    Total rules: 1
    Rule name          Rule set       From              To                   Action
    NAT-RULE-SOURCE    NAT-RULE-SET   LAN_ZONE          UNTRUST              interface
    
    SRX220> show security nat source rule all
    Total rules: 1
    Total referenced IPv4/IPv6 ip-prefixes: 1/0
    
    source NAT rule: LAN_NAT-RULE-SOURCE Rule-set: LAN_NAT-RULE-SET
      Rule-Id                    : 3
      Rule position              : 1
      From zone                  : LAN_ZONE
      To zone                    : UNTRUST
      Match
        Source addresses         : LAN_NAT-ADDRSET
        Destination port         : 0               - 0
      Action                        : interface
        Persistent NAT type         : N/A
        Persistent NAT mapping type : address-port-mapping
        Inactivity timeout          : 0
        Max session number          : 0
      Translation hits           : 6725
        Successful sessions      : 6709
      Number of sessions         : 123
    

    The sessions are coming from 2 devices which seem to have a connection, but they are not stable at all. My other devices seem to struggle to be able (read: not able) to reach the gateway of the ISP. In other words, it seems the SRX is not allowing them through.

    Thanks in advance!

    Gr,

    Dan



  • 4.  RE: SRX220 occasionally allowing traffic from trust to untrust
    Best Answer

    Posted 07-07-2016 23:19

    Hi All,

    Just wanted to let you know that I found the issue. It seemed that a Chromecast was pretending to be a gateway for my network, pulling all traffic to it... I noticed some weird behavior when running Wireshark, where the SRX was asking (broadcast) who knew some DNS addresses. Also in the routing table, the 192.168.1.1 (GW address) was learned from the internal access network and the local VLAN, which was confusing... Disconnected the Chromecast, and everything returned to normal.

    Just some information, in case one of you is in the same situation.

    Gr,

    Dan



  • 5.  RE: SRX220 occasionally allowing traffic from trust to untrust

    Posted 07-08-2016 01:35

    Hi,

    Nice to hear it's resolved.

    One of the things to do in this case ["show security flow session", it seems not to hit the firewall] could be to look at the ARP table and compare the MAC address of the gateway.

    Cheers,

    Ashvin
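    Ashvin's suggestion to compare the gateway's MAC address in the ARP table can be turned into a small check. The following is an added example, not code from the thread or from Juniper: it parses constructed "show arp"-style output (all addresses and MACs below are made up) and flags a gateway IP that is missing from the table, is answered by an unexpected MAC, or shares a MAC with another host, which is what a device impersonating the gateway, as in this thread, looks like.

```python
import re

# Constructed sample modelled on Junos "show arp" output; not taken from the thread's attachment.
# The entry on ge-0/0/0.0 shows a second MAC claiming the gateway IP, and that same MAC also
# owns 192.168.1.20, i.e. an ordinary host on the LAN is answering for the gateway.
ARP_OUTPUT = """\
MAC Address       Address         Name                      Interface               Flags
5c:5e:ab:00:00:01 192.168.1.1     192.168.1.1               vlan.0                  none
f4:f5:d8:00:00:02 192.168.1.20    192.168.1.20              vlan.0                  none
f4:f5:d8:00:00:02 192.168.1.1     192.168.1.1               ge-0/0/0.0              none
00:0c:29:00:00:03 192.168.1.30    192.168.1.30              vlan.0                  none
Total entries: 4
"""

# One ARP row: MAC, IP, name (ignored), interface. Header and "Total entries" lines do not match.
ARP_LINE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<ifl>\S+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return a list of (mac, ip, interface) tuples from show-arp style text."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["mac"].lower(), m["ip"], m["ifl"]))
    return entries


def check_gateway(entries, gateway_ip, expected_mac):
    """Compare every ARP binding for the gateway IP against the MAC it should have.

    Returns a list of finding strings; an empty list means the gateway looks consistent.
    """
    findings = []
    if not any(ip == gateway_ip for _, ip, _ in entries):
        # The SRX in the thread had no ARP entry for 192.168.1.1 at all, so "absent"
        # is reported rather than silently treated as healthy.
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    for mac, ip, ifl in entries:
        if ip == gateway_ip and mac != expected_mac.lower():
            findings.append(f"gateway {ip} answers from unexpected MAC {mac} on {ifl}")
    # One MAC holding the gateway IP and another host IP is the rogue-gateway signature.
    ips_per_mac = {}
    for mac, ip, _ in entries:
        ips_per_mac.setdefault(mac, set()).add(ip)
    for mac, ips in ips_per_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(sorted(ips - {gateway_ip}))
            findings.append(f"MAC {mac} claims gateway {gateway_ip} and also {others}")
    return findings
```

    The expected gateway MAC should come from the ISP router itself (or a known-good capture), not from the same ARP table being checked.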



  • 6.  RE: SRX220 occasionally allowing traffic from trust to untrust

    Posted 07-08-2016 05:51

    Hi Ashvin,

    That's the funny thing, there was no ARP entry for 192.168.1.1. So yeah, weird... anyways, the problem is fixed. Thank you for your time!

    Gr,

    Dan