SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Troubles with packet flow

    Posted 03-03-2014 09:04

    Hello everybody,

    I have some troubles with TCP packets that are going through my SRX 100B router. From time to time the router just drops the packets and doesn't forward them. Below is a log taken from security flow. Both interfaces are in the trust zone, where there is a screen just for the syn-flood alarm-threshold. In my security flow I have this:

    tcp-session {
        no-syn-check;
        no-syn-check-in-tunnel;
        no-sequence-check;
    }

    But still no change. Can you please help me with this? I also found out this: Plugin: id: 9, name: junos-tcp-svr-emul.

    Thanks.

    Mar 3 18:02:12 18:02:12.892196:CID-0:RT:<192.168.201.57/34115->10.200.20.130/1723;6> matched filter test:
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT:packet [60] ipid = 62984, @4002001a
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 14, common flag 0x0, mbuf 0x4001fe00, rtbl_idx = 0
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: flow process pak fast ifl 68 in_ifp fe-0/0/0.0
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: fe-0/0/0.0:192.168.201.57/34115->10.200.20.130/1723, tcp, flag 2 syn
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: find flow: table 0x42686e08, hash 10923(0xffff), sa 192.168.201.57, da 10.200.20.130, sp 34115, dp 1723, proto 6, tok 6
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: flow_first_create_session
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 10.200.20.130, sp 34115, dp 1723
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: chose interface fe-0/0/0.0 as incoming nat if.
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.200.20.130(1723)
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.201.57, x_dst_ip 10.200.20.130, in ifp fe-0/0/0.0, out ifp N/A sp 34115, dp 1723, ip_proto 6, tos 0
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT:Doing DESTINATION addr route-lookup
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: routed (x_dst_ip 10.200.20.130) from trust (fe-0/0/0.0 in 0) to fe-0/0/2.0, Next-hop: 192.168.200.62
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x854306bb,0x6bb)
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
    Mar 3 18:02:12 18:02:12.892196:CID-0:RT: 192.168.201.57/34115 -> 10.200.20.130/1723 proto 6
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: app 69, timeout 1800s, curr ageout 20s
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: permitted by policy TRUST-ALL(5)
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: dip id = 0/0, 192.168.201.57/34115->192.168.201.57/34115 protocol 0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:flow_first_get_out_ifp: IN!
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: choose interface fe-0/0/2.0 as outgoing phy if
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:is_loop_pak: No loop: on ifp: fe-0/0/2.0, addr: 10.200.20.130, rtt_idx:0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:jsf sess interest check. regd plugins 13
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Allocating plugin info block for 20 plugin(s) from OL
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0. rc 4
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0. rc 4
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0. rc 4
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:-jsf int check: plugin id 13, svc_req 0x0. rc 4
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x5. rc 3
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:Add plugid:9 to int table at :0, fill hole:0, holes:0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:Add plugid:0 to int table at :1, fill hole:0, holes:0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:Add plugid:14 to int table at :2, fill hole:0, holes:1
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:-jsf int check: plugin id 18, svc_req 0x0. rc 2
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:Add plugid:17 to int table at :3, fill hole:0, holes:1
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Allocating plugin info block for 3 plugin(s) from OL
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Attaching plugin 9, at index 0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Attaching plugin 14, at index 1
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Attaching plugin 17, at index 2
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Releasing plugin info block for 20 plugin(s) to OL
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Plugins enabled for session = 3 (frwk svcs mask 0xc), post_nat cnt 0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: service lookup identified service 69.
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: flow_first_final_check: in <fe-0/0/0.0>, out <fe-0/0/2.0>
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:flow_first_complete_session, pak_ptr: 0x3fdedcb0, nsp: 0x44cc0ad0, in_tunnel: 0x0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:construct v4 vector for nsp2
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: existing vector list 8082-41e1d848.
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Session (id:13075) created for first pak 8082
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: flow_first_install_session======> 0x44cc0ad0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: nsp 0x44cc0ad0, nsp2 0x44cc0b50
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: make_nsp_ready_no_resolve()
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: route lookup: dest-ip 192.168.201.57 orig ifp fe-0/0/0.0 output_ifp fe-0/0/0.0 orig-zone 6 out-zone 6 vsd 0
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: route to 192.168.201.57
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:Doing jsf sess create notify
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:-jsf create notify: plugin id 9. rc 5
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: plugin 9 aborted sess creation in create evt. rc 5
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT:flow_session_state_pending2valid: set nat invalid 13075, timeout 1, reason 22
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: flow find session returns error.
    Mar 3 18:02:13 18:02:12.892196:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)



  • 2.  RE: Troubles with packet flow
    Best Answer

    Posted 03-04-2014 05:20

    From the flow trace, it looks like you are making a PPTP connection.  Is it always these connections that get dropped?

    There is some mention in the trace about plug-ins so I wonder if the PPTP ALG is stepping in and messing this up.

    Try disabling it and see if that fixes your issue:

    set security alg pptp disable
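    The reasoning in the reply above (first path ran to completion, the policy permitted the flow, a plugin aborted session creation, and the destination port is PPTP's control channel) can be turned into a small triage script for SRX flow traces. The following Python is an added example written for this thread; it is not Juniper code and not from either poster. It parses a handful of lines excerpted from the trace in the original post (embedded below as a constructed sample), records the five-tuple, the matched policy, the attached plugins, any plugin that aborted session creation, and the final flow_process_pkt return codes, then produces a verdict. The plugin id-to-name table contains only id 9 ("junos-tcp-svr-emul"), the one name the original post gives; the regular expressions and the PPTP hint are assumptions based on the lines visible in this thread, not on any documented trace format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines excerpted from the flow trace in the original post.
SAMPLE_TRACE = """\
Mar 3 18:02:12 18:02:12.892196:CID-0:RT: fe-0/0/0.0:192.168.201.57/34115->10.200.20.130/1723, tcp, flag 2 syn
Mar 3 18:02:12 18:02:12.892196:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Mar 3 18:02:13 18:02:12.892196:CID-0:RT: permitted by policy TRUST-ALL(5)
Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Attaching plugin 9, at index 0
Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Attaching plugin 14, at index 1
Mar 3 18:02:13 18:02:12.892196:CID-0:RT: Session (id:13075) created for first pak 8082
Mar 3 18:02:13 18:02:12.892196:CID-0:RT:-jsf create notify: plugin id 9. rc 5
Mar 3 18:02:13 18:02:12.892196:CID-0:RT: plugin 9 aborted sess creation in create evt. rc 5
Mar 3 18:02:13 18:02:12.892196:CID-0:RT:flow_session_state_pending2valid: set nat invalid 13075, timeout 1, reason 22
Mar 3 18:02:13 18:02:12.892196:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

# Plugin id -> name. Only id 9 is named in the original post; everything else is reported as unknown.
PLUGIN_NAMES = {9: "junos-tcp-svr-emul"}

# Well-known TCP port of the PPTP control channel (RFC 2637).
PPTP_PORT = 1723

# Patterns are assumptions derived from the lines visible in this thread, not a documented format.
FIVE_TUPLE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+), (?P<proto>\w+)"
)
POLICY_RE = re.compile(r"permitted by policy (?P<policy>\S+)")
ATTACH_RE = re.compile(r"Attaching plugin (?P<pid>\d+), at index")
SESSION_RE = re.compile(r"Session \(id:(?P<sid>\d+)\) created")
ABORT_RE = re.compile(r"plugin (?P<pid>\d+) aborted sess creation.*rc (?P<rc>\d+)")
RESULT_RE = re.compile(r"flow_process_pkt rc (?P<rc>0x[0-9a-fA-F]+) \(fp rc (?P<fprc>-?\d+)\)")


@dataclass
class FlowVerdict:
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: str = ""
    policy: Optional[str] = None
    session_id: Optional[int] = None
    attached_plugins: List[int] = field(default_factory=list)
    aborting_plugin: Optional[int] = None
    abort_rc: Optional[int] = None
    final_rc: Optional[str] = None
    fp_rc: Optional[int] = None

    @property
    def dropped(self) -> bool:
        # A negative first-path return code means session setup failed and the packet was not forwarded.
        return self.fp_rc is not None and self.fp_rc < 0

    @property
    def plugin_name(self) -> str:
        if self.aborting_plugin is None:
            return ""
        return PLUGIN_NAMES.get(self.aborting_plugin, f"unknown-plugin-{self.aborting_plugin}")

    def diagnosis(self) -> str:
        if not self.dropped:
            return "packet forwarded: first path completed"
        parts = [f"packet dropped: flow_process_pkt rc {self.final_rc}, fp rc {self.fp_rc}"]
        if self.policy:
            parts.append(f"policy {self.policy} permitted the flow, so this is not a policy deny")
        if self.aborting_plugin is not None:
            parts.append(
                f"plugin {self.aborting_plugin} ({self.plugin_name}) aborted session creation with rc {self.abort_rc}"
            )
        if self.proto == "tcp" and self.dport == PPTP_PORT:
            parts.append("destination port 1723/tcp is the PPTP control channel, check the PPTP ALG")
        return "; ".join(parts)


def parse_flow_trace(text: str) -> FlowVerdict:
    """Walk a flow trace line by line and collect the facts needed for a drop/forward verdict."""
    v = FlowVerdict()
    for line in text.splitlines():
        if not v.src and (m := FIVE_TUPLE_RE.search(line)):
            v.src, v.sport = m["src"], int(m["sport"])
            v.dst, v.dport = m["dst"], int(m["dport"])
            v.proto = m["proto"].lower()
        elif m := POLICY_RE.search(line):
            v.policy = m["policy"]
        elif m := ATTACH_RE.search(line):
            v.attached_plugins.append(int(m["pid"]))
        elif m := SESSION_RE.search(line):
            v.session_id = int(m["sid"])
        elif m := ABORT_RE.search(line):
            v.aborting_plugin, v.abort_rc = int(m["pid"]), int(m["rc"])
        elif m := RESULT_RE.search(line):
            v.final_rc, v.fp_rc = m["rc"], int(m["fprc"])
    return v


if __name__ == "__main__":
    print(parse_flow_trace(SAMPLE_TRACE).diagnosis())
```

    Run against the sample, the verdict names plugin 9 as the one that aborted session creation and flags port 1723/tcp, which is the same chain of evidence the reply uses to point at the PPTP ALG. On a real trace, feed the whole output of the security flow traceoptions file to parse_flow_trace; a trace that ends with a non-negative fp rc is reported as forwarded, so the script separates genuine drops from packets that simply matched the filter.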


  • 3.  RE: Troubles with packet flow

    Posted 03-24-2014 01:53

    Thank you for your suggestion. It helped!