04-13-2012 12:30 AM
I have run into a small problem and I'm hoping the forum could shed some light and point me in the right direction.
I need to set up packet-mode for a particular range of public IPs.
I have set up a prefix-list that references the public IPs.
I have set up a firewall filter from source to destination (prefix-list), then packet-mode.
I have then bound the filter to both interfaces, ge-0/0/0 and ge-0/0/3.
I have attached a diagram and the config of the SRX220.
Once I applied the config, we could ping the servers from the internet.
Voice services were working like a dream.
The show firewall command indicated the filter was being hit.
We could not connect to any TCP services on the prefix-list, but UDP traffic was working well.
port 80 was not responding
port 5900 - not responding
SSH - not responding
Seems like TCP was being blocked for some reason.
Has anyone else had the same problem? Am I doing something wrong?
Let me know.
04-13-2012 01:23 AM - edited 04-13-2012 01:25 AM
If possible, could you please provide the flow trace output for the problematic traffic? That would help in speedy resolution.
set security flow traceoptions file testing
set security flow traceoptions flag all (not basic-datapath)
set security flow traceoptions packet-filter 1 source-prefix x.x.x.x destination-prefix y.y.y.y protocol tcp
set security flow traceoptions packet-filter 2 source-prefix y.y.y.y destination-prefix x.x.x.x protocol tcp
Initiate one TCP flow and provide the output of "show log testing | no-more".
04-13-2012 01:32 AM
I will as soon as I get a change window.
Do you think it might be because the interfaces are assigned to zones?
As soon as we get another change window, I'll set up the trace and post the output.
Currently the firewall is in full packet-mode:
set security forwarding-options family mpls mode packet-based
04-13-2012 04:11 AM
I think, as you have applied the same filter on ge-0/0/0 and ge-0/0/3, for TCP connections initiated from the Internet the first packet (SYN) will match the firewall filter applied on ge-0/0/0 and be processed in packet mode, i.e. bypass the flow module. The reply (SYN+ACK) from the server in the DMZ will come in on the ge-0/0/3 interface and does NOT match the firewall filter's main term (because for this packet the destination is NOT the MIA prefix list); it matches term 2 and will be processed by the flow module. During this flow processing (first-path processing) it might be dropped by the SRX, as the first packet is not a SYN.
So removing the filter on ge-0/0/3 might help, or apply a different filter with correct match conditions.
04-13-2012 04:41 AM
Correct, I should have shown my latest config, sorry.
I realised that too, so I then created a reverse filter for source (prefix-list) and destination 0/0 and bound it to ge-0/0/3.
Same problem, TCP traffic would not pass through.
I'll set up a trace when we get a change window.
Thanks for the help so far.
04-13-2012 06:44 AM
Just one more thing: how did you apply the firewall filters on these interfaces? In both input and output directions (as shown in your current config), or only in the input direction?
If we apply the same filter in both directions (input, output) on the same interface, I think that will create an issue again.
You may try applying the two filters configured on the respective interfaces only in the input direction.
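The configuration that the two replies above converge on (a destination-matching filter on the Internet-facing interface, a mirror source-matching filter on the DMZ interface, each applied in the input direction only), written out as an added example rather than the poster's actual config. The interface names come from the thread; the prefix-list name MIA-PUBLIC, the filter and term names, and the documentation range 203.0.113.0/28 standing in for the real public IPs are assumptions.

```junos
## Added example, not the original poster's configuration.
## Assumed: prefix-list name MIA-PUBLIC, filter/term names, and the
## documentation range 203.0.113.0/28 in place of the real public IPs.

## Public range that must be handled in packet mode (bypassing the flow module)
set policy-options prefix-list MIA-PUBLIC 203.0.113.0/28

## Internet -> servers, applied as INPUT on ge-0/0/0: packets whose
## DESTINATION is in the public range are marked packet-mode; all other
## traffic falls through to normal flow-based processing.
set firewall family inet filter PM-TO-MIA term to-mia from destination-prefix-list MIA-PUBLIC
set firewall family inet filter PM-TO-MIA term to-mia then count to-mia-hits
set firewall family inet filter PM-TO-MIA term to-mia then packet-mode
set firewall family inet filter PM-TO-MIA term to-mia then accept
set firewall family inet filter PM-TO-MIA term flow-rest then accept

## Servers -> Internet, applied as INPUT on ge-0/0/3: the mirror term
## matches on SOURCE, so the SYN+ACK is also packet-mode instead of
## arriving at the flow module as a non-SYN first packet and being dropped.
set firewall family inet filter PM-FROM-MIA term from-mia from source-prefix-list MIA-PUBLIC
set firewall family inet filter PM-FROM-MIA term from-mia then count from-mia-hits
set firewall family inet filter PM-FROM-MIA term from-mia then packet-mode
set firewall family inet filter PM-FROM-MIA term from-mia then accept
set firewall family inet filter PM-FROM-MIA term flow-rest then accept

## Bind each filter in the INPUT direction only; no output filters, and
## never the same filter on both interfaces.
set interfaces ge-0/0/0 unit 0 family inet filter input PM-TO-MIA
set interfaces ge-0/0/3 unit 0 family inet filter input PM-FROM-MIA

## Verification after a TCP connection to a server in the range:
## both counters should increment (SYN on one, SYN+ACK on the other),
## and no session should appear for the flow, because packet-mode
## traffic never creates a flow session.
## > show firewall filter PM-TO-MIA
## > show firewall filter PM-FROM-MIA
## > show security flow session destination-prefix 203.0.113.0/28
```

One caveat worth keeping in mind with this design: packet-mode traffic skips the flow module entirely, so security policies, NAT, screens and ALGs no longer apply to anything in MIA-PUBLIC. The filter terms become the only access control for that range, so if only certain ports (for example the voice ports) should be reachable, put explicit match-and-discard or match-and-accept terms in front of the packet-mode term rather than sending the whole prefix through it.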
04-14-2012 11:43 AM
I have moved to the new config and all seems to be working fine. I now have an input filter on ge-0/0/0 and an input filter on ge-0/0/3.
We have tested and now TCP works. Everything works.
Thanks for your help.