
Limit number of NAT sessions via IDS on MS-MIC-16G - possible ?

2 weeks ago

Hello,

 

I am using an MX-104 with an MS-MIC-16G and would like to limit the number of sessions per IP using IDS (I have a mixed NAT setup with napt-44, twice-napt-44, dnat-44 and basic-nat44 rules, so it looks quite easy to implement it this way).

 

When I apply the configuration below, the router stops forwarding and shows the error "unknown plugin junos-ids" in the log.

I've tried it with and without the stateful-firewall rules section and it behaved the same.

 

Q: Does IDS really work on the MX-104 with MS-MIC-16G? Does something else have to be turned on somewhere in the config (in the chassis section, for example) for this to work? Or is it a license issue?

 

Would you recommend any other way to prevent resource exhaustion on the MS-MIC in case of an attack?

 

Nov 23 23:49:24  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: Failed to enque session 0xe0590fdb0 to service set 1, svc_id 2

Nov 23 23:49:24  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: Failed to enque session 0xf179b5ef0 to service set 1, svc_id 2

(repeated a dozen times; service seriously degraded because new sessions could not be established)

 

 

[edit services service-set NAT]
+    stateful-firewall-rules SFWR1;
+    ids-rules IDS1;

[edit services]
+   stateful-firewall {
+       rule SFWR1 {
+           match-direction input-output;
+           term t1 {
+               then {
+                   accept;
+               }
+           }
+       }
+   }
+   ids {
+       rule IDS1 {
+           match-direction input-output;
+           term t1 {
+               then {
+                   session-limit {
+                       by-source {
+                           maximum 4096;
+                       }
+                   }
+               }
+           }
+       }
+   }

And the errors seen in the log:

 

Nov 26 09:27:47  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: svc_set_get_svc_order_list: unknown plugin junos-ids
Nov 26 09:27:47  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: svc_set_create_init: SSRB blob for svc set id 2 does not contain forward order list
Nov 26 09:27:47  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: msvcs_svc_set_add: svc_set_create_and_add failed for svc-set (1)

Thank you for any ideas.
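A small defender-side parser for the mspmand messages quoted above, added here as an example; it is not from the original post or from Juniper. It buckets "Failed to enque session" messages per service set and per minute so the degradation described can be alerted on, and separately reports "unknown plugin" messages, which indicate a service the MS-MIC does not support rather than load. The log lines are constructed in the post's format and the alert threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the mspmand messages in the post.
SAMPLE_LOG = """\
Nov 23 23:49:24  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: Failed to enque session 0xe0590fdb0 to service set 1, svc_id 2
Nov 23 23:49:24  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: Failed to enque session 0xf179b5ef0 to service set 1, svc_id 2
Nov 23 23:49:25  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: Failed to enque session 0xf179b5f10 to service set 1, svc_id 2
Nov 23 23:50:01  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: Failed to enque session 0xf179b5f30 to service set 1, svc_id 2
Nov 26 09:27:47  my-gw (FPC Slot 0, PIC Slot 2)  ms02 mspmand[229]: svc_set_get_svc_order_list: unknown plugin junos-ids
"""

# Syslog timestamp (no year) followed by the session-enqueue failure text.
ENQUEUE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"Failed to enque session 0x[0-9a-f]+ to service set (?P<sset>\d+)"
)
# Configuration error: a service plugin the PIC software does not know.
PLUGIN_RE = re.compile(r"unknown plugin (?P<plugin>\S+)")


def enqueue_failures_per_minute(text):
    """Count enqueue failures keyed by (service set id, 'Mon DD HH:MM')."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = ENQUEUE_RE.search(line)
        if m:
            minute = m.group("ts")[:-3]  # drop ':SS' to bucket per minute
            counts[(m.group("sset"), minute)] += 1
    return dict(counts)


def unknown_plugins(text):
    """Plugin names reported as unknown (e.g. junos-ids on this MS-MIC)."""
    return sorted({m.group("plugin") for m in PLUGIN_RE.finditer(text)})


def exhaustion_alerts(text, threshold=3):
    """Service sets that hit `threshold` enqueue failures within one minute.
    The threshold is an assumed value; tune it to the platform's normal rate."""
    per_minute = enqueue_failures_per_minute(text)
    return sorted({sset for (sset, _), n in per_minute.items() if n >= threshold})


if __name__ == "__main__":
    print("alerts:", exhaustion_alerts(SAMPLE_LOG))
    print("unknown plugins:", unknown_plugins(SAMPLE_LOG))
```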

 


Re: Limit number of NAT sessions via IDS on MS-MIC-16G - possible ?

2 weeks ago

Hello,

You don't need IDS for session limiting; use the "max-sessions-per-subscriber" knob instead.

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/max-sessi...

HTH

Thx

Alex


Re: Limit number of NAT sessions via IDS on MS-MIC-16G - possible ?

a week ago

Thank you, but unfortunately that does not work because of the various NAT types used. Any other ideas?

 

[edit]
admin@my-gw# show | compare
[edit services service-set NAT]
+    nat-options {
+        max-sessions-per-subscriber 4096;
+    }

[edit]
admin@my-gw# commit confirmed 5
[edit services]
  'service-set NAT'
    max-sessions-per-subscriber knob is not supported with configured translation-type.
error: configuration check-out failed