SRX Services Gateway

Flow Session Lookup Fails for return traffic when sourced from the SRX

06-25-2019 09:01 AM

Having some issues with an SRX dropping the return traffic because it thinks it is a new flow and doesn't belong to any existing sessions and says "packet dropped, first pak not syn".


The security flow trace appears to have matching flow data, but the return traffic gets dropped.


The SRX is trying to connect to a remote secondary identity management server across an IPsec tunnel that is terminated on the SRX itself. This connection to the identity management server is sourced from a revenue port. The same issue occurs when the SRX tries to download threat intel feeds from a policy enforcer server across the same IPsec tunnel. Any traffic sourced from inside the firewall on the same subnet works; it is only traffic sourced from the SRX itself that is dropped.


I have included the output of the security flow trace debug basic-datapath as an attachment.


Return dropped


Jun 25 13:57:43 13:57:43.722769:CID-0:RT:  ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/59093, tcp, flag 12 syn ack
Jun 25 13:57:43 13:57:43.722834:CID-0:RT: find flow: table 0x4ec03d8, hash 5292(0xffff), sa 10.254.255.130, da 10.254.254.254, sp 9443, dp 59093, proto 6, tok 7, conn-tag 0x00000000
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:  packet dropped, first pak not syn
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:flow_initiate_first_path: first pak no session


Re: Flow Session Lookup Fails for return traffic when sourced from the SRX

06-25-2019 09:19 AM

Hi 


Could you please share the SRX configuration that you have in place currently? 


Regards,

HS


Re: Flow Session Lookup Fails for return traffic when sourced from the SRX

06-25-2019 09:20 AM

Hi


ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/59093, tcp, flag 12 syn ack


What does your flow trace configuration look like?

If you have packet filters enabled in both directions (request and response), that should cover both the syn and the syn-acks.

Is there a NAT in the traffic context?


Cheers

Pooja

 Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!


Re: Flow Session Lookup Fails for return traffic when sourced from the SRX

06-25-2019 09:30 AM

There is asymmetric routing in your network. Outgoing traffic from the SRX is going via the st0.2 tunnel interface (ge-0/0/3 exit interface), but the return traffic is not coming back via the tunnel.
Return traffic is received on another interface, ge-0/0/2.0. That is why the SRX is dropping the packets. Please check your routing. Return traffic should come via the tunnel interface.


routed (x_dst_ip 10.254.255.130) from junos-host (.local..0 in 0) to st0.2, Next-hop: 10.254.255.130
going into tunnel 67108908 (nsp_tunnel=0x851eb98)
ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/60169, tcp, flag 10


Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
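The trace lines quoted in the original post and the routing lines Nellikka quotes above are easier to read once the lines that belong to one packet are grouped together. The following is an added example written for this thread; it is not code from the posts or from Juniper. It parses basic-datapath trace output into one record per packet header, attaches the "no session found", "packet dropped" and "routed ... to st0.2" lines that follow it, and flags a SYN/ACK dropped in the first path together with the interface it arrived on. The sample trace is constructed: its first five lines are the ones quoted in the post, and the last three (a host 10.254.254.10 on ge-0/0/1.0, port 60169) are made up to show an accepted first path for comparison.

```python
"""Triage helper for SRX 'security flow traceoptions' output (flag basic-datapath).

Added example for this thread, not code from the original posts or from Juniper:
it groups the trace lines that follow each packet header into one record, then
reports packets dropped in the first path, so a SYN/ACK arriving with no session
and the interface it arrived on are visible at a glance.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample trace. The first five lines are the ones quoted in the
# original post; the last three are made up here to show an accepted first path
# (a SYN from an inside host routed into st0.2) for comparison.
SAMPLE_TRACE = """\
Jun 25 13:57:43 13:57:43.722769:CID-0:RT:  ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/59093, tcp, flag 12 syn ack
Jun 25 13:57:43 13:57:43.722834:CID-0:RT: find flow: table 0x4ec03d8, hash 5292(0xffff), sa 10.254.255.130, da 10.254.254.254, sp 9443, dp 59093, proto 6, tok 7, conn-tag 0x00000000
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:  packet dropped, first pak not syn
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:flow_initiate_first_path: first pak no session
Jun 25 13:57:50 13:57:50.100000:CID-0:RT:  ge-0/0/1.0:10.254.254.10/60169->10.254.255.130/9443, tcp, flag 2 syn
Jun 25 13:57:50 13:57:50.100050:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jun 25 13:57:50 13:57:50.100100:CID-0:RT:  routed (x_dst_ip 10.254.255.130) from ge-0/0/1.0 (10.254.254.10 in 0) to st0.2, Next-hop: 10.254.255.130
"""

# Packet header line: "<ifc>:<sa>/<sp>-><da>/<dp>, <proto>, flag <hex> <names>"
PACKET_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:]+) \S+:CID-\d+:RT:\s*"
    r"(?P<ifc>\S+?):(?P<sa>\d+\.\d+\.\d+\.\d+)/(?P<sp>\d+)->"
    r"(?P<da>\d+\.\d+\.\d+\.\d+)/(?P<dp>\d+), (?P<proto>\w+), "
    r"flag (?P<flag>[0-9a-fA-F]+)(?P<names>.*)$"
)
NO_SESSION_RE = re.compile(r"no session found, start first path")
DROP_RE = re.compile(r"packet dropped, (?P<reason>.+?)\s*$")
ROUTE_RE = re.compile(r"routed \(x_dst_ip \S+\) from (?P<src>\S+) .*? to (?P<dst>\S+), Next-hop")


@dataclass
class PacketRecord:
    ts: str
    ifc: str          # ingress interface as printed by the trace
    sa: str
    sp: int
    da: str
    dp: int
    proto: str
    flags: str        # symbolic TCP flag names as the trace prints them, e.g. "syn ack"
    first_path: bool = False          # "no session found, start first path" seen
    routed_to: Optional[str] = None   # egress interface from the "routed ... to" line
    drop_reason: Optional[str] = None

    @property
    def verdict(self) -> str:
        names = set(self.flags.split())
        if self.drop_reason is None:
            return "forwarded" + (f" via {self.routed_to}" if self.routed_to else "")
        if self.drop_reason == "first pak not syn" and {"syn", "ack"} <= names:
            # A SYN/ACK reaching first-path processing means the forward SYN never
            # created a session on this path: asymmetric routing or a flow the
            # device itself originated over a different interface.
            return (f"SYN/ACK with no matching session on {self.ifc}: the forward SYN "
                    "did not create a session on this path (asymmetric routing)")
        return "dropped: " + self.drop_reason


def parse_trace(text: str) -> List[PacketRecord]:
    """Group trace lines into one PacketRecord per packet header line."""
    records: List[PacketRecord] = []
    current: Optional[PacketRecord] = None
    for line in text.splitlines():
        pkt = PACKET_RE.match(line)
        if pkt:
            current = PacketRecord(ts=pkt["ts"], ifc=pkt["ifc"], sa=pkt["sa"], sp=int(pkt["sp"]),
                                   da=pkt["da"], dp=int(pkt["dp"]), proto=pkt["proto"],
                                   flags=pkt["names"].strip())
            records.append(current)
            continue
        if current is None:
            continue  # detail line before any packet header; nothing to attach it to
        if NO_SESSION_RE.search(line):
            current.first_path = True
            continue
        drop = DROP_RE.search(line)
        if drop:
            current.drop_reason = drop["reason"]
            continue
        route = ROUTE_RE.search(line)
        if route:
            current.routed_to = route["dst"]
    return records


def first_path_drops(text: str) -> List[PacketRecord]:
    """Packets that reached first-path processing and were then dropped."""
    return [r for r in parse_trace(text) if r.first_path and r.drop_reason]


def summarize(text: str) -> Dict[str, int]:
    recs = parse_trace(text)
    return {
        "packets": len(recs),
        "dropped": sum(1 for r in recs if r.drop_reason),
        "routed_into_tunnel": sum(1 for r in recs if r.routed_to and r.routed_to.startswith("st0")),
    }


if __name__ == "__main__":
    for rec in parse_trace(SAMPLE_TRACE):
        print(f"{rec.ts} {rec.ifc} {rec.sa}:{rec.sp} -> {rec.da}:{rec.dp} "
              f"{rec.proto} [{rec.flags}] -> {rec.verdict}")
    print(summarize(SAMPLE_TRACE))
```

Run it against a saved trace file instead of `SAMPLE_TRACE` to get one line per packet with the ingress interface and the verdict; a drop reported on an interface other than the one the forward direction was routed out of is the asymmetry Nellikka describes.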

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX

06-25-2019 09:33 AM

Pooja,


Enabling no-syn-check seems like a bad idea for a production firewall, since that disables it globally. However, I thought about using a firewall filter to match the specific flow of traffic and then put that traffic in packet-mode. However, I wasn't sure which interface to apply it to.


trace config currently inactive:


safesys@Alpharetta-SRX340-01> show configuration security flow traceoptions 
##
## inactive: security flow traceoptions
##
file secFlowDebug size 20m files 5;
flag basic-datapath;
packet-filter filter2 {
    source-prefix 66.194.109.124/32;
    destination-prefix 172.127.49.85/32;
}
packet-filter filter1 {
    source-prefix 172.127.49.85/32;
    destination-prefix 66.194.109.124/32;
}

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX

06-25-2019 09:34 AM

I'll see if I can sanitize it and exclude any unnecessary bits. It is quite long.