SRX Services Gateway

RT_ALG_WRN_CFG_NEED

‎05-12-2019 04:21 PM

Hi All

I have recently had the following non-stop warning log on an SRX320 (15.1X49-D50.3). When looking at Juniper's System Log Explorer, the log says that it is not an error. If it is not an error, why does Junos need a configuration? Or how to fix this warning log? Any ideas or techniques to respond to the log?

 

May 13 10:58:52 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/49488 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:58:55 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/49568 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:58:56 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/61580 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:58:56 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.22/51051 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:00 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/62001 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:10 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/63129 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:31 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50345 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:34 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/64807 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:37 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/64970 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:40 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50527 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:41 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.129/52665 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:41 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.129/52669 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:53 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.83.232/62423 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 11:00:05 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/50527 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 11:00:06 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.83.234/60448 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 11:00:08 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50842 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

 

Thanks,

Arix

7 REPLIES 7

Re: RT_ALG_WRN_CFG_NEED

‎05-12-2019 08:29 PM

Try to read this topic


Re: RT_ALG_WRN_CFG_NEED

‎05-19-2019 09:33 PM

Hi all,

I persistently and consistently get the following log; it is being generated every 4 seconds. It seems that MSRPC is enabled by default.

In order to get some logs via traceoptions about the associated traffic (MSRPC ALG) being denied, I created the following traceoptions with a packet filter, but I couldn't see any deny in the whole log file (alg_deny).

If this log means MSRPC is being denied, I should be seeing denied traffic. But I am not... Where is my mistake, or where am I not troubleshooting correctly? Any ideas please?

 

May 20 14:07:33 VItSRX320 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.10.3.29/57624 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

 

VItSRX320> show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Enabled
SCCP : Disabled
SIP : Disabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled

VItSRX320>

 

VItSRX320>show configuration security | display set | match alg
set security alg sccp disable
set security alg sip disable

 

My traceoptions with the filter:

set security flow traceoptions file alg_deny files 2 size 1m world-readable
set security flow traceoptions flag all
set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29

 

 

VItSRX320>file list detail /var/log/ | match alg
-rw-r--r-- 1 root wheel 767199 May 20 13:41 alg_deny
-rw-r--r-- 1 root wheel 84685 May 20 13:40 alg_deny.0.gz

Thanks

Arix

 


Re: RT_ALG_WRN_CFG_NEED

‎05-19-2019 10:04 PM

Hello,

 

I would suggest to not use the flag all in the flow traceoptions. This logs a lot of background noise.

 

Use the traceoptions flag basic-datapath. Additionally, also setup the filter for anything destined to 10.10.3.29 as well.

 

set security flow traceoptions file alg_deny files 2 size 1m world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29
set security flow traceoptions packet-filter packet_filter2 destination-prefix 10.10.3.29

 

Regards,

 

Vikas


Re: RT_ALG_WRN_CFG_NEED

[ Edited ]
‎05-20-2019 09:56 PM

Hi All,

1-) This time I used the following modified traceoptions, and the output showed that there is no denied traffic sourced from or destined to 10.10.3.29 on the SRX.

set security flow traceoptions file alg_deny files 2 size 1m world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29
set security flow traceoptions packet-filter packet_filter2 destination-prefix 10.10.3.29

 

The following log is still being generated every 8 seconds on the branch SRX. I am not sure, but when searching for this log, many engineers on the Juniper discussion board point out that this traffic is being blocked by the MSRPC ALG, as the MSRPC ALG is enabled by default on the SRX. But traceoptions has just shown that there is no dropped or denied MSRPC traffic.

 

>show security alg status | match msrpc
MSRPC : Enabled

 

junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.10.3.29/53835 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

 

 

2-) In the same traceoptions output I accidentally saw the following info related to fragmentation. This is another concern. The currently configured TCP MSS value is 1450 on the branch site. May I ask whether fragmentation is occurring? If so, what should be done to establish a symmetric MSS value end to end?

 

remote site network---ex---srx(branch)------Ipsec vpn------srx(datacentre)------

 

May 21 08:40:17 08:40:17.513197:CID-0:RT:MSS found 0x 5b4

May 21 08:40:17 08:40:17.513197:CID-0:RT: rewrite TCP MSS, new MSS: 1450, old MSS: 1460

 

> show configuration security flow | display set
set security flow tcp-mss all-tcp mss 1450
set security flow tcp-session no-syn-check
set security flow tcp-session no-syn-check-in-tunnel
set security flow tcp-session no-sequence-check

 

Thanks 

Ar


Re: RT_ALG_WRN_CFG_NEED

‎05-20-2019 10:22 PM

Hello,

 

Thanks for taking that. My observations:

 

> The flow traceoptions ran for about 20 mins and no drops were seen

> Flow processing shows the traffic passed

> So definitely it is not dropped by the flow module, which incidentally is also involved in ALG processing

> Prima facie the logs seem to be non impacting

> I would be interested in seeing a pcap of traffic in and out of the firewall to check if anything is really dropped

> You can do a pcap on ingress and egress interfaces to see what we get

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

 

Regards,

 

Vikas

 

PS: Be sure to delete traceoptions

 


Re: RT_ALG_WRN_CFG_NEED

‎05-20-2019 11:29 PM

Hi Arix,

 

I believe that the SRX is definitely dropping those packets; however, I'm not sure if you will see that in the flow traceoptions file. The SRX is reporting that in order to let the packets pass it needs extra configuration, which is pretty much configuring the SRX to permit users connecting to UUIDs unknown to the SRX. You might configure MS-RPC traceoptions to dig further:

 

 

# set security alg msrpc traceoptions flag all
# set security alg traceoptions file MS-RPC-TRACE size 1g
# set security alg traceoptions level verbose
# commit
# run show log MS-RPC-TRACE

 

 

Also you could try using the flag "error" instead of the flag "basic-datapath" in the security flow traceoptions. You can upload the files when you post a comment.

 

First question: how is the security policy that is allowing the communications configured? Are you specifically referencing the MS-RPC application, or are you just using "application any"?

 

MS-RPC is used by Windows devices to communicate between processes running on different devices; these remote processes are identified by UUIDs.

The device acting as the client will first establish a connection via port 135 and will ask for the dynamic port on which a specific service (UUID) is listening on the remote end. The device acting as the server will provide this information and the client will open a new session on that dynamic port (a high random port). Ideally we don't configure security policies that permit traffic on all ports, so when you reference the ms-rpc application in a security policy it only permits port 135, and the SRX listens to the communications between the client and the server in order to determine what high random port will be used next; the SRX allows communications from the client on that port only, blocking traffic on any other non-negotiated port. That's pretty much the functionality of the MS-RPC ALG. However, it is very common that from specific zones we don't need that much security, and sometimes we can have a security policy allowing all the traffic from a specific zone to another zone.

 

Second question: Can you disable MS-RPC ALG? If your security policy is configured for "application any" I believe there should not be any problem on disabling the ALG:

 

 

# set security alg msrpc disable
# commit
# run show security alg status

 

Based on the logs the UUIDs not being recognized are related to:

 

MS-NETLOGON: 12345678-1234-abcd-ef00-01234567cffb and 12345778-1234-abcd-ef00-0123456789ab

WMIC-Webm-Level1Login: f309ad18-d86a-11d0-a075-00c04fb68820

 

References:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-rpc-alg.html

https://kb.juniper.net/InfoCenter/index?page=content&id=KB12057

 

 

Please share the following operational commands:

 

show security alg msrpc

show security resource-manager summary

show security resource-manager resource active

show security resource-manager group active

show security flow session resource-manager summary

 

If you can determine that the logs are cosmetic and that no packet drops are happening, you could always prevent those logs from being written to your log file:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB9382

 

Hope this helps. Please mark my post as a Solution if it applies.
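An added example (not part of the original posts): a short Python script that tallies RT_ALG_WRN_CFG_NEED messages per UUID and source address, so you can see which UUIDs and clients a policy change would have to cover. The sample lines, host name and addresses are constructed; the UUID labels are the ones given in the reply above.

```python
import re
from collections import defaultdict

# Message format as quoted in this thread's syslog excerpts.
LINE_RE = re.compile(
    r"RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+) .*?"
    r"UUID:(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)

# Labels as given in the reply above (taken from the thread, not verified here).
UUID_LABELS = {
    "12345678-1234-abcd-ef00-01234567cffb": "MS-NETLOGON",
    "12345778-1234-abcd-ef00-0123456789ab": "MS-NETLOGON",
    "f309ad18-d86a-11d0-a075-00c04fb68820": "WMIC-Webm-Level1Login",
}

def summarize(lines):
    """Return {uuid: {"label", "count", "sources"}} for matching log lines."""
    hits = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        entry = hits[m["uuid"].lower()]
        entry["count"] += 1
        entry["sources"].add(m["src"])
    return {
        uuid: {"label": UUID_LABELS.get(uuid, "unknown"),
               "count": e["count"], "sources": sorted(e["sources"])}
        for uuid, e in hits.items()
    }

# Constructed sample lines in the same format (documentation address ranges).
TEMPLATE = ("May 13 10:58:52 fw1 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected "
            "packet from {} which need extra policy config with UUID:{} or "
            "'junos-ms-rpc-any' to let it pass-through on ASL session")
WMI = "f309ad18-d86a-11d0-a075-00c04fb68820"
NETLOGON = "12345678-1234-abcd-ef00-01234567cffb"
SAMPLE = [
    TEMPLATE.format("192.0.2.10/49488", WMI),
    TEMPLATE.format("192.0.2.11/61580", WMI),
    TEMPLATE.format("192.0.2.10/50345", WMI),
    TEMPLATE.format("198.51.100.5/51051", NETLOGON),
    "May 13 10:59:00 fw1 sshd: Accepted publickey for admin",
]

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"])
    for uuid, info in ranked:
        print(f"{info['count']:4d}  {uuid}  {info['label']}  {', '.join(info['sources'])}")
```

Feed it the real messages file (one line per list element) to get the same summary for your own device.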

 

 


Re: RT_ALG_WRN_CFG_NEED

‎05-20-2019 11:33 PM

Forgot to mention that you could also configure the "junos-ms-rpc-any" application on your security-policy as the log states.

 

Hope this helps.

 
