SRX Services Gateway

Strange flow session destination limit problems

11-15-2013 02:07 AM

Hi,


We just upgraded our SRX 550 cluster and we noticed some strange behavior in the security screening.

One IP keeps showing up as Dst session limited, which is all fine IF the sessions were at their limit.. which they are not.


Please see config, logs and statistics below:


marcus@juniper-srx2> show configuration security screen
ids-option SCREEN {
    icmp {
        fragment;
        large;
        ping-death;
    }
    limit-session {
        source-ip-based 10000;
        destination-ip-based 50000;
    }
}


marcus@juniper-srx2> show security flow session destination-prefix X.X.X.117 summary
node0:
--------------------------------------------------------------------------

Valid sessions: 7
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 7

node1:
--------------------------------------------------------------------------

Valid sessions: 0
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 0




Nov 15 10:58:16  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: X.X.X.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 10:58:59  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: X.X.X.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 10:59:01  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: X.X.X.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 10:59:23  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: X.X.X.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 11:00:01  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: X.X.X.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 11:00:04  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: X.X.X.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 11:02:36  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: X.X.X.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 11:02:37  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: X.X.X.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop


If anyone has any idea why it blocks when there is no traffic, I would really appreciate it.


Thanks!
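As an added example (not code from this thread or from Juniper), the following Python script shows the check a defender would script for this symptom: it counts RT_SCREEN_SESSION_LIMIT drop events per destination from the syslog and compares them with the per-node totals from "show security flow session destination-prefix ... summary"; a drop logged while the cluster-wide total for that destination is nowhere near the configured destination-ip-based limit is the unsynchronised-counter condition JTAC describes later in the thread. The log lines and summary output are constructed from the formats quoted above (192.0.2.117 stands in for the masked X.X.X.117), and the handling of a "Src IP session limit! source:" variant is an assumption.

```python
import re
from collections import Counter
# Constructed sample input modelled on the formats quoted in the thread;
# 192.0.2.117 stands in for the masked X.X.X.117 destination.
SCREEN_LOG = """\
Nov 15 10:58:16  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 192.0.2.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 10:58:59  juniper-srx2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 192.0.2.117, zone name: ISP, interface name: ge-9/0/5.0, action: drop
Nov 15 10:59:01  juniper-srx2 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 192.0.2.75/33269->192.0.2.117/53 junos-dns-udp
"""
SESSION_SUMMARY = """\
node0:
Valid sessions: 7
Total sessions: 7
node1:
Valid sessions: 0
Total sessions: 0
"""
DST_LIMIT = 50000  # destination-ip-based value from the screen config above

# Dst form as quoted in the thread; the "Src ... source:" spelling is an assumed variant.
SCREEN_RE = re.compile(
    r"RT_SCREEN_SESSION_LIMIT: (Src|Dst) IP session limit! "
    r"(?:source|destination): (\S+), zone name: (\S+), interface name: (\S+), action: (\w+)")
NODE_RE = re.compile(r"^(node\d+):", re.M)
TOTAL_RE = re.compile(r"^Total sessions: (\d+)", re.M)

def parse_screen_drops(log_text):
    """Count dropped events per (direction, ip); non-screen lines are ignored."""
    drops = Counter()
    for line in log_text.splitlines():
        m = SCREEN_RE.search(line)
        if m and m.group(5) == "drop":
            drops[(m.group(1), m.group(2))] += 1
    return drops

def parse_session_totals(summary_text):
    """Return {node: total sessions} from the per-node summary output."""
    parts = NODE_RE.split(summary_text)  # ['', 'node0', body0, 'node1', body1]
    totals = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        m = TOTAL_RE.search(body)
        totals[name] = int(m.group(1)) if m else 0
    return totals

def phantom_limit_hits(drops, totals, limit):
    """Dst drops logged while the cluster-wide count for the queried destination is below the limit."""
    cluster_total = sum(totals.values())
    return [(ip, n, cluster_total) for (direction, ip), n in sorted(drops.items())
            if direction == "Dst" and cluster_total < limit]
```

Run the summary command with the same destination-prefix as the logged IP so the totals and the drops refer to the same destination.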


Re: Strange flow session destination limit problems

11-15-2013 02:13 AM

I just noticed that it is only on node1 (second device) that it is being blocked. There are no logs about blocks on node0 at all, and I see in the statistics that there are 0 valid sessions.


Can there be some communication error between the two nodes?

marcus@juniper-srx1> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 71
    node0                   100         primary        yes      no
    node1                   1           secondary      yes      no

{primary:node0}


marcus@juniper-srx1> show chassis cluster ethernet-switching status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 71
    node0                   100         primary        yes      no
    node1                   1           secondary      yes      no

Ethernet switching status:
    Probe state is UP. Both nodes are in single ethernet switching domain(s).

{primary:node0}



marcus@juniper-srx1> show chassis cluster control-plane statistics
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 205576
        Heartbeat packets received: 205180
        Heartbeat packet errors: 0
Fabric link statistics:
    Child link 0
        Probes sent: 411497
        Probes received: 410616
    Child link 1
        Probes sent: 411497
        Probes received: 410598

{primary:node0}



marcus@juniper-srx1> show chassis cluster data-plane statistics
Services Synchronized:
    Service name                              RTOs sent    RTOs received
    Translation context                       18492        11
    Incoming NAT                              0            0
    Resource manager                          1895096      96
    DS-LITE create                            0            0
    Session create                            153754398    34775
    IPv6 session create                       103025       1395
    Session close                             15334415     17582
    IPv6 session close                        51635        893
    Session change                            7687413      288
    IPv6 session change                       35551        1164
    Gate create                               0            0
    Session ageout refresh requests           51023        1247309
    IPv6 session ageout refresh requests      27           2858
    Session ageout refresh replies            1745908      8773
    IPv6 session ageout refresh replies       45           14
    IPSec VPN                                 0            0
    Firewall user authentication              0            0
    MGCP ALG                                  0            0
    H323 ALG                                  0            0
    SIP ALG                                   0            0
    SCCP ALG                                  0            0
    PPTP ALG                                  0            0
    JSF PPTP ALG                              0            0
    RPC ALG                                   0            0
    RTSP ALG                                  0            0
    RAS ALG                                   0            0
    MAC address learning                      0            0
    GPRS GTP                                  0            0
    GPRS SCTP                                 0            0
    GPRS FRAMEWORK                            0            0
    JSF RTSP ALG                              0            0
    JSF SUNRPC MAP                            0            0
    JSF MSRPC MAP                             0            0
    DS-LITE delete                            0            0
    JSF SLB                                   0            0
    APPID                                     0            0
    JSF MGCP MAP                              0            0
    JSF H323 ALG                              0            0
    JSF RAS ALG                               0            0
    JSF SCCP MAP                              0            0
    JSF SIP MAP                               1074         0
    PST_NAT_CREATE                            135          0
    PST_NAT_CLOSE                             0            0
    PST_NAT_UPDATE                            5798         3
    JSF TCP STACK                             0            0
    JSF IKE ALG                               0            0

{primary:node0}
marcus@juniper-srx1>



Re: Strange flow session destination limit problems

02-18-2014 05:26 PM

Hi, I have the same problem, but my SRX650 drops just DNS traffic. I have udp limit-session destination-ip-based 10000.


BOP_SRX650-DCFW RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 130.180.224.180, zone name: UNTRUST, interface name: reth2.700, action: drop


BOP_SRX650-DCFW RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 130.180.252.75/33269->130.180.224.164/53 junos-dns-udp 130.180.252.75/33269->130.180.224.164/53 None None 17 untrust-to-dns1 UNTRUST LDAP-DNS 224731 2(474) 1(377) 60 DNS UNKNOWN N/A(N/A) reth2.700


Re: Strange flow session destination limit problems

02-19-2014 12:49 AM

Hi,


After a very long support case with JTAC I was told there is a bug in the version I am running.


Greetings from Juniper.
We have received an update from our engineering team that, as per the data collected during the issue, they can see that the session-sync data is not synchronized between the nodes and the counters on node 1 were continuously incrementing, and this causes the packet drops on node 1. We already have an old PR to track this issue and this is fixed in the following versions: 12.1X44-D30 / 12.1X45-D25 / 11.4R11 / 12.1X46-D10. We suggest you upgrade to one of these versions.
Feel free to contact us in case of any questions.


I have not yet upgraded so I can not confirm it fixed the issue.


Re: Strange flow session destination limit problems

05-27-2014 03:37 AM

Exactly the same problem, but without a cluster and for the source session limit, Junos 12.1x44.D11.4. It was normal that IPS/UTM and additional functionality like NAT, multipoint tunnels always come with bugs, but it's too bad that even base functions like name resolution or screens are broken in new Junos releases.