vSRX

HTTP traffic entering the revenue interface is being answered by the management interface

3 weeks ago

I have deployed a basic network architecture on AWS with a single vSRX firewall with 3 interfaces: fxp0, ge-0/0/0 and ge-0/0/1. I currently have a single web server behind the firewall in the private subnet that is connected using the ge-0/0/1.0 interface. I am trying to access the web server through the firewall. At first I couldn't establish a TCP connection, and after running Wireshark both on my local PC and on the cloud VPC I figured out that the ACK packets were being sent back using the fxp0 interface! It turns out that during my testing I messed with the routing instances. So I added a default route in a separate routing instance called:

main-vr: interfaces ge-0/0/0.0 and ge-0/0/1.0

and left the fxp0 interface in the default routing instance

Now I can establish a TCP connection but the HTTP traffic keeps being redirected through the fxp0 interface! I don't know what is causing this problem.

Do you have any ideas as to what I should look at next? And should I post my configuration, as that could help trace back the issue?

Thank you for your help.


Re: HTTP traffic entering the revenue interface is being answered by the management interface

3 weeks ago

What interface are you trying to access the web server from? Sounds like you are coming in through fxp0.

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: HTTP traffic entering the revenue interface is being answered by the management interface

3 weeks ago

I am accessing HTTP on the GE-0/0/3 interface.

If I ping the interface from my PC I get an echo reply.

If I try to access the HTTP server I get an error HTTP 302 "too many redirects".

What I think is happening is that the packets are being directed to the default route on the fxp0 interface instead of the route in the virtual routing instance that I created. It seems this routing instance is having no effect on the routing decisions. 



Re: HTTP traffic entering the revenue interface is being answered by the management interface

3 weeks ago

That is strange. 

Just to make sure: is this what you are trying to do?

[attached diagram: SRX.png]

Also, have you tried turning on packet tracing to check how traffic is being processed? If not, try this:

[edit security flow]
user@srx# show
traceoptions {
    file FLOW_TRACING;
    flag basic-datapath;
    packet-filter filter-name {
        source-prefix <PC>;
        destination-prefix <web_server>;
        source-port any;
        destination-port 80;
    }
}

user@srx> show log FLOW_TRACING

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: HTTP traffic entering the revenue interface is being answered by the management interface

3 weeks ago

I tried the traceoptions but with no success. I have been using Wireshark to see how the traffic is being routed and it always leaves on the fxp0 interface. If I issue a ping from the vSRX to the web server it leaves the firewall on fxp0; if I specify the routing instance in the ping command then it does go correctly out GE-0/0/1.0.

This is the configuration file:


## Last changed: 2019-11-19 15:34:20 UTC
version 18.3R1.9;
#junos-config
groups {
    aws-default {
        system {
            login {
                user ec2-user {
                    full-name juniper-aws-ec2-user;
                    uid 100;
                    class super-user;
                    authentication {
                        ssh-rsa "ssh-rsa RSA-key-for-EC2-machine firewall";
                    }
                }
            }
            services {
                ssh {
                    no-passwords;
                }
                netconf {
                    ssh;
                }
                web-management {
                    https {
                        system-generated-certificate;
                    }
                }
            }
            license {
                autoupdate {
                    url https://ae1.juniper.net/junos/key_retrieval;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet;
                }
            }
        }
    }
}
apply-groups aws-default;
system {
    root-authentication {
        encrypted-password "password hash";
    }
    services {
        web-management {
            http {
                interface fxp0.0;
            }
            https {
                interface fxp0.0;
            }
        }
    }
}
security {
    log {
        utc-timestamp;
        mode stream;
        format syslog;
        report;
    }
    flow {
        traceoptions {
            flag basic-datapath;
            packet-filter pf1 {
                source-prefix my-ip-address/32;
            }
        }
    }
    nat {
        static {
            rule-set static-nat {
                from zone untrust;
                rule static-nat {
                    match {
                        destination-address 10.1.3.10/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.1.1.239/32;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy allow-web-in {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy allow-web-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone trust to-zone trust {
            policy intra-trust-rule {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
    }
    traceoptions {
        file flow-trace;
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.3.10/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.10/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.1.2.140/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.2.1;
        }
    }
}
routing-instances {
    main-vr {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.1.3.1;
            }
        }
    }
}


Re: HTTP traffic entering the revenue interface is being answered by the management interface

3 weeks ago

Here is a copy of the log file I created. Here I tried to ping the firewall once and I tried to access the HTTP server.

[attached log file]

Re: HTTP traffic entering the revenue interface is being answered by the management interface

3 weeks ago

Your SRX is treating traffic as destined to itself, not to the server ("pak_for_self").

Try using different addresses for the SRX and the server, as shown below.
Make sure that:

- you configure the policy correctly (I see that you configured it wide open, probably for testing). Destination NAT happens before a route lookup is performed and a policy is checked, so the policy should match on the translated destination address (the actual server's address).

- the SRX has a route for the server's actual address (in the example it is on the same network, so not a problem)

- you configure proxy-arp for the SRX to respond to ARP requests for the pretend IP address that you are using for the server, since it is in the same network.

[attached diagram: WEB ACCESS.png]

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps
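To make the processing order in that reply concrete, here is an added, simplified Python model (not vSRX code and not from the thread) of the first-path steps: host-address check, static NAT, route lookup in the ingress interface's routing instance, then the zone policy evaluated on the translated destination. Addresses, zones and routing instances come from the configuration posted above; the tightened policy that matches the translated address, and the interface-based route table, are assumptions.

```python
# Teaching model of the SRX first-path order described in the reply above.
# Not vSRX code: addresses/zones/instances are from the posted config,
# the tightened policy and the egress-interface routes are assumptions.
from ipaddress import ip_address, ip_network

SELF_ADDRESSES = {"10.1.3.10", "10.1.1.10", "10.1.2.140"}   # vSRX interface IPs
IFACE_INSTANCE = {"ge-0/0/0.0": "main-vr", "ge-0/0/1.0": "main-vr", "fxp0.0": "inet.0"}
IFACE_ZONE = {"ge-0/0/0.0": "untrust", "ge-0/0/1.0": "trust"}
# routing instance -> (prefix, egress interface); defaults mirror the two static routes
ROUTES = {
    "main-vr": [("10.1.3.0/24", "ge-0/0/0.0"), ("10.1.1.0/24", "ge-0/0/1.0"),
                ("0.0.0.0/0", "ge-0/0/0.0")],
    "inet.0": [("10.1.2.0/24", "fxp0.0"), ("0.0.0.0/0", "fxp0.0")],
}
STATIC_NAT = {"10.1.3.11": "10.1.1.239"}   # the later rule_for_server
# zone pair -> [(destination prefix, port)]; the correct one matches the translated address
POLICY_OK = {("untrust", "trust"): [("10.1.1.239/32", 80)]}       # assumed
POLICY_PRE_NAT = {("untrust", "trust"): [("10.1.3.11/32", 80)]}   # common mistake

def route_lookup(instance, dst):
    """Longest-prefix match inside one routing instance."""
    best = None
    for prefix, egress in ROUTES[instance]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

def first_path(in_iface, dst, dport, policies=POLICY_OK):
    if dst in SELF_ADDRESSES:
        return "pak_for_self"          # host-inbound; the NAT rule is never consulted
    dst = STATIC_NAT.get(dst, dst)     # static NAT rewrites the destination first
    egress = route_lookup(IFACE_INSTANCE[in_iface], dst)
    if egress is None:
        return "no route"
    pair = (IFACE_ZONE[in_iface], IFACE_ZONE.get(egress, "no-zone"))
    for prefix, port in policies.get(pair, []):
        if ip_address(dst) in ip_network(prefix) and port == dport:
            return f"permit {dst}:{dport} via {egress}"
    return f"deny by policy {pair[0]}->{pair[1]}"

if __name__ == "__main__":
    print(first_path("ge-0/0/0.0", "10.1.3.10", 80))   # original rule used the SRX's own address
    print(first_path("ge-0/0/0.0", "10.1.3.11", 80))   # reworked rule with a spare address
    print(first_path("ge-0/0/0.0", "10.1.3.11", 80, POLICY_PRE_NAT))
```

The same lookup also shows why a packet handled in inet.0 instead of main-vr leaves via fxp0: route_lookup("inet.0", "10.1.1.239") resolves to the management interface.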

Re: HTTP traffic entering the revenue interface is being answered by the management interface

3 weeks ago

I followed your advice and I added a new IP address to the firewall interface in AWS, without adding the address in the vSRX configuration. So currently, public IP A.A.A.A when accessed will directly be sent to the ge-0 interface (this is the only way I could think of to make it work without ARP in the cloud). Now AWS will direct traffic destined to A.A.A.A to ge-0 with a destination IP of 10.1.3.11. I applied static NAT to this address:


nat {
    static {
        rule-set stat-rs1 {
            from interface ge-0/0/0.0;
            rule rule_for_server {
                match {
                    destination-address 10.1.3.11/32;
                }
                then {
                    static-nat {
                        prefix {
                            10.1.1.239/32;
                        }
                    }
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                10.1.3.11/32 to 10.1.3.11/32;
            }
        }
    }
}


I still keep getting hits on the NAT rule but all sessions fail:

[attached screenshot of the PuTTY session]

This is the flow-trace file, and all I can understand from it is that NAT is failing; I don't see what the possible error in the configuration could be.

[attached screenshot: nat.png]