Hi,
Why are new sessions created while I am using firewall filter on both interfaces with action-modifier packet-mode?
I have this configuration, interfaces:
ge-2/0/0 {
    gigether-options {
        802.3ad ae0;
    }
}
ge-2/0/1 {
    gigether-options {
        802.3ad ae0;
    }
}
ge-2/0/4 {
    gigether-options {
        802.3ad ae1;
    }
}
ge-2/0/5 {
    gigether-options {
        802.3ad ae1;
    }
}
ge-2/0/8 {
    gigether-options {
        802.3ad ae2;
    }
}
ge-2/0/9 {
    gigether-options {
        802.3ad ae2;
    }
}
ge-2/0/12 {
    gigether-options {
        802.3ad ae4;
    }
}
ge-2/0/13 {
    gigether-options {
        802.3ad ae4;
    }
}
ae0 {
    description "!ISP!";
    per-unit-scheduler;
    vlan-tagging;
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
        lacp {
            active;
        }
    }
    unit 500 {
        vlan-id 500;
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address x.x.x.2/29;
        }
    }
}
ae1 {
    description "!core !";
    per-unit-scheduler;
    vlan-tagging;
    mtu 1600;
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
        lacp {
            active;
        }
    }
    unit 47 {
        vlan-id 47;
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address y.y.y.y/30;
        }
    }
}
ae2 {
    description "!mgmt users nat!";
    vlan-tagging;
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
        lacp {
            active;
        }
    }
    unit 1330 {
        vlan-id 1330;
        family inet {
            address 192.168.30.1/24;
        }
    }
    unit 1337 {
        vlan-id 1337;
        family inet {
            address 192.168.2.5/24;
        }
    }
}
user@srx650# top show interfaces lo0.0
family inet {
    filter {
        input f-fw-re-protection;
    }
    address pub.lic.ip/32;
}
user@srx650> show configuration firewall
family inet {
    filter bypass-flow-filter {
        term bypass-flow-term-1 {
            from {
                destination-address {
                    x.x.x.3/32 except; # source nat-ip, pool on interface ae0.500
                }
            }
            then packet-mode;
        }
        term accept-rest {
            then accept;
        }
    }
}
user@srx650# show firewall family inet filter f-fw-re-protection # on lo0.0
term deny-ssh {
    from {
        inactive: source-prefix-list {
            pref-kxnet-management except;
        }
        protocol tcp;
        destination-port ssh;
    }
    then {
        count "lo0.0 deny ssh";
        log;
        syslog;
        discard;
    }
}
term allow-icmp {
    from {
        protocol icmp;
        icmp-type [ echo-request echo-reply unreachable time-exceeded ];
    }
    then {
        policer icmp-policer;
        accept;
    }
}
term allow-tcp-connection {
    from {
        protocol tcp;
        tcp-flags "(syn & !ack) | fin | rst";
    }
    then {
        policer tcp-connection-policer;
        accept;
    }
}
term last-allow {
    then accept;
}
user@srx650> show configuration security zones
security-zone xxx {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ae0.500;
    }
}
security-zone yyy {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ae1.47;
        ae3.37;
        ae4.54;
        lo0.0;
    }
}
user@srx650> show configuration security policies
from-zone xxx to-zone yyy {
    policy permit-all {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone yyy to-zone xxx {
    policy permit-all {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
The majority of traffic goes through interfaces ae0.500 and ae1.47. As you can see, I configured them for packet-mode with filters. Why do I see a number of flow sessions going through these two interfaces? Why are there so many packet drops? I don't use "set security forwarding-options family xyz mode packet-based" because of NAT.
user@srx650> show security flow session
Session ID: 19, Policy name: permit-all/5, Timeout: 232, Valid
  In: .../63953 --> .../80;tcp, If: ae1.47, Pkts: 7, Bytes: 288
  Out: .../80 --> .../63953;tcp, If: ae0.500, Pkts: 1, Bytes: 48
Session ID: 50, Policy name: permit-all/4, Timeout: 34, Valid
  In: .../3631 --> .../52745;udp, If: ae0.500, Pkts: 1, Bytes: 60
  Out: .../52745 --> .../3631;udp, If: ae1.47, Pkts: 1, Bytes: 46
Session ID: 107, Policy name: permit-all/4, Timeout: 40, Valid
  In: .../11714 --> .../55754;udp, If: ae0.500, Pkts: 2, Bytes: 316
  Out: .../55754 --> .../11714;udp, If: ae1.47, Pkts: 2, Bytes: 1492
Session ID: 140, Policy name: permit-all/5, Timeout: 32, Valid
  In: .../63691 --> .../53;udp, If: ae1.47, Pkts: 1, Bytes: 72
  Out: .../53 --> .../63691;udp, If: ae0.500, Pkts: 1, Bytes: 703
Session ID: 169, Policy name: permit-all/5, Timeout: 1786, Valid
  In: .../12177 --> .../80;tcp, If: ae1.47, Pkts: 4, Bytes: 824
  Out: .../80 --> .../12177;tcp, If: ae0.500, Pkts: 3, Bytes: 1083
user@srx650> show security flow status
Flow forwarding mode:
  Inet forwarding mode: flow based
  Inet6 forwarding mode: drop
  MPLS forwarding mode: drop
  ISO forwarding mode: drop
Flow trace status
  Flow tracing status: off
user@srx650> show security flow statistics
  Current sessions: 9268
  Packets forwarded: 0
  Packets dropped: 25053944
  Fragment packets: 61629518
I also see this on the daily graph of current sessions. The number of current sessions correlates with the traffic going through ae0.500 <-> ae1.47.
Do the counters (sessions or dropped packets) have something to do with lo0.0 having no packet-mode action modifier?
Any answer appreciated.
Regards
#selective.packetmode
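Added example (not part of the post above, and not Juniper's code): a small Python parser for the `show security flow session` output quoted in the post. It groups the sessions by ingress interface, egress interface and protocol, and then lists the sessions whose ingress interface carries the packet-mode filter but whose destination is not the address the filter deliberately excepts, since those are exactly the sessions that should not exist if the filter were bypassing flow. The sample output, the RFC 5737 addresses, the placeholder NAT pool address `203.0.113.3` (standing in for the post's `x.x.x.3`) and the interface set are all constructed for this example.

```python
import re
from collections import Counter

# Constructed placeholders: 203.0.113.3 stands in for the source-NAT pool
# address x.x.x.3 that bypass-flow-filter excepts from packet-mode, and the
# interface set is the two interfaces the post applies that filter to.
NAT_POOL_IP = "203.0.113.3"
PACKET_MODE_IFS = {"ae0.500", "ae1.47"}

# Constructed sample, modelled on the 'show security flow session' output in
# the post, with the elided addresses replaced by RFC 5737 documentation ranges.
SAMPLE_OUTPUT = """\
Session ID: 19, Policy name: permit-all/5, Timeout: 232, Valid
  In: 192.0.2.10/63953 --> 198.51.100.20/80;tcp, If: ae1.47, Pkts: 7, Bytes: 288
  Out: 198.51.100.20/80 --> 192.0.2.10/63953;tcp, If: ae0.500, Pkts: 1, Bytes: 48
Session ID: 50, Policy name: permit-all/4, Timeout: 34, Valid
  In: 198.51.100.30/3631 --> 192.0.2.11/52745;udp, If: ae0.500, Pkts: 1, Bytes: 60
  Out: 192.0.2.11/52745 --> 198.51.100.30/3631;udp, If: ae1.47, Pkts: 1, Bytes: 46
Session ID: 107, Policy name: permit-all/4, Timeout: 40, Valid
  In: 198.51.100.31/11714 --> 192.0.2.12/55754;udp, If: ae0.500, Pkts: 2, Bytes: 316
  Out: 192.0.2.12/55754 --> 198.51.100.31/11714;udp, If: ae1.47, Pkts: 2, Bytes: 1492
Session ID: 140, Policy name: permit-all/5, Timeout: 32, Valid
  In: 192.0.2.13/63691 --> 198.51.100.53/53;udp, If: ae1.47, Pkts: 1, Bytes: 72
  Out: 198.51.100.53/53 --> 192.0.2.13/63691;udp, If: ae0.500, Pkts: 1, Bytes: 703
Session ID: 169, Policy name: permit-all/5, Timeout: 1786, Valid
  In: 192.0.2.14/12177 --> 198.51.100.21/80;tcp, If: ae1.47, Pkts: 4, Bytes: 824
  Out: 198.51.100.21/80 --> 192.0.2.14/12177;tcp, If: ae0.500, Pkts: 3, Bytes: 1083
Session ID: 203, Policy name: permit-all/4, Timeout: 1800, Valid
  In: 198.51.100.40/443 --> 203.0.113.3/40000;tcp, If: ae0.500, Pkts: 5, Bytes: 900
  Out: 192.0.2.15/40000 --> 198.51.100.40/443;tcp, If: ae1.47, Pkts: 4, Bytes: 700
"""

SESSION_RE = re.compile(
    r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>\S+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)\s*$")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>\S+)/(?P<sport>\d+) --> "
    r"(?P<dst>\S+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifname>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)\s*$")


def parse_sessions(text):
    """Turn the CLI output into a list of session dicts, each with In/Out wings."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m["id"]), "policy": m["policy"],
                       "timeout": int(m["timeout"]), "state": m["state"],
                       "wings": {}}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current["wings"][m["dir"]] = {
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "proto": m["proto"], "if": m["ifname"],
                "pkts": int(m["pkts"]), "bytes": int(m["bytes"])}
    return sessions


def summarize_by_path(sessions):
    """Count sessions per (ingress interface, egress interface, protocol)."""
    counts = Counter()
    for s in sessions:
        inw, outw = s["wings"].get("In"), s["wings"].get("Out")
        if inw and outw:
            counts[(inw["if"], outw["if"], inw["proto"])] += 1
    return counts


def unexplained_sessions(sessions, packet_mode_ifs, flow_only_dsts):
    """IDs of sessions that entered on a packet-mode-filtered interface and are
    not destined to an address the filter excepts: these are the ones that the
    filter should have kept out of the flow table and that need explaining."""
    return [s["id"] for s in sessions
            if "In" in s["wings"]
            and s["wings"]["In"]["if"] in packet_mode_ifs
            and s["wings"]["In"]["dst"] not in flow_only_dsts]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for path, n in sorted(summarize_by_path(parsed).items()):
        print("%-8s -> %-8s %-4s sessions=%d" % (path[0], path[1], path[2], n))
    print("sessions to explain:",
          unexplained_sessions(parsed, PACKET_MODE_IFS, {NAT_POOL_IP}))
```

Feeding the real output of `show security flow session` (without the `...` elisions) into `parse_sessions` gives the same breakdown per interface pair, which is a quicker way to see which traffic is still being flow-processed than reading the session list by hand.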