SRX




  • 1.  SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-14-2011 18:08

    Hi All - I've done a lot of searching on this topic but have not had much luck; maybe I'm just using the wrong terms. Anyway, the tunnel forms and I can browse the IPv6 intarwebs but cannot host services behind the SRX. Any ideas? JUNOS Software Release [11.1R2.3]

     

    If I do a tcpdump on the server inside I get the following:

     

    19:15:02.559203 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529550252 0,nop,wscale 7>
    19:15:02.559222 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253197943 529550252,nop,wscale 7>
    19:15:05.562793 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529550552 0,nop,wscale 7>
    19:15:05.562808 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253198694 529550252,nop,wscale 7>
    19:15:06.556490 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253198943 529550252,nop,wscale 7>
    19:15:11.561059 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529551152 0,nop,wscale 7>
    19:15:11.561076 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253200194 529550252,nop,wscale 7>
    19:15:12.756489 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253200493 529550252,nop,wscale 7>
    19:15:24.756489 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253203493 529550252,nop,wscale 7>

     

    And here are some snippets from my config

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                description Cablevision;
                family inet {
                    filter {
                        input fix-v6v4-tunnel;
                    }
                    dhcp;
                }
            }
        }
        ip-0/0/0 {
            unit 0 {
                description "HE IPv6 Tunnel";
                tunnel {
                    source 69.126.xxx.xxx;
                    destination 209.51.161.14;
                }
                family inet6 {
                    address 2001:xxxx:xxxx:xxxx::2/64;
                }
            }
        }
    }

    routing-options {
        rib inet6.0 {
            static {
                route ::/0 next-hop 2001:470:1f06:792::1;
            }
        }
    }

    security {
        forwarding-options {                
            family {                        
                inet6 {                     
                    mode flow-based;        
                }                           
            }                               
        }
        policies {                          
            from-zone trust to-zone untrust {
                policy trust-to-untrust {   
                    match {                 
                        source-address [ any-ipv4 any-ipv6 ];
                        destination-address [ any-ipv4 any-ipv6 ];
                        application any;    
                    }                       
                    then {                  
                        permit {            
                            application-services {
                                idp;        
                            }               
                        }                   
                    }                       
                }                           
            }
            from-zone untrust to-zone trust {
                policy allow-inbound-ipv6-http {
                    match {                 
                        source-address any-ipv6;
                        destination-address SERVER-IPv6;
                        application junos-http;
                    }                       
                    then {                  
                        permit {            
                            application-services {
                                idp;        
                            }               
                        }                   
                        log {               
                            session-close;  
                        }                   
                    }                       
                }
            }
        }
        zones {
            security-zone trust {
                screen untrust-screen;      
                host-inbound-traffic {      
                    system-services {       
                        all;                
                    }                       
                    protocols {             
                        all;                
                    }                       
                }                           
                interfaces {                
                    vlan.0;                 
                    lo0.0;                  
                }                           
            }
            security-zone untrust {         
                screen untrust-screen;      
                interfaces {                
                    ge-0/0/0.0 {            
                        host-inbound-traffic {
                            system-services {
                                dhcp;       
                                tftp;       
                                ssh;        
                                ping;       
                                ike;        
                            }               
                        }                   
                    }                       
                    ip-0/0/0.0 {            
                        host-inbound-traffic {
                            system-services {
                                ssh;        
                            }               
                        }                   
                    }                       
                }                           
            }
        }
    }
    firewall {
        family inet {
            filter fix-v6v4-tunnel {
                term one {
                    from {
                        destination-address {
                            66.220.2.74/32;
                        }
                        protocol 41;
                    }
                    then packet-mode;
                }
                term two {                  
                    from {                  
                        source-address {    
                            66.220.2.74/32; 
                        }                   
                        protocol 41;        
                    }                       
                    then packet-mode;       
                }                           
                term three {
                    then accept;            
                }                           
            }                               
        }  
    }

     


    #IPv6
    #hosting
    #Server
    #SRX
    #inet6
    #he.net


  • 2.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-17-2011 08:53
    You forgot to anonymize the next hop on your 0/0 route, so it was me who just tried to ssh in to verify the oversight - sorry.

    So you're seeing traffic come in and traffic leave the server. How do you know that the server is properly configured? Can some device on the LAN access it with IPv6?


  • 3.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-17-2011 09:21

    Yes, the tcpdump shows the traffic is hitting the server. I know the server is properly configured because everything worked when I was using a Cisco router.



  • 4.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not
    Best Answer

    Posted 06-19-2011 05:53

    I've managed to resolve the problem, however, the solution seems to indicate a bug of some sort...

     

    Under policies -> from-zone untrust to-zone trust -> policy allow-inbound-ipv6-http

     

    I had to match application junos-tcp-any


    #IPv6
    #junos-tcp
    #SRX
    #Policies
    #policy
    #junos-http
    #inet6


  • 5.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-19-2011 10:23
    ddeviny@SRX> show configuration groups junos-defaults | display set | match junos-http 
    set groups junos-defaults applications application junos-http protocol tcp
    set groups junos-defaults applications application junos-http destination-port 80
    
    ddeviny@SRX> show configuration groups junos-defaults | display set | match junos-tcp     
    set groups junos-defaults applications application junos-tcp-any term t1 protocol tcp

    Above is what those applications do. So you replaced junos-http with junos-tcp to resolve the issue? You should open a case.
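Editor's note, with an added example that is not configuration from the original post. The tcpdump in the first post shows the server answering every SYN with a SYN-ACK that the client never acknowledges, so the handshake is dying on the return path (server to HE through the SRX), not on the way in. The best answer gets traffic flowing by swapping junos-http for junos-tcp-any, but the reply above shows what that trade is: junos-http is tcp with destination-port 80, junos-tcp-any is tcp with no port restriction at all. The set-form fragment below puts the original policy, the workaround and a narrower alternative side by side. It assumes the address-book entry SERVER-IPv6 already exists in zone trust (it is referenced but not shown in the thread); the custom application name v6-http and the deny-inbound-log policy are introduced here and are not from the thread.

```junos
## Added example (not the original poster's config). Assumed: address-book
## entry SERVER-IPv6 is already defined in zone trust; "v6-http" and
## "deny-inbound-log" are names invented for this example.

## 1. Policy as originally posted. junos-http is defined in the junos-defaults
##    group as protocol tcp, destination-port 80. In the thread this policy
##    let the SYN through but the connection never completed.
set security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http match source-address any-ipv6
set security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http match destination-address SERVER-IPv6
set security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http match application junos-http
set security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http then permit application-services idp
set security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http then log session-close

## 2. Best-answer workaround: junos-tcp-any (protocol tcp, no port match).
##    Caveat: this permits every TCP port on SERVER-IPv6 from any IPv6 source,
##    not just 80. IDP still inspects the flows, but the policy itself no
##    longer enforces least privilege on the host's other listeners.
delete security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http match application junos-http
set security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http match application junos-tcp-any

## 3. Narrower alternative to test. Assumption: the thread does not establish
##    whether a user-defined tcp/80 application behaves like junos-http or like
##    junos-tcp-any on 11.1R2; if it works, it keeps the port restriction and
##    the Juniper case can cite the predefined object as the difference.
set applications application v6-http protocol tcp
set applications application v6-http destination-port 80
delete security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http match application junos-tcp-any
set security policies from-zone untrust to-zone trust policy allow-inbound-ipv6-http match application v6-http

## 4. Explicit logged deny after the permit, so inbound SYNs that match no
##    permit policy appear in the security log instead of vanishing silently.
##    (Policies are evaluated in order; "set" appends, so this lands last.)
set security policies from-zone untrust to-zone trust policy deny-inbound-log match source-address any
set security policies from-zone untrust to-zone trust policy deny-inbound-log match destination-address any
set security policies from-zone untrust to-zone trust policy deny-inbound-log match application any
set security policies from-zone untrust to-zone trust policy deny-inbound-log then deny
set security policies from-zone untrust to-zone trust policy deny-inbound-log then log session-init
```

Apply one of steps 1 to 3 at a time, commit, and retest from an outside IPv6 host while watching `show security flow session destination-port 80 protocol tcp`: a healthy session lists both wings, and the hit counter from `show security policies hit-count` tells you which policy admitted the SYN. Because the original posting shows the SYN arriving and the SYN-ACK leaving the server, also check that nothing in the reverse direction is being eaten before the tunnel: the trust zone carries `screen untrust-screen` in the posted config, so `show security screen statistics zone trust` is worth a look, and the protocol-41 packet-mode terms in fix-v6v4-tunnel name 66.220.2.74 while the tunnel destination is 209.51.161.14, which is worth confirming is intentional rather than an anonymisation slip. Whichever application object ends up working, raise the case the last reply suggests rather than leaving junos-tcp-any in place as the permanent fix.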