SRX


RT_ALG_WRN_CFG_NEED

  • 1.  RT_ALG_WRN_CFG_NEED

     
    Posted 05-12-2019 16:22

    Hi All

    I have recently had the following non-stop warning log on an srx320 (15.1X49-D50.3). According to Juniper's System Log Explorer, the log is not an error. If it is not an error, why does Junos need a configuration? Or how can I fix this warning log? Any ideas or techniques for responding to the log?

     

    May 13 10:58:52 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/49488 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:58:55 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/49568 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:58:56 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/61580 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:58:56 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.22/51051 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:00 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/62001 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:10 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/63129 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:31 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50345 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:34 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/64807 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:37 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/64970 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:40 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50527 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:41 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.129/52665 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:41 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.129/52669 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 10:59:53 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.83.232/62423 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 11:00:05 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/50527 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 11:00:06 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.83.234/60448 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
    May 13 11:00:08 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50842 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

     

    Thanks,

    Arix



  • 2.  RE: RT_ALG_WRN_CFG_NEED

    Posted 05-12-2019 20:29

    Try to read this topic



  • 3.  RE: RT_ALG_WRN_CFG_NEED

     
    Posted 05-19-2019 21:33

    Hi all,

    I persistently and consistently get the following log; it is being generated every 4 seconds. It seems that MSRPC is enabled by default.

    In order to get some logs via traceoptions about the associated (MSRPC ALG) traffic being denied, I created the following traceoptions with a packet filter, but I couldn't see any deny in the whole log file (alg_deny).

    If this MSRPC traffic were being denied, I should be seeing denied traffic, but I am not. Where is my mistake, or what am I doing wrong in my troubleshooting? Any ideas, please?

     

    May 20 14:07:33 VItSRX320 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.10.3.29/57624 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

     

    VItSRX320> show security alg status
    ALG Status :
    DNS : Enabled
    FTP : Enabled
    H323 : Enabled
    MGCP : Enabled
    MSRPC : Enabled
    PPTP : Enabled
    RSH : Disabled
    RTSP : Enabled
    SCCP : Disabled
    SIP : Disabled
    SQL : Disabled
    SUNRPC : Enabled
    TALK : Enabled
    TFTP : Enabled
    IKE-ESP : Disabled

    VItSRX320>

     

    VItSRX320>show configuration security | display set | match alg
    set security alg sccp disable
    set security alg sip disable

     

    My traceoptions with the filter:

    set security flow traceoptions file alg_deny files 2 size 1m world-readable
    set security flow traceoptions flag all
    set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29

     

     

    VItSRX320>file list detail /var/log/ | match alg
    -rw-r--r-- 1 root wheel 767199 May 20 13:41 alg_deny
    -rw-r--r-- 1 root wheel 84685 May 20 13:40 alg_deny.0.gz

    Thanks

    Arix

     



  • 4.  RE: RT_ALG_WRN_CFG_NEED

     
    Posted 05-19-2019 22:05

    Hello,

     

    I would suggest to not use the flag all in the flow traceoptions. This logs a lot of background noise.

     

    Use the traceoptions flag basic-datapath. Additionally, also setup the filter for anything destined to 10.10.3.29 as well.

     

    set security flow traceoptions file alg_deny files 2 size 1m world-readable
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29

    set security flow traceoptions packet-filter packet_filter2 destination-prefix 10.10.3.29

     

    Regards,

     

    Vikas



  • 5.  RE: RT_ALG_WRN_CFG_NEED

     
    Posted 05-20-2019 21:56

    Hi All,

    1-) This time I applied the following modified traceoptions, and the output showed that there is no denied traffic sourced from or destined to 10.10.3.29 on the srx.

    set security flow traceoptions file alg_deny files 2 size 1m world-readable
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29
    set security flow traceoptions packet-filter packet_filter2 destination-prefix 10.10.3.29

     

    The following log is still being generated every 8 seconds on the branch srx. I am not sure, but when searching for this log, many engineers on the Juniper discussion board point out that this traffic is being blocked by the MSRPC ALG, as the MSRPC ALG is enabled by default on the srx. But traceoptions just showed that there is no dropped or denied traffic on MSRPC.

     

    >show security alg status | match msrpc
    MSRPC : Enabled

     

    junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.10.3.29/53835 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

     

     

    2-) In the same traceoptions output I accidentally saw the following info related to fragmentation. This is another concern. The currently configured tcp mss value is 1450 on the branch site. Can I ask whether fragmentation is occurring? If so, what should be done to establish a symmetric mss value end to end?

     

    remote site network---ex---srx(branch)------Ipsec vpn------srx(datacentre)------

     

    May 21 08:40:17 08:40:17.513197:CID-0:RT:MSS found 0x 5b4

    May 21 08:40:17 08:40:17.513197:CID-0:RT: rewrite TCP MSS, new MSS: 1450, old MSS: 1460

     

    > show configuration security flow | display set
    set security flow tcp-mss all-tcp mss 1450
    set security flow tcp-session no-syn-check
    set security flow tcp-session no-syn-check-in-tunnel
    set security flow tcp-session no-sequence-check

     

    Thanks 

    Ar



  • 6.  RE: RT_ALG_WRN_CFG_NEED

     
    Posted 05-20-2019 22:23

    Hello,

     

    Thanks for taking that. My observations

     

    > The flow traceoptions ran for about 20mins and no drops seen

    > Flow processing shows the traffic passed

    > So definitely it is not dropped by the flow module, which incidentally is also involved in ALG processing

    > Prima facie the logs seem to be non-impacting

    > I would be interested in seeing a pcap of traffic in and out of the firewall to check if anything is really dropped

    > You can do a pcap on ingress and egress interfaces to see what we get

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

     

    Regards,

     

    Vikas

     

    PS: Be sure to delete traceoptions

     



  • 7.  RE: RT_ALG_WRN_CFG_NEED

    Posted 05-20-2019 23:29

    Hi Arix,

     

    I believe that the SRX is definitely dropping those packets; however, I'm not sure if you will see that in the flow traceoptions file. The SRX is reporting that in order to let the packets pass it needs extra configuration, which pretty much means configuring the SRX to permit users connecting to UUIDs unknown to the SRX. You might configure MS-RPC traceoptions to dig further:

     

     

    # set security alg msrpc traceoptions flag all
    # set security alg traceoptions file MS-RPC-TRACE size 1g
    # set security alg traceoptions level verbose
    # commit
    # run show log MS-RPC-TRACE

     

     

    Also you could try using the flag "error" instead of the flag "basic-datapath" in the security flow traceoptions. You can upload the files when you post a comment.

     

    First question: how is the security-policy that is allowing the communications configured? Are you specifically referencing the MS-RPC application, or are you just using "application any"?

     

    MS-RPC is used by Windows devices for communication between processes running on different devices; these remote processes are identified by UUIDs.

    The device acting as the client will first establish a connection via port 135 and will ask for the dynamic port on which a specific service (UUID) is listening on the remote end. The device acting as the server will provide this information, and the client will open a new session on that dynamic port (a high random port). Ideally we don't configure security-policies that permit traffic on all ports, so when you reference the ms-rpc application on a security-policy it only permits port 135, and the SRX listens to the communications between the client and the server in order to determine the high random port that will be used next; the SRX allows communications from the client on that port only, blocking traffic on any other non-negotiated port. That's pretty much the functionality of the MS-RPC ALG. However, it is very common that for specific zones we don't need that much security, and sometimes we can have a security-policy allowing all the traffic from a specific zone to another zone.

     

    Second question: Can you disable the MS-RPC ALG? If your security policy is configured for "application any", I believe there should not be any problem with disabling the ALG:

     

     

    # set security alg msrpc disable
    # commit
    # run show security alg status

     

    Based on the logs the UUIDs not being recognized are related to:

     

    MS-NETLOGON: 12345678-1234-abcd-ef00-01234567cffb and 12345778-1234-abcd-ef00-0123456789ab

    WMIC-Webm-Level1Login: f309ad18-d86a-11d0-a075-00c04fb68820

     

    References:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-rpc-alg.html

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB12057

     

     

    Please share the following operational commands:

     

    show security alg msrpc

    show security resource-manager summary

    show security resource-manager resource active

    show security resource-manager group active

    show security flow session resource-manager summary

     

    If you can determine that the logs are cosmetic and that no packet drops are happening, you could always prevent those logs from being written to your log file:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB9382

     

    Hope this helps. Please mark my post as a Solution if it applies.

     

     



  • 8.  RE: RT_ALG_WRN_CFG_NEED

    Posted 05-20-2019 23:34

    Forgot to mention that you could also configure the "junos-ms-rpc-any" application on your security-policy as the log states.

     

    Hope this helps.
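
Added example (not part of any post in this thread): before choosing between per-UUID policy entries, 'junos-ms-rpc-any', or disabling the ALG, it helps to know which interface UUIDs and which clients produce the RT_ALG_WRN_CFG_NEED messages and how often. The Python sketch below groups such lines by UUID; the hostname, addresses and timestamps in the sample are constructed, and only the message format and the two UUIDs are taken from the logs above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ junos-alg: "
    r"RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/\d+ .*?"
    r"UUID:(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)

UUID_A = "f309ad18-d86a-11d0-a075-00c04fb68820"   # UUID seen in the thread's logs
UUID_B = "12345678-1234-abcd-ef00-01234567cffb"   # UUID seen in the thread's logs

# Constructed sample input in the message format shown in the thread.
_TEMPLATE = ("May 13 {t} fw1 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected "
             "packet from {s} which need extra policy config with UUID:{u} or "
             "'junos-ms-rpc-any' to let it pass-through on ASL session")
SAMPLE = "\n".join([
    _TEMPLATE.format(t="10:58:52", s="10.0.0.31/49488", u=UUID_A),
    _TEMPLATE.format(t="10:58:56", s="10.0.0.22/61580", u=UUID_A),
    _TEMPLATE.format(t="10:58:56", s="10.0.1.22/51051", u=UUID_B),
    _TEMPLATE.format(t="10:59:00", s="10.0.0.22/62001", u=UUID_A),
    "May 13 10:59:10 fw1 sshd[411]: unrelated line, ignored by the parser",
])

def summarize(text, year=2019):
    """Group RT_ALG_WRN_CFG_NEED events by UUID (syslog has no year, so pass one)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not an MSRPC ALG warning
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["uuid"].lower()].append((when, m["src"]))
    report = {}
    for uuid, hits in events.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        report[uuid] = {
            "count": len(hits),
            "sources": sorted({s for _, s in hits}, key=ipaddress.ip_address),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for uuid, info in summarize(SAMPLE).items():
        print(uuid, info)
```

A steady median gap from a small set of sources points at a polling client (monitoring or management software), which is useful context when deciding whether the traffic should be permitted at all.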