Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  IPv6 on SRX-345 ICMP unreachable / TCP reset responses

    Posted 01-25-2021 10:17
    Edited by Steven Scholte 01-25-2021 10:19
    Hi,

    we are running a cluster of SRX-345s on Junos 19.4R3. We've got an IPv6 block from our internet service provider (a /48). In order to get some experience I enabled IPv6 in a test zone. Our /48 subnet is routed via a /124 routing subnet. Everything is working fine, I can get IPv6 internet access from the test zone and from the loopback interface.
    But there is one thing I don't understand. When you ping any of the addresses in the /48 that hasn't got a policy configured to allow traffic, the firewall is always responding with an ICMP type 1, code 1 destination unreachable. A trace shows that the traffic is denied by the global deny policy, as it should be. But shouldn't the firewall discard the incoming packets silently?

    Also, when sending a TCP-SYN to any of the addresses the firewall responds with a TCP-reset. This does not happen when you try to access the interface address in the routing subnet. Then everything is silently discarded. I'm pretty sure everything is closed, but how can I prevent the ICMP responses and TCP-resets being sent?
    I enabled no-tcp-reset drop-all-tcp under system internet options and tcp-reset is disabled in all the security zones.
    Any input is greatly appreciated!

    Best regards,
    Steven

    ------------------------------
    Steven Scholte
    ------------------------------


  • 2.  RE: IPv6 on SRX-345 ICMP unreachable / TCP reset responses

    Posted 01-30-2021 11:24

    Hi,
    I've done a couple of traces. This is the result of trying to connect to port 22 to an address that does not have a policy configured to allow that traffic. The trace shows that the traffic is denied by policy default-policy-logical-system-00(2). A TCP-reset is sent back, although the default policy is a deny. I figured that only a reject would send back a reset. A deny should silently drop the packet, right?

    Jan 25 14:43:30 14:43:30.419980:CID-1:RT:<2001:abcd:1234:2:c47c:5b36:d770:3d9b/53186->2002:7890:abcd:1018:0:0:0:1/22;6,0x0> matched filter test:
    Jan 25 14:43:30 14:43:30.420000:CID-1:RT:packet [32], @0x5ee34f20
    Jan 25 14:43:30 14:43:30.420006:CID-1:RT:---- flow_process_pkt_ipv6: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x5ee34d00
    Jan 25 14:43:30 14:43:30.420015:CID-1:RT: flow process pak fast ifl 90 in_ifp reth2.0
    Jan 25 14:43:30 14:43:30.420021:CID-1:RT:flow_process_pkt_ipv6: setting in_vrf_id in lpak to 0, grp 0
    Jan 25 14:43:30 14:43:30.420029:CID-1:RT:  reth2.0:2001:abcd:1234:2:c47c:5b36:d770:3d9b/53186->2002:7890:abcd:1018:0:0:0:1/22,6, tcp flag 2 syn <root-logical-system> 
    Jan 25 14:43:30 14:43:30.420056:CID-1:RT: find flow v6: table 0x5521388, hash 36136(0xffff), sa 2001:abcd:1234:2:c47c:5b36:d770:3d9b, da 2002:7890:abcd:1018:0:0:0:1, sp 53186, dp 22, proto 6, tok 24586, conn-tag 0x00000000, vrf-grp-id 0
    Jan 25 14:43:30 14:43:30.420078:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jan 25 14:43:30 14:43:30.420102:CID-1:RT:search gate for FIBER:2001:abcd:1234:2:c47c:5b36:d770:3d9b/53186->2002:7890:abcd:1018:0:0:0:1/22,0,6
    Jan 25 14:43:30 14:43:30.420117:CID-1:RT:gate_search_specific_bucket_v6: no gate found
    Jan 25 14:43:30 14:43:30.420117:CID-1:RT:search gate for FIBER:2001:abcd:1234:2:c47c:5b36:d770:3d9b/53186->2002:7890:abcd:1018:0:0:0:1/22,0,6
    Jan 25 14:43:30 14:43:30.420127:CID-1:RT:gate_search_specific_bucket_v6: no gate found
    Jan 25 14:43:30 14:43:30.420127:CID-1:RT:search widecast gate for FIBER:2001:abcd:1234:2:c47c:5b36:d770:3d9b/53186->2002:7890:abcd:1018:0:0:0:1/22,0,6
    Jan 25 14:43:30 14:43:30.420140:CID-1:RT:gate_search_widecast_bucket_v6: no gate found
    Jan 25 14:43:30 14:43:30.420140:CID-1:RT:Inside pak_to_my_addrs_v6
    Jan 25 14:43:30 14:43:30.420151:CID-1:RT:  flow_first_create_session_v6
    Jan 25 14:43:30 14:43:30.420157:CID-1:RT:  link IPv6 extension session to normal session
    Jan 25 14:43:30 14:43:30.420164:CID-1:RT:Save init hash spu id 0 to nsp and nsp2!
    Jan 25 14:43:30 14:43:30.420167:CID-1:RT:First path alloc and instl pending session, natp=0x12190b48, id=166164
    Jan 25 14:43:30 14:43:30.420179:CID-1:RT:  flow_first_in_dst_nat_v6: in <reth2.0>, out <N/A> dst_adr 2002:7890:abcd:1018:0:0:0:1, sp 53186, dp 22
    Jan 25 14:43:30 14:43:30.420179:CID-1:RT:  chose interface reth2.0 as incoming nat if.
    Jan 25 14:43:30 14:43:30.420201:CID-1:RT:flow_first_rule_dst_xlate_v6: DST no-xlate: 0:0:0:0:0:0:0:0(0) to 2002:7890:abcd:1018:0:0:0:1(22)
    Jan 25 14:43:30 14:43:30.420213:CID-1:RT:[JSF] Do ingress interest check. regd ingress plugins(1)
    Jan 25 14:43:30 14:43:30.420231:CID-1:RT:[JSF][0]plugins(0x0) enabled for session = 193273694484  implicit mask(0x0), service request(0x0)
    Jan 25 14:43:30 14:43:30.420240:CID-1:RT:-jsf : no plugin ingress interested for session 193273694484
    Jan 25 14:43:30 14:43:30.420243:CID-1:RT:flow_first_routing_v6: call flow_route_lookup(): src_ip 2001:abcd:1234:2:c47c:5b36:d770:3d9b, x_dst_ip 2002:7890:abcd:1018:0:0:0:1, in ifp reth2.0, out ifp N/A sp 53186, dp 22, ip_proto 6, tos 0
    Jan 25 14:43:30 14:43:30.420255:CID-1:RT:Doing DESTINATION addr route-lookup
    Jan 25 14:43:30 14:43:30.420269:CID-1:RT:flow_rt_lkup success 2002:7890:abcd:1018:0:0:0:1, iifl 0x5a, oifl 0x0 
    Jan 25 14:43:30 14:43:30.420280:CID-1:RT:Changing out-ifp from .local..0 to reth3.18 for dst: 2002:7890:abcd:1018:0:0:0:1 in vr_id:6
    Jan 25 14:43:30 14:43:30.420287:CID-1:RT:flow_first_routing_v6: setting out_vrf_id in lpak to 0, grp 0
    Jan 25 14:43:30 14:43:30.420292:CID-1:RT:  routed (x_dst_ip 2002:7890:abcd:1018:0:0:0:1) from FIBER (reth2.0 in 3) to reth3.18, Next-hop: 2002:7890:abcd:1018:0:0:0:1
    Jan 25 14:43:30 14:43:30.420298:CID-1:RT:flow_first_policy_search_v6: policy search from zone FIBER-> zone DMZ1
    Jan 25 14:43:30 14:43:30.420306:CID-1:RT:Policy lkup: vsys 0 zone(10:FIBER) -> zone(11:DMZ1) src_vrf_group (0) dst_vrf_group (0) scope:0
    Jan 25 14:43:30 14:43:30.420313:CID-1:RT:             2001:abcd:1234:2:c47c:5b36:d770:3d9b/53186 -> 2002:7890:abcd:1018:0:0:0:1/22 proto 6
    Jan 25 14:43:30 14:43:30.420356:CID-1:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) src_vrf_group (0) dst_vrf_group (0) scope:0
    Jan 25 14:43:30 14:43:30.420362:CID-1:RT:             2001:abcd:1234:2:c47c:5b36:d770:3d9b/53186 -> 2002:7890:abcd:1018:0:0:0:1/22 proto 6
    Jan 25 14:43:30 14:43:30.420373:CID-1:RT:flow_first_policy_search_v6: dynapp_none_policy: 1? is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
    Jan 25 14:43:30 14:43:30.420378:CID-1:RT:  app 22, timeout 1800s, curr ageout 0s
    Jan 25 14:43:30 14:43:30.420386:CID-1:RT:  app 22, timeout 1800s, curr ageout 20s
    Jan 25 14:43:30 14:43:30.420402:CID-1:RT:flow_send_icmp_tcp_rst: Sending tcp-rst
    Jan 25 14:43:30 14:43:30.420402:CID-1:RT:flow_send_return_pak: lpak 0x23a9100, npak 0x6c94fd48, npak->in_if N/A, outifp reth2.0.
    Jan 25 14:43:30 14:43:30.420414:CID-1:RT:ip6hdr_info_extract, plen 20 , version 6, next prot 6
    Jan 25 14:43:30 14:43:30.420414:CID-1:RT:ip6hdr_info_extract, next prot 6, rc = 0, done = 1,lport 0x16cfc2, prot 6, len 20, flags 0x0, frag offlg 0x0
    Jan 25 14:43:30 14:43:30.420422:CID-1:RT:**** jump to packet:2002:7890:abcd:1018:0:0:0:1->2001:abcd:1234:2:c47c:5b36:d770:3d9b
    Jan 25 14:43:30 14:43:30.420434:CID-1:RT:  encap vector
    Jan 25 14:43:30 14:43:30.420437:CID-1:RT:  no more encapping needed
    Jan 25 14:43:30 14:43:30.420437:CID-1:RT:  **** pak processing end.
    Jan 25 14:43:30 14:43:30.420443:CID-1:RT:flow_send_return_pak: outifp reth2.0, iif 0, vr_id 6.
    Jan 25 14:43:30 14:43:30.420445:CID-1:RT:flow_send_return_pak : Using iif 0
    Jan 25 14:43:30 14:43:30.420450:CID-1:RT:flow_send_return_pak() 0x61083680 :  mbuf injected, return code 0
    Jan 25 14:43:30 14:43:30.420450:CID-1:RT:Denied by policy 2, generating icmp/tcp-rst
    Jan 25 14:43:30 14:43:30.420459:CID-1:RT:  packet dropped, denied by policy
    Jan 25 14:43:30 14:43:30.420459:CID-1:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt
    Jan 25 14:43:30 14:43:30.420459:CID-1:RT:  packet dropped,  policy deny.
    Jan 25 14:43:30 14:43:30.420470:CID-1:RT:flow_initiate_first_path_v6: first pak no session
    Jan 25 14:43:30 14:43:30.420470:CID-1:RT:  flow find session returns error.
    Jan 25 14:43:30 14:43:30.420470:CID-1:RT:flow_proc_rc: -1.
    Jan 25 14:43:30 14:43:30.420470:CID-1:RT: ----- flow_process_pkt_ipv6: rc 0x7 (fp rc -1)

    ------------------------------
    Steven Scholte
    ------------------------------
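Added example (not from the thread or from Juniper): a small parser for SRX flow traces of the shape quoted above, so a defender can pull the 5-tuple, the zone pair, the denying policy and whether the deny generated a reply (ICMP unreachable or TCP RST) out of a capture and flag the active-reject case the poster is asking about. The sample traces are constructed from the lines in this post; the regexes assume the line formats shown here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the SRX flow trace quoted above (same addresses,
# zones and policy name; the intermediate trace lines are omitted).
REJECTED_TRACE = """\
Jan 25 14:43:30 14:43:30.420029:CID-1:RT:  reth2.0:2001:abcd:1234:2:c47c:5b36:d770:3d9b/53186->2002:7890:abcd:1018:0:0:0:1/22,6, tcp flag 2 syn <root-logical-system>
Jan 25 14:43:30 14:43:30.420298:CID-1:RT:flow_first_policy_search_v6: policy search from zone FIBER-> zone DMZ1
Jan 25 14:43:30 14:43:30.420402:CID-1:RT:flow_send_icmp_tcp_rst: Sending tcp-rst
Jan 25 14:43:30 14:43:30.420450:CID-1:RT:Denied by policy 2, generating icmp/tcp-rst
Jan 25 14:43:30 14:43:30.420459:CID-1:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt
"""
# Constructed: the same deny with no return packet, i.e. the silent drop the poster expected.
SILENT_TRACE = "\n".join(l for l in REJECTED_TRACE.splitlines() if "tcp-rst" not in l)

PKT_RE = re.compile(r"RT:\s+[\w.]+:([0-9a-f:]+)/(\d+)->([0-9a-f:]+)/(\d+),(\d+),")
ZONE_RE = re.compile(r"policy search from zone (\S+?)-> zone (\S+)")
DENY_RE = re.compile(r"denied by policy (\S+)\((\d+)\), dropping pkt")
RST_RE = re.compile(r"flow_send_icmp_tcp_rst: Sending (\S+)")

@dataclass
class FlowVerdict:
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: int = 0
    from_zone: str = ""
    to_zone: str = ""
    policy: str = ""          # name of the policy that denied the packet
    policy_index: int = -1
    responses: list[str] = field(default_factory=list)  # replies generated by the deny

    @property
    def silent(self) -> bool:
        """True when a policy deny sent nothing back (no ICMP unreachable, no TCP RST)."""
        return self.policy != "" and not self.responses

def parse_flow_trace(text: str) -> FlowVerdict:
    """Extract the 5-tuple, zone pair, matched policy and any generated reply from one trace."""
    v = FlowVerdict()
    for line in text.splitlines():
        if m := PKT_RE.search(line):
            v.src, v.sport, v.dst, v.dport, v.proto = m[1], int(m[2]), m[3], int(m[4]), int(m[5])
        elif m := ZONE_RE.search(line):
            v.from_zone, v.to_zone = m[1], m[2]
        elif m := DENY_RE.search(line):
            v.policy, v.policy_index = m[1], int(m[2])
        elif m := RST_RE.search(line):
            v.responses.append(m[1])  # e.g. "tcp-rst"
    return v
```

Feed it the output of a `traceoptions` flow capture split per packet; a verdict with a policy name and a non-empty `responses` list is a deny that still answered the sender, which is what the trace above shows.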