SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-14-2011 18:08

    Hi All - I've done a lot of searching on this topic but have not had much luck, maybe I'm just using the wrong terms.  Anyway, the tunnel forms and I can browse the IPv6 intarwebs but cannot host services behind the SRX.  Any ideas?  JUNOS Software Release [11.1R2.3]


    If I do a tcpdump on the server inside I get the following:


    19:15:02.559203 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529550252 0,nop,wscale 7>
    19:15:02.559222 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253197943 529550252,nop,wscale 7>
    19:15:05.562793 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529550552 0,nop,wscale 7>
    19:15:05.562808 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253198694 529550252,nop,wscale 7>
    19:15:06.556490 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253198943 529550252,nop,wscale 7>
    19:15:11.561059 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529551152 0,nop,wscale 7>
    19:15:11.561076 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253200194 529550252,nop,wscale 7>
    19:15:12.756489 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253200493 529550252,nop,wscale 7>
    19:15:24.756489 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253203493 529550252,nop,wscale 7>


    And here are some snippets from my config


    interfaces {                            
        ge-0/0/0 {                          
            unit 0 {                        
                description Cablevision;    
                family inet {               
                    filter {                
                        input fix-v6v4-tunnel;
                    }                       
                    dhcp;                   
                }                           
            }                               
        }          
        ip-0/0/0 {                          
            unit 0 {                        
                description "HE IPv6 Tunnel";
                tunnel {                    
                    source 69.126.xxx.xxx;   
                    destination 209.51.161.14;
                }                           
                family inet6 {              
                    address 2001:xxxx:xxxx:xxxx::2/64;
                }                           
            }                               
        }
    }
    
    routing-options {
        rib inet6.0 {
            static {
                route ::/0 next-hop 2001:470:1f06:792::1;
            }
        }
    }
    
    security {
        forwarding-options {                
            family {                        
                inet6 {                     
                    mode flow-based;        
                }                           
            }                               
        }
        policies {                          
            from-zone trust to-zone untrust {
                policy trust-to-untrust {   
                    match {                 
                        source-address [ any-ipv4 any-ipv6 ];
                        destination-address [ any-ipv4 any-ipv6 ];
                        application any;    
                    }                       
                    then {                  
                        permit {            
                            application-services {
                                idp;        
                            }               
                        }                   
                    }                       
                }                           
            }
            from-zone untrust to-zone trust {
                policy allow-inbound-ipv6-http {
                    match {                 
                        source-address any-ipv6;
                        destination-address SERVER-IPv6;
                        application junos-http;
                    }                       
                    then {                  
                        permit {            
                            application-services {
                                idp;        
                            }               
                        }                   
                        log {               
                            session-close;  
                        }                   
                    }                       
                }
            }
        }
        zones {
            security-zone trust {
                screen untrust-screen;      
                host-inbound-traffic {      
                    system-services {       
                        all;                
                    }                       
                    protocols {             
                        all;                
                    }                       
                }                           
                interfaces {                
                    vlan.0;                 
                    lo0.0;                  
                }                           
            }
            security-zone untrust {         
                screen untrust-screen;      
                interfaces {                
                    ge-0/0/0.0 {            
                        host-inbound-traffic {
                            system-services {
                                dhcp;       
                                tftp;       
                                ssh;        
                                ping;       
                                ike;        
                            }               
                        }                   
                    }                       
                    ip-0/0/0.0 {            
                        host-inbound-traffic {
                            system-services {
                                ssh;        
                            }               
                        }                   
                    }                       
                }                           
            }
        }
    }
    firewall {
        family inet {
            filter fix-v6v4-tunnel {
                term one {
                    from {
                        destination-address {
                            66.220.2.74/32;
                        }
                        protocol 41;
                    }
                    then packet-mode;
                }
                term two {                  
                    from {                  
                        source-address {    
                            66.220.2.74/32; 
                        }                   
                        protocol 41;        
                    }                       
                    then packet-mode;       
                }                           
                term three {
                    then accept;            
                }                           
            }                               
        }  
    }



    #IPv6
    #hosting
    #Server
    #SRX
    #inet6
    #he.net
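As an added illustration (not part of the original post), the following Python script parses tcpdump lines in the layout quoted above and classifies each TCP handshake it finds. The capture text is constructed with documentation addresses (2001:db8::/32) and mirrors the pattern in the post: one flow where the client's SYN and the server's SYN-ACK are both retransmitted and no final ACK ever arrives, and a second flow that completes normally. A client SYN-ACK that is never acknowledged tells you the server's reply is leaving the host but the client is not seeing it, which points at the return path rather than at the server.

```python
import re

# Constructed sample laid out like the tcpdump output in the post, using
# documentation prefixes (2001:db8::/32) instead of real addresses.
# Flow 1 (client ::10) shows retransmitted SYNs and SYN-ACKs with no final ACK;
# flow 2 (client ::20) completes the three-way handshake.
SAMPLE_CAPTURE = """\
19:15:02.559203 IP6 2001:db8:1::10.40816 > 2001:db8:2::80.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529550252 0,nop,wscale 7>
19:15:02.559222 IP6 2001:db8:2::80.www > 2001:db8:1::10.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253197943 529550252,nop,wscale 7>
19:15:05.562793 IP6 2001:db8:1::10.40816 > 2001:db8:2::80.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529550552 0,nop,wscale 7>
19:15:05.562808 IP6 2001:db8:2::80.www > 2001:db8:1::10.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253198694 529550252,nop,wscale 7>
19:15:06.556490 IP6 2001:db8:2::80.www > 2001:db8:1::10.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253198943 529550252,nop,wscale 7>
19:16:00.000000 IP6 2001:db8:1::20.51000 > 2001:db8:2::80.www: S 1000:1000(0) win 5760 <mss 1380,sackOK,timestamp 1 0,nop,wscale 7>
19:16:00.000100 IP6 2001:db8:2::80.www > 2001:db8:1::20.51000: S 2000:2000(0) ack 1001 win 5712 <mss 1440,sackOK,timestamp 2 1,nop,wscale 7>
19:16:00.000200 IP6 2001:db8:1::20.51000 > 2001:db8:2::80.www: . ack 1 win 45 <nop,nop,timestamp 3 2>
"""

# Matches the classic tcpdump TCP line:
# "<ts> IP6 <src.port> > <dst.port>: <flags> [seq:seq(len)] [ack N] ..."
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)'
    r'(?: \d+:\d+\(\d+\))?(?: ack (?P<ack>\d+))?'
)


def parse_line(line):
    """Return the segment's endpoints and flags, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_addr, src_port = m.group('src').rsplit('.', 1)
    dst_addr, dst_port = m.group('dst').rsplit('.', 1)
    return {
        'src': (src_addr, src_port),
        'dst': (dst_addr, dst_port),
        'syn': 'S' in m.group('flags'),
        'rst': 'R' in m.group('flags'),
        'ack': m.group('ack') is not None,
    }


def classify(counts):
    if counts['rst']:
        return 'reset'
    if counts['ack']:
        return 'established'
    if counts['synack']:
        return 'half-open'      # server answered, but its SYN-ACK was never acknowledged
    return 'unanswered'         # client SYN seen, nothing came back at all


def analyze(capture):
    """Map (client, server) -> counts plus a 'state' for each handshake seen in the text."""
    flows = {}
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p['syn'] and not p['ack']:
            # A pure SYN defines the flow and its orientation: the sender is the client.
            key = (p['src'], p['dst'])
            flows.setdefault(key, {'syn': 0, 'synack': 0, 'ack': 0, 'rst': 0})['syn'] += 1
            continue
        # Every other segment is looked up in either orientation.
        key = (p['dst'], p['src']) if (p['dst'], p['src']) in flows else (p['src'], p['dst'])
        counts = flows.get(key)
        if counts is None:
            continue  # mid-stream segment whose handshake is not in the capture
        if p['rst']:
            counts['rst'] += 1
        elif p['syn'] and p['ack']:
            counts['synack'] += 1
        elif p['ack'] and key[0] == p['src']:
            counts['ack'] += 1  # third packet of the handshake, client -> server
    return {key: dict(counts, state=classify(counts)) for key, counts in flows.items()}


if __name__ == '__main__':
    for (client, server), info in analyze(SAMPLE_CAPTURE).items():
        print(f"{client[0]}.{client[1]} -> {server[0]}.{server[1]}: {info['state']} "
              f"(SYN x{info['syn']}, SYN-ACK x{info['synack']}, ACK x{info['ack']})")
```

Run it against a real `tcpdump -n ip6 and tcp` transcript (the default relative sequence numbers are fine; the parser only needs the flags and the presence of `ack`). A 'half-open' result for every external client while LAN clients show 'established' is the signature this thread describes: the server answers, the firewall never lets the answer through.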


  • 2.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-17-2011 08:53
    You forgot to anonymize the next hop on your 0/0 route, so it was me who just tried to ssh in to verify the oversight, sorry.

    So you're seeing traffic come in and traffic leave the server. How do you know that the server is properly configured? Can some device on the LAN access it with IPv6?


  • 3.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-17-2011 09:21

    Yes, the tcpdump shows the traffic is hitting the server.  I know the server is properly configured because everything worked when I was using a Cisco router.



  • 4.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not
    Best Answer

    Posted 06-19-2011 05:53

    I've managed to resolve the problem; however, the solution seems to indicate a bug of some sort...


    Under policies -> from-zone untrust to-zone trust -> policy allow-inbound-ipv6-http


    I had to match application junos-tcp-any


    #IPv6
    #junos-tcp
    #SRX
    #Policies
    #policy
    #junos-http
    #inet6


  • 5.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-19-2011 10:23
    ddeviny@SRX> show configuration groups junos-defaults | display set | match junos-http 
    set groups junos-defaults applications application junos-http protocol tcp
    set groups junos-defaults applications application junos-http destination-port 80
    
    ddeviny@SRX> show configuration groups junos-defaults | display set | match junos-tcp     
    set groups junos-defaults applications application junos-tcp-any term t1 protocol tcp

    Above is what those applications do. So you replaced junos-http with junos-tcp to resolve the issue? You should open a case.
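To make the difference between the two applications in the best answer (post 4) and the `display set` output above concrete, here is an added Python example (not from the thread or from Juniper) that parses `set ... applications application ...` lines into protocol/port terms and checks which destination ports a given application would match. The three junos-defaults lines are taken from the output above; `example-web-alt` is a constructed application added only to exercise port-range parsing. It shows the caveat a reviewer of this workaround would raise: `junos-tcp-any` widens the inbound policy from TCP/80 to every TCP port on `SERVER-IPv6`, so the server's own exposure should be re-checked once that change is made.

```python
import re

# The three junos-defaults lines quoted in the thread, plus one constructed
# application (example-web-alt) to show how a destination-port range is handled.
SET_LINES = """\
set groups junos-defaults applications application junos-http protocol tcp
set groups junos-defaults applications application junos-http destination-port 80
set groups junos-defaults applications application junos-tcp-any term t1 protocol tcp
set applications application example-web-alt term t1 protocol tcp
set applications application example-web-alt term t1 destination-port 8080-8081
"""

# One "set" line per attribute; the "term" keyword is optional for single-term apps.
APP_RE = re.compile(
    r'^set (?:groups junos-defaults )?applications application (?P<app>\S+)'
    r'(?: term (?P<term>\S+))? (?P<attr>protocol|destination-port) (?P<value>\S+)$'
)


def parse_applications(text):
    """Return {app: {term: {'protocol': str|None, 'dport': (lo, hi)|None}}}.
    An application defined without explicit terms is stored under '_implicit'."""
    apps = {}
    for line in text.splitlines():
        m = APP_RE.match(line.strip())
        if not m:
            continue
        terms = apps.setdefault(m['app'], {})
        term = terms.setdefault(m['term'] or '_implicit', {'protocol': None, 'dport': None})
        if m['attr'] == 'protocol':
            term['protocol'] = m['value']
        else:
            lo, _, hi = m['value'].partition('-')   # "80" or "8080-8081"
            term['dport'] = (int(lo), int(hi or lo))
    return apps


def matches(apps, app_name, proto, dport):
    """True if any term of the application matches a flow with this protocol and port.
    A term with no destination-port matches every port of its protocol."""
    for term in apps[app_name].values():
        if term['protocol'] != proto:
            continue
        if term['dport'] is None or term['dport'][0] <= dport <= term['dport'][1]:
            return True
    return False


def exposed_ports(apps, app_name, proto, ports):
    """Subset of `ports` that a policy using `app_name` would permit."""
    return sorted(p for p in ports if matches(apps, app_name, proto, p))


if __name__ == '__main__':
    apps = parse_applications(SET_LINES)
    probe = [22, 80, 443, 8080, 8081, 3306]   # constructed list of ports to compare against
    for name in apps:
        print(f"{name:16s} permits TCP ports {exposed_ports(apps, name, 'tcp', probe)}")
```

The comparison is the point: with `junos-http` the inbound rule only ever admits TCP/80, while `junos-tcp-any` admits every probed port, so any other listener on the server (SSH, a database, a management port) becomes reachable from the Internet through the tunnel. If the broader match has to stay in place, the session-close logging already on that policy is the place to watch for connections to ports other than 80.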