SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Session close with "Closed by junos-tcp-clt-emul"

    Posted 01-30-2023 13:59
    Hi all. 

    On Friday we had an issue with MS-RPC through some SRX firewalls. The short story is that we needed to disable MS-RPC ALG for things to work again. 

    I've just started looking through events related to this issue and I see RT_FLOW_SESSION_CLOSE with "Reason: Closed by junos-tcp-clt-emul". 

    I can't find much information about this reason "code", other than a couple of articles where this is buried deep down in huge log files. 

    Can anyone enlighten me about what "junos-tcp-clt-emul" really is? Are events that are closed by junos-tcp-clt-emul a bad thing or kind of normal?

    I'm thankful for every tip and thought. 


    ------------------------------
    Vidar Stokke
    ------------------------------


  • 2.  RE: Session close with "Closed by junos-tcp-clt-emul"

     
    Posted 02-01-2023 06:06
    Hello Vidar,

    The junos-tcp-svr-emul and junos-tcp-clt-emul are plug-ins.
    The TCP stack has two instances of plug-ins, TCP Termination (Server emulation) and TCP Initiation (Client emulation).
    Each plug-in acts as a server for incoming packets and client for outgoing packets.
    The two TCP plug-ins work independently, so, depending on the requirement, stream plug-ins can do multiplexing and de-multiplexing of sessions between client and server.

    Regards,


    ------------------------------
    Brijil R
    ------------------------------



  • 3.  RE: Session close with "Closed by junos-tcp-clt-emul"

    Posted 02-07-2023 09:46
    Hi Brijil. 

    Thank you very much for your answer. 

    Do you have any information about how and when these plug-ins are used?  I don't think I understand when they kick in. 

    I've tried to investigate and see that there are several commands related to sessions and plugins.

    For instance, I found out that by issuing "show security flow session plugins plugin-name junos-tcp-svr-emul", I could filter on the sessions that involve the junos-tcp-svr-emul plugin. And from what I see, these are sessions that are either triggering ALG or sessions with IDP rules on them. Is it then correct to say that plugins are triggered when the firewall does more than basic Layer 4 stateful firewalling... like ALG and IDP?

    I've been looking for good documentation on this, but I can't find any. So if you could point me in the right direction, I would appreciate that. 


    ------------------------------
    Vidar Stokke
    ------------------------------