SRX

 View Only
last person joined: 4 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-14-2011 18:08

    Hi All - I've done a lot of searching on this topic but have not had much luck, maybe I'm just using the wrong terms.  Anyway, the tunnel forms and I can browse the IPv6 intarwebs but cannot host services behind the SRX.  Any ideas?  JUNOS Software Release [11.1R2.3]

     

    If I do a tcpdump on the server inside I get the following:

     

    19:15:02.559203 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529550252 0,nop,wscale 7>
19:15:02.559222 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253197943 529550252,nop,wscale 7>
19:15:05.562793 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529550552 0,nop,wscale 7>
19:15:05.562808 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253198694 529550252,nop,wscale 7>
19:15:06.556490 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253198943 529550252,nop,wscale 7>
19:15:11.561059 IP6 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816 > 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www: S 3498304462:3498304462(0) win 5760 <mss 1380,sackOK,timestamp 529551152 0,nop,wscale 7>
19:15:11.561076 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253200194 529550252,nop,wscale 7>
19:15:12.756489 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253200493 529550252,nop,wscale 7>
19:15:24.756489 IP6 2001:470:88xx:xxxx:xxxx:xxxx:xxxx:xxxx.www > 2620:91:0:4205:xxxx:xxxx:xxxx:xxxx.40816: S 3738090997:3738090997(0) ack 3498304463 win 5712 <mss 1440,sackOK,timestamp 1253203493 529550252,nop,wscale 7>

     

    And here are some snipets from my config

     

    interfaces {                            
    ge-0/0/0 {                          
        unit 0 {                        
            description Cablevision;    
            family inet {               
                filter {                
                    input fix-v6v4-tunnel;
                }                       
                dhcp;                   
            }                           
        }                               
    }          
    ip-0/0/0 {                          
        unit 0 {                        
            description "HE IPv6 Tunnel";
            tunnel {                    
                source 69.126.xxx.xxx;   
                destination 209.51.161.14;
            }                           
            family inet6 {              
                address 2001:xxxx:xxxx:xxxx::2/64;
            }                           
        }                               
    } 

routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001:470:1f06:792::1;
        }
    }

security {
    forwarding-options {                
        family {                        
            inet6 {                     
                mode flow-based;        
            }                           
        }                               
    }
    policies {                          
        from-zone trust to-zone untrust {
            policy trust-to-untrust {   
                match {                 
                    source-address [ any-ipv4 any-ipv6 ];
                    destination-address [ any-ipv4 any-ipv6 ];
                    application any;    
                }                       
                then {                  
                    permit {            
                        application-services {
                            idp;        
                        }               
                    }                   
                }                       
            }                           
        }
        from-zone untrust to-zone trust {
            policy allow-inbound-ipv6-http {
                match {                 
                    source-address any-ipv6;
                    destination-address SERVER-IPv6;
                    application junos-http;
                }                       
                then {                  
                    permit {            
                        application-services {
                            idp;        
                        }               
                    }                   
                    log {               
                        session-close;  
                    }                   
                }                       
            }
        }
    }
    zones {
        security-zone trust {
            screen untrust-screen;      
            host-inbound-traffic {      
                system-services {       
                    all;                
                }                       
                protocols {             
                    all;                
                }                       
            }                           
            interfaces {                
                vlan.0;                 
                lo0.0;                  
            }                           
        }
        security-zone untrust {         
            screen untrust-screen;      
            interfaces {                
                ge-0/0/0.0 {            
                    host-inbound-traffic {
                        system-services {
                            dhcp;       
                            tftp;       
                            ssh;        
                            ping;       
                            ike;        
                        }               
                    }                   
                }                       
                ip-0/0/0.0 {            
                    host-inbound-traffic {
                        system-services {
                            ssh;        
                        }               
                    }                   
                }                       
            }                           
        }
    }
}
firewall {
    family inet {
        filter fix-v6v4-tunnel {
            term one {
                from {
                    destination-address {
                        66.220.2.74/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term two {                  
                from {                  
                    source-address {    
                        66.220.2.74/32; 
                    }                   
                    protocol 41;        
                }                       
                then packet-mode;       
            }                           
            term three {
                then accept;            
            }                           
        }                               
    }  
}

     


    #IPv6
    #hosting
    #Server
    #SRX
    #inet6
    #he.net


  • 2.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-17-2011 08:53
    You forgot to anonymize the next hop on your 0/0 route, so it was me who just tried to ssh in to verify the oversight- sorry.

    So you're seeing traffic come in and traffic leave the server. How do you know that the server is properly configured? Can some device on the LAN access it with IPv6?


  • 3.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-17-2011 09:21

    Yes the tcpdump shows the traffic is hitting the server.  I know the server is properly configured because everything worked when I was using a Cisco router.



  • 4.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not
    Best Answer

    Posted 06-19-2011 05:53

    I've managed to resolve the problem, however, the solution seems to indicate a bug of some sort...

     

    Under policies -> from-zone untrust to-zone trust -> policy allow-inbound-ipv6-http

     

    I had to match application junos-tcp-any


    #IPv6
    #junos-tcp
    #SRX
    #Policies
    #policy
    #junos-http
    #inet6


  • 5.  RE: SRX IPv6 tunnel to HE.net works, but inbound requests do not

    Posted 06-19-2011 10:23 
    ddeviny@SRX> show configuration groups junos-defaults | display set | match junos-http 
set groups junos-defaults applications application junos-http protocol tcp
set groups junos-defaults applications application junos-http destination-port 80

ddeviny@SRX> show configuration groups junos-defaults | display set | match junos-tcp     
set groups junos-defaults applications application junos-tcp-any term t1 protocol tcp

     Above is what those applications do. So you replaced junos-http with junos-tcp to resolve the issue? You should open a case.