SRX "MIP" not routing

  • 1.  SRX "MIP" not routing

    Posted 08-22-2019 11:48

    I'm used to ScreenOS and Mapped IP of a public static to NAT'ed VLAN trust interface with a policy to allow a specific port for inbound TCP traffic coming from the Internet, but I understand JunOS doesn't work like that, so trying to do it the JunOS SRX-240 way but it's not routing right, here are the relevant portions of my config:

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 1.2.3.4/24;
                }
            }
        }
        ge-0/0/8 {
            vlan-tagging;
            unit 431 {
                vlan-id 431;
                family inet {
                    address 192.168.43.1/24;
                }
            }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.2.3.1;
        }
    }
    security {
        nat {
            source {
                pool src-nat-pooldata43 {
                    address {
                        192.168.43.1/32;
                    }
                }
                rule-set data43 {
                    from zone data43;
                    to zone Internet;
                    rule data43 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            static {
                rule-set 443 {
                    from zone Internet;
                    rule 43static {
                        match {
                            destination-address 1.2.3.5/32;
                        }
                        then {
                            static-nat prefix 192.168.43.50/32;
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        1.2.3.5/32;
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone data43 {
                address-book {
                    address 43 192.168.43.50/32;
                }
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/8.431 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                            }
                        }
                    }
            from-zone data43 to-zone Internet {
                policy data43 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy d43 {
                    match {
                        source-address 43;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone data43 {
                policy suite43nat {
                    match {
                        source-address any;
                        destination-address 43;
                        application [ d43-nas d43-nas5006 d43-nas6281 ];
                    }
                    then {
                        permit;
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        1.2.3.5/32;
                    }
                }
            }
    applications {
        application d43-nas {
            protocol tcp;
            source-port 5001;
            destination-port 5001;
        }
        application d43-nas5006 {
            protocol tcp;
            source-port 5006;
            destination-port 5006;
        }
        application d43-nas6281 {
            protocol tcp;
            source-port 6281;
            destination-port 6281;
        }
    vlans {
        data43 {
            vlan-id 431;
    ...

    Am I close? Do I actually need a proxy-arp? Is there something I can do to "watch" the traffic attempting to route?

     


    #MIP


  • 2.  RE: SRX "MIP" not routing

    Posted 08-22-2019 12:04

    Hi silverst8p,

     

    Yes, you would need proxy-arp in this scenario and your configuration looks good.

     

    Here is a KB for your reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21785&actp=METADATA

     

    What exactly is the issue you are facing?

     

    Regards,

    HS



  • 3.  RE: SRX "MIP" not routing

    Posted 08-22-2019 12:15

    I set up a laptop on 192.168.43.50 VLAN tagged (by a downstream HP switch) as VLAN-id 431 into ge-0/0/8 running a website on port 5001 to test. I can access that website from other trust zones on ge-0/0/1, but not from outside the public internet connected to ge-0/0/0.

     

    Also, from the test laptop on 192.168.43.50 I can no longer ping the Internet, but can ping the gateway of 192.168.43.1.



  • 4.  RE: SRX "MIP" not routing

     
    Posted 08-22-2019 13:37

    Hi,

     

    The configuration looks fine and proxy-arp is required and configured correctly. The fact that the laptop cannot reach the Internet might be the reason why the communication is not working, because NAT and security-policies are configured correctly.

     

    Please take flow traceoptions when testing the communication from the external user and share the output so we can help you find the issue:

     

    # set security flow traceoptions file TRACE
    # set security flow traceoptions flag basic-datapath
    # set security flow traceoptions packet-filter TEST destination-prefix 1.2.3.5
    # set security flow traceoptions packet-filter TEST destination-port 5001
    # commit
    
     [try the test]
    
    # run show log TRACE


  • 5.  RE: SRX "MIP" not routing

    Posted 08-22-2019 14:49
    [edit]
    root@srx240# show security flow
    traceoptions {
        file TRACE;
        flag basic-datapath;
        packet-filter TEST {
            destination-prefix 1.2.3.5/32;
            destination-port 5001;
        }
    }

    root@srx240# run show log TRACE
    Aug 23 05:13:36 05:13:35.918537:CID-0:CTRL:flow0: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow0: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919539:CID-0:RT:filter 0 name TEST is set
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow1: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow1: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow2: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow2: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow3: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow3: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow4: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow4: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow5: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow5: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow6: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow6: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow7: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow7: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow8: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow8: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919038:CID-0:CTRL:flow9: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919539:CID-0:CTRL:flow9: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919539:CID-0:CTRL:flow10: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919539:CID-0:CTRL:flow10: Destination ID set to 2
    Aug 23 05:13:36 05:13:35.919539:CID-0:CTRL:flow11: Rate limit changed to 0
    Aug 23 05:13:36 05:13:35.919539:CID-0:CTRL:flow11: Destination ID set to 2

    I think I'm missing something, I'm guessing I should be seeing packets trying to reach 1.2.3.5. I can ping my ge-0/0/0 from the internet, but not the 1.2.3.5 (presumably because I don't have a ping policy for it).

     

    Do I need to add something else besides a default route and permit any-any policy to allow outbound traffic from my test laptop at 192.168.43.50, am I missing something there in my config?

     

    If I set my laptop to any other IP on the subnet besides 192.168.43.50, like just let dhcp pick up a lease, I can ping the internet.

     

    Are there other tests I can run to check stuff?



  • 6.  RE: SRX "MIP" not routing

     
    Posted 08-22-2019 15:30

    Regarding the flow traces, I would advise to delete the contents of the file and then re-apply the configuration again. And yes, the idea is to see traffic coming to 1.2.3.5.

     

    > clear log TRACE
    > show log TRACE   (confirm that it was cleared)
    > edit
    # delete security flow traceoptions
    # commit full
    # rollback 1
    # commit
    > show log TRACE   (confirm that it is still clear, else clear it again)
    
    [try the test again]
    
    > show log TRACE
    
    

     

    About pinging 1.2.3.5 from an external user, this won't work because the IP address is not really configured on the external interface of the SRX; 1.2.3.5 is there just for NAT purposes.

     

    As you said, you only need the default-route and a security-policy permitting the outbound traffic; however, it is strange that if you use a different IP within the same subnet the PC is able to access the Internet. It looks like the problem is related to the use of IP 192.168.43.50 specifically. The only thing that comes to my mind is that if you use a different internal IP address, then the traffic will hit the regular source NAT rule instead of the Static NAT rule. Even though this shouldn't be a problem, it's the only difference that I can see between those flows. Anyway, the flow traces will tell us that info.

     

    Are you running any other features like UTM, IDP, AppFW, etc, that could be dropping this traffic?

     

    Please ping 8.8.8.8 from the PC and gather the following command; maybe everything is working on the SRX and the problem resides on the ISP side:

     

    > show security flow session source-prefix 192.168.43.50 destination-prefix 8.8.8.8

     

     



  • 7.  RE: SRX "MIP" not routing

    Posted 08-23-2019 09:09

    Cleared the log and repeated the test, confirmed it was clear, but it still just shows:

    root@srx240> show log TRACE
    Aug 23 23:28:57 srx240CP clear-log[17345]: logfile cleared
    Aug 23 23:29:54 23:29:34.804487:CID-0:RT:traceflag 0x0
    
    Aug 23 23:29:54 23:29:53.609932:CID-0:CTRL:flow0: Rate limit changed to 0
    Aug 23 23:29:54 23:29:53.609932:CID-0:CTRL:flow0: Destination ID set to 2
    Aug 23 23:29:54 23:29:53.609932:CID-0:RT:filter 0 name TEST is set
    
    Aug 23 23:29:54 23:29:53.609932:CID-0:CTRL:flow1: Rate limit changed to 0
    Aug 23 23:29:54 23:29:53.609932:CID-0:CTRL:flow1: Destination ID set to 2
    ...

    I still don't understand why I don't see inbound packets destined for 1.2.3.5. I then tried to ping 1.2.3.4 and got a response, so I know I'm connected to the right device and the rest of the network path is working from my test computer (unplugged ge-0/0/0 during ping and all packets dropped, then plugged back in and continued getting responses). Then I tried to see ping requests coming from 192.168.43.50 (pointing at 1.1.1.1 instead of 8.8.8.8) and got:

    Session ID: 122314, Policy name: data43/8, Timeout: 56, Valid
      In: 192.168.43.50/2 --> 1.1.1.1/9744;icmp, If: ge-0/0/8.431, Pkts: 1, Bytes: 84
      Out: 1.1.1.1/9744 --> 1.2.3.5/2;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 122681, Policy name: data43/8, Timeout: 58, Valid
      In: 192.168.43.50/44212 --> 1.1.1.1/53;udp, If: ge-0/0/8.431, Pkts: 105, Bytes: 7174
      Out: 1.1.1.1/53 --> 1.2.3.5/44212;udp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 126527, Policy name: data43/8, Timeout: 56, Valid
      In: 192.168.43.50/3 --> 1.1.1.1/9744;icmp, If: ge-0/0/8.431, Pkts: 1, Bytes: 84
      Out: 1.1.1.1/9744 --> 1.2.3.5/3;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

    So how do I decipher what's happening in this flow?



  • 8.  RE: SRX "MIP" not routing

    Posted 08-23-2019 15:54

    Checking on upstream potential routing issues, will report back, need to determine if something is going on upstream...



  • 9.  RE: SRX "MIP" not routing

     
    Posted 08-23-2019 16:08

    Please try to connect and confirm if the SRX is generating a session and if the static NAT rule is being hit:

     

    > show security flow session destination-prefix 1.2.3.5
    > show security nat static rule 43static

    Also, ping from the PC (192.168.43.50) to 8.8.8.8 in order to confirm if you are able to reach the Internet:

     

    > show security flow session destination-prefix 8.8.8.8 source-prefix 192.168.43.50 

    Pinging 1.1.1.1 is not a good test because you won't receive any replies from 1.1.1.1.

     

    Because flow traceoptions are not working properly, let's apply counters to tell if packets destined to 1.2.3.5 are reaching the external interface of the SRX:

     

    set firewall family inet filter FILTER term 1 from destination-address 1.2.3.5
    set firewall family inet filter FILTER term 1 then count COUNTER
    set firewall family inet filter FILTER term 1 then accept
    set firewall family inet filter FILTER term ALLOW_ELSE then accept
    set interfaces ge-0/0/0 unit 0 family inet filter input FILTER
    commit

    [try the test]

    > show firewall

     

     



  • 10.  RE: SRX "MIP" not routing

    Posted 08-27-2019 14:43

    I found out there was another conflict upstream on the network, which is fixed, so now I did:

    root@srx240> show security flow session destination-prefix 1.2.3.5
    root@srx240> show security nat static rule 43static
    Static NAT rule: 43static
    Rule-set: 443
    Rule-Id : 1
    Rule position : 1
    From zone : Internet
    Destination addresses : 1.2.3.5
    Host addresses : 192.168.43.50
    Netmask : 32
    Host routing-instance : N/A
    Translation hits : 258

    So now I can see that the interface is being hit, so I went back and set up logging on the flow again and got:

    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  flow_first_create_session
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 1.2.3.5, sp 15948, dp 5001
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  chose interface ge-0/0/0.0 as incoming nat if.
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:flow_first_rule_dst_xlate: packet 1.2.3.5->1.2.3.5 nsp2 0.0.0.0->192.168.43.50.
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 5.6.7.8, x_dst_ip 192.168.43.50, in ifp ge-0/0/0.0, out ifp N/A sp 15948, dp 5001, ip_proto 6, tos 0
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:Doing DESTINATION addr route-lookup
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  routed (x_dst_ip 192.168.43.50) from Internet (ge-0/0/0.0 in 0) to ge-0/0/8.431, Next-hop: 192.168.43.50
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  policy search from zone Internet-> zone data43 (0x114,0x3e4c1389,0x1389)
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  app 33, timeout 1800s, curr ageout 20s
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  packet dropped, denied by policy
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  packet dropped,  policy deny.
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  flow find session returns error.
    
    Aug 28 05:19:59 05:19:58.1058016:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    okay, so somewhere I have a bad policy I guess
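To make a basic-datapath trace like the one above quicker to read, here is an added example (my own code, not Juniper's and not from this thread) that parses the lines quoted in this post into one triage record: original and translated destination, ingress and egress interface, zone pair and drop reason. The message formats it matches are taken from the lines above; it assumes every trace line carries the `:RT:` prefix shown there.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the basic-datapath trace quoted in the post above,
# with the timestamp and CID prefix exactly as the SRX writes it.
SAMPLE_TRACE = """\
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  flow_first_create_session
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 1.2.3.5, sp 15948, dp 5001
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  chose interface ge-0/0/0.0 as incoming nat if.
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:flow_first_rule_dst_xlate: packet 1.2.3.5->1.2.3.5 nsp2 0.0.0.0->192.168.43.50.
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 5.6.7.8, x_dst_ip 192.168.43.50, in ifp ge-0/0/0.0, out ifp N/A sp 15948, dp 5001, ip_proto 6, tos 0
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:Doing DESTINATION addr route-lookup
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  routed (x_dst_ip 192.168.43.50) from Internet (ge-0/0/0.0 in 0) to ge-0/0/8.431, Next-hop: 192.168.43.50
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  policy search from zone Internet-> zone data43 (0x114,0x3e4c1389,0x1389)
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  app 33, timeout 1800s, curr ageout 20s
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  packet dropped, denied by policy
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  packet dropped,  policy deny.
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:  flow find session returns error.
Aug 28 05:19:59 05:19:58.1058016:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""


@dataclass
class FirstPacket:
    """What the SRX decided about the first packet of one flow."""
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip_original: Optional[str] = None    # as it arrived on the outside interface
    dst_ip_translated: Optional[str] = None  # after the static NAT rule
    dst_port: Optional[int] = None
    ip_proto: Optional[int] = None
    in_ifp: Optional[str] = None
    out_ifp: Optional[str] = None
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    drop_reason: Optional[str] = None        # None: no drop line was logged

    @property
    def verdict(self) -> str:
        return "dropped" if self.drop_reason else "not dropped"


# One pattern per trace message of interest; the message texts are the SRX's own.
RE_IN_DST_NAT = re.compile(r"flow_first_in_dst_nat: in <(\S+)>, out <\S+> dst_adr ([\d.]+), sp (\d+), dp (\d+)")
RE_DST_XLATE = re.compile(r"flow_first_rule_dst_xlate: .* nsp2 [\d.]+->([\d.]+)\.$")
RE_ROUTE_LOOKUP = re.compile(r"src_ip ([\d.]+), x_dst_ip [\d.]+, in ifp \S+, out ifp \S+ sp \d+, dp \d+, ip_proto (\d+)")
RE_ROUTED = re.compile(r"routed \(x_dst_ip [\d.]+\) from (\S+) \(\S+ in \d+\) to (\S+),")
RE_POLICY_SEARCH = re.compile(r"policy search from zone (\S+?)-> zone (\S+)")
RE_DROP = re.compile(r"packet dropped, (.+?)\.?$")


def _message(line: str) -> str:
    """Strip the 'Aug 28 05:19:59 05:19:58.1058016:CID-0:RT:' prefix."""
    _, sep, tail = line.partition(":RT:")
    return (tail if sep else line).strip()


def parse_first_packet(trace: str) -> FirstPacket:
    """Walk the trace in order and record the NAT, routing and policy decisions."""
    fp = FirstPacket()
    for raw in trace.splitlines():
        msg = _message(raw)
        if m := RE_IN_DST_NAT.search(msg):
            fp.in_ifp, fp.dst_ip_original = m.group(1), m.group(2)
            fp.src_port, fp.dst_port = int(m.group(3)), int(m.group(4))
        elif m := RE_DST_XLATE.search(msg):
            fp.dst_ip_translated = m.group(1)
        elif m := RE_ROUTE_LOOKUP.search(msg):
            fp.src_ip, fp.ip_proto = m.group(1), int(m.group(2))
        elif m := RE_ROUTED.search(msg):
            fp.from_zone, fp.out_ifp = m.group(1), m.group(2)
        elif m := RE_POLICY_SEARCH.search(msg):
            fp.from_zone, fp.to_zone = m.group(1), m.group(2)
        elif (m := RE_DROP.search(msg)) and fp.drop_reason is None:
            fp.drop_reason = m.group(1).strip()   # keep the first drop line only
    return fp


def summarize(fp: FirstPacket) -> str:
    """One-line triage string, convenient when grepping through many traces."""
    tail = f" ({fp.drop_reason})" if fp.drop_reason else ""
    return (f"{fp.src_ip}:{fp.src_port} -> {fp.dst_ip_original}:{fp.dst_port} proto {fp.ip_proto} "
            f"in {fp.in_ifp}; dst-NAT -> {fp.dst_ip_translated}; out {fp.out_ifp}; "
            f"policy {fp.from_zone}->{fp.to_zone}: {fp.verdict}{tail}")


if __name__ == "__main__":
    print(summarize(parse_first_packet(SAMPLE_TRACE)))
```

Feed it `show log TRACE` output and it reports, per first packet, that the static NAT and route lookup succeeded and the drop happened at the Internet to data43 policy search.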



  • 11.  RE: SRX "MIP" not routing

     
    Posted 08-27-2019 14:50

    Nice!

     

    The NAT rule has 258 Translation hits so we can tell traffic is reaching the SRX. The fact that nothing is showing up when running "show security flow session destination-prefix 1.2.3.5" means that the session is not getting created and in this case the flow traceoptions will reveal the reason for that.

     



  • 12.  RE: SRX "MIP" not routing

    Posted 08-27-2019 14:54

    Thanks for this, I edited the above post to add the flow information.

    Is there some kind of flow that will tell me what aspect of the policy is denying the traffic? Seems I'm getting really close.

     

    Meanwhile, after clearing up the upstream network issues, I can ping the public internet just fine from 192.168.43.50, so that's a big step forward!

     

    Here's my policy from zone Internet > data43:

    from-zone Internet to-zone data43 {
        policy suite43nat {
            match {
                source-address any;
                destination-address 43;
                application [ d43-nas d43-nas5006 d43-nas6281 ];
            }
            then {
                permit;
            }
        }
    }

     



  • 13.  RE: SRX "MIP" not routing

     
    Posted 08-27-2019 16:10

    Can you also attach the configuration of the address-book "43" and the applications (d43-nas d43-nas5006 d43-nas6281)?

     

    Address "43" should contain: 192.168.43.50

     

    # show | display set | match "address 43"

     

    One of the applications should account for TCP traffic destined to port 5001

     

    # show applications | display set | match -nas

     

    Also run the following command:

     

    > show security match-policies from-zone Internet to-zone data43 source-ip 5.6.7.8 destination-ip 192.168.43.50 destination-port 5001 protocol tcp

     

     



  • 14.  RE: SRX "MIP" not routing

    Posted 08-27-2019 18:37

     

    root@srx240# show | display set | match "address 43"
    set security policies from-zone data43 to-zone Internet policy d43 match source-address 43
    set security policies from-zone Internet to-zone data43 policy suite43nat match destination-address 43

    root@srx240# show | display set | match -nas
    set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas
    set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas5006
    set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas6281

    > show security match-policies from-zone Internet to-zone data43 source-ip 5.6.7.8 source-port 5001 destination-ip 192.168.43.50 destination-port 5001 protocol tcp
    Policy: suite43nat, action-type: permit, State: enabled, Index: 10
    0
    Policy Type: Configured
    Sequence number: 1
    From zone: Internet, To zone: data43
    Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
    Destination addresses:
    43: 192.168.43.50/32
    Application: d43-nas
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [5001-5001]
    Destination port range: [5001-5001]
    Application: d43-nas5006
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [5006-5006]
    Destination port range: [5006-5006]
    Application: d43-nas6281
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [6281-6281]
    Destination port range: [6281-6281]
    Per policy TCP Options: SYN check: No, SEQ check: No

    So it looks like there's a policy in place?

     



  • 15.  RE: SRX "MIP" not routing

     
    Posted 08-28-2019 15:17

    Yes, there is definitely a policy for that traffic; it is strange that the SRX is dropping the packets. Please try applying the configuration again with a "commit full":

     

     

    # delete security policies from-zone Internet to-zone data43 policy suite43nat
    # commit
    # set security policies from-zone Internet to-zone data43 policy suite43nat match source-address any destination-address 43
    # set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas
    # set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas5006
    # set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas6281
    # set security policies from-zone Internet to-zone data43 policy suite43nat then permit
    # commit full

     

     

    Please check if there is any other filter on top of suite43nat that might be dropping the traffic.

     

    # show security policies from-zone Internet to-zone data43 | display set

     

    Also gather the following commands after re-applying the policy configuration:

     

    > show security policies checksum

    > request pfe execute target fwdd command show usp policy checksum

     



  • 16.  RE: SRX "MIP" not routing

    Posted 08-29-2019 13:01

    Okay, I deleted them and then added them back and did a commit full like:

    from-zone data43 to-zone Internet {
        policy data43 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
        policy d43 {
            match {
                source-address 43;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone Internet to-zone data43 {
        policy suite43nat {
            match {
                source-address any;
                destination-address 43;
                application [ d43-nas d43-nas5006 d43-nas6281 ];
            }
            then {
                permit;
            }
        }
    }

    and

    # show security policies from-zone Internet to-zone data43 | display set
    set security policies from-zone Internet to-zone data43 policy suite43nat match source-address any
    set security policies from-zone Internet to-zone data43 policy suite43nat match destination-address 43
    set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas
    set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas5006
    set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas6281
    set security policies from-zone Internet to-zone data43 policy suite43nat then permit

    also

    > request pfe execute target fwdd command "show usp policy checksum"
    SENT: Ukern command: show usp policy checksum
    GOT:
    LOCAL: End of file

    > show security policies checksum
    From zone     To zone       Checksum
    core          Internet      0x719779cf551608024ab0a792182fbc8f
    core          core_phone    0x25c5bb45213ebad01d17b0b58c6c37d
    core          data43        0xb6524e53b196f25670185954910f82da
    core_phone    Internet      0x1af7ce90e0012fc146035f30bd9e3732
    core_phone    core          0xe3b7243d712f24681c1e9afe5ea2cd6
    data43        Internet      0xe200429cbc4c7144e5081227d4bc0c76
    Internet      data43        0xa8eec3e1effb781d814a7e958af6941

    to make sure:

    > show security match-policies from-zone Internet to-zone data43 source-ip 1.2.3.5 source-port 5001 destination-ip 192.168.43.50 destination-port 5001 protocol tcp
    0
    Policy Type: Configured
    Sequence number: 1
    From zone: Internet, To zone: data43
    Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
    Destination addresses:
    43: 192.168.43.50/32
    Application: d43-nas
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [5001-5001]
    Destination port range: [5001-5001]
    Application: d43-nas5006
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [5006-5006]
    Destination port range: [5006-5006]
    Application: d43-nas6281
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [6281-6281]
    Destination port range: [6281-6281]
    Per policy TCP Options: SYN check: No, SEQ check: No

    Then re-ran test:

    Aug 30 03:22:36 03:22:35.1707744:CID-0:RT:<1.2.3.2/8032->1.2.3.5/5001;6> matched filter TEST:
    
    Aug 30 03:22:36 03:22:35.1707744:CID-0:RT:packet [64] ipid = 0, @4231249c
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 1.2.3.2, x_dst_ip 192.168.43.50, in ifp ge-0/0/0.0, out ifp N/A sp 2817, dp 5001, ip_proto 6, tos 0
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:Doing DESTINATION addr route-lookup
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:  routed (x_dst_ip 192.168.43.50) from Internet (ge-0/0/0.0 in 0) to ge-0/0/8.431, Next-hop: 192.168.43.50
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:  policy search from zone Internet-> zone data43 (0x114,0xb011389,0x1389)
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:  app 33, timeout 1800s, curr ageout 20s
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:  packet dropped, denied by policy
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:  packet dropped,  policy deny.
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:  flow find session returns error.
    
    Aug 30 03:23:33 03:23:31.1863102:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    It seems like something in the policy is still blocking? Does it matter what order the rules are in JunOS? Is it possible I have something wrong in my custom applications definitions? Here's what they look like:

    # show applications
    application d43-nas {
        protocol tcp;
        source-port 5001;
        destination-port 5001;
    }
    application d43-nas5006 {
        protocol tcp;
        source-port 5006;
        destination-port 5006;
    }
    application d43-nas6281 {
        protocol tcp;
        source-port 6281;
        destination-port 6281;
    }


  • 17.  RE: SRX "MIP" not routing
    Best Answer

     
    Posted 08-29-2019 14:58

    Hi,

     

    Delete the "source-port" statement from the custom applications. The traffic being sent has a destination-port of 5001 but not a source-port of 5001. That should fix it.
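The root cause this answer points at can be checked by modelling how the SRX evaluates a zone-pair policy against the custom applications posted earlier in the thread. This is an added example (my own code, not Juniper's and not from the thread) implementing a simplified first-match policy lookup with the address-book entry `43` and the three `d43-nas*` applications; it assumes the lookup uses the post-static-NAT destination address, as the `routed (x_dst_ip 192.168.43.50)` trace line shows, and that a flow matching no policy falls to the default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Application:
    """Subset of a Junos custom application: protocol plus port constraints."""
    name: str
    protocol: str
    destination_port: Optional[int] = None
    source_port: Optional[int] = None   # constrains the CLIENT's port; rarely wanted

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (proto == self.protocol
                and (self.destination_port is None or dport == self.destination_port)
                and (self.source_port is None or sport == self.source_port))


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source_addresses: Tuple[str, ...]       # "any" or address-book names
    destination_addresses: Tuple[str, ...]
    applications: Tuple[Application, ...]
    action: str                              # "permit" or "deny"


# Address book of zone data43 as posted in the thread.
ADDRESS_BOOK = {"43": ipaddress.ip_network("192.168.43.50/32")}


def _address_match(names: Tuple[str, ...], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(n == "any" or addr in ADDRESS_BOOK[n] for n in names)


def evaluate(policies, from_zone, to_zone, src_ip, dst_ip, proto, sport, dport):
    """First matching policy for the zone pair wins; no match is the default deny.
    dst_ip is the post-static-NAT address, which is what the policy search sees."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if (_address_match(p.source_addresses, src_ip)
                and _address_match(p.destination_addresses, dst_ip)
                and any(a.matches(proto, sport, dport) for a in p.applications)):
            return p.name, p.action
    return None, "deny"


def build_policies(with_source_port: bool):
    """suite43nat with the three custom applications, either as originally posted
    (source-port set) or as this answer suggests (source-port removed)."""
    sp = (lambda port: port) if with_source_port else (lambda port: None)
    apps = tuple(Application(f"d43-nas{'' if port == 5001 else port}", "tcp", port, sp(port))
                 for port in (5001, 5006, 6281))
    return (Policy("suite43nat", "Internet", "data43", ("any",), ("43",), apps, "permit"),)


# Constructed test packet, taken from the trace line
# '<1.2.3.2/8032->1.2.3.5/5001;6> matched filter TEST' in the thread:
# a client on ephemeral port 8032 connecting to port 5001.
def verdict_as_posted():
    return evaluate(build_policies(True), "Internet", "data43",
                    "1.2.3.2", "192.168.43.50", "tcp", 8032, 5001)


def verdict_after_fix():
    return evaluate(build_policies(False), "Internet", "data43",
                    "1.2.3.2", "192.168.43.50", "tcp", 8032, 5001)


def verdict_match_policies_query():
    # The 'show security match-policies ... source-port 5001' check run in the thread
    # pins the source port to 5001, so it matches even the broken definition.
    return evaluate(build_policies(True), "Internet", "data43",
                    "1.2.3.2", "192.168.43.50", "tcp", 5001, 5001)


if __name__ == "__main__":
    print("as posted:", verdict_as_posted())
    print("after removing source-port:", verdict_after_fix())
    print("match-policies query with source-port 5001:", verdict_match_policies_query())
```

The third function shows why the `match-policies` check earlier in the thread looked fine: it was run with `source-port 5001`, which real clients never use.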

     



  • 18.  RE: SRX "MIP" not routing

    Posted 08-29-2019 15:25

    It WORKS! Thank you all soooo much!