Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  SRX220H2 Problems with Host-Inbound-Traffic from extern (Public IP Address), PING, IKE, etc. ( ICMP Protocol )

    Posted 07-12-2022 09:47
    Dear Experts, 

    I'm having problems with the host inbound traffic on interface pp0.1 after a system change of the ISP to G.Fast technology and I hope you can help me.

    Explanations first:

    1.1.1.1 example public IP address on interface pp0.1
    2.2.2.2 example public IP address at the other site (VPN tunnel site to site)
    80.180.101.14 mobile IP address from where I've sent ping requests to my example public IP address 1.1.1.1 (Session ID 16247)
    Session ID 556/557: Host-Inbound-Traffic IKE
    Junos Version: 12.3X48-D105.4

    After some changes made by the ISP here in-house, I'm having trouble with host inbound traffic on an SRX220. Neither PING nor IKE work as they did before the changeover.

    The data packets seem to arrive, but are not answered accordingly by the SRX:

    root@SRX220> show security flow session destination-prefix 1.1.1.1
    Session ID: 556, Policy name: N/A, Timeout: N/A, Valid
    In: 2.2.2.2/0 --> 1.1.1.1/0;esp, If: pp0.1, Pkts: 0, Bytes: 0

    Session ID: 557, Policy name: N/A, Timeout: N/A, Valid
    In: 2.2.2.2/0 --> 1.1.1.1/0;ah, If: pp0.1, Pkts: 0, Bytes: 0

    Session ID: 16247, Policy name: untrust-isp1-to-jhost/58, Timeout: 6, Valid
    In: 80.180.101.145/30840 --> 1.1.1.1/2468;icmp, If: pp0.1, Pkts: 7, Bytes: 588
    Out: 1.1.1.1/2468 --> 80.180.101.145/30840;icmp, If: .local..0, Pkts: 0, Bytes: 0
    Total sessions: 3

    Configuration:

    [edit]
    root@SRX220# show interfaces pp0.1
    apply-macro ISP1;
    ppp-options {
        chap {
            default-chap-secret "xyz"; ## SECRET-DATA
            local-name "xxx";
            passive;
        }
    }
    pppoe-options {
        underlying-interface ge-0/0/2.0;
        idle-timeout 0;
        auto-reconnect 60;
        client;
    }
    family inet {
        mtu 1492;
        primary;
        negotiate-address;
    }

    root@SRX220# show security policies from-zone untrust-isp1 to-zone junos-host
    policy untrust-isp1-to-jhost {
        match {
            source-address any;
            destination-address any;
            application [ junos-ping junos-ike ];
        }
        then {
            permit;
        }
    }

    [edit]
    root@SRX220# show firewall filter lo-filter
    term ike {
        from {
            source-address {
                2.2.2.2/32;
            }
            protocol [ udp tcp ];
            source-port [ 500 4500 1398 ];
            destination-port [ 500 4500 1398 ];
        }
        then accept;
    }
    term ike-2 {
        from {
            destination-address {
                2.2.2.2/32;
            }
            protocol [ udp tcp ];
            source-port [ 500 1398 4500 ];
            destination-port [ 500 1398 4500 ];
        }
        then accept;
    }
    term dhcp {
        from {
            protocol udp;
            source-port [ 67 68 ];
        }
        then accept;
    }
    term dhcpv6 {
        from {
            protocol udp;
            source-port [ 546 547 ];
        }
        then accept;
    }
    term dns {
        from {
            protocol [ tcp udp ];
            source-port [ 53 2289 3295 ];
        }
        then accept;
    }
    term ping {
        from {
            protocol [ icmp icmp6 ];
            icmp-type [ echo-reply echo-request ];
        }
        then accept;
    }
    term default {
        then {
            reject;
        }
    }

    [edit]
    root@SRX220# show interfaces
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input lo-filter;
                }
                address 127.0.0.1/32;
            }
        }
    }

    Does anybody have an idea how to fix this problem?

    Any help is greatly appreciated! 

    -Steve


    ------------------------------
    Steve
    ------------------------------


  • 2.  RE: SRX220H2 Problems with Host-Inbound-Traffic from extern (Public IP Address), PING, IKE, etc. ( ICMP Protocol )

    Posted 07-12-2022 10:31
    I think we will need the full config.  What zone-based system-services are enabled on the relevant interfaces?

    ------------------------------
    David Divins
    ------------------------------



  • 3.  RE: SRX220H2 Problems with Host-Inbound-Traffic from extern (Public IP Address), PING, IKE, etc. ( ICMP Protocol )

    Posted 07-14-2022 06:16
    Hi David. Thank you for your reply. 

    Here is the current config, shortened as far as possible and necessary for security reasons.

    I would also like to note that the public IP address can be reached externally. The configured port forwarding also works externally. Only ICMP services such as PING, but also IKE, i.e. those that access the Junos host directly, are currently blocked by the SRX. But I can't find the reason for this.

    root@SRX220# show
    ## Last changed: 2022-07-12 17:06:06 CEST
    version 12.3X48-D105.4;
    system {
    host-name SRX220;
    time-zone Europe/Berlin;
    ports {
    console log-out-on-disconnect;
    }
    root-authentication {
    encrypted-password "xxx"; ## SECRET-DATA
    }
    name-server {
    8.8.8.8;
    }
    login {
    retry-options {
    tries-before-disconnect 5;
    backoff-threshold 3;
    backoff-factor 10;
    lockout-period 30;
    }
    class idle-super-user {
    idle-timeout 30;
    login-alarms;
    permissions all;
    }
    }
    static-host-mapping {
    DPT {
    inet x.x.x.100;
    alias NASbox;
    }
    }
    services {
    ssh;
    telnet;
    xnm-clear-text;
    dhcp-local-server {
    group net-users {
    interface ge-0/0/1.0;
    }
    web-management {
    traceoptions {
    file log-web-mgmt;
    flag webauth;
    flag configuration;
    }
    https {
    system-generated-certificate;
    interface [ ... ];
    }
    session {
    idle-timeout 1440;
    }
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    host 127.0.0.1 {
    daemon any;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    file kmd-logs {
    daemon info;
    match KMD;
    }
    file blocked-traffic {
    any any;
    match RT_FLOW_SESSION_DENY;
    }
    file firewall {
    firewall info;
    }
    console {
    any emergency;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    }
    security {
    ike {
    traceoptions {
    file vpn-ike;
    flag ike;
    }
    proposal IKE-1 {
    authentication-method pre-shared-keys;
    dh-group xxx;
    authentication-algorithm xxx;
    encryption-algorithm xxx;
    lifetime-seconds 28800;
    }
    policy IKE-POL-1 {
    mode main;
    proposals IKE-1;
    pre-shared-key ascii-text "xxx"; ## SECRET-DATA
    }
    gateway IKE-GATE-1 {
    ike-policy IKE-POL-1;
    address 2.2.2.2;
    external-interface pp0.1;
    local-address 1.1.1.1;
    }
    }
    ipsec {
    proposal IPSEC-1 {
    protocol esp;
    authentication-algorithm xxx;
    encryption-algorithm xxx;
    lifetime-seconds 28800;
    }
    policy IPSEC-POL-1 {
    proposals IPSEC-1;
    }
    vpn VPN-1 {
    bind-interface st0.1;
    ike {
    gateway IKE-GATE-1;
    ipsec-policy IPSEC-POL-1;
    }
    establish-tunnels immediately;
    }
    }
    address-book {
    global {
    ...
    ...
    }
    }
    }
    forwarding-options {
    family {
    inet6 {
    mode packet-based;
    }
    }
    }
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone [ untrust-isp1 untrust-isp2 ];
    rule TRUST-NAT-CLIENT {
    match {
    source-address 10.0.0.0/24;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    destination {
    pool vi_100p443 {
    address x.x.x.100/32 port 443;
    }
    pool vi_100p5001 {
    address x.x.x.100/32 port 5001;
    }
    rule-set vi-dst-nat-isp1 {
    from zone untrust-isp1;
    rule rule1_p58598 {
    match {
    destination-address 1.1.1.1/32;
    destination-port {
    58598;
    }
    }
    then {
    destination-nat {
    pool {
    vi_100p443;
    }
    }
    }
    }
    rule rule2_p58598 {
    match {
    destination-address 1.1.1.1/32;
    destination-port {
    58598;
    }
    }
    then {
    destination-nat {
    pool {
    vi_100p5001;
    }
    }
    }
    }
    }
    }
    }
    policies {
    from-zone trust to-zone Internet {
    policy trust-to-internet {
    match {
    source-address NET-LAN;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone untrust-isp1 {
    policy trust-to-untrust-isp1 {
    match {
    source-address NET-LAN;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone untrust-isp2 {
    policy trust-to-untrust-isp2 {
    match {
    source-address NET-LAN;
    destination-address any;
    application any;
    }
    then {
    permit {
    tcp-options {
    initial-tcp-mss 1452;
    }
    }
    }
    }
    }
    from-zone VPN-1 to-zone trust {
    policy vpn1-to-trust {
    match {
    source-address [ NET-1 NET-1-WLAN ];
    destination-address NET-LAN;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone VPN-1 {
    policy trust-to-vpn1 {
    match {
    source-address NET-LAN;
    destination-address [ NET-1 NET-1-WLAN ];
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone trust {
    description "LAN trust";
    host-inbound-traffic {
    system-services {
    bootp;
    dhcp;
    ping;
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/1.0;
    }
    }
    security-zone untrust-isp1 {
    description "ISP 1";
    host-inbound-traffic {
    system-services {
    bootp;
    ike;
    ping;
    }
    }
    interfaces {
    pp0.1 {
    host-inbound-traffic {
    system-services {
    ping;
    ike;
    }
    }
    }
    }
    }
    security-zone untrust-isp2 {
    description "ISP 2";
    host-inbound-traffic {
    system-services {
    bootp;
    ping;
    ike;
    }
    }
    interfaces {
    pp0.0;
    }
    }
    }
    security-zone VPN-1 {
    host-inbound-traffic {
    system-services {
    bootp;
    ike;
    ping;
    }
    }
    interfaces {
    st0.1 {
    host-inbound-traffic {
    system-services {
    ike;
    bootp;
    ping;
    ssh;
    }
    }
    }
    }
    }
    }

    interfaces {
    ge-0/0/1 {
    description trust;
    unit 0 {
    family inet {
    filter {
    input classify-isp;
    }
    address 10.0.0.1/24;
    }
    }
    }
    ge-0/0/2 {
    description "ISP-1";
    vlan-tagging;
    unit 0 {
    encapsulation ppp-over-ether;
    vlan-id 50;
    }
    }
    pt-2/0/0 {
    description "ISP-2";
    vlan-tagging;
    vdsl-options {
    vdsl-profile auto;
    }
    unit 0 {
    encapsulation ppp-over-ether;
    vlan-id 7;
    }
    }
    lo0 {
    unit 0 {
    family inet {
    filter {
    input lo-filter;
    }
    }
    }
    }
    pp0 {
    traceoptions {
    flag all;
    }
    unit 0 {
    apply-macro ISP2;
    ppp-options {
    chap {
    default-chap-secret "xxx"; ## SECRET-DATA
    local-name "xxx";
    passive;
    }
    }
    pppoe-options {
    underlying-interface pt-2/0/0.0;
    idle-timeout 0;
    auto-reconnect 60;
    client;
    }
    family inet {
    mtu 1492;
    primary;
    negotiate-address;
    }
    family inet6 {
    mtu 1492;
    }
    }
    unit 1 {
    apply-macro ISP1;
    ppp-options {
    chap {
    default-chap-secret "xxx"; ## SECRET-DATA
    local-name "xxx";
    passive;
    }
    }
    pppoe-options {
    underlying-interface ge-0/0/2.0;
    idle-timeout 0;
    auto-reconnect 60;
    client;
    }
    family inet {
    mtu 1492;
    primary;
    negotiate-address;
    }
    }
    }
    st0 {
    unit 1 {
    family inet {
    address 10.1.0.1/30;
    }
    }
    }
    }
    routing-options {
    interface-routes {
    rib-group inet fbf-group;
    }
    static {
    route 10.2.1.0/24 next-hop st0.1;
    route 0.0.0.0/0 {
    next-hop pp0.0;
    qualified-next-hop pp0.1 {
    preference 7;
    }
    preference 5;
    }
    }
    rib-groups {
    fbf-group {
    import-rib [ inet.0 ISP-1.inet.0 ISP-2.inet.0 ];
    }
    }
    }
    protocols {
    router-advertisement {
    interface pp0.1;
    }
    ppp {
    traceoptions {
    file ppp;
    level all;
    flag all;
    }
    }
    pppoe {
    traceoptions {
    file pppoe;
    level all;
    flag all;
    }
    }
    stp;
    }
    policy-options {
    prefix-list admin-ip {
    x.x.x.x/32;
    x.x.x.x/32;
    }
    prefix-list windows-server {
    x.x.x.x/32;
    x.x.x.x/32;
    }
    prefix-list provider-ip {
    x.x.x.x/32;
    x.x.x.x/32;
    }
    }
    firewall {
    filter lo-filter {
    term Troubleshooting {
    from {
    source-address {
    0.0.0.0/0;
    }
    destination-address {
    1.1.1.1/32;
    }
    }
    then {
    count deny_count;
    syslog;
    }
    }
    term limited-ip {
    from {
    destination-address {
    x.x.x.1/32;
    x.x.x.1/32;
    x.x.x.1/32;
    }
    source-prefix-list {
    admin-ip;
    }
    port [ 22 443 ];
    }
    then accept;
    }
    term allow_in_ipv4_ping {
    from {
    protocol icmp;
    icmp-type echo-reply;
    }
    then accept;
    }
    term ike {
    from {
    source-address {
    2.2.2.2/32;
    }
    protocol [ udp tcp ];
    source-port [ 500 4500 1398 ];
    destination-port [ 500 4500 1398 ];
    }
    then accept;
    }
    term ike-2 {
    from {
    destination-address {
    2.2.2.2/32;
    }
    protocol [ udp tcp ];
    source-port [ 500 1398 4500 ];
    destination-port [ 500 1398 4500 ];
    }
    then accept;
    }
    term dhcp {
    from {
    protocol udp;
    source-port [ 67 68 ];
    }
    then accept;
    }
    term dhcpv6 {
    from {
    protocol udp;
    source-port [ 546 547 ];
    }
    then accept;
    }
    term dns {
    from {
    protocol [ tcp udp ];
    source-port [ 53 2289 3295 ];
    }
    then accept;
    }
    term default {
    then {
    reject;
    }
    }
    term tmp {
    then accept;
    }
    }
    filter classify-isp {
    term isp-1-traffic {
    from {
    source-address {
    x.x.x.x/24;
    x.x.x.x/30;
    x.x.x.x/24;
    }
    }
    then {
    routing-instance ISP-1;
    }
    }
    term isp-2-traffic {
    from {
    source-address {
    x.x.x.x/24;
    x.x.x.x/24;
    x.x.x.x/24;
    }
    }
    then {
    routing-instance ISP-2;
    }
    }
    term default {
    then accept;
    }
    }
    }
    access {
    address-assignment {
    pool trust-pool {
    family inet {
    network 10.0.0.0/24;
    range admin-range {
    low 10.0.0.100;
    high 10.0.0.150;
    }
    dhcp-attributes {
    name-server {
    8.8.8.8;
    }
    router {
    10.0.0.1;
    }
    }
    }
    }
    }
    }
    routing-instances {
    ISP-1 {
    instance-type forwarding;
    routing-options {
    static {
    route 10.2.1.0/24 next-hop st0.1;
    route 0.0.0.0/0 {
    next-hop pp0.1;
    qualified-next-hop pp0.0 {
    preference 7;
    }
    preference 5;
    }
    }
    }
    }
    ISP-2 {
    instance-type forwarding;
    routing-options {
    static {
    route 10.2.1.0/24 next-hop st0.1;
    route 0.0.0.0/0 {
    next-hop pp0.0;
    qualified-next-hop pp0.1 {
    preference 7;
    }
    preference 5;
    }
    }
    }
    }
    }
    applications {
    application VI-EXT-P58560 {
    protocol tcp;
    destination-port 58560;
    }
    application VI-EXT-P58598 {
    protocol tcp;
    destination-port 58598;
    }
    }

    ------------------------------
    Steve
    ------------------------------
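The walk-through below is an added example, not code from the thread or from Juniper. It models in Python the three gates a packet addressed to the SRX itself has to pass on the config above: the zone/interface host-inbound-traffic system-services (the question in the first reply), the untrust-isp1 to junos-host policy, and the lo0 input filter. The filter terms are the lo-filter terms from this post minus the redacted limited-ip term and the diagnostic Troubleshooting term; term evaluation follows Junos filter semantics (first matching term wins, a matching term whose then clause has only non-terminating actions such as count and syslog accepts, an implicit discard follows the last term). The packets, the corrected filter and the classify() mapping of packets to predefined applications are constructed for the example; 1.1.1.1, 2.2.2.2 and 80.180.101.145 are the thread's own example addresses.

```python
"""Host-inbound path of an SRX, modelled for the thread's config (added example,
not from the thread or Juniper): zone system-services, then the policy to zone
junos-host, then the lo0 input filter."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "icmp", "udp" or "tcp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""     # "echo-request" / "echo-reply" when proto is icmp


@dataclass
class Term:
    """One firewall-filter term; an empty match list means 'any'."""
    name: str
    action: Optional[str] = "accept"   # accept | reject | discard | None (count/syslog only)
    src: List[str] = field(default_factory=list)
    dst: List[str] = field(default_factory=list)
    proto: List[str] = field(default_factory=list)
    sport: List[int] = field(default_factory=list)
    dport: List[int] = field(default_factory=list)
    icmp_type: List[str] = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        def in_any(addr: str, prefixes: List[str]) -> bool:
            return not prefixes or any(ip_address(addr) in ip_network(n) for n in prefixes)
        return (in_any(p.src, self.src) and in_any(p.dst, self.dst)
                and (not self.proto or p.proto in self.proto)
                and (not self.sport or p.sport in self.sport)
                and (not self.dport or p.dport in self.dport)
                and (not self.icmp_type or p.icmp_type in self.icmp_type))


def evaluate_filter(terms: List[Term], p: Packet) -> Tuple[str, str]:
    """(term name, action) of the first matching term, or the implicit discard.
    A matching term with no terminating action accepts, as in Junos."""
    for t in terms:
        if t.matches(p):
            return t.name, (t.action or "accept")
    return "<implicit>", "discard"


def unreachable_terms(terms: List[Term]) -> List[str]:
    """Names of terms that sit behind a catch-all term with a terminating action."""
    for i, t in enumerate(terms):
        catch_all = not any([t.src, t.dst, t.proto, t.sport, t.dport, t.icmp_type])
        if catch_all and t.action in ("accept", "reject", "discard"):
            return [u.name for u in terms[i + 1:]]
    return []


# lo-filter as posted, minus the redacted limited-ip term and the diagnostic
# Troubleshooting term: echo-reply only, IKE pinned to the peer, catch-all reject.
LO_FILTER_AS_POSTED = [
    Term("allow_in_ipv4_ping", proto=["icmp"], icmp_type=["echo-reply"]),
    Term("ike", src=["2.2.2.2/32"], proto=["udp", "tcp"],
         sport=[500, 4500, 1398], dport=[500, 4500, 1398]),
    Term("ike-2", dst=["2.2.2.2/32"], proto=["udp", "tcp"],
         sport=[500, 1398, 4500], dport=[500, 1398, 4500]),
    Term("dhcp", proto=["udp"], sport=[67, 68]),
    Term("dhcpv6", proto=["udp"], sport=[546, 547]),
    Term("dns", proto=["tcp", "udp"], sport=[53, 2289, 3295]),
    Term("default", action="reject"),
    Term("tmp", action="accept"),          # never reached: default already rejected
]

# Corrected filter (constructed): the ping term also admits echo-request, as
# "term ping" in the first post did, and the dead "tmp" term is removed.
LO_FILTER_FIXED = [
    Term(t.name, proto=["icmp"], icmp_type=["echo-request", "echo-reply"])
    if t.name == "allow_in_ipv4_ping" else t
    for t in LO_FILTER_AS_POSTED if t.name != "tmp"
]

ISP1_SERVICES = {"bootp", "ike", "ping"}        # zone untrust-isp1 system-services
HOST_POLICY_APPS = {"junos-ping", "junos-ike"}  # policy untrust-isp1-to-jhost


def classify(p: Packet) -> Tuple[str, str]:
    """(zone system-service, predefined application) the packet needs to be let in."""
    if p.proto == "icmp":
        return "ping", "junos-ping"
    if p.proto == "udp" and p.dport == 500:
        return "ike", "junos-ike"
    if p.proto == "udp" and p.dport == 4500:
        return "ike", "junos-ike-nat"      # NAT-T has its own predefined application
    return "other", "other"


def diagnose(p: Packet, services, policy_apps, lo_terms) -> Tuple[bool, str, str]:
    """(accepted, stage that decided, detail) for a packet addressed to the SRX itself."""
    svc, app = classify(p)
    if svc not in services:
        return False, "host-inbound-traffic", f"system-service {svc} not allowed"
    if app not in policy_apps:
        return False, "policy", f"{app} not permitted to zone junos-host"
    term, action = evaluate_filter(lo_terms, p)
    return action == "accept", "lo0-filter", f"term {term} -> {action}"


if __name__ == "__main__":
    ping = Packet("80.180.101.145", "1.1.1.1", "icmp", icmp_type="echo-request")
    print("as posted:", diagnose(ping, ISP1_SERVICES, HOST_POLICY_APPS, LO_FILTER_AS_POSTED))
    print("fixed    :", diagnose(ping, ISP1_SERVICES, HOST_POLICY_APPS, LO_FILTER_FIXED))
    print("dead terms as posted:", unreachable_terms(LO_FILTER_AS_POSTED))
```

With the filter as posted, an inbound echo-request to 1.1.1.1 passes the zone and the policy (the session in the first post shows exactly that: 7 packets in, none out) and then falls through to term default and is rejected, because allow_in_ipv4_ping only admits echo-reply; IKE from 2.2.2.2 is accepted by term ike, while IKE from any other address is rejected by the same catch-all, which is the lo0 filter, not the zone, enforcing the peer restriction. The corrected filter accepts the echo-request, and unreachable_terms() flags term tmp, which can never match behind the terminating reject. Two things to check on the box rather than in the model: `show firewall filter lo-filter` lists only the counters the filter defines (deny_count here), so give the term under suspicion a count action to see whether it is hit; and junos-ike covers UDP/500 only, so an IKE peer behind NAT also needs junos-ike-nat in the junos-host policy.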



  • 4.  RE: SRX220H2 Problems with Host-Inbound-Traffic from extern (Public IP Address), PING, IKE, etc. ( ICMP Protocol )

    Posted 07-27-2022 04:59
    Hello everyone!

    I would like to give a quick update. I was able to find and fix all described problems.

    In short, the following caused the problems:

    1. Misconfiguration of the lo interface firewall filter. This led to ICMP traffic being blocked from the untrust side.
    2. Missing initial-tcp-mss configuration on the ISP-2 Internet Interface. (which was never required before, whatever) 
    3. Asymmetric traffic of data packets between ISP-1 and ISP-2, which also resulted in data packets being dropped.

    All errors have now been solved and the SRX is running again without any problems.

    Thanks to all for your support.

    PS: Some articles were very helpful in troubleshooting
    https://junipertrain.wordpress.com/2017/02/18/destination-nat-on-juniper-srx-in-a-dual-isp-environment-dealing-with-routing-instances/
    https://rtodto.net/how-to-avoid-flow-asymmetry-on-srx/
    https://supportportal.juniper.net/s/article/ScreenOS-Source-routing-with-the-same-incoming-and-outgoing-interface-gets-dropped?language=en_US
    https://supportportal.juniper.net/s/article/Junos-Understanding-firewall-filter-behavior-on-fragmented-IP-packets?language=en_US


    ------------------------------
    Steve
    ------------------------------
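The check below is an added example, not code from the thread or from Juniper; it models the third cause in the list above and, in one helper, the second. It loads the static routes shown in the config post (main table inet.0 and the forwarding instances ISP-1 and ISP-2, each with a qualified-next-hop backup), applies the selection rule for static routes (longest prefix, then the lowest-preference next hop whose link is up) and flags sessions whose reply would leave a different PPPoE interface than the one it arrived on. The interface-to-table mapping, the sample sessions and the IFC_RIB_PER_ISP alternative are assumptions made for the example; the prefix lists behind the classify-isp filter are redacted in the thread, so the example takes the table as input instead of deriving it from a source address. tcp_mss_for() shows where the 1452 in policy trust-to-untrust-isp2 comes from: the 1492-byte PPPoE MTU minus 40 bytes of IPv4 and TCP headers.

```python
"""Reverse-path check for the thread's dual-ISP static routing (added example,
not from the thread or Juniper). Routes are the ones posted; the interface-to-
table mappings and sample sessions are constructed for the example."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class Route:
    def __init__(self, prefix: str, next_hops: List[Tuple[str, int]]):
        self.prefix = ip_network(prefix)
        self.next_hops = next_hops   # (interface, preference); 5 is the static default


# Static routes as posted; "qualified-next-hop ... preference 7" is the backup path.
RIBS: Dict[str, List[Route]] = {
    "inet.0": [Route("10.2.1.0/24", [("st0.1", 5)]),
               Route("0.0.0.0/0", [("pp0.0", 5), ("pp0.1", 7)])],
    "ISP-1.inet.0": [Route("10.2.1.0/24", [("st0.1", 5)]),
                     Route("0.0.0.0/0", [("pp0.1", 5), ("pp0.0", 7)])],
    "ISP-2.inet.0": [Route("10.2.1.0/24", [("st0.1", 5)]),
                     Route("0.0.0.0/0", [("pp0.0", 5), ("pp0.1", 7)])],
}
ALL_UP = {"pp0.0": True, "pp0.1": True, "st0.1": True}


def lookup(rib: str, dst: str, links_up: Dict[str, bool] = ALL_UP) -> Optional[str]:
    """Longest-prefix match, then the lowest-preference next hop whose link is up."""
    addr = ip_address(dst)
    matching = [r for r in RIBS[rib] if addr in r.prefix]
    if not matching:
        return None
    best = max(matching, key=lambda r: r.prefix.prefixlen)
    usable = [(ifc, pref) for ifc, pref in best.next_hops if links_up.get(ifc)]
    return min(usable, key=lambda nh: nh[1])[0] if usable else None


# Which table answers the reverse-route lookup for a session arriving on an interface.
# As posted, both PPPoE interfaces sit in the main instance, so both resolve in inet.0.
IFC_RIB_AS_POSTED = {"pp0.0": "inet.0", "pp0.1": "inet.0"}
# Hypothetical alternative (an assumption for illustration, not the poster's fix):
# each ISP interface resolves reverse routes in its own instance's table.
IFC_RIB_PER_ISP = {"pp0.0": "ISP-2.inet.0", "pp0.1": "ISP-1.inet.0"}


def reply_egress(ingress: str, remote: str, ifc_rib: Dict[str, str],
                 links_up: Dict[str, bool] = ALL_UP) -> Optional[str]:
    """Interface the reply to a session that arrived on `ingress` would leave through."""
    return lookup(ifc_rib[ingress], remote, links_up)


def asymmetric_sessions(sessions, ifc_rib, links_up=ALL_UP):
    """(ingress, remote, egress) for every session whose reply leaves another interface."""
    out = []
    for ingress, remote in sessions:
        egress = reply_egress(ingress, remote, ifc_rib, links_up)
        if egress != ingress:
            out.append((ingress, remote, egress))
    return out


# Constructed sessions: the ping source and the IKE peer from the thread arriving on
# pp0.1 (ISP-1), plus one session on pp0.0 (ISP-2) from a documentation address.
SESSIONS = [("pp0.1", "80.180.101.145"), ("pp0.1", "2.2.2.2"), ("pp0.0", "198.51.100.7")]

PPPOE_MTU = 1492          # family inet mtu on pp0.0 / pp0.1
IPV4_TCP_HEADERS = 40     # 20-byte IPv4 header + 20-byte TCP header, no options


def tcp_mss_for(mtu: int = PPPOE_MTU) -> int:
    """MSS to clamp with initial-tcp-mss so a full segment fits the PPPoE MTU."""
    return mtu - IPV4_TCP_HEADERS


if __name__ == "__main__":
    print("as posted :", asymmetric_sessions(SESSIONS, IFC_RIB_AS_POSTED))
    print("per ISP   :", asymmetric_sessions(SESSIONS, IFC_RIB_PER_ISP))
    print("pp0.0 down:", lookup("inet.0", "80.180.101.145", {**ALL_UP, "pp0.0": False}))
    print("MSS for PPPoE MTU", PPPOE_MTU, "=", tcp_mss_for())
```

With the tables as posted, every session that arrived on pp0.1 gets its reply routed by inet.0 through pp0.0, i.e. out of ISP-2 carrying ISP-1's address, while sessions on pp0.0 are symmetric; with a per-ISP table the list is empty. On the SRX the same question is answered by comparing `show route 80.180.101.145 table inet.0` with `show route 80.180.101.145 table ISP-1.inet.0`, and by the In/Out interfaces in `show security flow session`. The model is deliberately simpler than the flow module, which resolves the reverse route at session creation; it is meant to show why a default route that prefers one ISP cannot, by itself, return traffic to the other.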



  • 5.  RE: SRX220H2 Problems with Host-Inbound-Traffic from extern (Public IP Address), PING, IKE, etc. ( ICMP Protocol )

    Posted 07-14-2022 15:05
    That is an unusual config.  I suspect this may be a lot of back and forth, I will send a private reply...

    Best,
    dsd

    ------------------------------
    David Divins
    ------------------------------