[j-nsp] Default SRX Behaviour

Paul Stewart paul at paulstewart.org
Thu Aug 5 13:19:57 EDT 2010


Thanks very much - have had a few offline replies already.  We're trying a
few of these suggestions one step at a time.  Bacula apparently has a
"heartbeat" option which is supposed to resolve that particular issue -
we're testing now.

Appreciate all the responses - nice to know this isn't a completely isolated
behavior...

Paul


-----Original Message-----
From: Michael Damkot [mailto:mdamkottwc at gmail.com] 
Sent: Thursday, August 05, 2010 1:06 PM
To: Paul Stewart
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Default SRX Behaviour

Paul-

I was having some similar events as far as your TCP session issues...

I found a work around by using:
set security flow tcp-session rst-invalidate-session.


Not sure if it's the perfect solution, but it did seem to solve our similar
issue. 


On Aug 5, 2010, at 09:59 , Paul Stewart wrote:

> Hi there..
> 
> 
> 
> We just deployed an SRX650 in front of some servers recently   - at this
> point it's doing nothing more than routing + running screen on inbound
> traffic.  No other UTM features are enabled at this point.
> 
> 
> 
> Configuration is pretty "stock" but we're running into a few issues.
First
> the relevant config:
> 
> 
> 
> security {
> 
>    idp {
> 
>        security-package {
> 
>            url https://services.netscreen.com/cgi-bin/index.cgi;
> 
>        }
> 
>    }
> 
>    screen {
> 
>        ids-option Internet-Inbound {
> 
>            icmp {
> 
>                ping-death;
> 
>            }
> 
>            ip {
> 
>                source-route-option;
> 
>                tear-drop;
> 
>            }
> 
>            tcp {
> 
>                syn-flood {
> 
>                    alarm-threshold 1024;
> 
>                    attack-threshold 200;
> 
>                    source-threshold 1024;
> 
>                    destination-threshold 2048;
> 
>                    timeout 20;
> 
>                }
> 
>                land;
> 
>            }
> 
>        }
> 
>    }
> 
>    zones {
> 
>        security-zone Internet {
> 
>            screen Internet-Inbound;
> 
>            interfaces {
> 
>                ge-6/0/23.0 {
> 
>                    host-inbound-traffic {
> 
>                        system-services {
> 
>                            ssh;
> 
>                            snmp;
> 
>                            ping;
> 
>                            traceroute;
> 
>                        }
> 
>                        protocols {
> 
>                            ospf;
> 
>                        }
> 
>                    }
> 
>                }
> 
>            }
> 
>        }
> 
>        security-zone Linux {
> 
>            interfaces {
> 
>                vlan.11 {
> 
>                    host-inbound-traffic {
> 
>                        system-services {
> 
>                            ping;
> 
>                        }
> 
>                    }
> 
>                }
> 
>            }
> 
>        }
> 
> 
> 
> 
> 
>    policies {
> 
>        from-zone Internet to-zone Linux {
> 
>            policy Internet-to-Linux {
> 
>                match {
> 
>                    source-address any;
> 
>                    destination-address any;
> 
>                    application any;
> 
>                }
> 
>                then {
> 
>                    permit;
> 
>                }
> 
>            }
> 
>        }
> 
>        from-zone Linux to-zone Internet {
> 
>            policy Linux-to-Internet {
> 
>                match {
> 
>                    source-address any;
> 
>                    destination-address any;
> 
>                    application any;
> 
>                }
> 
>                then {
> 
>                    permit;
> 
>                }
> 
>            }
> 
>        }
> 
> 
> 
> 
> 
> The problem is a couple of things that we've noticed so far. the first is
a
> minor issue with inactivity - if I have a SSH session open to one of these
> servers and let it sit for approximately 2 minutes then the connection
> drops.  The SSH configuration on the boxes is set to 10 minutes of
> inactivity which worked well before the SRX was implemented.  
> 
> 
> 
> The second issue is alarming us - we run Bacula for server backups.  The
> actual Bacula server is remote from this network (not on the same subnet
or
> attached to the SRX logically/physically).  Some of the servers are
backing
> up just fine (smaller datasets) but some of these servers which contain
> larger amounts of backup data are timing out after an hour or more of the
> backup working - something is stopping the data transfer in the middle.
> 
> 
> 
> We removed the "screen" process on the security-zone but that made no
> difference - now I'm thinking there is some default settings that are
> causing this but not sure where to look.
> 
> 
> 
> Model: srx650
> 
> JUNOS Software Release [10.0R3.10]
> 
> 
> 
> Any thoughts?  Appreciate it.
> 
> 
> 
> Paul
> 
> 
> 
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp




More information about the juniper-nsp mailing list