[j-nsp] ISG Dropping TCP packets

Nicholas Oas nicholas.oas at gmail.com
Fri Sep 2 08:29:02 EDT 2011


An update: this issue is officially PR 677385. JTAC is working on a fix.

Since I last posted, we have observed the bug on an additional ISG-1000. To
date, we have observed this in 6.3.0r7, 6.3.0r8, and 6.2.0r9.

We were able to get packet captures of both the V1-Untrust and V1-Trust
interface, in addition to numerous debug outputs as requested by JTAC.

Analysis of the packet captures reveals that the ISG-1000 is actually
sending response traffic when it erroneously activates TCP Proxy. The
conversation looks like this:

Packet 1:
10.0.2.4:56742         10.0.1.10:80         SYN
(Correct src-mac)     (Correct dst-mac)

Packet 2:
10.0.1.10:80       10.0.2.4:56742       SYN-ACK
(src-mac: 00:00:00:00:00:00)   (dst-mac: 00:00:00:00:00:00)

The full packet capture shows some other oddities with sequence numbers sent
by the ISG, but the above is enough to prove the point.

To summarize, this bug can be experienced if the following conditions are
true:
1. ISG platform
2. ScreenOS 6.2 or 6.3
3. Transparent / Layer-2 mode
4. Undelivered TCP packets
5. UDP and ICMP packets delivered without issue
6. debug flow basic shows 'tcp proxy processing'

ex:
get ff
(make sure no FF are set; if so, use unset ff)
clear db
debug flow basic
get db str | include "tcp proxy processing"

I hope this helps if anyone else ever experiences this issue.
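One way to spot the same pattern in a capture taken on the V1-Trust or V1-Untrust side, as an added example that is not part of this post or of any Juniper tool: flag SYN-ACKs that come back with all-zero source and destination MACs (the proxy's signature in the two packets above) and SYNs that never get any answer. The packet records and the "correct" MAC addresses below are constructed, not from a real capture.

```python
from collections import namedtuple

# One L2/L3/L4 summary per frame; constructed records, not a real capture.
Packet = namedtuple("Packet", "src_mac dst_mac src_ip sport dst_ip dport flags")

ZERO_MAC = "00:00:00:00:00:00"


def analyze_capture(packets):
    """Classify TCP handshakes seen on the bridge.

    'proxied'    : flows whose SYN-ACK carries all-zero src and dst MACs,
                   i.e. the firewall's TCP proxy answered instead of the server.
    'unanswered' : flows whose SYN never received a SYN-ACK at all.
    Flows are keyed by the client's (src_ip, sport, dst_ip, dport).
    """
    pending = {}   # client 4-tuple -> SYN still waiting for its SYN-ACK
    proxied = []
    for p in packets:
        key = (p.src_ip, p.sport, p.dst_ip, p.dport)
        if p.flags == "SYN":
            pending[key] = p
        elif p.flags == "SYN-ACK":
            rev = (p.dst_ip, p.dport, p.src_ip, p.sport)  # reverse of the SYN
            if pending.pop(rev, None) is None:
                continue  # reply to a SYN we did not capture; ignore
            if p.src_mac == ZERO_MAC and p.dst_mac == ZERO_MAC:
                proxied.append(rev)
    return {"proxied": proxied, "unanswered": sorted(pending)}


# Constructed sample modelled on the two frames in the post; the non-zero
# MACs are hypothetical placeholders for the "correct" hardware addresses.
CLIENT_MAC = "00:11:22:33:44:01"
SERVER_MAC = "00:11:22:33:44:02"
SAMPLE_CAPTURE = [
    Packet(CLIENT_MAC, SERVER_MAC, "10.0.2.4", 56742, "10.0.1.10", 80, "SYN"),
    Packet(ZERO_MAC, ZERO_MAC, "10.0.1.10", 80, "10.0.2.4", 56742, "SYN-ACK"),
    Packet(CLIENT_MAC, SERVER_MAC, "10.0.2.4", 56743, "10.0.1.11", 443, "SYN"),
    Packet(SERVER_MAC, CLIENT_MAC, "10.0.1.11", 443, "10.0.2.4", 56743, "SYN-ACK"),
    Packet(CLIENT_MAC, SERVER_MAC, "10.0.2.4", 56744, "10.0.1.12", 22, "SYN"),
]

if __name__ == "__main__":
    for kind, flows in analyze_capture(SAMPLE_CAPTURE).items():
        for c_ip, c_port, s_ip, s_port in flows:
            print(f"{kind}: {c_ip}:{c_port} -> {s_ip}:{s_port}")
```

Feeding it real frames (e.g. a capture exported to CSV with Ethernet and TCP fields) only requires building the same Packet tuples; the healthy 443 handshake in the sample is there to show that a SYN-ACK with real MACs is not reported.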
