[j-nsp] ISG Dropping TCP packets

Farrukh Haroon farrukhharoon at gmail.com
Sat Sep 3 10:35:34 EDT 2011


Dear Nicholas

Thanks a lot for sharing this with everybody.

Regards

Farrukh

On Fri, Sep 2, 2011 at 3:29 PM, Nicholas Oas <nicholas.oas at gmail.com> wrote:

> An update, this issue is officially PR 677385.  JTAC is working on a fix.
>
> Since I last posted we have observed the bug on an additional ISG-1000. To
> date, we have observed this in 6.3.0r7, 6.3.0r8, and 6.2.0r9.
>
> We were able to get packet captures of both the V1-Untrust and V1-Trust
> interface, in addition to numerous debug outputs as requested by JTAC.
>
> Analysis of the packet captures reveals that the ISG-1000 is actually
> sending response traffic when it erroneously activates TCP Proxy. The
> conversation looks like this:
>
> Packet 1:
> 10.0.2.4:56742         10.0.1.10:80         SYN
> (Correct src-mac)     (Correct dst-mac)
>
> Packet 2:
> 10.0.1.10:80       10.0.2.4:56742       SYN-ACK
> (src-mac: 00:00:00:00:00:00)   (dst-mac: 00:00:00:00:00:00)
>
> The full packet capture shows some other oddities with sequence numbers
> sent
> by the ISG, but the above is enough to prove the point.
>
> To summarize, this bug can be experienced if the following conditions are
> true:
> 1. ISG platform
> 2. ScreenOS 6.2 or 6.3
> 3. Transparent / Layer-2 mode
> 4. Undelivered TCP packets
> 5. UDP and ICMP packets delivered without issue
> 6. debug flow basic shows 'tcp proxy processing'
>
> ex:
> get ff
> (make sure no FF are set, if so use unset ff )
> clear db
> debug flow basic
> get db str | include "tcp proxy processing"
>
> I hope this helps if anyone else ever experiences this issue.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
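The capture signature Nicholas describes (a SYN-ACK coming back with both MAC addresses set to 00:00:00:00:00:00) turned into an offline check, as an added example that is not part of this thread: it builds a small constructed capture with struct, parses each Ethernet/IPv4/TCP frame, and flags SYN-ACKs whose source and destination MAC are both zero. The IPs and ports are the ones from the post; the MAC addresses, sequence numbers and the frame builder are assumptions, and no checksums are computed. The ack-number comparison is the ordinary TCP sanity check (ACK = SYN seq + 1), not a claim about the sequence-number oddities the post mentions. To run it against a real capture, read the frames with whatever pcap library you prefer and pass the raw bytes to find_proxied_synacks.

```python
import struct

# Constructed sample values; these MACs are not from the post.
CLIENT_MAC = "00:11:22:33:44:55"
SERVER_MAC = "66:77:88:99:aa:bb"
ZERO_MAC = b"\x00" * 6

TCP_SYN = 0x02
TCP_ACK = 0x10
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(o) for o in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Build an Ethernet/IPv4/TCP frame with no payload (constructed helper).
    IP and TCP checksums are left at zero; the detector never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                       64, IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4 + tcp


def parse_frame(frame):
    """Return the L2/L3/L4 fields we care about, or None for non-IPv4/TCP frames."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] != IPPROTO_TCP:          # protocol byte at IP header offset 9
        return None
    off = 14 + ihl                        # start of the TCP header
    sport, dport, seq, ack = struct.unpack("!HHII", frame[off:off + 12])
    return {
        "dst_mac": frame[:6],
        "src_mac": frame[6:12],
        "src_ip": ".".join(map(str, frame[26:30])),
        "dst_ip": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
        "flags": frame[off + 13],         # TCP flags byte
    }


def find_proxied_synacks(frames):
    """Flag SYN-ACKs whose src and dst MAC are both all-zero, the pattern seen
    when the ISG answers the SYN itself. Each finding also records whether the
    ACK number equals the matching SYN's seq + 1 (plain TCP sanity check)."""
    pending_syn = {}   # (src_ip, sport, dst_ip, dport) -> SYN sequence number
    findings = []
    for index, frame in enumerate(frames, 1):
        p = parse_frame(frame)
        if p is None:
            continue
        syn_ack_bits = p["flags"] & (TCP_SYN | TCP_ACK)
        if syn_ack_bits == TCP_SYN:
            pending_syn[(p["src_ip"], p["sport"], p["dst_ip"], p["dport"])] = p["seq"]
            continue
        if syn_ack_bits != (TCP_SYN | TCP_ACK):
            continue
        if p["src_mac"] == ZERO_MAC and p["dst_mac"] == ZERO_MAC:
            # The SYN this answers was sent in the reverse direction.
            syn_seq = pending_syn.get((p["dst_ip"], p["dport"], p["src_ip"], p["sport"]))
            findings.append({
                "packet": index,
                "flow": f'{p["src_ip"]}:{p["sport"]} -> {p["dst_ip"]}:{p["dport"]}',
                "ack_matches_syn": syn_seq is not None
                and p["ack"] == ((syn_seq + 1) & 0xFFFFFFFF),
            })
    return findings


def sample_capture():
    """Constructed capture modelled on the exchange in the post, plus one
    normal SYN/SYN-ACK pair with real MACs that must not be flagged."""
    return [
        build_frame(CLIENT_MAC, SERVER_MAC, "10.0.2.4", "10.0.1.10",
                    56742, 80, TCP_SYN, seq=1000),
        build_frame("00:00:00:00:00:00", "00:00:00:00:00:00", "10.0.1.10", "10.0.2.4",
                    80, 56742, TCP_SYN | TCP_ACK, seq=5000, ack=1001),
        build_frame(CLIENT_MAC, SERVER_MAC, "10.0.2.4", "10.0.1.10",
                    56743, 80, TCP_SYN, seq=2000),
        build_frame(SERVER_MAC, CLIENT_MAC, "10.0.1.10", "10.0.2.4",
                    80, 56743, TCP_SYN | TCP_ACK, seq=7000, ack=2001),
    ]


if __name__ == "__main__":
    for hit in find_proxied_synacks(sample_capture()):
        print(hit)
```

On the sample capture only packet 2 is reported; the second pair, answered with real MACs, passes. Seeing a hit on an ISG in transparent mode is the moment to collect the debug flow basic output and look for the 'tcp proxy processing' line the post lists as condition 6.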

