[j-nsp] tcp reset on srx

Nick Kritsky nick.kritsky at gmail.com
Wed Mar 21 10:26:58 EDT 2012


This can happen if you are using policy-based IPSEC and if the outgoing
interface of the RST packet is not included in the encryption domain.

NK

On Tue, Jan 17, 2012 at 11:01 AM, ashish verma <ashish.scit at gmail.com> wrote:

> Yes it is "reject".
> Just found out that it is only over the IPSEC tunnel. Without the IPSEC
> tunnel it seems to be working.
>
> On Tue, Jan 17, 2012 at 4:07 PM, Ben Dale <bdale at comlinx.com.au> wrote:
>
> >
> > Ashish,
> >
> > On 17/01/2012, at 1:19 PM, ashish verma wrote:
> >
> > > In our SRX deployment I am seeing an issue where the client does not
> > > receive an ICMP message back after getting denied by the policy.
> > >
> > > I can see that packet got dropped by the policy and SRX generates the
> > > tcp-rst but client does not receive anything.
> >
> > Can you confirm that your policy action is "reject" and not "deny"?
> >  Otherwise the traffic will be dropped silently.
> >
> > Cheers,
> >
> > Ben
> >
> >

