[j-nsp] tcp reset on srx

ashish verma ashish.scit at gmail.com
Sat Mar 31 06:39:19 EDT 2012


FYI

It turned out to be a bug.
PR# 730288

On Thu, Mar 22, 2012 at 1:26 AM, Nick Kritsky <nick.kritsky at gmail.com> wrote:

> This can happen if you are using policy-based IPSEC and if the outgoing
> interface of RST packet is not included in encryption domain.
>
> NK
>
> On Tue, Jan 17, 2012 at 11:01 AM, ashish verma <ashish.scit at gmail.com> wrote:
>
>> Yes it is "reject".
>> Just found out that it is only over the IPSEC tunnel. Without IPSEC tunnel
>> it seems to be working.
>>
>> On Tue, Jan 17, 2012 at 4:07 PM, Ben Dale <bdale at comlinx.com.au> wrote:
>>
>> >
>> > Ashish,
>> >
>> > On 17/01/2012, at 1:19 PM, ashish verma wrote:
>> >
>> > > In our SRX deployment I am seeing an issue where client does not receive
>> > > an ICMP message back after getting denied by the policy.
>> > >
>> > > I can see that packet got dropped by the policy and SRX generates the
>> > > tcp-rst but client does not receive anything.
>> >
>> > Can you confirm that your policy action is "reject" and not "deny"?
>> >  Otherwise the traffic will be dropped silently.
>> >
>> > Cheers,
>> >
>> > Ben
>> >
>> >
>
>

