[j-nsp] J/SRX ICMP handling

Klaus Groeger klauzi at gmail.com
Thu Apr 25 02:44:48 EDT 2013


Hi Dale

just give

"set security flow allow-icmp-without-flow"

a try

Regards

Klaus
—
Sent from Mailbox for iPhone

On Thu, Apr 25, 2013 at 7:35 AM, Dale Shaw <dale.shaw+j-nsp at gmail.com>
wrote:

> Hi all,
> This post relates to a previous post of mine on asymmetrically routed
> UDP traffic:
> https://puck.nether.net/pipermail/juniper-nsp/2012-December/024878.html
> It seems as though a J/SRX in flow mode will drop ICMP packets such as
> unreachable and ttl-exceeded if, after consulting the session table,
> an entry corresponding to the header embedded in the ICMP packet is
> not found. In other words, "I'm gonna drop any ICMP packets[1] I see
> if I didn't handle the associated conversation".
> Assume I send a UDP packet between hosts "A" and "D" and it's routed
> outbound via SRX "B", and for whatever reason an ICMP unreachable or
> ttl-exceeded is generated (think traceroute). If that ICMP packet is
> sent towards host "D" not via SRX "B" but via SRX "C", SRX "C" drops
> it:
> (src/dst IPs replaced with "A" and "D")
> Jan 23 14:53:45 14:53:44.938394:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT:
> st0.1033:"D"->"A", icmp, (3/3)
> Jan 23 14:53:45 14:53:44.938424:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT:
> find flow: table 0x63ce7688, hash 494060(0x7ffff), sa "D", da "A", sp
> 33438, dp 47488, proto 17, tok 7
> Jan 23 14:53:45 14:53:44.938483:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT:
> packet dropped, no session found for embedded icmp pak
> Jan 23 14:53:45 14:53:44.938495:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT:
> flow find session returns error.
> Seems like perfectly reasonable behaviour for a firewall, right?
> Right, except when it's not :-)
> Can this behaviour be modified without fully or selectively running in
> packet mode? I'm running JUNOS 10.4R11.
> Cheers,
> Dale
> [1] Well, any ICMP packets that include a copy of the original
> datagram's header: echo request/reply are forwarded (subject to being
> permitted by security policy, of course).
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
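As an added illustration of the lookup Dale's trace shows (example code written for this archive page, not code from either poster or from Junos), the Python model below builds a constructed traceroute probe A->D and the ICMP time-exceeded that D returns quoting it, extracts the embedded header the way a flow engine does, and runs the session check together with the effect of Klaus's allow-icmp-without-flow knob. The placeholder addresses and the rule that the key is the embedded tuple with source and destination swapped are assumptions taken from the quoted trace (sa "D", da "A", sp 33438, dp 47488, proto 17).

```python
import struct
import socket

# Constructed sample: a UDP traceroute probe A -> D and the ICMP
# time-exceeded (type 11, code 0) that D returns to A, carrying the
# original IP header plus the first 8 bytes of the UDP header (RFC 792).
# The addresses are placeholders for the "A" and "D" hosts in the thread.
A, D = "192.0.2.10", "198.51.100.20"

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 1,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icmp_error(src, dst, icmp_type, code, embedded_dgram):
    """ICMP error src -> dst: 8-byte ICMP header + inner IP header + 8 bytes of L4."""
    inner = embedded_dgram[:28]
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + inner
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def embedded_tuple(packet):
    """Return the session key a flow engine derives from an ICMP error packet.
    Assumption from the quoted trace: the embedded header is the original
    A -> D datagram, and the key is that tuple swapped to match the direction
    the ICMP itself travels (sa D, da A, sp 33438, dp 47488, proto 17)."""
    ihl = (packet[0] & 0x0F) * 4
    proto, icmp_type = packet[9], packet[ihl]
    if proto != 1 or icmp_type not in (3, 11, 12):  # unreachable, ttl-exceeded, param-problem
        return None
    inner = packet[ihl + 8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (dst, src, dport, sport, inner[9])

def flow_decision(packet, sessions, allow_icmp_without_flow=False):
    """'forward' when the embedded tuple matches a session (or the knob is set),
    otherwise the drop message from the thread. Forwarded packets remain subject
    to security policy, as Dale's footnote [1] notes."""
    key = embedded_tuple(packet)
    if key is None:
        return "not an ICMP error; normal session/policy lookup"
    if key in sessions or allow_icmp_without_flow:
        return "forward"
    return "packet dropped, no session found for embedded icmp pak"

# Constructed traceroute probe (sport 47488, dport 33438) and D's reply to it.
probe = ipv4_header(A, D, 17, 8) + struct.pack("!HHHH", 47488, 33438, 8, 0)
ttl_exceeded = icmp_error(D, A, 11, 0, probe)
```

With an empty session table (the asymmetric case in the thread, where SRX "C" never saw the A->D probe) the reply is dropped; with the matching session present, or with allow-icmp-without-flow set, it is forwarded.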
