[j-nsp] Weird ARP issue

Luca Salvatore Luca at ninefold.com
Thu Jan 31 05:43:22 EST 2013


Nope it doesn't

________________________________
From: Nick Kritsky [nick.kritsky at gmail.com]
Sent: Thursday, 31 January 2013 9:38 PM
To: Luca Salvatore
Subject: Re: [j-nsp] Weird ARP issue

Does transit traffic destined to SSH increase firewall counter "ssh-block-count"?

thanks
Nick


On Thu, Jan 31, 2013 at 1:20 PM, Luca Salvatore <Luca at ninefold.com> wrote:
Here it is... applied to lo0

 show configuration firewall family inet filter mgmt-traffic | display set
set firewall family inet filter mgmt-traffic term allow from source-prefix-list mgmt-subnets
set firewall family inet filter mgmt-traffic term allow from destination-prefix-list loop0
set firewall family inet filter mgmt-traffic term allow from protocol tcp
set firewall family inet filter mgmt-traffic term allow from destination-port ssh
set firewall family inet filter mgmt-traffic term allow then accept

set firewall family inet filter mgmt-traffic term deny from source-address 0.0.0.0/0
set firewall family inet filter mgmt-traffic term deny from protocol tcp
set firewall family inet filter mgmt-traffic term deny from destination-port ssh
set firewall family inet filter mgmt-traffic term deny then count ssh-block-count
set firewall family inet filter mgmt-traffic term deny then discard
set firewall family inet filter mgmt-traffic term allow-all-else then accept


Here is the mgmt-subnet prefix list:
show configuration policy-options prefix-list mgmt-subnets | display set
set policy-options prefix-list mgmt-subnets 192.168.21.0/24

And the loop0 which uses apply paths
show policy-options prefix-list loop0 | display inheritance
##
## apply-path was expanded to:
##     10.255.0.15/32;
##
apply-path "interfaces lo0 unit <*> family inet address <*>";

So the deny statement blocks SSH to all other IP addresses.  I only want to be able to SSH to lo0.
It seems this was the problem: it blocked some (but not all) transit SSH also.

Luca

________________________________________
From: Mark Tees [marktees at gmail.com]
Sent: Thursday, 31 January 2013 7:33 PM
To: Luca Salvatore
Subject: Re: [j-nsp] Weird ARP issue

Can we see the filter?

Sent from some sort of iDevice.

On 31/01/2013, at 7:01 PM, Luca Salvatore <Luca at ninefold.com> wrote:

> It seems a routing engine filter on lo0 was the cause. The filter was only allowing SSH to/from specific addresses.  Once we removed the filter the traffic ARPs worked and traffic flowed.
>
> Why is the switch using the routing engine filter for transit traffic?
>
> Sent from my iPhone
>
> On 31/01/2013, at 3:58 PM, "Payam Chychi" <pchychi at gmail.com> wrote:
>
> Mmm are the mac addresses for the host arping via ping different than the host that does not arp via ssh?
>
> If so, it might be an issue with virtual mac addresses
>
> --
> Payam Chychi
> Network Engineer / Security Specialist
>
>
> On Wednesday, 30 January, 2013 at 7:29 PM, Luca Salvatore wrote:
>
> I Haven’t touched any ARP config, it’s just the defaults.
>
>
>
> The plot thickens:
>
>
>
> I did some port-mirroring, when I send traffic on port 80 to the VM the switch will generate an Arp request.
>
> Same if I do a ping, I see an ARP request.
>
>
>
> However for SSH traffic, the switch never generates an ARP request so the traffic never gets to the end host.
>
>
>
> Luca
>
>
>
> From: Payam Chychi [mailto:pchychi at gmail.com]
> Sent: Thursday, 31 January 2013 1:48 PM
> To: Luca Salvatore
> Subject: Re: [j-nsp] Weird ARP issue
>
>
>
> What does your arp setup look like? I recall something about juniper handling arp differently depending on if you have arp proxy enabled
>
>
>
> --
> Payam Chychi
> Network Engineer / Security Specialist
>
>
>
> On Wednesday, 30 January, 2013 at 4:54 PM, Luca Salvatore wrote:
>
> Yes it must be the server... the switch doesn't care what type of traffic it is.
>
> The XenServers are running Open VSwitch though
>
>
>
> Luca
>
>
>
>
>
> -----Original Message-----
>
> From: Aaron Dewell [mailto:aaron.dewell at gmail.com]
>
> Sent: Thursday, 31 January 2013 11:50 AM
>
> To: Luca Salvatore
>
> Cc: juniper-nsp at puck.nether.net
>
> Subject: Re: [j-nsp] Weird ARP issue
>
>
>
>
>
> Sounds like a Xen bridge issue, but I have no definitive experience or reason other than that's the only thing in the path which might block it. Strange that it would pass an arp for a ping but not for SSH. Should be the same arp off the switch either way.
>
>
>
> On Jan 30, 2013, at 5:41 PM, Luca Salvatore wrote:
>
> I have a very strange problem that may or may not be related to my switch, but I'm running out of ideas.
>
>
>
>
>
> I have an EX4200 switch running 11.4R2.14. The EX has a bunch of VLANs and is doing some basic routing using the L3 VLAN interfaces.
>
> Connected to this switch are some servers running XenServer with a bunch of VMs.
>
>
>
> Now, the issue I'm seeing is:
>
> When I try to SSH to a VM running on the XenServers I don't get any connection.
>
> If I then send a ping to the VM my SSH connection works.
>
>
>
> What I see happening is that there is no ARP entry in the switch when I use SSH.
>
> As soon as I send a ping, the switch sends an ARP request and gets a reply.
>
>
>
> In other words:
>
> When SSH is used and I do a TCP dump on the server I do not see an ARP request. But when I send a ping, I see the ARP request (from the switch) hit the server and the response comes back, the switch then has an ARP entry and everything works.
>
>
>
> Wondering if anyone has any thoughts here?
>
> I'm about to do a port-mirror to try and dig a bit deeper, but not really confident it will help.
>
>
>
> Thanks
>
> Luca.
>
>
>
> _______________________________________________
>
> juniper-nsp mailing list juniper-nsp at puck.nether.net
>
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
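The unscoped deny term that the thread lands on is easy to lint for. The Python below is an added example, not anything posted in the thread: it parses `display set` output into terms, flags any discard/reject term that carries no destination-address or destination-prefix-list match (the shape that also catches transit traffic when the filter sits on lo0), and shows the same filter passing once the deny term is scoped to a hypothetical `local-addrs` prefix list, assumed to hold the switch's own interface addresses.

```python
import re
from collections import defaultdict

# Constructed sample: the mgmt-traffic filter quoted in the thread (link residue removed).
WEAK_FILTER = """\
set firewall family inet filter mgmt-traffic term allow from source-prefix-list mgmt-subnets
set firewall family inet filter mgmt-traffic term allow from destination-prefix-list loop0
set firewall family inet filter mgmt-traffic term allow from protocol tcp
set firewall family inet filter mgmt-traffic term allow from destination-port ssh
set firewall family inet filter mgmt-traffic term allow then accept
set firewall family inet filter mgmt-traffic term deny from source-address 0.0.0.0/0
set firewall family inet filter mgmt-traffic term deny from protocol tcp
set firewall family inet filter mgmt-traffic term deny from destination-port ssh
set firewall family inet filter mgmt-traffic term deny then count ssh-block-count
set firewall family inet filter mgmt-traffic term deny then discard
set firewall family inet filter mgmt-traffic term allow-all-else then accept
"""

# Same filter with the deny term scoped to the switch's own addresses. "local-addrs" is a
# hypothetical prefix list; from-conditions in a term are ANDed, so transit TCP/22 no longer matches.
FIXED_FILTER = WEAK_FILTER + "set firewall family inet filter mgmt-traffic term deny from destination-prefix-list local-addrs\n"

TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (.*))?$")
DEST_MATCHES = {"destination-address", "destination-prefix-list"}
DROP_ACTIONS = {"discard", "reject"}

def parse_terms(text):
    # {(filter, term): {"from": {match-type: [values]}, "then": [actions]}}, in config order
    terms = defaultdict(lambda: {"from": defaultdict(list), "then": []})
    for line in text.splitlines():
        m = TERM_RE.match(line.strip())
        if not m:
            continue  # not a term line (prefix-list, interface config, etc.)
        filt, term, section, key, value = m.groups()
        if section == "from":
            terms[(filt, term)]["from"][key].append(value)
        else:
            terms[(filt, term)]["then"].append(key)
    return terms

def unscoped_drop_terms(text):
    # Terms that discard/reject without any destination match: on a loopback filter that is
    # also evaluated for forwarded packets, these drop transit traffic as well as RE traffic.
    return [
        (filt, term)
        for (filt, term), t in parse_terms(text).items()
        if DROP_ACTIONS & set(t["then"]) and not DEST_MATCHES & set(t["from"])
    ]
```

`unscoped_drop_terms(WEAK_FILTER)` reports the `deny` term of `mgmt-traffic`; the scoped version reports nothing.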