[j-nsp] SRX 3600 dropped packets - how to debug?
Phil Mayers
p.mayers at imperial.ac.uk
Fri May 24 11:21:20 EDT 2013
On 24/05/13 16:05, Alex Arseniev wrote:
>> At the moment, the SRX is sitting in front of our "personally owned"
>> VRF; this means all our wireless and wired laptops, and RAS VPN
>> address ranges.
>
> If You run any kind of peer-to-peer apps (uTorrent, eMule, etc, also
> includes Skype) then You'll see that outside peers trying to establish
> LOADS of unsolicited connections to Your inside hosts.
> And all of them will be dropped unless You enable full cone NAT.
Good suggestion, but that's not it.

Firstly we don't have *any* NAT in play - all the devices are on public
IPs. Secondly, as mentioned all the policies are default permit, so any
unsolicited connections would be allowed. Thirdly, this SRX is actually
behind *another* firewall (Netscreen 5400s) that will eat the
unsolicited connections before the SRX sees them ;o)

Related to that 3rd item, as per my other email *if* that counter would
increment for failed 3-way handshakes, it's possible that the "drops"
are failed sessions which are allowed by the permit-all on the SRX, but
then denied by the Netscreen (e.g. SMTP/25, SMB/139, which we block
outbound). So, as per my other email - does anyone know *what* that
counter is counting?