[j-nsp] SRX 3600 dropped packets - how to debug?

Phil Mayers p.mayers at imperial.ac.uk
Fri May 24 11:21:20 EDT 2013


On 24/05/13 16:05, Alex Arseniev wrote:

>> At the moment, the SRX is sitting in front of our "personally owned"
>> VRF; this means all our wireless and wired laptops, and RAS VPN
>> address ranges.
>
> If You run any kind of peer-to-peer apps (uTorrent, eMule, etc, also
> includes Skype) then You'll see that outside peers trying to establish
> LOADS of unsolicited connections to Your inside hosts.
> And all of them will be dropped unless You enable full cone NAT.

Good suggestion, but that's not it.

Firstly we don't have *any* NAT in play - all the devices are on public 
IPs. Secondly, as mentioned all the policies are default permit, so any 
unsolicited connections would be allowed. Thirdly, this SRX is actually 
behind *another* firewall (Netscreen 5400s) that will eat the 
unsolicited connections before the SRX sees them ;o)


Related to that 3rd item, as per my other email *if* that counter would 
increment for failed 3-way handshakes, it's possible that the "drops" 
are failed sessions which are allowed by the permit-all on the SRX, but 
then denied by the Netscreen (e.g. SMTP/25, SMB/139, which we block 
outbound). So, as per my other email - does anyone know *what* that 
counter is counting?
