Pass through AH traffic dropping



Article ID: KB11478 | KB Last Updated: 25 Jun 2010 | Version: 4.0
Pass through Authentication Header (AH) traffic dropping
Pass through Authentication Header (AH) traffic is being dropped by the firewall managed by NSM.
NSM has predefined AH and ESP services. These predefined services are intended only for VPN traffic, and in certain versions of NSM they are created with dst-port 0-0. Customers sometimes also create the same predefined service on the firewall with dst-port 0-0, and the pass through AH or ESP traffic is then dropped by the global deny policy.

To allow pass through AH or ESP traffic through the firewall, create custom services on the firewall as below:
set service AH-custom protocol 51 src-port 0-65535 dst-port 0-65535
set service ESP-custom protocol 50 src-port 0-65535 dst-port 0-65535

In NSM2007.1r3, the AH/ESP service is defined with dst-port 1-65535 and src-port 1-65535.
In NSM2008.1, the AH/ESP service is defined with dst-port 0-65535 and src-port 0-65535.
With these two NSM versions, the predefined AH/ESP services should therefore work for pass-through VPN traffic, and there is no need to add custom AH/ESP services.
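To check a saved firewall configuration for the condition described above, the following added example (not Juniper code) scans `set service` lines for protocol 50/51 services whose dst-port is 0-0 and prints the custom-service command from this article for each hit. The sample configuration is constructed, and accepting quoted service names is an assumption about how saved configurations are written.

```python
import shlex

# IP protocol numbers from the article: 50 = ESP, 51 = AH.
IPSEC_PROTOCOLS = {"50": "ESP", "51": "AH"}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = '''
set service "AH" protocol 51 src-port 0-65535 dst-port 0-0
set service "ESP" protocol 50 src-port 0-65535 dst-port 0-0
set service AH-custom protocol 51 src-port 0-65535 dst-port 0-65535
set service "web-alt" protocol tcp src-port 0-65535 dst-port 8080-8080
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "AH" permit
'''

def parse_service(line):
    """Return (name, fields) for a 'set service' line, else None."""
    try:
        tokens = shlex.split(line)  # handles quoted and unquoted names
    except ValueError:
        return None
    if len(tokens) < 3 or tokens[:2] != ["set", "service"]:
        return None
    rest = tokens[3:]
    fields = {}
    for key in ("protocol", "src-port", "dst-port"):
        if key in rest and rest.index(key) + 1 < len(rest):
            fields[key] = rest[rest.index(key) + 1]
    return tokens[2], fields

def find_zero_port_ipsec_services(config_text):
    """List (service name, AH/ESP) for services defined with dst-port 0-0."""
    findings = []
    for line in config_text.splitlines():
        parsed = parse_service(line.strip())
        if not parsed:
            continue
        name, fields = parsed
        label = IPSEC_PROTOCOLS.get(fields.get("protocol"))
        if label and fields.get("dst-port") == "0-0":
            findings.append((name, label))
    return findings

def custom_service_command(label):
    """Build the replacement command in the form the article gives."""
    number = {v: k for k, v in IPSEC_PROTOCOLS.items()}[label]
    return f"set service {label}-custom protocol {number} src-port 0-65535 dst-port 0-65535"

if __name__ == "__main__":
    for name, label in find_zero_port_ipsec_services(SAMPLE_CONFIG):
        print(f"{name}: {label} service has dst-port 0-0; use: {custom_service_command(label)}")
```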