Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Archive] Dynamic hostname address book entries do not refresh periodically causing traffic to drop after finding no policy/session match

0

0

Article ID: KB20118 KB Last Updated: 29 Sep 2020Version: 2.0
Summary:

This article explains how Dynamic hostname address book entries refresh periodically for SRX series Gateways.

Symptoms:

Prior to Junos 10.2R1, adding a hostname in the address book entry but not matching the same in policy would not resolve the DNS IP address for the hostname. However, on matching the address book entry to a policy, a commit would resolve the current DNS IP address.

We can see the same behavior by capturing the traffic on the DNS server. This means that, if we have a Dynamic DNS hostname, where in the IP address keeps refreshing periodically, we would not see the same change in the IP for the particular policy.

Viewing the cached entry for the policy, we see the following details:

root@SRX> show security policies detail
--------------------------------------------------------------------------
Default policy: deny-all
Policy: 1, action-type: permit, State: enabled, Index: 4
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
radius: 1.20.30.40/32
Destination addresses:
any: 0.0.0.0/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]

But, if the hostname IP address does change, we would not find the same change in the policy detail and hence in most cases, traffic would not match.
Solution:

A new feature was introduced in Junos 10.2R1 version and above:

When the SRX running on the above version, receives the DNS response after the query, a TTL field is associated with this. This field indicates how long after which the entry should be refreshed in the policy cache and with the querying device. Once the TTL value expires, the SRX will auto refresh the DNS entry for the address book entry.

Modification History:
2020-09-25: Archived.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search