
[ScreenOS] Can a packet get passed by the NetScreen firewall if the source and destination IP addresses are the same?


Article ID: KB20802
KB Last Updated: 24 Aug 2011
Version: 1.0
Summary:
This article describes why BFD (Bidirectional Forwarding Detection) echo packets cannot be passed through a firewall in Transparent (Layer 2) mode, and how to work around it.
Symptoms:
A BFD echo packet carries the same source and destination IP address, as in the snoop output below:
3955304.0: ethernet0/0(i) len=54:0018742e5a80->0064403a1180/0800
                192.168.1.1 -> 192.168.1.1/17
                vhl=45, tos=c0, id=37011, frag=0000, ttl=255 tlen=40
                udp:ports 49152->3785, len=20

If the policy has both the Source and Destination addresses set to Any, then the packet is passed through the firewall:
     set policy id 1 from "V1-Trust" to "V1-Untrust" "Any" "Any" "Any" permit

However, if either the source or the destination address in the policy is a specific IP address rather than Any, the packet does not match the policy and is dropped.
For example, with the following address book entry and policy, the debug flow output shows the packet hitting the default deny policy:
     set address "V1-Trust" "192.168.1.1" 192.168.1.1 255.255.255.255
     set policy id 1 from "V1-Trust" to "V1-Untrust" "192.168.1.1" "Any" "Any" permit
****** 02160.0: <V1-Trust/ethernet0/0> packet received [46]******
  ipid = 9625(2599), @2d403910
  packet passed sanity check.
  packet with vlan 1, vlan-group vlan1, vsd 0
  v1-trust:192.168.1.1/49152->192.168.1.1/3785,17<Root>
L2: need flooding
  v1-trust:192.168.1.1/49152->192.168.1.1/3785,17<Root>
 L2 broadcast(1) to v1-untrust
L2 broadcasets: direct to v1-untrust only
  flow_decap_vector IPv4 process
  no session found
  flow_first_sanity_check: in <v1-trust>, out <v1-untrust>
  policy search from zone 12-> zone 11
 policy_flow_search policy search nat_crt from zone 12-> zone 11
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.1, port 3785, proto 17)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
  Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
Policy id deny policy, ipv6 0, flow_potential_violation 0


Solution:
To pass the BFD echo packets through the firewall, use one of the following:
  1. Set both the source and destination addresses in the policy to Any.
  2. NAT either the source IP or the destination IP before the packet reaches the firewall, so that the two addresses differ.
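As an added example (not part of the Juniper article), a small Python scanner over ScreenOS `debug flow` output that flags the symptom described above: a packet record whose 5-tuple is a BFD echo (UDP port 3785 with identical source and destination) and that ends in `packet dropped, denied by policy`. The sample text is constructed from the debug lines shown in this article; the function and constant names are my own.

```python
import re

# Constructed sample of ScreenOS "debug flow basic" output, condensed from the
# lines shown in this article (Transparent mode, BFD echo packet, src == dst).
DEBUG_FLOW = """\
****** 02160.0: <V1-Trust/ethernet0/0> packet received [46]******
  ipid = 9625(2599), @2d403910
  packet passed sanity check.
  v1-trust:192.168.1.1/49152->192.168.1.1/3785,17<Root>
L2: need flooding
  no session found
  flow_first_sanity_check: in <v1-trust>, out <v1-untrust>
  policy search from zone 12-> zone 11
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
"""

BFD_ECHO_PORT = "3785"  # UDP port used by BFD echo packets (RFC 5881)
# Flow line format: "<zone>:<src>/<sport>-><dst>/<dport>,<proto><vsys>"
FLOW_RE = re.compile(r"^\s*(?P<zone>[\w-]+):(?P<src>[\d.]+)/\d+->"
                     r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)<")
POLICY_RE = re.compile(r"^\s*policy id \((\d+)\)")
DENIED = "packet dropped, denied by policy"

def find_denied_bfd_echo(debug_text):
    """Return (zone, src, dst, policy_id) for each packet record that is a
    BFD echo (UDP/3785 with src == dst) and ends in a policy deny."""
    findings, flow, policy_id = [], None, None
    for line in debug_text.splitlines():
        if "packet received" in line:      # header of a new packet record
            flow, policy_id = None, None
            continue
        m = FLOW_RE.match(line)
        if m and flow is None:             # first 5-tuple line of the record
            flow = m.groupdict()
            continue
        pm = POLICY_RE.match(line)
        if pm:                             # policy that decided the packet
            policy_id = int(pm.group(1))
            continue
        if (DENIED in line and flow and flow["proto"] == "17"
                and flow["dport"] == BFD_ECHO_PORT and flow["src"] == flow["dst"]):
            findings.append((flow["zone"], flow["src"], flow["dst"], policy_id))
    return findings

if __name__ == "__main__":
    for zone, src, dst, pid in find_denied_bfd_echo(DEBUG_FLOW):
        print(f"BFD echo {src}->{dst} from {zone} denied by policy {pid}; "
              "use an Any/Any policy or NAT one side of the flow")
```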