This article describes how to configure an SRX device to send a TCP reset or an ICMP port unreachable message to the source host when a packet is dropped by a security policy.
A security policy specifies the action to take on traffic that matches its conditions. The following actions can be configured in a security policy:
- permit - permits the packet to go through
- deny - silently drops the packet
- reject - drops the packet and notifies the sender
When the action is configured as reject, the SRX sends a TCP reset (for TCP traffic) or an ICMP port unreachable message (for UDP traffic), depending on the protocol being used.
In the following example, the SRX is configured to reject Telnet and SSH connections that originate in the trust zone and are destined for a host in the untrust zone; all other traffic is permitted.
root@3600-1# show security policies
from-zone trust to-zone untrust {
    policy discard-pol {
        match {
            source-address any;
            destination-address any;
            application [ junos-telnet junos-ssh ];
        }
        then {
            reject;
        }
    }
    policy permit-pol {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
This behavior can be observed with flow traceoptions. The two packet filters below capture both directions of the flow: pcap1 matches packets sent by 10.1.1.2, and pcap2 matches packets sent back to it (including the TCP reset generated by the SRX).
Enabling traceoptions:
#set security flow traceoptions file discard-trace
#set security flow traceoptions flag basic-datapath
#set security flow traceoptions packet-filter pcap1 source-prefix 10.1.1.2/32
#set security flow traceoptions packet-filter pcap2 destination-prefix 10.1.1.2/32
#commit
Viewing the trace file:
[edit]
root@3600-1# run show log discard-trace
Jan 17 04:35:00 01:03:24.766088:CID-00:FPC-08:PIC-00:THREAD_ID-09:RT:<10.1.1.2/3020->10.1.2.2/22;6> matched filter pcap1:
Jan 17 04:35:00 01:03:24.766123:CID-00:FPC-08:PIC-00:THREAD_ID-09:RT:packet [48] ipid = 4476, @7ccf00e4
Jan 17 04:35:00 01:03:24.766142:CID-00:FPC-08:PIC-00:THREAD_ID-09:RT:CP flow starts, mbuf=0xfeef000, ifl_idx=68, ctxt_type=0xd
Jan 17 04:35:00 01:03:24.766165:CID-00:FPC-08:PIC-00:THREAD_ID-09:RT: cp_flow_fast_lookup
Jan 17 04:35:00 01:03:24.766178:CID-00:FPC-08:PIC-00:THREAD_ID-09:RT:CP found session 601, flag=0x1
Jan 17 04:35:00 01:03:24.766190:CID-00:FPC-08:PIC-00:THREAD_ID-09:RT:Fwd packet with rtbl idx 65535, cos 0
Jan 17 04:35:00 01:03:24.766205:CID-00:FPC-08:PIC-00:THREAD_ID-09:RT:CP fwd pkt to SPU ==*8*==, iif: 68, flag: 0x00000100
Jan 17 04:35:00 01:03:24.766243:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:SPU received an event, type 80
Jan 17 04:35:00 01:03:24.766256:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:Rcv packet with rtbl idx 65535, cos 0
Jan 17 04:35:00 01:03:24.766270:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:SPU received pak with event message from CP, cp_sess_id=00000259 a
Jan 17 04:35:00 01:03:24.766310:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:<10.1.1.2/3020->10.1.2.2/22;6> matched filter pcap1:
Jan 17 04:35:00 01:03:24.766345:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:packet [48] ipid = 4476, @7ccf2918
Jan 17 04:35:00 01:03:24.766364:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:---- flow_process_pkt: (thd 22): flow_ctxt type 17, common flag 0x0, mbuf 0xfeef200, rtbl_idx = 65534
Jan 17 04:35:00 01:03:24.766395:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: in_ifp <trust:ge-0/0/0.0>
Jan 17 04:35:00 01:03:24.766408:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:flow_process_pkt_exception: setting rtt in lpak to 5cf94578
Jan 17 04:35:00 01:03:24.766427:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:flow_process_pkt_exception: local_flag: 0x00000100
Jan 17 04:35:00 01:03:24.766444:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: ge-0/0/0.0:10.1.1.2/3020->10.1.2.2/22, tcp, flag 2 syn
Jan 17 04:35:00 01:03:24.766478:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: find flow: table 0x58551378, hash 375401(0x7ffff), sa 10.1.1.2, da 10.1.2.2, sp 3020, dp 22, proto 6, tok 6
Jan 17 04:35:00 01:03:24.766532:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 2048
Jan 17 04:35:00 01:03:24.766554:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:self ip check: not for self (address=0a010202)
Jan 17 04:35:00 01:03:24.766569:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: flow_first_create_session
Jan 17 04:35:00 01:03:24.766580:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:flow_first_create_session: Found invalid sess. Start first path
Jan 17 04:35:00 01:03:24.766602:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 10.1.2.2, sp 3020, dp 22
Jan 17 04:35:00 01:03:24.766633:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: chose interface ge-0/0/0.0 as incoming nat if.
Jan 17 04:35:00 01:03:24.766648:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.1.2.2(22)
Jan 17 04:35:00 01:03:24.766679:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.1.1.2, x_dst_ip 10.1.2.2, in ifp ge-0/0/0.0, out ifp N/A sp 3020, dp 22, ip_proto 6, tos 0
Jan 17 04:35:00 01:03:24.766722:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:Doing DESTINATION addr route-lookup
Jan 17 04:35:00 01:03:24.766745:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: routed (x_dst_ip 10.1.2.2) from trust (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.1.2.2
Jan 17 04:35:00 01:03:24.766780:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: policy search from zone trust-> zone untrust (0x0,0xbcc0016,0x16)
Jan 17 04:35:00 01:03:24.766846:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: policy has timeout 900
Jan 17 04:35:00 01:03:24.766856:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: app 22, timeout 1800s, curr ageout 20s
Jan 17 04:35:00 01:03:24.766882:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:flow_send_icmp_tcp_rst: Sending tcp-rst
Jan 17 04:35:00 01:03:24.766901:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Jan 17 04:35:00 01:03:24.766913:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: encap vector
Jan 17 04:35:00 01:03:24.766919:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: no more encapping needed
Jan 17 04:35:00 01:03:24.766928:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: **** pak processing end.
Jan 17 04:35:00 01:03:24.766942:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:Denied by policy 4, generating icmp/tcp-rst
Jan 17 04:35:00 01:03:24.766953:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: packet dropped, denied by policy
Jan 17 04:35:00 01:03:24.766963:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: packet dropped, policy deny.
Jan 17 04:35:00 01:03:24.766979:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: flow find session returns error.
Jan 17 04:35:00 01:03:24.766990:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:flow_process_pkt_exception: Freeing lpak 297adfd0 associated with mbuf 0xfeef200
Jan 17 04:35:00 01:03:24.767014:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
Jan 17 04:35:00 01:03:24.766962:CID-00:FPC-08:PIC-00:THREAD_ID-31:RT:<10.1.2.2/22->10.1.1.2/3020;6> matched filter pcap2:
Jan 17 04:35:00 01:03:24.766998:CID-00:FPC-08:PIC-00:THREAD_ID-31:RT:packet [40] ipid = 14, @76571cc2
Jan 17 04:35:00 01:03:24.767016:CID-00:FPC-08:PIC-00:THREAD_ID-31:RT:---- flow_process_pkt: (thd 31): flow_ctxt type 8, common flag 0x0, mbuf 0x1039be00, rtbl_idx = 65534
Jan 17 04:35:00 01:03:24.767059:CID-00:FPC-08:PIC-00:THREAD_ID-31:RT:fto 0x1ac96918
Jan 17 04:35:00 01:03:24.767072:CID-00:FPC-08:PIC-00:THREAD_ID-31:RT:nh word 0x30010
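The trace above shows the three lines that together identify a reject: the first-path flow line (the 5-tuple), the "flow_send_icmp_tcp_rst: Sending tcp-rst" line, and the "Denied by policy N, generating icmp/tcp-rst" line. On a busy device these are interleaved across SPU threads, so the following Python script, an added example that is not part of the original article or of Junos itself, groups trace lines by THREAD_ID and reports, per first-path packet, the zones, the policy index and whether the packet was rejected with a notification or silently denied. It assumes that one SPU thread processes one packet's first path between its flow line and its "packet dropped" line (a heuristic that is an assumption here, not a documented guarantee). The sample input embeds a few lines from the trace above plus a constructed second flow on thread 30 that a hypothetical deny policy silently drops.

```python
import re
from typing import Dict, List, Optional

# Record layout of an SRX basic-datapath trace line:
#   "<Mon> <dd> <hh:mm:ss> <hh:mm:ss.usec>:CID-xx:FPC-xx:PIC-xx:THREAD_ID-nn:RT:<message>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+ [\d:.]+):CID-\d+:FPC-\d+:PIC-\d+:"
    r"THREAD_ID-(?P<thread>\d+):RT:\s*(?P<msg>.*)$"
)
# First-path flow line, e.g. "ge-0/0/0.0:10.1.1.2/3020->10.1.2.2/22, tcp, flag 2 syn"
FLOW_RE = re.compile(
    r"^(?P<ifl>\S+):(?P<sa>[\d.]+)/(?P<sp>\d+)->(?P<da>[\d.]+)/(?P<dp>\d+), (?P<proto>\w+)"
)
ZONES_RE = re.compile(r"policy search from zone (?P<from>\S+)-> zone (?P<to>\S+)")
NOTIFY_RE = re.compile(r"flow_send_icmp_tcp_rst: Sending (?P<kind>\S+)")
REJECT_RE = re.compile(r"Denied by policy (?P<pid>\d+), generating icmp/tcp-rst")
DROP_RE = re.compile(r"packet dropped, denied by policy")

# Constructed sample: thread 22 lines are taken from the trace in the article,
# thread 30 lines are made up to show a silent deny (no "generating" line).
SAMPLE_TRACE = """\
Jan 17 04:35:00 01:03:24.766444:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: ge-0/0/0.0:10.1.1.2/3020->10.1.2.2/22, tcp, flag 2 syn
Jan 17 04:35:00 01:03:24.766780:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: policy search from zone trust-> zone untrust (0x0,0xbcc0016,0x16)
Jan 17 04:35:00 01:03:24.766882:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:flow_send_icmp_tcp_rst: Sending tcp-rst
Jan 17 04:35:00 01:03:24.766942:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT:Denied by policy 4, generating icmp/tcp-rst
Jan 17 04:35:00 01:03:24.766953:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: packet dropped, denied by policy
Jan 17 04:35:00 01:03:24.766963:CID-00:FPC-08:PIC-00:THREAD_ID-22:RT: packet dropped, policy deny.
Jan 17 04:35:07 01:03:31.100001:CID-00:FPC-08:PIC-00:THREAD_ID-30:RT: ge-0/0/0.0:10.1.1.2/3021->10.1.2.3/23, tcp, flag 2 syn
Jan 17 04:35:07 01:03:31.100040:CID-00:FPC-08:PIC-00:THREAD_ID-30:RT: policy search from zone trust-> zone untrust (0x0,0xbcc0017,0x17)
Jan 17 04:35:07 01:03:31.100090:CID-00:FPC-08:PIC-00:THREAD_ID-30:RT: packet dropped, denied by policy
"""


def summarize_flow_trace(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per first-path packet seen in the trace.

    Lines are correlated by SPU thread id: a flow line opens a record for
    that thread, later lines on the same thread fill it in, and the
    "packet dropped, denied by policy" line closes it.
    """
    open_by_thread: Dict[str, Dict[str, Optional[str]]] = {}
    done: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        p = PREFIX_RE.match(raw)
        if not p:
            continue  # not a trace line (prompt, blank line, etc.)
        thread, msg = p.group("thread"), p.group("msg")
        f = FLOW_RE.match(msg)
        if f:
            open_by_thread[thread] = {
                "thread": thread, "ifl": f.group("ifl"),
                "src": f"{f.group('sa')}:{f.group('sp')}",
                "dst": f"{f.group('da')}:{f.group('dp')}",
                "proto": f.group("proto"), "from_zone": None, "to_zone": None,
                "policy_id": None, "verdict": None, "notification": None,
            }
            continue
        rec = open_by_thread.get(thread)
        if rec is None:
            continue  # e.g. CP-side lines before any flow line on this thread
        z = ZONES_RE.search(msg)
        if z:
            rec["from_zone"], rec["to_zone"] = z.group("from"), z.group("to")
            continue
        n = NOTIFY_RE.search(msg)
        if n:
            rec["notification"] = n.group("kind")  # tcp-rst or icmp
            continue
        r = REJECT_RE.search(msg)
        if r:
            rec["policy_id"], rec["verdict"] = r.group("pid"), "reject"
            continue
        if DROP_RE.search(msg):
            if rec["verdict"] is None:
                rec["verdict"] = "deny"  # dropped with no notification
            done.append(open_by_thread.pop(thread))
    # Records never closed were not concluded in this trace (e.g. permitted flows).
    for rec in open_by_thread.values():
        rec["verdict"] = rec["verdict"] or "unresolved"
        done.append(rec)
    return done


if __name__ == "__main__":
    for rec in summarize_flow_trace(SAMPLE_TRACE):
        print(f"{rec['proto']} {rec['src']} -> {rec['dst']} "
              f"[{rec['from_zone']} -> {rec['to_zone']}] "
              f"verdict={rec['verdict']} notification={rec['notification']} "
              f"policy={rec['policy_id']}")
```

Run it against the output of "show log discard-trace" saved to a file (pass the file contents to summarize_flow_trace) to check that sessions you expect to be rejected carry a notification, and that sessions you expect to be silently denied do not; a reject policy that shows up here without a "Sending" line is worth a second look at the policy and the application definition.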
It is recommended to deactivate traceoptions once debugging is complete, because flow tracing adds load on the SPU and the trace file keeps growing while it is active.
#deactivate security flow traceoptions
#commit