
[ScreenOS] TCP packets are being silently dropped or lost after the 'tcp proxy processing....' message is found in the output of debug flow basic


Article ID: KB22877 | KB Last Updated: 28 Aug 2013 | Version: 4.0
Summary:

This article describes the issue of TCP packets being silently dropped or lost, after the tcp proxy processing message is found in the output of debug flow basic. The firewall is running in Transparent mode and the issue occurs when a particular server, which is located behind the firewall, is accessed.

Symptoms:

The firewall is running in Transparent mode, and when a particular server located behind the firewall is accessed, the firewall silently drops the traffic. In the output of debug flow basic, the tcp proxy processing message is generated.


Note:
  • After the TCP PROXY PROCESSING message in the debug, there is no further mention of the same packet, and the packet is not seen leaving the firewall in either the debug or the snoop output.

  • Another point to consider is that the SYN Flood Protection screening option is enabled at the zone level (the zone to which the server is connected).

Debug output:
****** 8670207.0: <V1-Trust/ethernet1/1> packet received [44]******
ipid = 43057(a831), @04c3a5c0
packet passed sanity check.
packet with vlan 1, vlan-group vlan1, vsd 0
v1-trust:192.168.120.249/21698->192.168.100.25/80,6<Root>
found mac 00135f7e4cc0 on ethernet1/2
flow_decap_vector IPv4 process
no session found
flow_first_sanity_check: in <v1-trust>, out <v1-untrust>
policy search from zone 12-> zone 11
policy_flow_search policy search nat_crt from zone 12-> zone 11
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.100.25, port 80, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 7/3/0x9
Permitted by policy 7
No src xlate choose interface v1-untrust as outgoing phy if
session application type 6, name HTTP, nas_id 0, timeout 68400sec
service lookup identified service 0.
flow_first_final_check: in <v1-trust>, out <v1-untrust>
SM_RULE:0
existing vector list 13-26e3184c.
Session (id:306315) created for first pak
flow_first_install_session======>
xpt: cache src mac in session
xpt: cache dst mac in session
st_adj_sm_sess: sm_sess 0
Success installing work and forward sessions
flow got session.
flow session id 306315
skip ttl adjust for packet.
tcp proxy processing...
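To spot this symptom in a larger debug flow basic capture without reading it line by line, the following added script (not part of the KB article, written here as an illustration) splits the output into per-packet blocks at the ****** headers and reports every packet whose trace stops at the tcp proxy processing... line. The sample input is constructed: the first block is the article's excerpt (trimmed), the second is a constructed block for a flow that never reaches the proxy step.

```python
import re
# Constructed sample: the first block is the article's own excerpt (trimmed), the
# second is a constructed block for a flow that never reaches the proxy step.
SAMPLE = """\
****** 8670207.0: <V1-Trust/ethernet1/1> packet received [44]******
v1-trust:192.168.120.249/21698->192.168.100.25/80,6<Root>
no session found
Permitted by policy 7
Session (id:306315) created for first pak
flow got session.
flow session id 306315
skip ttl adjust for packet.
tcp proxy processing...
****** 8670208.0: <V1-Trust/ethernet1/1> packet received [60]******
v1-trust:192.168.120.249/21699->192.168.100.25/22,6<Root>
Session (id:306316) created for first pak
flow got session.
flow session id 306316
"""
HEADER = re.compile(r"^\*{6} [\d.]+: <[^>]+> packet received")
FLOW = re.compile(r"^[\w-]+:[\d.]+/\d+->[\d.]+/\d+,\d+")
SESSION = re.compile(r"^flow session id (\d+)")
PROXY = "tcp proxy processing..."

def split_packets(text):
    """Split debug flow basic output into per-packet blocks at the ****** headers."""
    blocks = []
    for line in text.splitlines():
        if HEADER.match(line):
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line.rstrip())
    return blocks

def first_match(pattern, block, group=0):
    """Return the first regex hit in a block (None if absent)."""
    for line in block:
        m = pattern.match(line)
        if m:
            return m.group(group)
    return None

def find_stalled_proxy_packets(text):
    """Return (session id, flow) for each packet whose trace ends at the
    'tcp proxy processing...' line with nothing logged for it afterwards."""
    stalled = []
    for block in split_packets(text):
        if block[-1] == PROXY:
            stalled.append((first_match(SESSION, block, 1), first_match(FLOW, block)))
    return stalled
```

Run it against a saved debug buffer instead of SAMPLE to list the sessions and 5-tuples affected; a hit for TCP flows into a zone with SYN Flood Protection enabled is the signature this article describes.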
Cause:

Solution:
There are three workarounds:

Workaround 1:

Disable the Syn Flood Protection feature.

Workaround 2:

Enable the TCP SYN Proxy SYN Cookie feature in the flow command. In the WebUI the option is found under:

SCREENING -- FLOW -- TCP SYN PROXY SYN COOKIE

Note: The reason this helps is that the ASIC handles the Layer 2 (Transparent mode) SYN proxy; enabling the flow-level SYN cookie option makes the CPU handle the SYN proxy instead.

Workaround 3:

Upgrade the firmware to 6.3R10 or later, as the issue has been resolved.