[ScreenOS] DNS ALG cannot reassemble fragmented IPv6 packets with Jumbo frame enabled

Article ID: KB23193 KB Last Updated: 24 Mar 2019Version: 2.0
Summary:

This article explains why the ScreenOS DNS ALG fails to reassemble fragmented IPv6 UDP packets even though jumbo frames are enabled, shows the debug flow output that identifies the drop, and gives the workaround.

Symptoms:
  • With DNS ALG enabled, fragmented IPv6 DNS responses are dropped; with DNS ALG disabled, the same fragments pass.

  • The drop is not a frame-size problem: for this test the max-frame-size=3000 envar (jumbo frames) is far above the 2045-byte UDP payload, and both fragments are received intact on ethernet2/2.

In the debug flow output below, the first fragment (offset 0, plen=1456, more frag=1) is forwarded in both cases. The second fragment (offset 1448, plen=605, more frag=0) is handled through the frag session and forwarded when the ALG is disabled, but when the ALG is enabled it is sent through the reassemble-v6 path and dropped with "packet dropped, flow defrag incomplete".

With DNS ALG Enabled:

**st: <Untrust|ethernet2/2|Root|0> 8025b118: 2002::2/0->2001::2/0,44,1456
00293.0: ethernet2/2(i) len=1510:00003cd7c055->0010db885108/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=1456, hop limit=63
frag offset=0, id=0x680, more frag=1
udp:ports 53->58143, len=2045

****** 00293.0: <Untrust/ethernet2/2> packet received [v6/1456]******
flow_decap_vector_v6 ifp ethernet2/2
put packet(4f457dd0) into fragment queue.
get packet(4f457dd0) out from fragment queue.
**** fragment paket <2002::2>-><2001::2> id:1664.
first fragment find session first.
ethernet2/2:2002::2/53->2001::2/58143,17<Root>
existing session found. sess token 4
Start to defrag this fragment-v6
Handle fragment using frag session

**** jump to packet:2002::2->2001::2
flow_decap_vector_v6 ifp ethernet2/2
flow packet already have session.
flow session id 2000062
flow_main_body_vector_v6 v6 in ifp ethernet2/2 out ifp N/A
flow vector index v6 0x80, vector addr 0x5ae67cb4, orig vector 0x5ae67cb4
flow_ttl_vector_v6: ifp <ethernet2/2>
flow_l2prepare_xlate_vector_v6: in ifp <ethernet2/2> out ifp <ethernet2/1>
flow_l2prepare_xlate_vector_v6,922: l2 prepare ready.
post addr xlation: 2002::2->2001::2.
flow_fragging_vector_v6: ifp <ethernet2/2>
flow_send_vector_v6: in ifp <ethernet2/2> out ifp <ethernet2/1>
flow_send_vector_v6: packet src 2002::2, dst 2001::2
packet send out to 000003a40f0e (cached) through ethernet2/1
00293.0: ethernet2/1(o) len=1510:0010db885107->000003a40f0e/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=1456, hop limit=62
frag offset=0, id=0x680, more frag=1
udp:ports 53->58143, len=2045

**** pak processing end.
**st: <Untrust|ethernet2/2|Root|0> 8025d118: 2002::2/0->2001::2/0,44,605
00294.0: ethernet2/2(i) len=659:00003cd7c055->0010db885108/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=605, hop limit=63
frag offset=1448, id=0x680, more frag=0

****** 00294.0: <Untrust/ethernet2/2> packet received [v6/605]******
flow_decap_vector_v6 ifp ethernet2/2
put packet(4f457dd0) into fragment queue.
get packet(4f457dd0) out from fragment queue.

**** fragment paket <2002::2>-><2001::2> id:1664.
Start to defrag this fragment-v6
Handle fragment using reassemble-v6
Frag offset 1448, frag end 2045, more frag 0
packet dropped, flow defrag incomplete
 

With DNS ALG Disabled:


**st: <Untrust|ethernet2/2|Root|0> 80243118: 2002::2/0->2001::2/0,44,1456
00248.0: ethernet2/2(i) len=1510:00003cd7c055->0010db885108/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=1456, hop limit=63
frag offset=0, id=0x680, more frag=1
udp:ports 53->58143, len=2045

****** 00248.0: <Untrust/ethernet2/2> packet received [v6/1456]******
flow_decap_vector_v6 ifp ethernet2/2
put packet(4f457dd0) into fragment queue.
get packet(4f457dd0) out from fragment queue.

**** fragment paket <2002::2>-><2001::2> id:1664.
first fragment find session first.
ethernet2/2:2002::2/53->2001::2/58143,17<Root>
existing session found. sess token 4
Start to defrag this fragment-v6
Handle fragment using frag session

**** jump to packet:2002::2->2001::2
flow_decap_vector_v6 ifp ethernet2/2
flow packet already have session.
flow session id 2000063
flow_main_body_vector_v6 v6 in ifp ethernet2/2 out ifp N/A
flow vector index v6 0x0, vector addr 0x5ad00464, orig vector 0x5ad00464
flow_ttl_vector_v6: ifp <ethernet2/2>
flow_l2prepare_xlate_vector_v6: in ifp <ethernet2/2> out ifp <ethernet2/1>
flow_l2prepare_xlate_vector_v6,922: l2 prepare ready.
post addr xlation: 2002::2->2001::2.
flow_fragging_vector_v6: ifp <ethernet2/2>
flow_send_vector_v6: in ifp <ethernet2/2> out ifp <ethernet2/1>
flow_send_vector_v6: packet src 2002::2, dst 2001::2
packet send out to 000003a40f0e (cached) through ethernet2/1
00248.0: ethernet2/1(o) len=1510:0010db885107->000003a40f0e/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=1456, hop limit=62
frag offset=0, id=0x680, more frag=1
udp:ports 53->58143, len=2045

**** pak processing end.
**st: <Untrust|ethernet2/2|Root|0> 80244118: 2002::2/0->2001::2/0,44,605
00249.0: ethernet2/2(i) len=659:00003cd7c055->0010db885108/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=605, hop limit=63
frag offset=1448, id=0x680, more frag=0

****** 00249.0: <Untrust/ethernet2/2> packet received [v6/605]******
flow_decap_vector_v6 ifp ethernet2/2
put packet(4f457dd0) into fragment queue.
get packet(4f457dd0) out from fragment queue.
**** fragment paket <2002::2>-><2001::2> id:1664.
Start to defrag this fragment-v6
Handle fragment using frag session


**** jump to packet:2002::2->2001::2
flow_decap_vector_v6 ifp ethernet2/2
flow packet already have session.
flow session id 2000063
flow_main_body_vector_v6 v6 in ifp ethernet2/2 out ifp N/A
flow vector index v6 0x0, vector addr 0x5ad00464, orig vector 0x5ad00464
flow_ttl_vector_v6: ifp <ethernet2/2>
flow_l2prepare_xlate_vector_v6: in ifp <ethernet2/2> out ifp <ethernet2/1>
flow_l2prepare_xlate_vector_v6,922: l2 prepare ready.
post addr xlation: 2002::2->2001::2.
flow_fragging_vector_v6: ifp <ethernet2/2>
flow_send_vector_v6: in ifp <ethernet2/2> out ifp <ethernet2/1>
flow_send_vector_v6: packet src 2002::2, dst 2001::2
packet send out to 000003a40f0e (cached) through ethernet2/1
00249.0: ethernet2/1(o) len=659:0010db885107->000003a40f0e/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=605, hop limit=62
frag offset=1448, id=0x680, more frag=0

**** pak processing end.
 

Firewall configuration:

set interface "ethernet2/1" ipv6 mode "host"
set interface "ethernet2/1" ipv6 ip 2001::1/64
set interface "ethernet2/1" ipv6 enable
set interface ethernet2/1 route
set interface "ethernet2/2" ipv6 mode "host"
set interface "ethernet2/2" ipv6 ip 2002::1/64
set interface "ethernet2/2" ipv6 enable
set interface ethernet2/2 route
set policy id 1 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit no-hw-sess
Cause:

The DNS ALG does not support fragmented IPv6 UDP datagrams in the releases this article covers. This is by design, not a misconfiguration: with the ALG enabled, the non-first fragment of an ALG-inspected DNS session is passed to the reassemble-v6 path, which never completes, so the fragment is dropped with "flow defrag incomplete" even though the fragment set is complete. With the ALG disabled the same fragment is forwarded through the frag session.
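
The following Python script is an added example written for this article; it is not part of ScreenOS or of the original KB. It parses the debug flow lines above, rebuilds the byte range each IPv6 fragment covers (plen minus the 8-byte Fragment extension header, so 1456 becomes 1448 and 605 becomes 597, which add up to the 2045-byte UDP length announced in the first fragment), and checks whether the set the firewall dropped was in fact complete. The embedded sample trace is abridged from the "With DNS ALG Enabled" output above; the regular expressions match that output format and are an assumption about how other ScreenOS builds print the same lines.

```python
"""Check the IPv6 fragment sets in a ScreenOS debug flow trace (added example)."""
import re
from dataclasses import dataclass, field

FRAG_EXT_HDR_LEN = 8  # IPv6 Fragment extension header (RFC 8200 s4.5); plen includes it

# Only these trace lines matter; everything else in the debug output is skipped.
# The patterns assume the line format shown in this article's trace.
FRAME_RE = re.compile(r"^\d+\.\d+: \S+\((?P<dir>[io])\) len=\d+:")
ADDR_RE = re.compile(r"^(?P<src>[0-9A-Fa-f:]+) -> (?P<dst>[0-9A-Fa-f:]+)/\d+$")
PLEN_RE = re.compile(r"\bplen=(?P<plen>\d+)")
FRAG_RE = re.compile(r"^frag offset=(?P<off>\d+), id=0x(?P<id>[0-9A-Fa-f]+), more frag=(?P<mf>[01])")
UDP_RE = re.compile(r"^udp:ports \d+->\d+, len=(?P<ulen>\d+)")
FRAGPAK_RE = re.compile(r"fragment paket <(?P<src>[^>]+)>-><(?P<dst>[^>]+)> id:(?P<id>\d+)")
DROP_RE = re.compile(r"packet dropped, flow defrag incomplete")


@dataclass
class Fragment:
    offset: int       # frag offset field: byte position within the original payload
    length: int       # bytes of fragmentable part carried: plen minus the fragment header
    more: bool        # M flag: more fragments follow
    udp_len: int = 0  # UDP length, known only from the offset-0 fragment (0 = unknown)


@dataclass
class FragmentSet:
    key: tuple  # (src, dst, fragment id)
    fragments: list = field(default_factory=list)
    dropped: bool = False  # the trace logged 'flow defrag incomplete' for this set

    def expected_len(self) -> int:
        # No extension header follows the fragment header here, so the UDP length
        # in the first fragment equals the size of the whole fragmentable part.
        return next((f.udp_len for f in self.fragments if f.offset == 0), 0)

    def is_complete(self) -> bool:
        frags = sorted(self.fragments, key=lambda f: f.offset)
        if not frags or frags[0].offset != 0 or frags[-1].more:
            return False
        pos = 0
        for f in frags:
            if f.offset != pos:  # hole or overlap between consecutive fragments
                return False
            pos = f.offset + f.length
        return pos == (self.expected_len() or pos)


def analyze_trace(text: str) -> dict:
    """Build {(src, dst, id): FragmentSet} from the ingress frames of a trace."""
    sets, hdr, key = {}, None, None  # hdr holds the ingress frame header being read
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FRAME_RE.match(line):
            hdr = {} if m["dir"] == "i" else None  # egress copies are not counted again
        elif m := FRAGPAK_RE.search(line):
            key = (m["src"], m["dst"], int(m["id"]))  # id is printed in decimal here
            sets.setdefault(key, FragmentSet(key))
        elif DROP_RE.search(line) and key in sets:
            sets[key].dropped = True
        elif hdr is None:
            continue
        elif m := ADDR_RE.match(line):
            hdr["src"], hdr["dst"] = m["src"], m["dst"]
        elif m := PLEN_RE.search(line):
            hdr["plen"] = int(m["plen"])
        elif (m := FRAG_RE.match(line)) and "src" in hdr and "plen" in hdr:
            key = (hdr["src"], hdr["dst"], int(m["id"], 16))  # id is printed in hex here
            sets.setdefault(key, FragmentSet(key)).fragments.append(
                Fragment(int(m["off"]), hdr["plen"] - FRAG_EXT_HDR_LEN, m["mf"] == "1"))
        elif (m := UDP_RE.match(line)) and key in sets and sets[key].fragments:
            sets[key].fragments[-1].udp_len = int(m["ulen"])
    return sets


def verdicts(text: str) -> dict:
    """Summarise each fragment set, keyed '<src>-><dst> id=0x<id>'."""
    out = {}
    for (src, dst, fid), fs in analyze_trace(text).items():
        frags = sorted(fs.fragments, key=lambda f: f.offset)
        out[f"{src}->{dst} id=0x{fid:x}"] = {
            "ranges": [(f.offset, f.offset + f.length) for f in frags],
            "expected_len": fs.expected_len(),
            "complete": fs.is_complete(),
            "dropped_by_firewall": fs.dropped,
        }
    return out


# Sample input: the 'With DNS ALG Enabled' trace from this article, abridged to the
# lines the parser reads; one egress copy of the first fragment is kept on purpose.
ALG_ENABLED_TRACE = """\
00293.0: ethernet2/2(i) len=1510:00003cd7c055->0010db885108/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=1456, hop limit=63
frag offset=0, id=0x680, more frag=1
udp:ports 53->58143, len=2045
**** fragment paket <2002::2>-><2001::2> id:1664.
00293.0: ethernet2/1(o) len=1510:0010db885107->000003a40f0e/86dd
vfc=60, flow=60000000, plen=1456, hop limit=62
frag offset=0, id=0x680, more frag=1
00294.0: ethernet2/2(i) len=659:00003cd7c055->0010db885108/86dd
2002::2 -> 2001::2/17
vfc=60, flow=60000000, plen=605, hop limit=63
frag offset=1448, id=0x680, more frag=0
**** fragment paket <2002::2>-><2001::2> id:1664.
packet dropped, flow defrag incomplete
"""
```

Run `verdicts()` over a full debug flow capture to tell a genuine missing fragment (a hole in the ranges, or no final fragment with more frag=0) apart from the ALG drop described here, where the ranges are contiguous from 0 to the UDP length and the trace still ends in "flow defrag incomplete". Only ingress frames are counted, so the egress copy of each fragment does not inflate the set.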

Solution:

Either disable the DNS ALG or upgrade ScreenOS to 6.3R6 or later. Disabling the ALG removes DNS payload inspection for all DNS traffic through the device, so prefer the upgrade where possible. Note that large DNS responses (for example DNSSEC-signed answers carried over EDNS0) routinely exceed a 1500-byte MTU and are therefore exactly the packets affected by this drop.

Modification History:

2019-03-23: Article reviewed for accuracy. No changes made. Article is correct and complete.
