
Troubleshooting packet drop by SRX with error message "drop due to firewall check"


Article ID: KB23639 KB Last Updated: 21 Dec 2016Version: 2.0
Summary:

Flow traceoptions show that the packet is dropped with the message "drop by firewall check".

Symptoms:

Setup used:

[SRX A] (10.0.34.12)---- [SRX B] ---- [ISP Cloud] ----(216.45.23.56) [SRX C]

SRX B is used as a NAT device to translate 10.0.34.12 into a public IP: 206.25.34.12.
SRX C initiates a continuous ping session to IP 206.25.34.12.

In order to verify the flow, we have configured flow traceoptions. For more information, see KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.

Traceoptions show the following packet flow at SRX B:

Apr 20 16:21:03 16:21:02.1001581:CID-1:RT:<216.45.23.56/2->206.25.34.12/1;1> matched filter foo:
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT:packet [60] ipid = 26393, @4234c324
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 13, common flag 0x0, mbuf 0x4234c100, rtbl_idx = 6
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: flow process pak fast ifl 92 in_ifp ge-0/0/0.0
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: ge-0/0/0.0:216.45.23.56->206.25.34.12, icmp, (8/0)
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: find flow: table 0x4bbd5760, hash 26478(0xffff), sa 216.45.23.56, da 206.25.34.12, sp 2, dp 1, proto 1, tok 36870
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: packet dropped, drop by firewall check
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: flow find session returns error.


The ping from SRX C to 206.25.34.12 (the NAT address for SRX A's external interface) fails, so the VPN between SRX A and SRX C does not come up either.

Why is the firewall dropping this packet?
Solution:
The message "drop by firewall check" means that a Screen option configured on the device has been triggered. In this case a destination-IP-based session limit is configured and applied to the untrust zone:

root@SRX-B # show security screen | display set
set security screen ids-option 4096-limit limit-session destination-ip-based 100

root@SRX-B # show security zones security-zone untrust | display set | match screen
set security zones security-zone untrust screen 4096-limit

root@SRX-B # run show security screen statistics zone untrust
Screen statistics:
IDS attack type                                     Statistics
ICMP flood                                          0
UDP flood                                           0
TCP winnuke                                         0
TCP port scan                                       0
ICMP address sweep                                  0
IP tear drop                                        0
TCP SYN flood                                       0
IP spoofing                                         0
ICMP ping of death                                  0
IP source route option                              0
TCP land attack                                     0
TCP SYN fragment                                    0
TCP no flag                                         0
IP unknown protocol                                 0
IP bad options                                      0
IP record route option                              0
IP timestamp option                                 0
IP security option                                  0
IP loose source route option                        0
IP strict source route option                       0
IP stream option                                    0
ICMP fragment                                       0
ICMP large packet                                   0
TCP SYN FIN                                         0
TCP FIN no ACK                                      0
Source session limit                                0
TCP SYN-ACK-ACK proxy                               0
IP block fragment                                   0
Destination Session Limit :                 156743567 <<-- This counter increments each time one of these packets arrives on SRX-B

When a packet is dropped by a screen, the SRX generates an RT_IDS event for the drop. With syslog configured to capture that event, the log shows exactly which screen option dropped the packet. The configuration below logs all facilities at severity warning and above to a local file:

root@SRX-2 # show system syslog
file test_screen {
    any warning; >>> facility and severity

}

Syslog Messages

Apr 20 16:21:03 SRX-2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 206.25.34.12, zone name: trust, interface name: ge-0/0/0.0, action: drop
Apr 20 16:21:03 SRX-2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 206.25.34.12, zone name: trust, interface name: ge-0/0/0.0, action: drop


To stop these drops, either raise the destination-ip-based session limit to a value appropriate for the expected traffic, or remove the limit-session option from the screen.

If the traffic that triggers the screen is not legitimate, either keep the SRX dropping it, or, preferably, apply an access control list / packet filter on the upstream router so that the traffic never reaches the SRX.

A session limit is only one possible cause. In general, "drop by firewall check" indicates that some screen option has been hit: check the screen statistics for the zone to see which counter is increasing, and adjust that option. The corresponding syslog messages carry the RT_IDS tag and contain "action: drop".
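The check above (match a "drop by firewall check" in the flow trace to the RT_IDS screen event that logged "action: drop" for the same destination) can be scripted. The following is an added example, not code from this KB article or from Juniper; it parses the flow-trace and syslog line formats shown on this page. The sample lines are constructed from the article's output; the RT_SCREEN_ICMP line and the RT_FLOW line are invented (their exact field layout is an assumption) to show that non-drop screen events and non-screen messages are ignored.

```python
"""Correlate SRX 'drop by firewall check' trace lines with RT_IDS screen syslog events."""
import re
from collections import Counter

# Constructed sample flow trace, modelled on the article's traceoptions output.
SAMPLE_TRACE = """\
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT:<216.45.23.56/2->206.25.34.12/1;1> matched filter foo:
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: ge-0/0/0.0:216.45.23.56->206.25.34.12, icmp, (8/0)
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: find flow: table 0x4bbd5760, hash 26478(0xffff), sa 216.45.23.56, da 206.25.34.12, sp 2, dp 1, proto 1, tok 36870
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: packet dropped, drop by firewall check
Apr 20 16:21:03 16:21:02.1001581:CID-1:RT: flow find session returns error.
"""

# Constructed sample syslog: two real-looking session-limit drops plus an ICMP-flood
# alarm (assumed layout, no drop) and an unrelated RT_FLOW line that must be ignored.
SAMPLE_SYSLOG = """\
Apr 20 16:21:03 SRX-2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 206.25.34.12, zone name: trust, interface name: ge-0/0/0.0, action: drop
Apr 20 16:21:03 SRX-2 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 206.25.34.12, zone name: trust, interface name: ge-0/0/0.0, action: drop
Apr 20 16:21:04 SRX-2 RT_IDS: RT_SCREEN_ICMP: ICMP flood! source: 216.45.23.56, destination: 206.25.34.12, zone name: untrust, interface name: ge-0/0/0.0, action: alarm-without-drop
Apr 20 16:21:05 SRX-2 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.0.34.12/443->216.45.23.56/51000 ...
"""

# "find flow:" carries the 5-tuple the flow daemon looked up just before the drop.
FIND_FLOW_RE = re.compile(
    r"find flow: .*?sa (?P<sa>\S+), da (?P<da>\S+), sp (?P<sp>\d+), dp (?P<dp>\d+), proto (?P<proto>\d+)"
)
# RT_IDS events: "<tag>: <description>! key: value, key: value, ..."
SCREEN_RE = re.compile(r"RT_IDS: (?P<screen>RT_SCREEN_\w+): (?P<what>[^!]+)! (?P<fields>.*)$")
FIELD_RE = re.compile(r"(?P<key>[a-z][a-z ]*?): (?P<value>[^,]+)")


def firewall_check_drops(trace_text):
    """Return the flow tuple (sa, da, sp, dp, proto) for each 'drop by firewall check'."""
    drops, last_flow = [], None
    for line in trace_text.splitlines():
        m = FIND_FLOW_RE.search(line)
        if m:
            last_flow = m.groupdict()
            continue
        if "drop by firewall check" in line and last_flow is not None:
            drops.append(last_flow)
            last_flow = None  # one drop per lookup; do not reuse a stale tuple
    return drops


def parse_screen_events(syslog_text):
    """Extract RT_IDS screen events as dicts; non-RT_IDS lines are skipped."""
    events = []
    for line in syslog_text.splitlines():
        m = SCREEN_RE.search(line)
        if not m:
            continue
        ev = {"screen": m.group("screen"), "what": m.group("what").strip()}
        for f in FIELD_RE.finditer(m.group("fields")):
            ev[f.group("key").strip()] = f.group("value").strip()
        events.append(ev)
    return events


def drop_summary(events):
    """Count only events that dropped traffic, keyed by (screen, destination, zone)."""
    counts = Counter()
    for ev in events:
        if ev.get("action") == "drop":
            counts[(ev["screen"], ev.get("destination"), ev.get("zone name"))] += 1
    return counts


def explain_drops(trace_text, syslog_text):
    """For each trace drop, list the screens that logged 'action: drop' for its destination."""
    events = parse_screen_events(syslog_text)
    result = []
    for flow in firewall_check_drops(trace_text):
        culprits = sorted({ev["screen"] for ev in events
                           if ev.get("action") == "drop" and ev.get("destination") == flow["da"]})
        result.append((f"{flow['sa']}->{flow['da']} proto {flow['proto']}", culprits))
    return result


if __name__ == "__main__":
    for key, n in drop_summary(parse_screen_events(SAMPLE_SYSLOG)).items():
        print(f"{n:>4} drops  screen={key[0]} dst={key[1]} zone={key[2]}")
    for flow, screens in explain_drops(SAMPLE_TRACE, SAMPLE_SYSLOG):
        print(f"{flow}: dropped by {', '.join(screens) or 'no matching screen event'}")
```

Feed it the output of `show log <file>` and the traceoptions file; an empty culprit list for a dropped flow means the drop was logged under a different screen tag or the syslog severity filter is too strict, so go back to `show security screen statistics zone <zone>` and look for the rising counter.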