
MSRPC traffic is not working over the VPN tunnel between SRX and ScreenOS devices


Article ID: KB24065   KB Last Updated: 28 May 2019   Version: 2.0
Summary:
This article describes the issue of MSRPC traffic not working over a VPN tunnel between SRX and ScreenOS devices. MSRPC traffic runs over TCP port 135.
Symptoms:
MSRPC traffic is not working over a VPN tunnel between SRX and ScreenOS devices.
Solution:
  • In this scenario, a site-to-site VPN tunnel is established between ScreenOS and SRX firewalls.
  • The traffic on port 135 is not working.


To resolve this issue, perform the following procedure:
  1. Locate the configuration that uses port 135:
    # show applications | display set | match 135
    set applications application ms-rpc-tcp destination-port 135-135

  2. Configure flow traceoptions for port 135 with two separate packet filters, one matching source-port 135 and one matching destination-port 135, so that both directions of the flow are captured. Send the traffic and display the trace log:
    Apr 4 15:46:40 15:14:13.170200:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:<199.134.184.133/135->10.200.32.15/50601;6> matched filter 2:

    Apr 4 15:46:40 15:14:13.170242:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:packet [44] ipid = 8296, @7a0a990e

    Apr 4 15:46:40 15:14:13.170263:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:---- flow_process_pkt: (thd 31): flow_ctxt type 21, common flag 0x800, mbuf 0xc56ce00, rtbl_idx = 0

    Apr 4 15:46:40 15:14:13.170293:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:flow_encap_proc called with nsp_tunnel - 0x33d47674

    Apr 4 15:46:40 15:14:13.170315:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: encap vector

    Apr 4 15:46:40 15:14:13.170322:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: going into tunnel 131073 (nsp_tunnel=0x33d47674).

    Apr 4 15:46:40 15:14:13.170343:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: flow_encrypt: tun 0x33d47674, type 1

    Apr 4 15:46:40 15:14:13.170358:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:inline encapping is done. go to jexec

    Apr 4 15:46:40 15:14:13.170378:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try <<<<<<<<<<<<<<<< Notice the error.

    Apr 4 15:46:40 15:14:13.170387:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)


    Apr 4 15:46:40 15:13:03.1259403:CID-01:FPC-08:PIC-00:THREAD_ID-23:RT:Forward packet to anchor SPU (11) for tunnel info 0x20020001 (tun id 131073)


    SRX# run show log jtac | match failed
    Apr 4 15:46:40 15:14:13.170378:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:41 15:14:14.170083:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:42 15:14:15.169729:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:43 15:14:16.169365:CID-01:FPC-11:PIC-00:THREAD_ID-08:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:46 15:14:19.168394:CID-01:FPC-11:PIC-00:THREAD_ID-28:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:48 15:14:21.167732:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:54 15:14:27.165714:CID-01:FPC-11:PIC-00:THREAD_ID-12:RT:Flow failed to update nh, let jexec try

    The above error means that no next-hop was found for the flow. This error is a hint that the ALG status may not match on the two peering devices.

  3. Check the health of the VPN tunnel that the flow goes through and make sure the tunnel is up.

  4. Check the status of the MSRPC ALG:
    SRX# run show security alg status
    ALG Status :
    DNS : Enabled
    FTP : Enabled
    H323 : Enabled
    MGCP : Enabled

    MSRPC : Enabled <

  5. Look at the configuration of the peering device, which is ScreenOS, and find the status of the MSRPC ALG there. In this case, it was disabled.

  6. Match the configuration on the SRX; that is, disable the MSRPC ALG on the SRX device as well:
    SRX# set security alg msrpc disable
    SRX# commit

    SRX# run show security alg status
    ALG Status :
    DNS : Enabled
    FTP : Enabled
    H323 : Enabled
    MGCP : Enabled

    MSRPC : Disabled <
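As an added example (not part of the Juniper article and not a Juniper tool), the following Python script parses flow traceoption lines of the shape shown in step 2. It extracts the 5-tuple that matched each traceoption packet filter, the tunnel each packet entered, and the number of "Flow failed to update nh" messages per SPU (FPC/PIC), then flags the pattern this article associates with an ALG mismatch: a port-135 TCP flow entering a VPN tunnel followed by repeated next-hop failures. The sample log is constructed from the article's own trace lines, and the `suspect_alg_mismatch` heuristic is an assumption drawn from the article's reasoning, not an official diagnostic.

```python
"""Parse SRX flow traceoption output for the next-hop failure pattern in this article."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the trace lines shown in step 2 above.
SAMPLE_LOG = """\
Apr 4 15:46:40 15:14:13.170200:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:<199.134.184.133/135->10.200.32.15/50601;6> matched filter 2:
Apr 4 15:46:40 15:14:13.170322:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: going into tunnel 131073 (nsp_tunnel=0x33d47674).
Apr 4 15:46:40 15:14:13.170378:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:40 15:14:13.170387:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
Apr 4 15:46:41 15:14:14.170083:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:43 15:14:16.169365:CID-01:FPC-11:PIC-00:THREAD_ID-08:RT:Flow failed to update nh, let jexec try
"""

# One trace line: wall-clock time, packet timestamp, CID/FPC/PIC/thread, then the message.
HEADER_RE = re.compile(
    r"^(?P<wall>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<pkt>[\d:.]+):"
    r"CID-(?P<cid>\d+):FPC-(?P<fpc>\d+):PIC-(?P<pic>\d+):THREAD_ID-(?P<thread>\d+):RT:\s*(?P<msg>.*)$"
)
# "<src/sport->dst/dport;proto> matched filter N": the packet hit traceoption packet-filter N.
FLOW_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<filt>\d+)"
)
TUNNEL_RE = re.compile(r"going into tunnel (?P<tun>\d+)")
NH_FAIL = "Flow failed to update nh"   # the message the article points at
MSRPC_PORT = 135


@dataclass
class TraceEvent:
    wall: str
    fpc: int
    pic: int
    thread: int
    msg: str


def parse_line(line: str) -> Optional[TraceEvent]:
    """Return the parsed event, or None for lines that are not flow trace output."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return TraceEvent(m["wall"], int(m["fpc"]), int(m["pic"]), int(m["thread"]), m["msg"])


@dataclass
class Report:
    flows: List[dict] = field(default_factory=list)            # 5-tuples that hit a filter
    tunnels: Counter = field(default_factory=Counter)          # tunnel id -> packets entering it
    nh_failures: int = 0                                       # count of NH_FAIL messages
    failures_by_spu: Counter = field(default_factory=Counter)  # (fpc, pic) -> failures

    def msrpc_flows(self) -> List[dict]:
        """TCP flows with 135 on either side, i.e. both traceoption filter directions."""
        return [f for f in self.flows
                if f["proto"] == 6 and MSRPC_PORT in (f["sport"], f["dport"])]

    def suspect_alg_mismatch(self) -> bool:
        """Heuristic taken from the article (an assumption, not a Juniper diagnostic):
        an MSRPC flow entered a tunnel and the SPU then failed to update the next hop."""
        return bool(self.msrpc_flows()) and bool(self.tunnels) and self.nh_failures > 0


def analyze(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        fm = FLOW_RE.search(ev.msg)
        if fm:
            rep.flows.append({"src": fm["src"], "sport": int(fm["sport"]),
                              "dst": fm["dst"], "dport": int(fm["dport"]),
                              "proto": int(fm["proto"]), "filter": int(fm["filt"])})
        tm = TUNNEL_RE.search(ev.msg)
        if tm:
            rep.tunnels[int(tm["tun"])] += 1
        if NH_FAIL in ev.msg:
            rep.nh_failures += 1
            rep.failures_by_spu[(ev.fpc, ev.pic)] += 1
    return rep


def summary(rep: Report) -> str:
    lines = [f"MSRPC flows matched: {len(rep.msrpc_flows())}",
             f"tunnels entered: {dict(rep.tunnels)}",
             f"'{NH_FAIL}' messages: {rep.nh_failures} by SPU {dict(rep.failures_by_spu)}"]
    if rep.suspect_alg_mismatch():
        lines.append("next step: compare 'show security alg status' (MSRPC) on both VPN peers")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(analyze(SAMPLE_LOG)))
```

Feed it the output of `show log jtac` (or whichever file the traceoptions write to); the `filter` field tells you which of the two packet filters, source-port 135 or destination-port 135, caught each packet, so a report with flows from only one filter means one direction of the traffic never reached the SRX flow module at all, which is a different problem from the ALG mismatch described here.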
Modification History:
2019-05-22: Content reviewed for accuracy.