This article describes MSRPC traffic, which runs over TCP port 135, failing to pass through a VPN tunnel between SRX and ScreenOS devices.
MSRPC traffic is not working over a VPN tunnel between SRX and ScreenOS devices:
- In this scenario, a site-to-site VPN tunnel is established between ScreenOS and SRX firewalls.
- The traffic on port 135 is not working.
To resolve this issue, perform the following procedure:
- Locate the configuration that uses port 135:
# show applications | display set | match 135
set applications application ms-rpc-tcp destination-port 135-135
- Configure flow traceoptions for port 135 with two separate packet filters, one matching it as the source port and one as the destination port, so that both directions are captured. Send the traffic and display the traceoptions log:
Apr 4 15:46:40 15:14:13.170200:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:<199.134.184.133/135->10.200.32.15/50601;6> matched filter 2:
Apr 4 15:46:40 15:14:13.170242:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:packet [44] ipid = 8296, @7a0a990e
Apr 4 15:46:40 15:14:13.170263:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:---- flow_process_pkt: (thd 31): flow_ctxt type 21, common flag 0x800, mbuf 0xc56ce00, rtbl_idx = 0
Apr 4 15:46:40 15:14:13.170293:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:flow_encap_proc called with nsp_tunnel - 0x33d47674
Apr 4 15:46:40 15:14:13.170315:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: encap vector
Apr 4 15:46:40 15:14:13.170322:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: going into tunnel 131073 (nsp_tunnel=0x33d47674).
Apr 4 15:46:40 15:14:13.170343:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: flow_encrypt: tun 0x33d47674, type 1
Apr 4 15:46:40 15:14:13.170358:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:inline encapping is done. go to jexec
Apr 4 15:46:40 15:14:13.170378:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try <<<<<<<<<<<<<<<< Notice the error.
Apr 4 15:46:40 15:14:13.170387:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
Apr 4 15:46:40 15:13:03.1259403:CID-01:FPC-08:PIC-00:THREAD_ID-23:RT:Forward packet to anchor SPU (11) for tunnel info 0x20020001 (tun id 131073)
SRX# run show log jtac | match failed
Apr 4 15:46:40 15:14:13.170378:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:41 15:14:14.170083:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:42 15:14:15.169729:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:43 15:14:16.169365:CID-01:FPC-11:PIC-00:THREAD_ID-08:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:46 15:14:19.168394:CID-01:FPC-11:PIC-00:THREAD_ID-28:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:48 15:14:21.167732:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:54 15:14:27.165714:CID-01:FPC-11:PIC-00:THREAD_ID-12:RT:Flow failed to update nh, let jexec try
The above error means that no next hop was found for the flow. It is a hint that the ALG status may not match on the two peering devices.
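For reference, a flow traceoptions configuration that captures port 135 in both directions, as described in the step above. This is an added example, not configuration from the original article; the file name jtac matches the log read below, while the filter names f-dst and f-src, the file size and the file count are assumptions.

```junos
# Added example (not from the original article). Filter names, file size
# and file count are assumptions; the file name "jtac" matches "show log jtac".
set security flow traceoptions file jtac
set security flow traceoptions file size 10m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
# Filter 1: traffic toward the MSRPC endpoint mapper (destination port 135)
set security flow traceoptions packet-filter f-dst protocol tcp
set security flow traceoptions packet-filter f-dst destination-port 135
# Filter 2: return traffic from the endpoint mapper (source port 135),
# the direction that produced "matched filter 2" in the trace above
set security flow traceoptions packet-filter f-src protocol tcp
set security flow traceoptions packet-filter f-src source-port 135
commit
# Once the trace has been collected, remove it so the data plane stops logging
delete security flow traceoptions
commit
```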
- Check the health of the VPN tunnel that the flow traverses and confirm that the tunnel is up.
- Check the status of the MSRPC ALG:
SRX# run show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled <
- Check the configuration on the peering ScreenOS device and find the status of its MSRPC ALG. In this case, it was disabled.
- Match the configuration on the SRX device; that is, disable the MSRPC ALG on the SRX as well:
SRX# set security alg msrpc disable
SRX# commit
SRX# run show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Disabled <