MSRPC traffic is not working over the VPN tunnel between SRX and ScreenOS devices

  [KB24065]


Summary:
 This article describes MSRPC traffic failing to pass over a site-to-site VPN tunnel between SRX and ScreenOS devices. MSRPC traffic is configured to run over TCP port 135.
Symptoms:
MSRPC traffic does not work over a VPN tunnel between SRX and ScreenOS devices.
Solution:
  • In this scenario, a site-to-site VPN tunnel is established between ScreenOS and SRX firewalls.
  • The traffic on port 135 is not working.


To resolve this issue, perform the following procedure:
  1. Locate the configuration that uses port 135:
    # show applications | display set | match 135
    set applications application ms-rpc-tcp destination-port 135-135

  2. Configure flow traceoptions for port 135 as both source-port and destination-port, using two separate packet filters so that both directions are captured. Generate the traffic and display the traceoptions log:
    Apr 4 15:46:40 15:14:13.170200:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:<199.134.184.133/135->10.200.32.15/50601;6> matched filter 2:

    Apr 4 15:46:40 15:14:13.170242:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:packet [44] ipid = 8296, @7a0a990e

    Apr 4 15:46:40 15:14:13.170263:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:---- flow_process_pkt: (thd 31): flow_ctxt type 21, common flag 0x800, mbuf 0xc56ce00, rtbl_idx = 0

    Apr 4 15:46:40 15:14:13.170293:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:flow_encap_proc called with nsp_tunnel - 0x33d47674

    Apr 4 15:46:40 15:14:13.170315:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: encap vector

    Apr 4 15:46:40 15:14:13.170322:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: going into tunnel 131073 (nsp_tunnel=0x33d47674).

    Apr 4 15:46:40 15:14:13.170343:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: flow_encrypt: tun 0x33d47674, type 1

    Apr 4 15:46:40 15:14:13.170358:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:inline encapping is done. go to jexec

    Apr 4 15:46:40 15:14:13.170378:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try <<<<<<<<<<<<<<<< Notice the error.

    Apr 4 15:46:40 15:14:13.170387:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)


    Apr 4 15:46:40 15:13:03.1259403:CID-01:FPC-08:PIC-00:THREAD_ID-23:RT:Forward packet to anchor SPU (11) for tunnel info 0x20020001 (tun id 131073)


    SRX# run show log jtac | match failed
    Apr 4 15:46:40 15:14:13.170378:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:41 15:14:14.170083:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:42 15:14:15.169729:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:43 15:14:16.169365:CID-01:FPC-11:PIC-00:THREAD_ID-08:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:46 15:14:19.168394:CID-01:FPC-11:PIC-00:THREAD_ID-28:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:48 15:14:21.167732:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
    Apr 4 15:46:54 15:14:27.165714:CID-01:FPC-11:PIC-00:THREAD_ID-12:RT:Flow failed to update nh, let jexec try

    The above error means that no next-hop was found for the flow. It is a hint that the ALG status may be mismatched between the peering devices.

  3. Check the health of the VPN tunnel that the flow traverses and confirm that the tunnel is up.

  4. Check the status of the MSRPC ALG:
    SRX# run show security alg status
    ALG Status :
    DNS : Enabled
    FTP : Enabled
    H323 : Enabled
    MGCP : Enabled

    MSRPC : Enabled < 

  5. Check the configuration of the peering device (ScreenOS) for the status of the MSRPC ALG. In this case, it was disabled.

  6. Match the configuration on the SRX; that is, disable the MSRPC ALG on the SRX device as well.
    SRX# set security alg msrpc disable
    SRX# commit

    SRX# run show security alg status
    ALG Status :
    DNS : Enabled
    FTP : Enabled
    H323 : Enabled
    MGCP : Enabled

    MSRPC : Disabled <
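As an added example (not part of the original KB article), the following Python script parses flow trace lines in the format shown in step 2, extracts the flows matched by the port-135 packet filters, and counts the "Flow failed to update nh" records per FPC and thread so the failure pattern can be spotted in a longer log. The sample log is constructed from the format above, and the function and field names are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the SRX flow trace shown above (not a real capture).
SAMPLE_LOG = """\
Apr 4 15:46:40 15:14:13.170200:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:<199.134.184.133/135->10.200.32.15/50601;6> matched filter 2:
Apr 4 15:46:40 15:14:13.170322:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: going into tunnel 131073 (nsp_tunnel=0x33d47674).
Apr 4 15:46:40 15:14:13.170378:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:41 15:14:14.170083:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:43 15:14:16.169365:CID-01:FPC-11:PIC-00:THREAD_ID-08:RT:Flow failed to update nh, let jexec try
Apr 4 15:46:50 15:14:23.100000:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT:<10.200.32.15/50601->199.134.184.133/135;6> matched filter 1:
Apr 4 15:46:50 15:14:23.100100:CID-01:FPC-11:PIC-00:THREAD_ID-31:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""

# Fixed prefix of every trace record: syslog date, PFE timestamp, CID/FPC/PIC/thread, then the message.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<ts>\d\d:\d\d:\d\d\.\d+):"
    r"CID-(?P<cid>\d+):FPC-(?P<fpc>\d+):PIC-(?P<pic>\d+):THREAD_ID-(?P<thread>\d+):RT:(?P<msg>.*)$"
)
# 5-tuple printed when a packet hits one of the configured packet filters.
FLOW_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)> matched filter (?P<filt>\d+)"
)
NH_FAIL = "Flow failed to update nh"


def parse_line(line):
    """Split one trace line into its fields; returns None for lines that are not trace records."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(text, port=135):
    """Summarise a flow trace: flows touching `port`, next-hop update failures per FPC/thread, and a verdict."""
    flows, failures = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fm = FLOW_RE.search(rec["msg"])
        if fm and port in (int(fm["sport"]), int(fm["dport"])):
            flows.append((fm["src"], int(fm["sport"]), fm["dst"], int(fm["dport"]), int(fm["proto"])))
        elif NH_FAIL in rec["msg"]:
            failures[("FPC-" + rec["fpc"], "THREAD_ID-" + rec["thread"])] += 1
    total = sum(failures.values())
    verdict = ("next-hop not found for the flow; check tunnel state and compare ALG status on both peers"
               if total else "no next-hop failures seen")
    return {"flows": flows, "nh_failures": total, "by_thread": dict(failures), "verdict": verdict}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```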
Modification History:
2019-05-22: Content reviewed for accuracy.