
[J/SRX] Host-inbound traffic going through lt-0/0/0 interface closes abruptly


Article ID: KB28644 KB Last Updated: 21 Feb 2020Version: 2.0
Summary:

Host-inbound traffic that reaches the Routing Engine through an lt-0/0/0 interface is established and then times out shortly afterwards. This article explains why the flow module tears the connection down and describes how to configure a firewall filter on both lt-0/0/0 peer units so that the affected traffic bypasses flow processing.

Symptoms:

Configuration

system {
    host-name 100-4;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
    }
}
interfaces {
    lt-0/0/0 {
        unit 1 {
            encapsulation frame-relay;
            dlci 100;
            peer-unit 2;
            family inet;
        }
        unit 2 {
            encapsulation frame-relay;
            dlci 100;
            peer-unit 1;
            family inet;
        }
    }
    fe-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.2.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.2.1/32 next-hop lt-0/0/0.2;
    }
}
security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone mgmt {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/5.0;
                lt-0/0/0.2;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                lt-0/0/0.1;
            }
        }
    }
}
routing-instances {
    trust {
        instance-type virtual-router;
        interface lt-0/0/0.1;
        interface lo0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop lt-0/0/0.1;
            }
        }
    }
}

An SSH connection is attempted to 192.168.2.1, which lives in routing instance trust. The traffic enters the device through fe-0/0/5.0, which is in the default routing instance. The two routing instances are connected by the logical tunnel interface lt-0/0/0, and 192.168.2.1 is reachable from the default instance with lt-0/0/0.2 as next hop. The SSH connection is established, but shortly afterwards it is closed abruptly.

Cause:
When an SSH connection to 192.168.2.1 is initiated, the following TCP sessions are seen on the device:
root@100-4# run show security flow session protocol tcp | no-more    
Session ID: 13260, Policy name: default-policy-00/2, Timeout: 1795, Valid
  In: 172.27.199.125/50067 --> 192.168.2.1/22;tcp, If: fe-0/0/5.0, Pkts: 71, Bytes: 5088
  Out: 192.168.2.1/22 --> 172.27.199.125/50067;tcp, If: lt-0/0/0.2, Pkts: 118, Bytes: 13137

Session ID: 13262, Policy name: default-policy-00/2, Timeout: 10, Valid
  In: 172.27.199.125/50067 --> 192.168.2.1/22;tcp, If: lt-0/0/0.1, Pkts: 71, Bytes: 5088
  Out: 192.168.2.1/22 --> 172.27.199.125/50067;tcp, If: .local..5, Pkts: 0, Bytes: 0
Total sessions: 2

Two sessions are created because the packet traverses the lt-0/0/0 pair: the first has its egress interface on lt-0/0/0.2, and the second is created when the packet leaves the logical tunnel and re-enters the flow module with lt-0/0/0.1 as its incoming interface. Taking the same output a few seconds later shows how the two sessions age differently:

root@100-4# run show security flow session protocol tcp | no-more
Session ID: 13260, Policy name: default-policy-00/2, Timeout: 1798, Valid >>>>>>>Timeout value increased
  In: 172.27.199.125/50067 --> 192.168.2.1/22;tcp, If: fe-0/0/5.0, Pkts: 73, Bytes: 5220
  Out: 192.168.2.1/22 --> 172.27.199.125/50067;tcp, If: lt-0/0/0.2, Pkts: 120, Bytes: 13321

Session ID: 13262, Policy name: default-policy-00/2, Timeout: 6, Valid >>>>>>>>>>Still decreasing
  In: 172.27.199.125/50067 --> 192.168.2.1/22;tcp, If: lt-0/0/0.1, Pkts: 73, Bytes: 5220
  Out: 192.168.2.1/22 --> 172.27.199.125/50067;tcp, If: .local..5, Pkts: 0, Bytes: 0
Total sessions: 2

The timeout values above show that only the timeout of the first session is refreshed by traffic; the timeout of the second session keeps decreasing. Note also that the timeout of the second session is very low even though both are TCP sessions. The second session is in fact a pseudo-session created during the TCP handshake; only once the flow module has seen the complete handshake is the timeout raised to the normal TCP value of 1800. Here the handshake does complete from SSH's point of view, but packets generated by the device itself (that is, by the Routing Engine, since this is host-inbound traffic) and sent out through lt-0/0/0 bypass the flow module. The SYN-ACK that the SRX sends during the handshake is therefore never seen by the flow session, the flow module concludes that the handshake never completed, and the pseudo-session keeps its short timeout. When the pseudo-session times out, the SSH connection ends abruptly.
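The symptom above can be checked mechanically rather than by eye. The following script is an added example and is not part of the KB article: it parses two successive snapshots of `show security flow session protocol tcp` output (the sample text is the output shown above, with the annotations removed) and reports any session whose Out leg terminates on the Routing Engine (`.local..N`), has forwarded no packets, and whose timeout is still counting down between snapshots. All function and variable names are this example's own.

```python
"""Flag SRX flow pseudo-sessions that are counting down to expiry.

Added example, not part of the Juniper KB article.  It parses two successive
snapshots of `show security flow session protocol tcp` output and reports
sessions that look like the handshake pseudo-session described in the article:
the Out leg terminates at the Routing Engine (interface `.local..N`), it has
forwarded no packets, and its timeout keeps decreasing between snapshots.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two snapshots reproduced from the article.
SNAP_BEFORE = """\
Session ID: 13260, Policy name: default-policy-00/2, Timeout: 1795, Valid
  In: 172.27.199.125/50067 --> 192.168.2.1/22;tcp, If: fe-0/0/5.0, Pkts: 71, Bytes: 5088
  Out: 192.168.2.1/22 --> 172.27.199.125/50067;tcp, If: lt-0/0/0.2, Pkts: 118, Bytes: 13137

Session ID: 13262, Policy name: default-policy-00/2, Timeout: 10, Valid
  In: 172.27.199.125/50067 --> 192.168.2.1/22;tcp, If: lt-0/0/0.1, Pkts: 71, Bytes: 5088
  Out: 192.168.2.1/22 --> 172.27.199.125/50067;tcp, If: .local..5, Pkts: 0, Bytes: 0
Total sessions: 2
"""

SNAP_AFTER = """\
Session ID: 13260, Policy name: default-policy-00/2, Timeout: 1798, Valid
  In: 172.27.199.125/50067 --> 192.168.2.1/22;tcp, If: fe-0/0/5.0, Pkts: 73, Bytes: 5220
  Out: 192.168.2.1/22 --> 172.27.199.125/50067;tcp, If: lt-0/0/0.2, Pkts: 120, Bytes: 13321

Session ID: 13262, Policy name: default-policy-00/2, Timeout: 6, Valid
  In: 172.27.199.125/50067 --> 192.168.2.1/22;tcp, If: lt-0/0/0.1, Pkts: 73, Bytes: 5220
  Out: 192.168.2.1/22 --> 172.27.199.125/50067;tcp, If: .local..5, Pkts: 0, Bytes: 0
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
LEG_RE = re.compile(
    r"^\s+(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Leg:
    src: str
    dst: str
    proto: str
    iface: str
    pkts: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    legs: dict = field(default_factory=dict)  # "In" / "Out" -> Leg


def parse_sessions(text):
    """Parse `show security flow session` output into {session id: Session}."""
    sessions = {}
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m.group(1)), m.group(2), int(m.group(3)))
            sessions[current.sid] = current
            continue
        m = LEG_RE.match(line)
        if m and current is not None:
            current.legs[m.group(1)] = Leg(
                m.group(2), m.group(3), m.group(4), m.group(5), int(m.group(6))
            )
    return sessions


def is_pseudo_session(session):
    """Out leg terminates on the Routing Engine and has never carried a packet."""
    out = session.legs.get("Out")
    return out is not None and out.iface.startswith(".local.") and out.pkts == 0


def expiring_pseudo_sessions(before, after):
    """IDs of pseudo-sessions present in both snapshots whose timeout went down.

    A healthy flow session has its timeout refreshed by traffic (13260 climbs
    from 1795 to 1798); a pseudo-session that never saw the SYN-ACK only
    counts down (13262 goes from 10 to 6) and will tear the connection down.
    """
    return sorted(
        sid
        for sid, sess in after.items()
        if sid in before
        and is_pseudo_session(sess)
        and sess.timeout < before[sid].timeout
    )


if __name__ == "__main__":
    before = parse_sessions(SNAP_BEFORE)
    after = parse_sessions(SNAP_AFTER)
    for sid in expiring_pseudo_sessions(before, after):
        s = after[sid]
        print(f"session {sid}: {s.legs['In'].src} -> {s.legs['In'].dst} "
              f"in on {s.legs['In'].iface}, out to {s.legs['Out'].iface}, "
              f"timeout {before[sid].timeout} -> {s.timeout}s (pseudo-session expiring)")
```

Run it against two captures taken a few seconds apart on the SRX; a session reported here is one the flow module will drop when its countdown reaches zero, which is exactly the SSH disconnect described in this article.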

Solution:

Configure a firewall filter that puts the affected host-inbound traffic into packet mode, so that it bypasses flow processing and no pseudo-session is created, and apply it as an input filter on both lt-0/0/0 peer units using the following set commands:

set firewall filter bypass-flow term t1 from destination-port ssh
set firewall filter bypass-flow term t1 then packet-mode
set firewall filter bypass-flow term t1 then accept
set firewall filter bypass-flow term t2 then accept

set interfaces lt-0/0/0 unit 1 family inet filter input bypass-flow
set interfaces lt-0/0/0 unit 2 family inet filter input bypass-flow
commit
Term t1 matches the SSH traffic and hands it to packet mode; term t2, which has no match conditions, accepts everything else so that it continues to be flow-processed. Without t2 the filter's implicit discard would drop all other traffic on the lt-0/0/0 units. Because traffic matched by the packet-mode term bypasses flow-based features such as security policies, NAT and screens, keep the match conditions as narrow as the affected service requires (here only destination-port ssh). After committing these changes, host-inbound traffic through lt-0/0/0 works without interruption; to confirm, re-run show security flow session protocol tcp during an SSH session and check that the remaining SSH session's timeout is refreshed toward 1800 rather than counting down.