
[SRX] Troubleshooting packet drop by SRX due to screen-options

Article ID: KB30698 KB Last Updated: 23 Dec 2016Version: 1.0
Summary:

This article explains how to identify whether a packet has been dropped by screen options applied to an interface or a zone.

Solution:

The following screen configuration was applied to a zone on the SRX:

root@SRX-2# show security screen
ids-option dst-block {
    icmp {
        fragment;
        large;
    }
    ip {
        timestamp-option;
        spoofing;
        block-frag;
    }
    tcp {
        syn-flood {
            attack-threshold 3;
        }
    }
    limit-session {
        source-ip-based 100;
    }
}


With the local logging / syslog facility and severity configured as shown below, the events generated for packets dropped by screen options are captured:

root@SRX-2# show system syslog
file test_screen {
    any warning; >>> facility and severity
}

If an appropriate packet filter is applied in the flow traceoptions, the resulting log file lets you easily identify why a packet was dropped on the SRX:

root@SRX-2# show security flow traceoptions
file icmp_block size 4m files 4;
flag basic-datapath;
flag packet-drops;
packet-filter pf1 {
    source-prefix 10.204.94.135/32;
}

Below are some logs captured from flow traceoptions and from the syslog server.

Flow trace for ICMP large packets and ICMP fragments dropped due to Screen options:

Dec 10 06:49:55 06:49:54.1704962:CID-0:RT:<10.222.12.12/0->10.219.56.5/0;1> matched filter pf1:

Dec 10 06:49:55 06:49:54.1704966:CID-0:RT:packet [548] ipid = 13078, @0x49d0f6ce

Dec 10 06:49:55 06:49:54.1704968:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x49d0f480, rtbl_idx = 0

Dec 10 06:49:55 06:49:54.1704971:CID-0:RT: flow process pak fast ifl 69 in_ifp ge-0/0/0.0

Dec 10 06:49:55 06:49:54.1704997:CID-0:RT:  screen detection drop packet.

Dec 10 06:49:55 06:49:54.1704999:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

Syslog events generated when packets are dropped due to the ICMP large packet and ICMP fragment screen options:

Dec 10 06:49:55  SRX-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 10.222.12.12, destination: 10.219.56.5, zone name: trust, interface name: ge-0/0/0.0, action: drop
Dec 10 06:49:55  SRX-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 10.222.12.12, destination: 10.219.56.5, zone name: trust, interface name: ge-0/0/0.0, action: drop

Flow trace for IP spoofing:

Dec 27 21:51:12 21:51:12.703418:CID-0:RT:<10.204.94.135/42917->228.204.94.136/45577;17> matched filter pf1:

Dec 27 21:51:12 21:51:12.703434:CID-0:RT:packet [104] ipid = 0, @0x4a8e2fce

Dec 27 21:51:12 21:51:12.703438:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4a8e2d80, rtbl_idx = 0

Dec 27 21:51:12 21:51:12.703447:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/1.0

Dec 27 21:51:12 21:51:12.703457:CID-0:RT:  ge-0/0/1.0:10.204.94.135/42917->228.204.94.136/45577, udp

Dec 27 21:51:12 21:51:12.703465:CID-0:RT: find flow: table 0x5be18400, hash 21065(0xffff), sa 10.204.94.135, da 228.204.94.136, sp 42917, dp 45577, proto 17, tok 6

Dec 27 21:51:12 21:51:12.703475:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Dec 27 21:51:12 21:51:12.703504:CID-0:RT:flow_ipv4_rt_lkup success 10.204.94.135, iifl 0x48, oifl 0x47

Dec 27 21:51:12 21:51:12.703578:CID-0:RT:  packet dropped, drop by spoofing check

Dec 27 21:51:12 21:51:12.703581:CID-0:RT:flow_initiate_first_path: first pak no session

Dec 27 21:51:12 21:51:12.703584:CID-0:RT:  flow find session returns error.

Dec 27 21:51:12 21:51:12.703587:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

Syslog event for IP spoofing:

Dec 27 21:52:14  SRX-2 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 10.204.94.135, destination: 228.204.94.136, protocol-id: 17, zone name: trust, interface name: ge-0/0/1.0, action: drop
Dec 27 21:52:14  SRX-2 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 10.204.94.135, destination: 228.204.94.136, protocol-id: 17, zone name: trust, interface name: ge-0/0/1.0, action: drop

Flow trace for IP fragmented traffic:

Dec 27 21:51:16 21:51:16.755736:CID-0:RT:<10.204.94.135/39316->228.204.94.136/46661;17> matched filter pf1:

Dec 27 21:51:16 21:51:16.755755:CID-0:RT:packet [1500] ipid = 11197, @0x49c1c8ce

Dec 27 21:51:16 21:51:16.755802:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x49c1c680, rtbl_idx = 0

Dec 27 21:51:16 21:51:16.755813:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/1.0

Dec 27 21:51:16 21:51:16.755907:CID-0:RT:  screen detection drop packet.

Dec 27 21:51:16 21:51:16.755910:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

Syslog event for IP fragmented traffic:

Dec 27 21:52:11  SRX-2 RT_IDS: RT_SCREEN_IP: Fragmented traffic! source: 10.204.94.135, destination: 228.204.94.136, protocol-id: 17, zone name: trust, interface name: ge-0/0/1.0, action: drop

Flow trace and syslog event for the session-limit option:
Refer to KB23639 - Troubleshooting packet drop by SRX with error message "drop due to firewall check".
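As an added example (not part of this KB article or of Junos), the Python below turns the RT_SCREEN syslog lines and the flow-trace drop lines shown above into structured records, so screen drops can be counted per check, source and ingress interface and each filtered packet in a trace can be paired with the reason logged for it. The regular expressions are derived only from the log formats quoted in the article, and the sample lines are constructed copies of those.

```python
import re
from collections import Counter

# RT_IDS screen event as written to the syslog file (format taken from the article's output)
SCREEN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+RT_IDS: "
    r"(?P<tag>RT_SCREEN_\w+): (?P<attack>[^!]+)! (?P<fields>.*)$")
# Flow-trace lines: the packet that matched the packet-filter, and the drop reason logged after it
MATCH_RE = re.compile(r"RT:<(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+;(?P<proto>\d+)> matched filter")
DROP_RE = re.compile(r"RT:\s+(screen detection drop packet|packet dropped, drop by \w+ check)")

SAMPLE_SYSLOG = [  # constructed sample lines, modelled on the ones shown in the article
    "Dec 10 06:49:55  SRX-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 10.222.12.12, "
    "destination: 10.219.56.5, zone name: trust, interface name: ge-0/0/0.0, action: drop",
    "Dec 27 21:52:14  SRX-2 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 10.204.94.135, destination: "
    "228.204.94.136, protocol-id: 17, zone name: trust, interface name: ge-0/0/1.0, action: drop",
]
SAMPLE_TRACE = [  # constructed flow-trace excerpt: two filtered packets, each followed by its drop line
    "Dec 27 21:51:12 21:51:12.703418:CID-0:RT:<10.204.94.135/42917->228.204.94.136/45577;17> matched filter pf1:",
    "Dec 27 21:51:12 21:51:12.703578:CID-0:RT:  packet dropped, drop by spoofing check",
    "Dec 27 21:51:16 21:51:16.755736:CID-0:RT:<10.204.94.135/39316->228.204.94.136/46661;17> matched filter pf1:",
    "Dec 27 21:51:16 21:51:16.755907:CID-0:RT:  screen detection drop packet.",
]

def parse_screen_event(line):
    """Return a dict for one RT_SCREEN_* syslog line, or None if the line is not one."""
    if not (m := SCREEN_RE.match(line)):
        return None
    ev = {k: m.group(k) for k in ("ts", "host", "tag", "attack")}
    for field in m.group("fields").split(", "):
        key, _, value = field.partition(": ")
        ev[key.replace(" ", "_")] = value  # "zone name" -> "zone_name"
    return ev

def summarize_drops(lines):
    """Count screen drops per (attack, source, ingress interface) over syslog lines."""
    events = [ev for ev in map(parse_screen_event, lines) if ev and ev.get("action") == "drop"]
    return Counter((ev["attack"], ev["source"], ev["interface_name"]) for ev in events)

def trace_drop_reasons(lines):
    """Pair each packet that matched the flow packet-filter with the drop reason logged for it."""
    reasons, current = [], None
    for line in lines:
        if m := MATCH_RE.search(line):  # a new packet entered the trace; remember its addresses
            current = (m.group("src"), m.group("dst"), int(m.group("proto")))
        elif current and (d := DROP_RE.search(line)):
            reasons.append((current, d.group(1)))
            current = None
    return reasons
```

Feed the contents of the syslog file (here `test_screen`) to `summarize_drops` and the traceoptions file (`icmp_block`) to `trace_drop_reasons`; a source that dominates the counts for one screen check is the one to look at first.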
