
[SRX] Stream Control Transmission Protocol (SCTP) traffic is dropped randomly


Article ID: KB31567 | KB Last Updated: 09 Jun 2017 | Version: 2.0
Summary:

The requirements for passing Stream Control Transmission Protocol (SCTP) traffic changed with the release of the SCTP Inspection feature. After upgrading to code that supports this feature, SCTP traffic forwarding may be affected, both when an SCTP Inspection profile is applied and when it is not.

Symptoms:

SCTP traffic is dropped randomly. The General Packet Radio Service (GPRS) SCTP association is created, but the traffic is dropped. In some cases, messages similar to the following are seen in the flow trace:

PKT-PROC for plugin junos-gprs jbuf 0x96028948, sess jsf flags 0x0, rc 7

Cause:

Even when SCTP Inspection is not used, certain configuration requirements apply on all platforms and releases that support the SCTP Inspection feature. If SCTP Inspection is used, additional requirements apply.

Solution:

There are two new requirements that apply even when the SCTP Inspection is not used:

  1. Bi-directional security policies: Security policies are now needed in both directions, so that separate SCTP flow sessions can be created in both directions. The INIT and INIT-ACK each now create their own session.

  2. SCTP ALG: The SCTP ALG is now required, so the "application-protocol ignore" statement must NOT be used for any SCTP-passing application referenced in security policies.

Please refer to the technical documentation, Understanding Stream Control Transmission Protocol.

However, where a gprs-sctp-profile is used, the issue might persist even after the above configuration is applied.
In the failure scenario described below, both the ingress and egress interfaces were in the same security zone, and a single policy was used to permit both directions of the SCTP traffic:

from-zone zone_A to-zone zone_A {
    policy SCTP {
        match {
            source-address [ <Add_set_A> <Add_set_B> ];
            destination-address [ <Add_set_A> <Add_set_B> ];
            application junos-gprs-sctp;
        }
        then {
            permit {
                application-services {
                    gprs-sctp-profile <name>;
                }
            }
            count;
        }
    }
}

To resolve the issue, the single policy above should be split into two policies:

from-zone zone_A to-zone zone_A {
    policy SCTP_A-to-B {
        match {
            source-address <Add_set_A>;
            destination-address <Add_set_B>;
            application junos-gprs-sctp;
        }
        then {
            permit {
                application-services {
                    gprs-sctp-profile <name>;
                }
            }
            count;
        }
    }
    policy SCTP_B-to-A {
        match {
            source-address <Add_set_B>;
            destination-address <Add_set_A>;
            application junos-gprs-sctp;
        }
        then {
            permit {
                application-services {
                    gprs-sctp-profile <name>;
                }
            }
            count;
        }
    }
}
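As an added example (not Juniper code and not part of this article), the following Python script audits a Junos-style security policy stanza for the two conditions described above: an SCTP policy with a gprs-sctp-profile that permits both directions between the same address sets in one policy, and an inter-zone SCTP policy with no policy for the reverse zone direction. It also renders the per-direction split shown above. The parser handles only the brace/semicolon subset of Junos syntax seen in this article; the address set, zone and profile names (ADDR_SET_A, ADDR_SET_B, my_profile) are constructed placeholders, and policies are recognized as SCTP policies by the substring "sctp" in their application name, which is an assumption of this script.

```python
import re

TOKEN_RE = re.compile(r'\[|\]|\{|\}|;|[^\s\[\]{};]+')

def parse_block(tokens, pos=0):
    """Parse Junos-style statements up to a closing '}' or end of input.
    Returns (nodes, pos); a node is (words, children), children None for a leaf,
    and a bracketed list such as [ a b ] becomes a Python list inside words."""
    nodes = []
    while pos < len(tokens) and tokens[pos] != '}':
        words = []
        while tokens[pos] not in ('{', ';'):
            if tokens[pos] == '[':
                end = tokens.index(']', pos)
                words.append(tokens[pos + 1:end])
                pos = end + 1
            else:
                words.append(tokens[pos])
                pos += 1
        if tokens[pos] == '{':
            children, pos = parse_block(tokens, pos + 1)
            nodes.append((words, children))
        else:
            nodes.append((words, None))
        pos += 1  # consume the closing '}' or the ';'
    return nodes, pos

def parse(text):
    return parse_block(TOKEN_RE.findall(text))[0]

def child(nodes, *words):
    """Children of the container statement whose words match exactly, else None."""
    for w, kids in nodes or []:
        if kids is not None and w == list(words):
            return kids
    return None

def leaf(nodes, key):
    """Value of the leaf statement 'key value;' (string or list), else None."""
    for w, kids in nodes or []:
        if kids is None and len(w) > 1 and w[0] == key:
            return w[1]
    return None

def as_set(value):
    return set() if value is None else set(value) if isinstance(value, list) else {value}

def has_gprs_sctp_profile(policy):
    svc = child(child(child(policy, 'then'), 'permit'), 'application-services')
    return leaf(svc, 'gprs-sctp-profile') is not None

def audit_sctp_policies(config_text):
    """Findings for the article's two rules: one policy per traffic direction, and an
    SCTP policy for both zone directions. Assumes SCTP applications contain 'sctp'."""
    findings, sctp_policies = [], {}
    for words, zone in parse(config_text):
        if zone is None or words[:1] != ['from-zone'] or len(words) != 4:
            continue
        pair = (words[1], words[3])
        for pwords, policy in zone:
            if policy is None or pwords[:1] != ['policy']:
                continue
            match = child(policy, 'match')
            if not any('sctp' in app for app in as_set(leaf(match, 'application'))):
                continue
            sctp_policies.setdefault(pair, []).append(pwords[1])
            shared = as_set(leaf(match, 'source-address')) & as_set(leaf(match, 'destination-address'))
            if has_gprs_sctp_profile(policy) and len(shared) > 1:
                findings.append(f"policy {pwords[1]} ({pair[0]} -> {pair[1]}) permits both directions "
                                f"between {sorted(shared)} in one policy; split it per direction")
    for (a, b), names in sctp_policies.items():
        if a != b and (b, a) not in sctp_policies:
            findings.append(f"no reverse SCTP policy from-zone {b} to-zone {a} for {names}")
    return findings

POLICY_TMPL = """policy {name} {{
    match {{
        source-address {src};
        destination-address {dst};
        application {app};
    }}
    then {{
        permit {{ application-services {{ gprs-sctp-profile {profile}; }} }}
        count;
    }}
}}"""

def split_policies(name, addr_sets, profile, app='junos-gprs-sctp'):
    """Render one single-direction policy per ordered pair of distinct address sets,
    mirroring the article's SCTP_A-to-B / SCTP_B-to-A split."""
    sets = sorted(addr_sets)
    return [POLICY_TMPL.format(name=f"{name}_{s}-to-{d}", src=s, dst=d, app=app, profile=profile)
            for s in sets for d in sets if s != d]

# Constructed sample: the single bidirectional policy from the article, with placeholder names.
SINGLE_POLICY = """
from-zone zone_A to-zone zone_A {
    policy SCTP {
        match {
            source-address [ ADDR_SET_A ADDR_SET_B ];
            destination-address [ ADDR_SET_A ADDR_SET_B ];
            application junos-gprs-sctp;
        }
        then {
            permit { application-services { gprs-sctp-profile my_profile; } }
            count;
        }
    }
}
"""

if __name__ == "__main__":
    for finding in audit_sctp_policies(SINGLE_POLICY):
        print("FINDING:", finding)
    print("\n".join(split_policies("SCTP", {"ADDR_SET_A", "ADDR_SET_B"}, "my_profile")))
```

Feed the script the output of `show configuration security policies | display set`-style text converted back to brace syntax, or the brace-syntax stanza directly; the rendered split policies can be pasted under the relevant from-zone stanza after replacing the placeholder names.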

Modification History:

2017-05-30: Reworded the summary and solution for clarity.
