
PFE_FW_SYSLOG_ETH_IP6_TCP_UDP reported in FPC shell logs


Article ID: KB34190 KB Last Updated: 13 Jul 2019Version: 1.0
Summary:

This article provides an overview of the messages logged in the FPC shell when a connection to port 853 (DNS over TLS) is attempted.

Symptoms:

The following message is logged in the FPC shell. 

NPC10(ABC vty)# [Jan 23 18:19:30.858 LOG: Info] PFE_FW_SYSLOG_ETH_IP6_TCP_UDP: FW: irb.1053     D XXXX AA:BB:CC:AA::10 -|| 60:05:97:cc:00:28 tcp SA fdfb:5a66:3d5a:372e:: -> DA fdfb:5a66:3d4b:372e::  sport:44354 dport:  853 (1 packets)
[Jan 23 18:19:30.858 LOG: Info] PFE_FW_SYSLOG_ETH_IP6_TCP_UDP: FW: irb.1053     D XXXX 06:f4:26:00:10:10 -> 60:09:1b:0a:00:28 tc SA fdfb:5a66:3d5d:372e::/ -> DA fdfb:5a66:3d4b:372e::  sport:42516 dport:  853 (1 packets)
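To check quickly whether every drop in a batch of FPC shell messages is the expected DNS over TLS case, the following parser pulls the interface, action code, protocol, addresses, ports and packet count out of each PFE_FW_SYSLOG_ETH_IP6_TCP_UDP line and reports drops to any port other than 853. This is an added example, not Juniper code: the two lines quoted above are reused as-is, the port 53 accept line and the port 22 drop line are constructed for illustration, and the mapping of the single-letter action field (D = discard, A = accept, R = reject) is an assumption.

```python
import re
from collections import Counter

# Regex for the PFE_FW_SYSLOG_ETH_IP6_TCP_UDP line as it appears in the FPC
# shell. Field order (interface, action code, filter name, MAC addresses,
# protocol, SA/DA, sport/dport, packet count) follows the lines quoted in
# the article; a leading "NPC10(ABC vty)# " prompt is simply skipped by
# using search() instead of match().
LOG_RE = re.compile(
    r"\[(?P<ts>[^\]]+) LOG: (?P<level>\w+)\]\s+"
    r"PFE_FW_SYSLOG_ETH_IP6_TCP_UDP:\s+FW:\s+(?P<ifl>\S+)\s+"
    r"(?P<action>\S)\s+(?P<filter>\S+)\s+.*?\s(?P<proto>\S+)\s+"
    r"SA\s+(?P<sa>\S+)\s+->\s+DA\s+(?P<da>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"\((?P<pkts>\d+) packets?\)"
)

PORT_NAMES = {53: "DNS", 853: "DNS over TLS"}
# Assumed meaning of the one-letter action field (not stated in the article).
ACTION_NAMES = {"D": "discard", "A": "accept", "R": "reject"}

# Sample input: the first two lines are the ones quoted in the article, the
# last two are constructed (a permitted port 53 query and a drop to port 22).
SAMPLE_LINES = [
    "NPC10(ABC vty)# [Jan 23 18:19:30.858 LOG: Info] PFE_FW_SYSLOG_ETH_IP6_TCP_UDP: FW: irb.1053     D XXXX AA:BB:CC:AA::10 -|| 60:05:97:cc:00:28 tcp SA fdfb:5a66:3d5a:372e:: -> DA fdfb:5a66:3d4b:372e::  sport:44354 dport:  853 (1 packets)",
    "[Jan 23 18:19:30.858 LOG: Info] PFE_FW_SYSLOG_ETH_IP6_TCP_UDP: FW: irb.1053     D XXXX 06:f4:26:00:10:10 -> 60:09:1b:0a:00:28 tc SA fdfb:5a66:3d5d:372e::/ -> DA fdfb:5a66:3d4b:372e::  sport:42516 dport:  853 (1 packets)",
    "[Jan 23 18:20:01.101 LOG: Info] PFE_FW_SYSLOG_ETH_IP6_TCP_UDP: FW: irb.1053     A XXXX 06:f4:26:00:10:10 -> 60:09:1b:0a:00:28 tcp SA fdfb:5a66:3d5d:372e:: -> DA fdfb:5a66:3d4b:372e::  sport:55087 dport:   53 (1 packets)",
    "[Jan 23 18:20:05.420 LOG: Info] PFE_FW_SYSLOG_ETH_IP6_TCP_UDP: FW: irb.1053     D XXXX 06:f4:26:00:10:10 -> 60:09:1b:0a:00:28 tcp SA fdfb:5a66:3d5d:372e:: -> DA fdfb:5a66:3d4b:372e::  sport:51022 dport:   22 (1 packets)",
]


def parse_line(line):
    """Return a dict of the fields in one PFE firewall syslog line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    rec["service"] = PORT_NAMES.get(rec["dport"], "other")
    rec["action_name"] = ACTION_NAMES.get(rec["action"], "unknown")
    return rec


def summarize(lines):
    """Packet counts keyed by (destination port, action code)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["dport"], rec["action"])] += rec["pkts"]
    return dict(counts)


def unexplained_drops(lines):
    """Dropped packets per destination port, excluding port 853.

    An empty result means every drop is the informational DNS over TLS
    case described in the article; anything else deserves a closer look.
    """
    return {
        port: pkts
        for (port, action), pkts in summarize(lines).items()
        if action == "D" and port != 853
    }


if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE_LINES)):
        print(f'{rec["ifl"]} {rec["action_name"]:8} {rec["proto"]:4} '
              f'{rec["sa"]} -> {rec["da"]} dport {rec["dport"]} ({rec["service"]})')
    print("drops not explained by DNS over TLS:", unexplained_drops(SAMPLE_LINES))
```

Feed it the FPC shell output captured for the interface in question; when `unexplained_drops` returns an empty dict, the logged drops are all port 853 and match the behaviour this article describes.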


Steps to Reproduce

A TCP session is initiated from 2011:0301:1020:00::8 (client) to 2011:0301:1020:00::3 (DNS server).  

          --------------        ae0        ---------------
client    +     R1      +------------------+       R2    +  DNS server
          --------------                   ---------------   

To capture the TCP session activity, a filter is applied in the outbound direction of ae0 on R1. Note that the keyword domain only allows ICMP and port 53 traffic for TCP and UDP.

R1 -- ae0 -- R2

labroot@R8# show firewall family inet6 filter test 

term 1 {
    from {
        source-address {
            2011:0301:1020:00::8/128;
        }
        destination-address {
            2011:0301:1020:00::3/128;
        }
        next-header tcp;
        source-port 1-65535;
        destination-port domain;
    }
    then {
        count test;
        accept;
    }
}
term 2 {
    then {
        log;
        reject;
    }
}

labroot@R8# run file show /etc/services | match domain 

domain           53/tcp    #Domain Name Server
domain           53/udp    #Domain Name Server
 

With the above filter configured, a TCP session is initiated to port 853 and another to port 53: the connection to port 853 is dropped, while the connection to port 53 is accepted.

[edit]

labroot@R8# run telnet 2011:0301:1020:00::3 source 2011:0301:1020:00::8 port 853    

Trying 2011:301:1020::3...
telnet: connect to address 2011:301:1020::3: Operation not permitted
telnet: Unable to connect to remote host

[edit]

labroot@R8# run telnet 2011:0301:1020:00::3 source 2011:0301:1020:00::8 port 53     

Trying 2011:301:1020::3...

labroot@R8# run show firewall log detail

Time of Log: 2019-01-23 05:44:10 PST, Filter: test, Filter action: accept, Name of interface: ae0.0
Name of protocol: TCP, Packet Length: 0, Source address: 2011:301:1020::8 Port 55087, Destination address: 2011:301:1020::3 Port 53
Time of Log: 2019-01-23 05:43:32 PST, Filter: test, Filter action: reject, Name of interface: ae0.0
Name of protocol: TCP, Packet Length: 0, Source address: 2011:301:1020::8 Port 64999, Destination address: 2011:301:1020::3 Port 853

 

Cause:

Port 853 is used for DNS over TLS, which the caching DNS server in Junos OS does not currently support. Packets with a destination port of 853 are therefore dropped. Junos OS currently supports packets sent to port 53 (DNS).

When the clients are not able to get a connection, they will fall back to using the normal DNS on port 53.

 

Solution:

The PFE_FW_SYSLOG_ETH_IP6_TCP_UDP message is informational. Packets destined to port 853 are dropped; requests that clients send to UDP/TCP port 53 are permitted.
 
