Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Traffic policing over a IPsec (VPN) tunnel is not working

0

0

Article ID: KB34611 KB Last Updated: 30 Jun 2019Version: 1.0
Summary:
This article provides a solution to a configuration scenario where traffic policing through the tunnel is not working.
Symptoms:

Topology:

LAN1 ---- (10G)(reth0)SRX(reth1)(10G)--------IPsec---------(1G)FW(1G) ---- LAN2

Traffic blackholes as the FW side interfaces are 1G and SRX side is 10G. The requirement is to limit the traffic on the SRX side.

Note: This is an example setup or requirement; the idea is policing traffic for IPsec.
 

Configuration Used on SRX:

set interfaces reth1 unit 0 family inet filter input ON-DEMAND
set firewall family inet filter ON-DEMAND term 400m from destination-address 2.2.2.2/26
set firewall family inet filter ON-DEMAND term 400m then policer police400m
set firewall family inet filter ON-DEMAND term 400m then count ON-DEMAND_Count
set firewall family inet filter ON-DEMAND term last then accept
set firewall policer police400m if-exceeding bandwidth-limit 400m
set firewall policer police400m if-exceeding burst-size-limit 15000
set firewall policer police400m then discard

Where, "destination-address" is the subnet on the other side of the VPN.

The count shows that the policer is not working:

srx> show firewall filter ON-DEMAND
Filter: ON-DEMAND
Counters:
Name                                                      Bytes              Packets
ON-DEMAND_Count                                               0                    0
Policers:
Name                                                      Bytes              Packets
police400m-400m                                                                    0
Cause:
The possible solution is to create a firewall filter to police traffic on the SRX.

A question commonly asked is which interface to police the traffic:

  • On the st interface  OR
  • On the exit interface of the SRX OR
  • On the ingress interface of the SRX. 
Solution:
The answer is to configure the policing on the ingress interface, which is reth0 in this topology.

Run the following command to check that the policer is working.
srx> show firewall filter ON-DEMAND

Filter: ON-DEMAND
Counters:
Name                                                Bytes Packets
ON-DEMAND_Count                                1262565939 917764
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search