[SRX] How Post and Pre fragment packets are recognized in the IPsec decrypting node

Article ID: KB34918 | KB Last Updated: 23 Aug 2019 | Version: 1.0

Summary:

This article explains how Post and Pre fragment packets are recognized in the IPsec decrypting node.

The technical documentation for the show security flow statistics command provides a description for 'Post fragments generated' and 'Pre fragments generated'.

Solution:

When the conditions match, the Post fragments or Pre fragments counter increases not only on the encrypting node, but also on the decrypting node.

For an explanation of the difference between "Post fragments" and "Pre fragments" packets received by the decrypting node, refer to KB34784 - 'Post fragments generated' counter increasing.

Ubuntu---SRX1--IPsec Tunnel---(ge-0/0/1)SRX2---PC
(Packets captured on ge-0/0/1 of SRX2)

When the Post fragments counter increases on SRX2:

Post fragments generated: 4
ESP packets outer IP header
..1. .... = More fragments: Set  <-- For a post fragment, the MF bit is 'Set'

When the Pre fragments counter increases on SRX2:

Pre fragments generated: 4
ESP packets outer IP header
.0.. .... = Don't fragment: Not set <-- For a pre fragment, the MF bit of the decrypted packet's inner IP header is checked
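
The two checks described above, written as an added example for reading a capture offline (this is not Juniper code and not how Junos implements its counters). It assumes the inner IP header is already available in decrypted form; the function names, addresses and sample headers are constructed for illustration.

```python
import struct

ESP_PROTO = 50  # IP protocol number for ESP

def parse_ipv4(header: bytes) -> dict:
    """Decode protocol and flag/fragment fields from an IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _len, _id, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", header[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"proto": proto,
            "df": bool(flags_frag & 0x4000),   # .1.. .... Don't fragment
            "mf": bool(flags_frag & 0x2000),   # ..1. .... More fragments
            "frag_offset": (flags_frag & 0x1FFF) * 8}

def classify(outer: bytes, inner: bytes) -> str:
    """Apply the article's two checks, in order, to one ESP packet.

    outer: outer IP header as captured on the decrypting node's interface.
    inner: inner IP header after decryption (assumed to be available).
    """
    o = parse_ipv4(outer)
    if o["proto"] != ESP_PROTO:
        raise ValueError("outer header does not carry ESP")
    if o["mf"]:                      # outer MF set -> post fragment
        return "post-fragment"
    if parse_ipv4(inner)["mf"]:      # inner MF set -> pre fragment
        return "pre-fragment"
    return "no-mf-set"               # neither check in the article matches

def build_header(proto: int, mf=False, df=False, offset_units=0) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left as 0)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1]))

# Constructed samples: (outer ESP header, decrypted inner header carrying ICMP)
SAMPLES = {
    "outer MF set": (build_header(ESP_PROTO, mf=True), build_header(1)),
    "inner MF set": (build_header(ESP_PROTO), build_header(1, mf=True)),
    "no MF set":    (build_header(ESP_PROTO), build_header(1)),
}

if __name__ == "__main__":
    for name, (outer, inner) in SAMPLES.items():
        print(f"{name}: {classify(outer, inner)}")
```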
