
[SRX] Error: Failed to build dop for policy


Article ID: KB35128    Last Updated: 07 Oct 2019    Version: 1.0
Summary:

This article describes the supported configuration for the security policies used in a Policy-Based VPN, so that the commit error "Failed to build dop for policy" is avoided.

For a better understanding of Policy-Based VPNs, see an explanation and configuration example in Policy-Based IPsec VPNs.

Symptoms:

Committing the following configuration produces an error:

root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match source-address LOCAL-SUBNET
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match destination-address REMOTE-SUBNET
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match application junos-https
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel pair-policy REVERSE-POLICY

root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match source-address REMOTE-SUBNET
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match destination-address LOCAL-SUBNET
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match application junos-https
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel pair-policy MAIN-POLICY

root@SRX# commit check
error: Failed to build dop for policy MAIN-POLICY
error: configuration check-out failed

Cause:

In a Policy-Based VPN implementation, the match criteria of a security policy and its pair-policy must be exact mirrors of each other (reverse order). The configuration above satisfies this for the source and destination addresses but not for the application, because junos-https is defined in junos-defaults as follows:

root@SRX# show groups junos-defaults applications application junos-https
protocol tcp;
destination-port 443;

The match criteria of the two security policies above can be read as follows:

MAIN-POLICY:    traffic from LOCAL-SUBNET to REMOTE-SUBNET that is TCP with destination-port 443
REVERSE-POLICY: traffic from REMOTE-SUBNET to LOCAL-SUBNET that is TCP with destination-port 443   <<<< this should be source-port 443

The REVERSE-POLICY match criteria are therefore not the reverse of the MAIN-POLICY criteria: the reply traffic of an HTTPS session has source-port 443, not destination-port 443. This mismatch triggers the "Failed to build dop for policy" error during the commit process.

Solution:

The configuration Juniper supports for security policies used in Policy-Based VPN implementations is application "any" on both the main policy and the reverse policy.

If this requirement cannot be met, the work-around below can be used instead.

Work-around:

Create a custom application for the reverse policy that is the reverse of the application used in the main policy, i.e. the same protocol with the destination-port turned into a source-port. Example:

Note: This only permits traffic initiated from the TRUST zone and the replies to that traffic. HTTPS sessions initiated from the UNTRUST zone will not match this security policy, because their destination-port is 443 and their source-port is an ephemeral port.

root@SRX# set applications application reverse-junos-https protocol tcp
root@SRX# set applications application reverse-junos-https source-port 443

root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match source-address LOCAL-SUBNET
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match destination-address REMOTE-SUBNET
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match application junos-https
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel pair-policy REVERSE-POLICY

root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match source-address REMOTE-SUBNET
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match destination-address LOCAL-SUBNET
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match application reverse-junos-https
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel pair-policy MAIN-POLICY
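To make the mirroring rule explicit, here is an added Python check (not Juniper code, and not part of this article's original content) that parses the set commands above, reverses the main policy's addresses and the application's source/destination ports, and reports where the pair-policy differs. It assumes the junos-https definition quoted from junos-defaults above, and its parser only understands the set forms used in this article; sample_config rebuilds the article's two configurations with the REVERSE-POLICY application as a parameter.

```python
import re

# junos-defaults entry quoted in the article; "any" carries no protocol or port terms
DEFAULT_APPS = {"junos-https": {"protocol": "tcp", "destination-port": "443"}, "any": {}}
SWAP = {"source-address": "destination-address", "destination-address": "source-address",
        "source-port": "destination-port", "destination-port": "source-port"}  # reversed policy swaps these
POLICY_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(?:match (\S+) (\S+)|then permit tunnel (?:pair-policy (\S+)|ipsec-vpn \S+))$")
APP_RE = re.compile(r"set applications application (\S+) (\S+) (\S+)$")

def parse(config):
    """Collect applications and policies from 'set ...' lines; a 'root@SRX# ' prompt is stripped."""
    apps, policies = {n: dict(t) for n, t in DEFAULT_APPS.items()}, {}
    for raw in config.splitlines():
        line = raw.split("# ", 1)[-1].strip()
        if m := APP_RE.match(line):
            apps.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := POLICY_RE.match(line):
            pol = policies.setdefault(m.group(3), {"from-zone": m.group(1), "to-zone": m.group(2)})
            if m.group(4):
                pol[m.group(4)] = m.group(5)
            elif m.group(6):
                pol["pair-policy"] = m.group(6)
    return apps, policies

def check_pair(name, apps, policies):
    """Return why a policy and its pair-policy are not exact mirrors; [] means they are consistent."""
    pol, problems = policies[name], []
    pair = policies.get(pol.get("pair-policy"))
    if pair is None:
        return [f"{name}: pair-policy is missing"]
    for key in ("source-address", "destination-address"):
        if pair.get(SWAP[key]) != pol.get(key):
            problems.append(f"{name}: {key} is not mirrored by {pol['pair-policy']}")
    # the reverse of an application swaps source-port and destination-port ("any" stays "any")
    expected = {SWAP.get(k, k): v for k, v in apps[pol["application"]].items()}
    if apps[pair["application"]] != expected:
        problems.append(f"{name}: application {pair['application']} should be {expected}")
    return problems

def sample_config(reverse_app):
    """Constructed from the article's example; only the REVERSE-POLICY application varies."""
    main = "set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY "
    rev = "set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY "
    return "\n".join(["set applications application reverse-junos-https protocol tcp",
        "set applications application reverse-junos-https source-port 443",
        main + "match source-address LOCAL-SUBNET", main + "match destination-address REMOTE-SUBNET",
        main + "match application junos-https", main + "then permit tunnel pair-policy REVERSE-POLICY",
        rev + "match source-address REMOTE-SUBNET", rev + "match destination-address LOCAL-SUBNET",
        rev + f"match application {reverse_app}", rev + "then permit tunnel pair-policy MAIN-POLICY"])
```

Running check_pair("MAIN-POLICY", *parse(sample_config("junos-https"))) reports the mismatch from the Symptoms section, while the same call with "reverse-junos-https" (the work-around) returns an empty list.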
