[SRX] Error: Failed to build dop for policy

[KB35128]


Summary:

This article explains the supported configuration for security policies used in a Policy-Based VPN implementation, so as to avoid the commit error: Failed to build dop for policy

For a better understanding of Policy-Based VPNs, see an explanation and configuration example in Policy-Based IPsec VPNs.

Symptoms:

Upon committing the following configuration, an error message is displayed:

root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match source-address LOCAL-SUBNET
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match destination-address REMOTE-SUBNET
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match application junos-https
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel pair-policy REVERSE-POLICY

root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match source-address REMOTE-SUBNET
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match destination-address LOCAL-SUBNET
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match application junos-https
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel pair-policy MAIN-POLICY

root@SRX# commit check
error: Failed to build dop for policy MAIN-POLICY
error: configuration check-out failed

Cause:

In a Policy-Based VPN implementation, the matching criteria of the two paired security policies must be the exact reverse of each other. This holds for the above configuration example except for the use of the junos-https application, which has the following definition:

root@SRX# show groups junos-defaults applications application junos-https
protocol tcp;
destination-port 443;

The matching criteria of the above security policies can be seen in the following way:

MAIN-POLICY:     Traffic from LOCAL-SUBNET destined to REMOTE-SUBNET that is TCP with a destination-port of 443
REVERSE-POLICY:  Traffic from REMOTE-SUBNET destined to LOCAL-SUBNET that is TCP with a destination-port of 443  <<<< This should be source-port 443

It can be seen that the REVERSE-POLICY matching criteria are not the reverse of the MAIN-POLICY criteria. This mismatch triggers the "Failed to build dop for policy" message during the commit process.

Solution:

The Juniper supported configuration for security policies used on Policy-Based VPN implementations is to configure application "any" on both the main and the reverse policy.

If this requirement cannot be met, the work-around below can be used instead.

Work-around:

Create a custom application for the reverse policy that mirrors the application used in the main policy (destination-port becomes source-port). Example:

Note: This only guarantees the flow of traffic initiated from the TRUST zone and the replies to that traffic. HTTPS traffic initiated from the UNTRUST zone will not match this security policy.

root@SRX# set applications application reverse-junos-https protocol tcp
root@SRX# set applications application reverse-junos-https source-port 443

root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match source-address LOCAL-SUBNET
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match destination-address REMOTE-SUBNET
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match application junos-https
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN
root@SRX# set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel pair-policy REVERSE-POLICY

root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match source-address REMOTE-SUBNET
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match destination-address LOCAL-SUBNET
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match application reverse-junos-https
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN
root@SRX# set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel pair-policy MAIN-POLICY
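The mirror rule described in the Cause section (swapped addresses, destination-port turned into source-port) can be checked offline before a commit. The following Python script is an added example and is not Juniper code: it parses the "set" lines above, resolves applications from a constructed table of built-ins (only junos-https is modelled) plus any custom applications in the input, and reports every policy whose pair-policy is not its exact reverse. Run against the original configuration it flags both policies; run against the work-around configuration it reports nothing.

```python
"""Offline check that pair-policies in a Policy-Based VPN mirror each other.

Added example, not Juniper code. Models the article's rule: for a pair-policy,
zones and addresses must be swapped and the application's destination-port
must become the reverse policy's source-port (and vice versa).
"""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the junos-defaults applications group; only the
# built-in used in the article is modelled. Ports are strings so "any" or
# ranges pass through unchanged.
BUILTIN_APPS: Dict[str, Dict[str, str]] = {
    "junos-https": {"protocol": "tcp", "destination-port": "443"},
    "any": {},
}

# An optional "root@SRX# " prompt is tolerated so pasted CLI output parses.
POLICY_RE = re.compile(r"^(?:\S+#\s+)?set security policies from-zone (\S+) "
                       r"to-zone (\S+) policy (\S+) (.*)$")
APP_RE = re.compile(r"^(?:\S+#\s+)?set applications application (\S+) (\S+) (\S+)$")


def parse(lines: List[str]):
    """Return (policies, apps) from Junos 'set' lines; unrelated lines are skipped."""
    apps = {k: dict(v) for k, v in BUILTIN_APPS.items()}
    policies: Dict[str, dict] = {}
    for raw in lines:
        line = raw.strip()
        m = APP_RE.match(line)
        if m:
            name, key, value = m.groups()
            apps.setdefault(name, {})[key] = value
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        from_zone, to_zone, name, rest = m.groups()
        pol = policies.setdefault(name, {"from": from_zone, "to": to_zone, "match": {}})
        mm = re.match(r"match (\S+) (\S+)$", rest)
        if mm:
            pol["match"][mm.group(1)] = mm.group(2)
        mp = re.match(r"then permit tunnel pair-policy (\S+)$", rest)
        if mp:
            pol["pair"] = mp.group(1)
    return policies, apps


def reverse_app(app: Dict[str, str]) -> Dict[str, str]:
    """Mirror an application definition by swapping source-port and destination-port."""
    swap = {"source-port": "destination-port", "destination-port": "source-port"}
    return {swap.get(k, k): v for k, v in app.items()}


def check_pairs(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (policy name, reason) for each policy whose pair-policy is not its mirror."""
    policies, apps = parse(lines)
    problems = []
    for name, pol in policies.items():
        pair_name = pol.get("pair")
        if pair_name is None:
            continue  # not a pair-policy, nothing to mirror
        pair = policies.get(pair_name)
        if pair is None:
            problems.append((name, f"pair-policy {pair_name} is not defined"))
            continue
        if (pair["from"], pair["to"]) != (pol["to"], pol["from"]):
            problems.append((name, "pair-policy zones are not reversed"))
            continue
        m, pm = pol["match"], pair["match"]
        if (pm.get("source-address"), pm.get("destination-address")) != (
                m.get("destination-address"), m.get("source-address")):
            problems.append((name, "pair-policy addresses are not reversed"))
            continue
        app_name, pair_app_name = m.get("application", "any"), pm.get("application", "any")
        app, pair_app = apps.get(app_name), apps.get(pair_app_name)
        if app is None or pair_app is None:
            problems.append((name, "unknown application"))
        elif reverse_app(app) != pair_app:
            problems.append((name, f"application {app_name} is not mirrored by {pair_app_name}"))
    return problems


# Constructed inputs reproducing the article's two configurations (prompts omitted).
_COMMON = [
    "set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match source-address LOCAL-SUBNET",
    "set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match destination-address REMOTE-SUBNET",
    "set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY match application junos-https",
    "set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN",
    "set security policies from-zone TRUST to-zone UNTRUST policy MAIN-POLICY then permit tunnel pair-policy REVERSE-POLICY",
    "set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match source-address REMOTE-SUBNET",
    "set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match destination-address LOCAL-SUBNET",
    "set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel ipsec-vpn POLICY-BASED-VPN",
    "set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY then permit tunnel pair-policy MAIN-POLICY",
]
BROKEN_CONFIG = _COMMON + [
    "set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match application junos-https"]
FIXED_CONFIG = _COMMON + [
    "set applications application reverse-junos-https protocol tcp",
    "set applications application reverse-junos-https source-port 443",
    "set security policies from-zone UNTRUST to-zone TRUST policy REVERSE-POLICY match application reverse-junos-https"]

if __name__ == "__main__":
    for label, cfg in (("original", BROKEN_CONFIG), ("work-around", FIXED_CONFIG)):
        print(label, check_pairs(cfg) or "OK")
```

The script treats a missing application as "any" and compares the mirrored application dictionaries field by field, so it also catches a custom reverse application that forgets the protocol or uses the wrong port. It deliberately does not reason about which direction of HTTPS will actually match the tunnel; as the note above says, the work-around only covers sessions initiated from the TRUST zone.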