
[SRX] AppFW Application System Cache not refreshed


Article ID: KB35591 KB Last Updated: 21 Mar 2020Version: 1.0
Summary:

When application system cache (ASC) lookup is enabled under application-identification, an ASC entry is not refreshed by new sessions that hit it. The entry expires when cache-entry-timeout elapses, counted from the time the entry was created.

Symptoms:

The following test enables ASC cache lookup on Junos 18.2 and shows that a cached entry is not refreshed. It uses UDP traffic to illustrate the ASC timeout behavior and was run on an SRX4600 running Junos 18.2R1.

The ASC entry times out 10 minutes (the configured 600 seconds) after it was created, even though a new session hit the entry at roughly the 9-minute mark. The cache hit therefore does not refresh the entry.

root@SRX4600> show configuration services application-identification

application-system-cache-timeout 600;
application-system-cache {
    security-services;
}
  1. Start UDP traffic to create a UDP session and the corresponding ASC entry:

    root@SRX4600> show security flow session 
    Nov 15 14:15:18 
    Session ID: 12441976, Policy name: USER-to-INTERNET/5, Timeout: 52, Valid 
    In: 50.0.0.1/1024 --> 10.0.0.1/2048;udp, Conn Tag: 0x0, If: xe-1/1/1.0, Pkts: 331131, Bytes: 164240976, 
    Out: 10.0.0.1/2048 --> 50.0.0.1/1024;udp, Conn Tag: 0x0, If: xe-1/1/0.0, Pkts: 0, Bytes: 0, 
    Total sessions: 1 
    
    root@SRX4600> show services application-identification application-system-cache 
    Nov 15 14:15:21 
    Application System Cache Configurations: 
    application-cache: on 
    Cache lookup for security-services: on 
    Cache lookup for miscellaneous-services: on 
    cache-entry-timeout: 600 seconds 
    pic: 0/0 
    Logical system name: 0 
    IP address: 10.0.0.1 Port: 2048 Protocol: UDP 
    Application: UNKNOWN Encrypted: No 
    Classification Path: IP:UDP:UNKNOWN 
  2. Stop the UDP traffic and let the UDP session time out. Then wait roughly 9 minutes:

    root@SRX4600> show services application-identification application-system-cache 
    Nov 15 14:23:50 
    Application System Cache Configurations: 
    application-cache: on 
    Cache lookup for security-services: on 
    Cache lookup for miscellaneous-services: on 
    cache-entry-timeout: 600 seconds 
    pic: 0/0 
    Logical system name: 0 
    IP address: 10.0.0.1 Port: 2048 Protocol: UDP 
    Application: UNKNOWN Encrypted: No 
    Classification Path: IP:UDP:UNKNOWN 
  3. Start the UDP traffic again, creating a new UDP session that hits the existing ASC entry:

    root@SRX4600> show security flow session 
    Nov 15 14:24:15 
    Session ID: 12441977, Policy name: USER-to-INTERNET/5, Timeout: 54, Valid 
    In: 50.0.0.1/1024 --> 10.0.0.1/2048;udp, Conn Tag: 0x0, If: xe-1/1/1.0, Pkts: 559399, Bytes: 277461904, 
    Out: 10.0.0.1/2048 --> 50.0.0.1/1024;udp, Conn Tag: 0x0, If: xe-1/1/0.0, Pkts: 0, Bytes: 0, 
    Total sessions: 1 
    
    root@SRX4600> show services application-identification application-system-cache 
    Nov 15 14:24:18 
    Application System Cache Configurations: 
    application-cache: on 
    Cache lookup for security-services: on 
    Cache lookup for miscellaneous-services: on 
    cache-entry-timeout: 600 seconds 
    pic: 0/0 
    Logical system name: 0 
    IP address: 10.0.0.1 Port: 2048 Protocol: UDP 
    Application: UNKNOWN Encrypted: No 
    Classification Path: IP:UDP:UNKNOWN 
  4. At the 10-minute mark the ASC entry for the UDP traffic has timed out; the cache hit in step 3 did not refresh it, and the entry is absent from the output:

    root@SRX4600> show services application-identification application-system-cache 
    Nov 15 14:25:26 
    Application System Cache Configurations: 
    application-cache: on 
    Cache lookup for security-services: on 
    Cache lookup for miscellaneous-services: on 
    cache-entry-timeout: 600 seconds
Cause:
Below is a second example, on an SRX300 running 18.2R1-S2, using the junos:RDP application to confirm the behavior. Note that in this test the ASC timeout is 300 seconds.
  1. An RDP session is generated and the ASC entry is created:

    user@router> show security flow session 
    Nov 16 15:08:59
    Session ID: 18454, Policy name: unified-pol/5, Timeout: 1798, Valid
      In: 192.168.200.99/4812 --> 172.27.6.14/3389;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 155, Bytes: 29753, 
      Out: 172.27.6.14/3389 --> 172.27.6.25/27330;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 161, Bytes: 22210, 
    
    user@router> show services application-identification application-system-cache 
    Nov 16 15:09:10
    Application System Cache Configurations:
      application-cache: on
        Cache lookup for security-services: on
        Cache lookup for miscellaneous-services: on
      cache-entry-timeout: 300 seconds
    pic: 0/0
    Logical system name: 0                                          
    IP address: 172.27.6.14                              Port: 3389   Protocol: TCP 
    Application: COTP:RDP                                Encrypted: No   
    Classification Path: IP:TCP:COTP:RDP
  2. Stop RDP and let the RDP session time out. Then wait around 3 to 4 minutes:

    user@router> show services application-identification application-system-cache       
    Nov 16 15:12:37
    Application System Cache Configurations:
      application-cache: on
        Cache lookup for security-services: on
        Cache lookup for miscellaneous-services: on
      cache-entry-timeout: 300 seconds
    pic: 0/0
    Logical system name: 0                                          
    IP address: 172.27.6.14                              Port: 3389   Protocol: TCP 
    Application: COTP:RDP                                Encrypted: No   
    Classification Path: IP:TCP:COTP:RDP
  3. Create a new RDP session, which hits the existing ASC entry:

    user@router> show security flow session  
    Nov 16 15:12:49
    Session ID: 18472, Policy name: unified-pol/5, Timeout: 1800, Valid
      In: 192.168.200.99/4815 --> 172.27.6.14/3389;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 56, Bytes: 25798, 
      Out: 172.27.6.14/3389 --> 172.27.6.25/4244;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 62, Bytes: 16595, 
    
    user@router> show services application-identification application-system-cache  
    Nov 16 15:12:57
    Application System Cache Configurations:
      application-cache: on
        Cache lookup for security-services: on
        Cache lookup for miscellaneous-services: on
      cache-entry-timeout: 300 seconds
    pic: 0/0
    Logical system name: 0                                          
    IP address: 172.27.6.14                              Port: 3389   Protocol: TCP 
    Application: COTP:RDP                                Encrypted: No   
    Classification Path: IP:TCP:COTP:RDP
  4. The ASC entry for RDP times out after around 5 minutes, unaffected by the cache hit in step 3:

    user@router> show services application-identification application-system-cache   | refresh 10 
    Nov 16 15:13:12
    ---(refreshed at 2018-11-16 15:13:12 HKT)---
    Application System Cache Configurations:
      application-cache: on
        Cache lookup for security-services: on
        Cache lookup for miscellaneous-services: on
      cache-entry-timeout: 300 seconds
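Both reproductions above follow the same pattern: capture the cache, create a session that hits the entry, and see whether the entry outlives cache-entry-timeout counted from its creation. The script below, added to this article and not Juniper code, automates that judgement from pasted CLI output. It parses the "show services application-identification application-system-cache" and "show security flow session" text as the SRX prints it, tracks one cache key (destination address, port and protocol of the session's In wing, which is what the ASC is keyed on) across captures, and reports whether a hit extended the entry's life. The embedded captures are abridged from the UDP test on the SRX4600 (only the lines the parser needs are kept, at the timestamps shown above); the capture year, which the CLI timestamps omit, is assumed to be 2018 as in the RDP test's refresh line.

```python
"""Check, from captured Junos CLI output, whether an AppID application
system cache (ASC) entry was refreshed by cache hits.

Added example for this article; it is not Juniper code. It parses the text
of 'show services application-identification application-system-cache' and
'show security flow session' as printed on the SRX and decides whether an
entry outlived cache-entry-timeout measured from its creation.
"""
import re
from datetime import datetime, timedelta

# Assumption: CLI timestamps carry no year; the article's captures are from 2018.
CAPTURE_YEAR = 2018

TS_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})", re.M)
TIMEOUT_RE = re.compile(r"cache-entry-timeout:\s*(\d+)\s*seconds")
ENTRY_RE = re.compile(r"IP address:\s*(\S+)\s+Port:\s*(\d+)\s+Protocol:\s*(\S+)")
# The ASC is keyed on the server side, i.e. the destination of the In wing.
SESSION_RE = re.compile(r"In:\s*\S+\s*-->\s*(\S+)/(\d+);(\w+)")


def parse_timestamp(output):
    """First 'Mon DD HH:MM:SS' line in a CLI capture, as a datetime."""
    m = TS_RE.search(output)
    if m is None:
        raise ValueError("no 'Mon DD HH:MM:SS' timestamp in capture")
    return datetime.strptime(f"{CAPTURE_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")


def parse_asc(output):
    """Return (timestamp, timeout_seconds_or_None, {(ip, port, proto), ...})."""
    tm = TIMEOUT_RE.search(output)
    entries = {(ip, int(port), proto.upper())
               for ip, port, proto in ENTRY_RE.findall(output)}
    return parse_timestamp(output), (int(tm.group(1)) if tm else None), entries


def parse_sessions(output):
    """Return (timestamp, {(dst_ip, dst_port, proto), ...}) from flow session output."""
    keys = {(ip, int(port), proto.upper())
            for ip, port, proto in SESSION_RE.findall(output)}
    return parse_timestamp(output), keys


def entry_lifetime(key, asc_captures, session_captures):
    """Track one ASC key across captures and judge whether hits refreshed it.

    refreshed_on_hit is False when the entry is gone at a capture that a
    reset timer (hit time + timeout) would still have covered, True when the
    entry is still present beyond first_seen + timeout after a hit, and
    None when the captures do not decide it.
    """
    snaps = sorted((parse_asc(o) for o in asc_captures), key=lambda s: s[0])
    timeout = next((t for _, t, _ in snaps if t is not None), None)
    seen = [ts for ts, _, entries in snaps if key in entries]
    if not seen:
        raise ValueError(f"{key} never appeared in the cache")
    first_seen, last_seen = seen[0], seen[-1]
    gone_at = next((ts for ts, _, entries in snaps
                    if ts > last_seen and key not in entries), None)
    # Cache hits: sessions to the key created after the entry already existed.
    hits = sorted(ts for ts, keys in map(parse_sessions, session_captures)
                  if key in keys and ts > first_seen
                  and (gone_at is None or ts < gone_at))
    refreshed = None
    if timeout is not None:
        window = timedelta(seconds=timeout)
        if gone_at is not None and any(h + window > gone_at for h in hits):
            refreshed = False   # a reset timer would still have covered gone_at
        elif gone_at is None and hits and last_seen > first_seen + window:
            refreshed = True    # outlived the timeout counted from creation
    return {
        "first_seen": first_seen, "last_seen": last_seen, "gone_at": gone_at,
        "timeout": timeout, "hits": hits, "refreshed_on_hit": refreshed,
        "age_at_expiry": (gone_at - first_seen).total_seconds() if gone_at else None,
    }


# Captures abridged from the article's UDP test on the SRX4600; only the
# lines the parser needs are kept, at the timestamps printed in the article.
UDP_ASC_CAPTURES = [
    "Nov 15 14:15:21\ncache-entry-timeout: 600 seconds\n"
    "IP address: 10.0.0.1 Port: 2048 Protocol: UDP\n",
    "Nov 15 14:23:50\ncache-entry-timeout: 600 seconds\n"
    "IP address: 10.0.0.1 Port: 2048 Protocol: UDP\n",
    "Nov 15 14:24:18\ncache-entry-timeout: 600 seconds\n"
    "IP address: 10.0.0.1 Port: 2048 Protocol: UDP\n",
    "Nov 15 14:25:26\ncache-entry-timeout: 600 seconds\n",   # entry gone
]
UDP_SESSION_CAPTURES = [
    "Nov 15 14:15:18\nIn: 50.0.0.1/1024 --> 10.0.0.1/2048;udp, Conn Tag: 0x0\n",
    "Nov 15 14:24:15\nIn: 50.0.0.1/1024 --> 10.0.0.1/2048;udp, Conn Tag: 0x0\n",
]


def udp_result():
    return entry_lifetime(("10.0.0.1", 2048, "UDP"),
                          UDP_ASC_CAPTURES, UDP_SESSION_CAPTURES)


if __name__ == "__main__":
    r = udp_result()
    print(f"entry created {r['first_seen']:%H:%M:%S}, gone at {r['gone_at']:%H:%M:%S} "
          f"({r['age_at_expiry']:.0f}s, timeout {r['timeout']}s); "
          f"hits: {[h.strftime('%H:%M:%S') for h in r['hits']]}; "
          f"refreshed on hit: {r['refreshed_on_hit']}")
```

On the UDP captures the entry is first seen at 14:15:21 and gone at 14:25:26 (605 seconds later, just past the 600-second timeout), while the hit at 14:24:15 would have kept a refreshed entry alive until 14:34:15; the verdict is therefore refreshed_on_hit False, matching step 4. The same function can be pointed at captures from the RDP test, or at a series collected with "| refresh 10" as in the RDP test, by changing the key and the pasted text.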
Solution:

An application system cache entry is not refreshed by a cache hit. The entry's timer starts when the entry is created, and the entry is removed when cache-entry-timeout expires regardless of how many later sessions matched it. This is by design, because of the security concerns surrounding the use of ASC: an entry maps a destination address, port and protocol to an application, and sessions that hit it are classified from the cache instead of being inspected, so a bounded lifetime limits how long a stale or wrong entry can keep driving policy decisions. Where even that window is unacceptable, leave cache lookup for security services disabled by omitting the security-services statement under application-system-cache shown in the configuration above.
