Handling of Ident Packets

Article ID: KB6184 KB Last Updated: 25 Aug 2010Version: 3.0
Summary:
Handling of Ident Packets
Symptoms:

  • Server on trust side sends ident request
  • Internal server has MIP and policy assigned to it
  • Client tries to access a server on the trusted side of the NetScreen.
  • IDENT-reset option is enabled on the untrust interface
  • Delay of 30 seconds when contacting a server behind the NetScreen

Note: In the case where the client is on the trusted side and the server is on the untrusted side of the NetScreen, and the client initiates a session, the server sends back an ident request. The IDENT-reset is resolved on the untrusted interface of the NetScreen. This behaviour is identical to that of a PC when it communicates with an ident server.

Solution:

Some services, such as IRC chat and some mail servers, send an identification request during the initial TCP communication. These are referred to as IDENT packets (TCP port 113).

In NAT mode, when a NetScreen device receives an IDENT packet, it does not respond to it. After about 30 seconds the originator gives up on the IDENT request and sends its packets anyway. Resolve this by enabling IDENT-RESET on the Untrust interface: an IDENT-RESET is then sent back to the originator, which proceeds immediately and sends packets as usual.

If the packet arrives at a Mapped IP (MIP) from a client, the host behind the Mapped IP receives the IDENT packet (not the untrusted interface of the NetScreen). In that case the NetScreen requires a policy allowing traffic to port 113 through the NetScreen to that host.

If the NetScreen is in Route mode, an incoming policy is required that allows traffic to port 113 to the destination host.
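To see the three outcomes from the querying host's side, here is an added Python ident client (not from this article, and not ScreenOS code): it sends an RFC 1413 query to port 113 and reports whether a daemon answered, whether the connection was reset (what IDENT-RESET gives the originator), or whether nothing came back before the timeout (the silent drop behind the 30-second delay). The local fake peer and the closed port are constructed stand-ins for the far side.

```python
import socket
import threading
import time

def ident_query(host, server_port, client_port, timeout=30.0, port=113):
    """Send one RFC 1413 query to TCP port 113 and classify the outcome as the
    originator sees it: "answered" (a daemon replied), "reset" (TCP RST, what
    IDENT-RESET produces) or "dropped" (nothing before the timeout, the silent
    drop behind the 30 s stall). Returns (outcome, elapsed_seconds, reply_text)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            data = b""
            while not data.endswith(b"\r\n"):
                chunk = sock.recv(512)
                if not chunk:
                    break
                data += chunk
            return "answered", time.monotonic() - start, data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "reset", time.monotonic() - start, ""
    except (socket.timeout, TimeoutError):
        return "dropped", time.monotonic() - start, ""

def fake_ident_peer(reply=None):
    """Constructed stand-in for the far side, listening on 127.0.0.1: sends `reply`,
    or accepts and stays silent when reply is None (a firewall swallowing the
    query). Returns the port number."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    def serve():
        conn, _ = listener.accept()
        with conn:
            conn.recv(512)  # the "server-port, client-port" query line
            if reply is not None:
                conn.sendall(reply)
            else:
                time.sleep(2)  # outlast the client's timeout without answering
    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]

def closed_local_port():
    """A 127.0.0.1 port nothing listens on, so a connect is refused with a TCP RST."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port
```

Pointed at a host behind the firewall, a "dropped" result with elapsed time near the timeout is the symptom this article describes; "reset" is what the originator should see once IDENT-RESET is enabled.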

Applicable Products:

  • NetScreen-5
  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000

Applicable ScreenOS:

  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.0.3
  • 3.1.0
  • 4.0.0
  • 4.0.0-DIAL
  • 4.0.0-DIAL2
  • 4.0.1
  • 4.0.1-SBR
  • 4.0.2
  • 4.0.3
  • 5.0.0
  • 5.0.0 A/V