Application fails to pass through Firewall with IDP installed, even though IDP Policies are not configured

Article ID: KB9668   Last Updated: 04 Mar 2017   Version: 4.0
Summary:
An ISG firewall has one or more IDP Security Modules installed in the chassis. No IDP policies are configured, so the module should not interfere with any traffic flow. However, some applications, such as FTP and HTTP, fail to pass through the firewall.
Symptoms:
Some applications, such as FTP and HTTP, fail to pass through the firewall when the ISG has an IDP Security Module installed in the chassis, even though no IDP policy is configured.

Solution:
If IDP is installed but not configured, and an application cannot pass traffic through the firewall, run a packet trace on the client sending the traffic and check the TCP header of the affected segments for checksum errors. A segment with an incorrect TCP checksum is silently dropped by the IDP Security Module (SM). Because the drop happens in the SM, a firewall without the module installed passes the same traffic, which is why the problem appears only once the module is added.

Example:
  The following is a sniffer trace of a single frame with an incorrect TCP checksum. Note that the IP header checksum is correct; only the TCP checksum is wrong, which is the signature to look for:

No.     Time        Source                Destination           Protocol Info
     13 0.000115    10.166.251.140       10.157.45.226        FTP      Request: USER del5fr06

Frame 13 (81 bytes on wire, 81 bytes captured)
    Arrival Time: Mar 19, 2007 22:55:45.886299000
    Time delta from previous packet: 0.000115000 seconds
    Time since reference or first frame: 0.091972000 seconds
    Frame Number: 13
    Packet Length: 81 bytes
    Capture Length: 81 bytes
    Protocols in frame: eth:ip:tcp:ftp
Ethernet II, Src: CompaqHp_9b:96:2e (00:0b:cd:9b:96:2e), Dst: All-HSRP-routers_38 (00:00:0c:07:ac:38)
    Destination: All-HSRP-routers_38 (00:00:0c:07:ac:38)
    Source: CompaqHp_9b:96:2e (00:0b:cd:9b:96:2e)
    Type: IP (0x0800)
Internet Protocol, Src: 10.166.251.140 (10.166.251.140), Dst: 10.157.45.226 (10.157.45.226)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 67
    Identification: 0x9d7a (40314)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x6888 [correct]
        Good: True
        Bad : False
    Source: 10.166.251.140 (10.166.251.140)
    Destination: 10.157.45.226 (10.157.45.226)
Transmission Control Protocol, Src Port: 33126 (33126), Dst Port: ftp (21), Seq: 7, Ack: 109, Len: 15
    Source port: 33126 (33126)
    Destination port: ftp (21)
    Sequence number: 7    (relative sequence number)
    Next sequence number: 22    (relative sequence number)
    Acknowledgement number: 109    (relative ack number)
    Header length: 32 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 5840 (scaled)
    Checksum: 0x34e8 [incorrect, should be 0x6005]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 3625582596, tsecr 2976191555
File Transfer Protocol (FTP)
    USER del5fr06\r\n
        Request command: USER
        Request arg: del5fr06



Check the client to make sure there are no driver incompatibilities with the PC's NIC, and verify that the NIC is in good operational condition. There have been instances where a faulty NIC caused incorrect TCP checksums. One caveat before replacing hardware: if the NIC has TCP checksum offload enabled, a capture taken on the client itself shows every outgoing segment with an "incorrect" checksum, because the packet is captured before the NIC fills the field in. Confirm the bad checksum from a capture taken off the host (a mirror/SPAN port on the switch, or a capture on the firewall side of the client's link) so that the frame you examine is the one the IDP SM actually sees.
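Checking the checksum programmatically, as an added example (not part of the original article and not Juniper's code): the Python script below parses an Ethernet II/IPv4/TCP frame, recomputes the IP header checksum and the TCP checksum over the RFC 793 pseudo-header, and reports whether the stored value matches. The sample frame is rebuilt from the fields visible in the trace above (addresses, MAC addresses, ports, flags, window, TCP timestamp option, FTP payload); the absolute sequence and acknowledgement numbers are assumptions, since the trace only shows relative values.

```python
"""Verify the IPv4 and TCP checksums of a raw Ethernet frame.

Added example; not Juniper's code and not from the original article. The
sample frame mirrors the trace fields (addresses, ports, flags, window, TCP
timestamp option, FTP payload). Absolute sequence/ack numbers, and the
corrupted checksum value passed to sample_frame(), are constructed values.
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the RFC 793 pseudo-header plus the segment,
    with the segment's own checksum field (bytes 16-17) taken as zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return checksum(pseudo + zeroed)


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                options, payload, tcp_csum=None):
    """Build an Ethernet II / IPv4 / TCP frame. tcp_csum=None writes the
    correct TCP checksum; any other value is written verbatim, which models
    a sender (bad NIC or driver) emitting a corrupted segment."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    data_offset = (20 + len(options)) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          data_offset << 4, flags, window, 0, 0)
    segment = tcp_hdr + options + payload
    if tcp_csum is None:
        tcp_csum = tcp_checksum(src_ip, dst_ip, segment)
    segment = segment[:16] + struct.pack("!H", tcp_csum) + segment[18:]

    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(segment), 0x9D7A, 0x4000, 64,
                         socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = (bytes.fromhex("00000c07ac38")      # dst: HSRP virtual MAC
               + bytes.fromhex("000bcd9b962e")    # src: client NIC
               + b"\x08\x00")                     # EtherType IPv4
    return eth_hdr + ip_hdr + segment


def check_frame(frame: bytes) -> dict:
    """Parse an Ethernet II / IPv4 / TCP frame and verify both checksums."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != socket.IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    # A valid IP header sums to 0xFFFF when the checksum field is included.
    ip_ok = ones_complement_sum(ip[:ihl]) == 0xFFFF
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    segment = ip[ihl:total_len]          # drop any Ethernet padding
    if len(segment) < 20:
        raise ValueError("truncated TCP segment")
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src_ip, dst_ip, segment)
    return {"ip_ok": ip_ok, "tcp_ok": stored == expected,
            "tcp_stored": stored, "tcp_expected": expected}


def sample_frame(tcp_csum=None) -> bytes:
    """Frame 13 from the article's trace, rebuilt from its visible fields.
    seq/ack are assumed absolute values (the trace shows relative ones)."""
    ts_opt = b"\x01\x01\x08\x0a" + struct.pack("!II", 3625582596, 2976191555)
    return build_frame("10.166.251.140", "10.157.45.226", 33126, 21,
                       seq=0x1A2B3C4D, ack=0x5E6F7A8B, flags=0x18,
                       window=5840, options=ts_opt,
                       payload=b"USER del5fr06\r\n", tcp_csum=tcp_csum)


if __name__ == "__main__":
    for label, frame in (("good", sample_frame()),
                         ("bad", sample_frame(tcp_csum=0x34E8))):
        r = check_frame(frame)
        print(f"{label}: {len(frame)} bytes on wire, ip_ok={r['ip_ok']}, "
              f"tcp_ok={r['tcp_ok']}, stored=0x{r['tcp_stored']:04x}, "
              f"expected=0x{r['tcp_expected']:04x}")
```

Feed check_frame() the raw bytes of frames exported from a capture; a result with ip_ok True and tcp_ok False is the pattern shown in the trace. As noted above, a capture taken on the sending host with checksum offload enabled reports tcp_ok False for every outbound segment, so use an off-host capture to confirm.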