Hi all,

This post relates to a previous post of mine on asymmetrically routed UDP traffic: https://puck.nether.net/pipermail/juniper-nsp/2012-December/024878.html

It seems as though a J/SRX in flow mode will drop ICMP packets such as unreachable and ttl-exceeded if, after consulting the session table, an entry corresponding to the header embedded in the ICMP packet is not found. In other words, "I'm gonna drop any ICMP packets[1] I see if I didn't handle the associated conversation".

Assume I send a UDP packet between hosts "A" and "D" and it's routed outbound via SRX "B", and for whatever reason an ICMP unreachable or ttl-exceeded is generated (think traceroute). If that ICMP packet is sent towards host "D" not via SRX "B" but via SRX "C", SRX "C" drops it (src/dst IPs replaced with "A" and "D"):

Jan 23 14:53:45 14:53:44.938394:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT: st0.1033:"D"->"A", icmp, (3/3)
Jan 23 14:53:45 14:53:44.938424:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT: find flow: table 0x63ce7688, hash 494060(0x7ffff), sa "D", da "A", sp 33438, dp 47488, proto 17, tok 7
Jan 23 14:53:45 14:53:44.938483:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT: packet dropped, no session found for embedded icmp pak
Jan 23 14:53:45 14:53:44.938495:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT: flow find session returns error.

Seems like perfectly reasonable behaviour for a firewall, right? Right, except when it's not :-)

Can this behaviour be modified without fully or selectively running in packet mode? I'm running JUNOS 10.4R11.

Cheers,
Dale

[1] Well, any ICMP packets that include a copy of the original datagram's header: echo request/reply are forwarded (subject to being permitted by security policy, of course).

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
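As an added illustration of the check the trace above shows (this is a model written for this page, not Junos code or anything from the original post), the following builds the traceroute-style probe and the time-exceeded reply, extracts the embedded 5-tuple the way the "find flow" line reports it, and shows why SRX "B" would forward the ICMP while SRX "C" drops it. Addresses, ports and the session-table layout are assumptions; only the port numbers and the drop message come from the trace.

```python
import struct
# Model of the flow-mode check from the post: an ICMP error (type 3 unreachable,
# type 11 time-exceeded) quotes the offending datagram's IP header plus 8 bytes,
# and the firewall drops it unless a session matching that embedded header exists.

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; length fixed at 28, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def udp_probe(src, dst, sp, dp, ttl=1):
    """Traceroute-style UDP probe: IP header plus a bare 8-byte UDP header."""
    return ipv4_header(src, dst, 17, ttl) + struct.pack("!HHHH", sp, dp, 8, 0)

def icmp_error(src, dst, icmp_type, code, original):
    """ICMP error from src to dst quoting the first 28 bytes of the original."""
    return ipv4_header(src, dst, 1) + struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]

def embedded_tuple(pkt):
    """(sa, da, sp, dp, proto) of the datagram quoted in an ICMP error, else None."""
    if pkt[9] != 1 or pkt[20] not in (3, 11):      # not an ICMP error message
        return None
    inner = pkt[28:]                               # skip outer IP (20) + ICMP (8)
    ihl = (inner[0] & 0x0F) * 4
    sa = ".".join(map(str, inner[12:16]))
    da = ".".join(map(str, inner[16:20]))
    sp, dp = struct.unpack("!HH", inner[ihl:ihl + 4])
    return sa, da, sp, dp, inner[9]

def install_session(table, sa, da, sp, dp, proto):
    table.add((sa, da, sp, dp, proto))             # a session has two wings,
    table.add((da, sa, dp, sp, proto))             # so store both directions

def flow_decision(table, pkt):
    """Lookup as the trace shows: the ICMP flows back toward the original source,
    so the key is the embedded tuple reversed (sa/da and sp/dp swapped)."""
    t = embedded_tuple(pkt)
    if t is None:
        return "forwarded: no embedded header to check"
    sa, da, sp, dp, proto = t
    if (da, sa, dp, sp, proto) in table:
        return "forwarded: session found"
    return "packet dropped, no session found for embedded icmp pak"

# Constructed scenario from the post: A -> D probe leaves through SRX B; D's
# time-exceeded reply returns through SRX C, which never saw the probe.
A, D = "192.0.2.10", "198.51.100.20"
probe = udp_probe(A, D, 47488, 33438)
reply = icmp_error(D, A, 11, 0, probe)
SRX_B, SRX_C = set(), set()
install_session(SRX_B, A, D, 47488, 33438, 17)
```

Echo request/reply carry no embedded header, so they take the first return path, matching footnote [1]; only the error types are subject to the session check.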