Quantcast
Channel: All SRX Services Gateway posts
Viewing all 17645 articles
Browse latest View live

Re: RT_ALG_WRN_CFG_NEED

May 19, 2019, 9:33 pm
$
0
0

Hi all,

I have persistent & consistent the following logs, it is being generating every 4 seconds. It seems that by default MSRPC is enabled.

In order to get some logs via traceoptions about denied the associated traffic (MSRPC ALG), I created the follwing traceoptions with packet filter but I couldn't see any deny in the whole log files -alg_deny. 

If this log -MSRPC being denied, I should be seeing a deny traffic. But not... Where is my mistake or where am I not doing correct troubleshooting? Any ideas please? 

 

May 20 14:07:33 VItSRX320 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.10.3.29/57624 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

 

VItSRX320> show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Enabled
SCCP : Disabled
SIP : Disabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled

VItSRX320>

 

VItSRX320>show configuration security | display set | match alg
set security alg sccp disable
set security alg sip disable

 

My traceoptions with the filter:

set security flow traceoptions file alg_deny files 2 size 1m world-readable
set security flow traceoptions flag all
set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29

 

 

VItSRX320>file list detail /var/log/ | match alg
-rw-r--r-- 1 root wheel 767199 May 20 13:41 alg_deny
-rw-r--r-- 1 root wheel 84685 May 20 13:40 alg_deny.0.gz

Thanks

Arix

 

Search

Re: RT_ALG_WRN_CFG_NEED

May 19, 2019, 10:04 pm
$
0
0

Hello,

 

I would suggest to not use the flag all in the flow traceoptions. This logs a lot of background noise.

 

Use the traceoptions flag basic-datapath. Additionally, also setup the filter for anything destined to 10.10.3.29 as well.

 

set security flow traceoptions file alg_deny files 2 size 1m world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29

set security flow traceoptions packet-filter packet_filter2 destination-prefix 10.10.3.29

 

Regards,

 

Vikas

Re: Can SRX series work with Shrew Soft VPN client?

May 20, 2019, 2:00 am
$
0
0

Hi to all,

I'm configuring this in a SRX345 and I'm not able to mantain the tunnel activated and enable... The tunnel is disabled in about 60 seconds... I have configured the times for ike and Ipsec (180 and 28800 seconds) how is said in the thread, but the tunnel is deactivated automatically...

In the Shrew VPN trace I can see " ii:received peer DELETE message" sended by the gateway (the SRX345 in this case) then the VPN client delete the ike phase 1.

I'm searching on Google, but I only get threads that talk about the times, but this does not solve my problem. Any ideas on this?

I have an SRX345 with 15.1X49-160.2 and Shrew VPN client 2.2.2 version.

Thanks in advance!!

Regards,

David

Re: Can SRX series work with Shrew Soft VPN client?

May 20, 2019, 2:51 am
$
0
0

I would start by changing the 180 ike timeout to something more usual like 3600.

I suspect the very short duration is at least part of the issue.

 

Re: SRX100 virtual instances routing to "wan"

May 20, 2019, 8:07 am
$
0
0

Hello h3xv3x,

 

Unfortunately,  NAT is security feature and is NOT supported in the "PACKET MODE".

 

Refer:-KB21697

 

If using NAT is the only possible solution in your environment, I will suggest you to use flow mode, with following settings: -

 

1. Create a single zone with "interfaces all".

e.g.

set security zones security-zone ALL interfaces all host-inbound-traffic system-services all
set security zones security-zone ALL interfaces all host-inbound-traffic protocols all

 

2. Use the default permit policy.

 

set security policies default-policy permit-all

 

3. Ignore default TCP checks.

 

set security flow tcp-session no-syn-check

set security flow tcp-session no-sequence-check

 

 

4. Now you can configure the source NAT as following: -

 

set security nat source rule-set WAN_NAT from zone ALL
set security nat source rule-set WAN_NAT to interface fe-0/0/0.0
set security nat source rule-set WAN_NAT rule INTERFACE match source-address 0.0.0.0/0
set security nat source rule-set WAN_NAT rule INTERFACE then source-nat interface

 

Hopefully this helps!

Account Works in SSH but not HTTP after Firmware Upgrade

May 20, 2019, 11:29 am
$
0
0

This morning I upgraded our SRX100 firmware to the latest version available to us (12.1X46-D86).  The upgrade completed successfully, though afterward I could no longer sign into the GUI (the GUI loads, and when I input credentials, I get "Invalid username or password specified").  I can confirm that this username and password are accurate as I can still log in via serial and SSH connections.  I tried rebooting the system, and the behavior remains.  I also tried removing HTTP access then reinstating it, again with no improvement.  Lastly, I tried creating a new username and password via CLI (with super-user status) and that isn't working either.  Since the SRX100 passed into EOL 10 days ago, Juniper is unable to provide support.  Does anybody have recommendations on how to bring the SRX100 web interface back online?  Thanks in advance!

Zone_Communication

May 20, 2019, 12:11 pm
$
0
0

Hi All ,

 

I have some challenges with below setup kindly provide your valuable inputs to get going with the same 

 

Zone Name - Untrust Eth0/0

Zone Name - Trust Eth0/3 & below are configure as sub interfaces

            Vlan 100 - 192.168.1.1/24 and i have device on LAN i.e. 192.168.1.254/24 on Core Switch

            Vlan 105 - 192.168.2.1/24

Zone Name - Connector Eth0/5 on SSG5 

           ip : 192.168.3.1/24 on SSG5 and

           ip : 192.168.3.2/24 on router connecting to SSG5 on Eth0/5

           and on router LAN i have a device with ip 192.168.4.254/24 

           

 

Goal : Reachability between 192.168.1.254 and 192.168.4.254 but via 192.168.2.1 i.e. when i try to reach from 192.168.1.254 it should reach 192.168.4.254 as 192.168.2.2 and when 192.168.4.254 tries to reach 192.168.2.2 it should then NAT to 192.168.1.254 

 

in short NAT should work from 192.168.1.254 to 192.168.2.2 for outgoing traffic and 192.168.2.2 NATed to 192.168.1.254 for incoming traffic

 

Regards

Ziad

Re: Zone_Communication

May 20, 2019, 5:00 pm
$
0
0
Hello All ,

Any suggestions

Regards
Ziad
Search

Re: Zone_Communication

May 20, 2019, 5:11 pm
$
0
0

Hi shaan129,

 

Based on your explanation, and understanding you are using a SSG firewall, what you need to conifgure if MIP (static NAT):

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10923&actp=METADATA

 

You could follow that article, just need to see it in the following way: 

 

  • The Internal host mentioned on that article (192.168.1.100) will be 192.168.1.254 in your scenario.
  • The public interface and address mentioned in that article (eth0/0 and 1.1.1.250) will be interface  eth0/5 and address 192.168.2.2 in your scenario.
  • Zone Untrust in above article will be your Connector zone.
  • Dont forget you will need a secuirty-policy between zones Trust and Connector and vice versa  to allow these communications as shown on that article as well.

Please let me know if you have further questions.

 

Re: Zone_Communication

May 20, 2019, 5:33 pm
$
0
0

MIP (Static NAT) configuration will be similar to the following one:

 

 MIP Rule:

set interface "ethernet0/5" mip 192.168.2.2 host 192.168.1.254 netmask 255.255.255.255 vr "[Virtual_Router]"

 

Security-policy for allowing connections from 192.168.4.254 to 192.168.2.2 (eventually 192.168.1.254):

set policy from "Connector" to "Trust" "Any" "MIP(192.168.2.2)" "Any" permit

 

Security-policy for allowing connections from 192.168.1.254 to 192.168.4.254:

set policy from "Trust" to "Connector" "Any" "Any" "Any" permit

 

Dont forget the SSG has to have a route to reach 192.168.4.0/24 and that the remote router connected to eth0/5 also has to have a route to reach the 192.168.2.0/24 subnet.

 

I hope this helps you, please mark the post as Resolved if it applies.

 

 

Re: Why i hate srx and will replace it with fortigate soon

May 20, 2019, 9:52 pm
$
0
0

SRX is highly vulnerable to file system error (like file system unclean after reboot due to power failure) that stops the boot sequence.

Re: RT_ALG_WRN_CFG_NEED

May 20, 2019, 9:56 pm
$
0
0

Hi All,

1-) This time I performed the following modified traceoptions and its output has showed that there is no any deny traffic that sourced and destinated 10.10.3.29 on srx. 

set security flow traceoptions file alg_deny files 2 size 1m world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29
set security flow traceoptions packet-filter packet_filter2 destination-prefix 10.10.3.29

 

The following log is still generating every 8 seconds on the branch srx. I am not sure but when searching this log, many engineers in Juniper discussing board are pointing this traffic on MSRPC ALG is being blocked as the MSRPC ALG is enabled as default on srx. But traceoptions has just showed there is no any drop or denied traffic on MSRPC . You can have a look at the attached traceoptions files if I can attach...

 

>show security alg status | match msrpc
MSRPC : Enabled

 

junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.10.3.29/53835 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

 

 

2-) From teh same traceoptions outputs I have accidently seen the following info related to fregmentation. This is another concern. Currently configured tcp mss value is 1450 on branch site. Can I ask please about fregmentation is being occurring or? If so, what should be done for establishing symetric mss value between end to end?

 

remote site network---ex-------srx(320)------Ipsec vpn------srx(datacentre)------

 

May 21 08:40:17 08:40:17.513197:CID-0:RT:MSS found 0x 5b4

May 21 08:40:17 08:40:17.513197:CID-0:RT: rewrite TCP MSS, new MSS: 1450, old MSS: 1460

 

> show configuration security flow | display set
set security flow tcp-mss all-tcp mss 1450
set security flow tcp-session no-syn-check
set security flow tcp-session no-syn-check-in-tunnel
set security flow tcp-session no-sequence-check

 

Thanks 

Ar

Re: Account Works in SSH but not HTTP after Firmware Upgrade

May 20, 2019, 10:12 pm
$
0
0

Hi,

Its same as this , already reported .
 
https://forums.juniper.net/t5/SRX-Services-Gateway/Jweb-Incorrect-user-password-after-Junos-upgrade-on-SRX/m-p/462703#M53463

 

I see the same issue on an SRX running 12.1X46-D86. After upgrade, J-web login fails,while SSH works fine. J-Web shows the following message- Invalid username or password specified - both for root as well as non-root user login attempts.

 

May 18 10:21:19 SRX checklogin[1806]: warning: can't get client address: Bad file descriptor
May 18 10:21:19 SRX checklogin[1806]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username root)
May 18 10:21:35 SRX checklogin[1810]: warning: can't get client address: Bad file descriptor
May 18 10:21:35 SRX checklogin[1810]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username pradeep)
May 18 10:22:08 SRX sshd[1813]: unlink(): failed to delete .perm file: No such file or directory
May 18 10:22:08 SRX sshd[1811]: Accepted keyboard-interactive/pam for pradeep from 10.10.10.1 port 54074 ssh2
May 18 10:22:11 SRX mgd[1816]: UI_AUTH_EVENT: Authenticated user 'pradeep' at permission level 'j-operator'

Seems to be an issue with this particular Junos version. Will update this thread later, if there is any fix.

 

Re: RT_ALG_WRN_CFG_NEED

May 20, 2019, 10:22 pm
$
0
0

Hello,

 

Thanks for taking that. My observations

 

> The flow traceoptions ran for about 20mins and no drops seen

> Flow processing shows the traffic passed

> So definitely it is not dropped by the flow module which incidently also involved in ALG processing

> Prima facie the logs seem to be non impacting

> I would be interested in seeing a pcap of traffic in and out of the firewall to check if anything is really dropped

> You can do a pcap on ingress and egress interfaces to see what we get

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

 

Regards,

 

Vikas

 

PS: Be sure to delete traceoptions

 

Re: RT_ALG_WRN_CFG_NEED

May 20, 2019, 11:29 pm
$
0
0

Hi Arix,

 

I believe that the SRX is definitely dropping those packets, however Im not sure if you will see that in the flow traceoptions file. The SRX is reporting that in order to let the packets pass it needs extra configuration that is pretty much configuring the SRX to permit users connecting to UUIDs unknown to the SRX. You might configure MS-RPC traceoptions to dig further:

 

 

# set security alg ms-rpc traceoptions flag all
# set security alg traceoptions file MS-RPC-TRACE size 1g
# set security alg traceoptions level verbose
# commit
# run show log MS-RPC-TRACE

 

 

Also you could try using the flag "error" instead of the flag "basic-datapath" in the security flow traceoptions. You can upload the files when you post a coment.

 

First question: how is the security-policy, that is allowing the communications, configured? Are you specifically referencing the MS-RPC application or you are just using "application any"?

 

MS-RPC is used by windows devices to communicate processes running on different devices; these remote processes are identified by UUIDs.

The device acting as the client will first establish a connection via port 135 and will ask for the dynamic port on which a specific service (UUID) is listening on the remote end. The device acting as the server will provide this information and the client will open a new session on that dynamic port (a high random port). Ideally we dont configure security-policies that permit traffic on all ports so when you reference the ms-rpc application on a security-policy it only permits port 135 and the SRX listens to the communications between the client the server in order to determine what is the high random port that will be used next, and the SRX allows communications from the client on that port only, blocking traffic on any other non-negotiated port. Thats pretty much the funtionality of the MS-RPC ALG. However is very common that from specific zones we dont need that much of security and sometimes we can have a security-policy allowing all the traffic from a specific zone to another zone.

 

Second question: Can you disable MS-RPC ALG? If your security policy is configured for "application any" I believe there should not be any problem on disabling the ALG:

 

 

# set security alg ms-rpc disable
# commit
# run show security alg status

 

Based on the logs the UUIDs not being recognized are related to:

 

MS-NETLOGON12345678-1234-abcd-ef00-01234567cffb     and      12345778-1234-abcd-ef00-0123456789ab

WMIC-Webm-Level1Login: f309ad18-d86a-11d0-a075-00c04fb68820

 

Refences: 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-rpc-alg.html

https://kb.juniper.net/InfoCenter/index?page=content&id=KB12057

 

 

Please share the following operational commands:

 

show security alg ms-rpc

show security resource-manager summary

show security resource-manager resource active

show security resource-manager group active

show security flow session resource-manger summary

 

If you can determine that the logs are cosmetic and that no packet drops are happening you could always avoid those logs from you being written to your log file:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB9382

 

Hope this helps. Please my mark my post a Solution if it applies.

 

 

Search

Re: RT_ALG_WRN_CFG_NEED

May 20, 2019, 11:33 pm
$
0
0

Forgot to mention that you could also configure the "junos-ms-rpc-any" application on your security-policy as the log states.

 

Hope this helps.

 

Re: Account Works in SSH but not HTTP after Firmware Upgrade

May 20, 2019, 11:51 pm
$
0
0

Hi pcamis,

 

I believe this is a bug so if you are able to open a JTAC case it will be great. For testing purposes can you confirm if you have the following line in your configuration. If not, please add it and try again.

 

set system syslog file messages any any

 

Also in the meantime you could downgrade the junos version so you dont run in to this issue. As stated you are not the only one seeing the problem so I guess it will be fixed soon. Please let us know.

 

Re: Account Works in SSH but not HTTP after Firmware Upgrade

May 20, 2019, 11:56 pm
$
0
0

Hi.

 

We see the same on a couple of SRX210 devices, both SRX210H and SRX210HE.

 

Is there only way to wait for a new firmware or is there some other way to solve this ?

 

 

Re: Account Works in SSH but not HTTP after Firmware Upgrade

May 21, 2019, 12:06 am
$
0
0

TRK,

 

The issue also started when upgraded to 12.1X46-D86? Can you confirm the information I requested in my previous comment?

 

As of now it looks like downgrading to previous junos version is the only option that has been mentioned. It will be great if someone can confirm if the issue gets fixed when downgraded to previous version.

 

Re: Zone_Communication

May 21, 2019, 2:05 am
$
0
0

Hi , 

 

The Routes are in place on both ends on End Router & also in SSG5 the only thing that is not happening is communication between 192.168.4.254 & 192.168.2.2(Actually 192.168.1.254) & 192.168.1.254(Actually 192.168.2.2) & 192.168.4.254.

 

The issue seems to be with NATing on the SSG5 .'

 

Attaching image for better understanding 

 

Regards

shaan129

Viewing all 17645 articles
Browse latest View live
Search