Channel: All SRX Services Gateway posts
Re: RT_ALG_WRN_CFG_NEED

Hi All,

1-) This time I ran the following modified traceoptions, and their output showed that there is no denied traffic sourced from or destined to 10.10.3.29 on the SRX.

set security flow traceoptions file alg_deny files 2 size 1m world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter packet_filter1 source-prefix 10.10.3.29
set security flow traceoptions packet-filter packet_filter2 destination-prefix 10.10.3.29

 

The following log is still being generated every 8 seconds on the branch SRX. I am not sure, but when searching for this log, many engineers on the Juniper discussion board point out that this traffic is being blocked by the MSRPC ALG, as the MSRPC ALG is enabled by default on the SRX. But traceoptions has just shown that there is no dropped or denied traffic on MSRPC. You can have a look at the attached traceoptions files if I can attach...

 

>show security alg status | match msrpc
MSRPC : Enabled

 

junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.10.3.29/53835 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session

 

 

2-) In the same traceoptions output I accidentally saw the following info related to fragmentation. This is another concern. The currently configured TCP MSS value is 1450 on the branch site. Can I please ask whether fragmentation is occurring or not? If so, what should be done to establish a symmetric MSS value end to end?

 

remote site network---ex-------srx(320)------Ipsec vpn------srx(datacentre)------

 

May 21 08:40:17 08:40:17.513197:CID-0:RT:MSS found 0x 5b4

May 21 08:40:17 08:40:17.513197:CID-0:RT: rewrite TCP MSS, new MSS: 1450, old MSS: 1460

 

> show configuration security flow | display set
set security flow tcp-mss all-tcp mss 1450
set security flow tcp-session no-syn-check
set security flow tcp-session no-syn-check-in-tunnel
set security flow tcp-session no-sequence-check

 

Thanks 

Ar

