Mailing List Archive: nsp: juniper

SRX DNS Forwarding - helpers domain


flip at flipstar

Jun 26, 2012, 6:03 AM

Post #1 of 3 (593 views)
SRX DNS Forwarding - helpers domain

Hey everybody,

I wonder if anybody is successfully using "forwarding-options helpers domain" (DNS) [1] on branch SRX?

In my setup the client queries the srx which forwards the request to the dns server.
The dns sends a reply that never passes the srx back to the client.

     Client                   SRX                 DNS
192.168.200.105   ->      192.168.200.1   ->   10.100.1.20
                       x                 <-

Junos 11.4R3.7

pw [at] srx650-# show forwarding-options helpers domain
server 10.100.1.20;
interface {
    reth0.1052;
    reth0.1053;
    reth0.1051;
}

The reply from the dns server is dropped in the srx :-(


Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:<10.100.1.20/53->192.168.200.105/51651;17> matched filter dns_to_cli:
Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:packet [68] ipid = 64549, @43e92fa4
Jun 26 14:51:17 14:51:16.1467700:CID-1:RT:---- flow_process_pkt: (thd 4): flow_ctxt type 14, common flag 0x0, mbuf 0x43e92d80, rtbl_idx = 0
Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: flow process pak fast ifl 107 in_ifp reth0.1051
Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: find flow: table 0x51f8bd18, hash 42509(0xffff), sa 10.100.1.20, da 192.168.200.105, sp 53, dp 51651, proto 17, tok 10
Jun 26 14:51:17 14:51:16.1467768:CID-1:RT: flow got session.
Jun 26 14:51:17 14:51:16.1467768:CID-1:RT: flow fast tcp/udp session id 268027
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: route lookup failed: dest-ip 192.168.200.105 orig ifp .local..0 output_ifp reth0.1052 fto 0x492786e8 orig-zone 2 out-zone 11 vsd 0
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: packet dropped, pak dropped since re-route failed
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Regards
flip


[1] https://www.juniper.net/techpubs/en_US/junos11.4/topics/usage-guidelines/policy-configuring-dns-and-tftp-packet-forwarding.html
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp
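
Added example, not part of the original thread: a small parser that groups SRX flow trace lines per packet and reports only the packets the flow module dropped, with the interfaces, zone IDs and drop reason the trace gives. The trace lines are copied from the post above; the function and field names are this example's own.

```python
import re

# Flow trace lines copied from the post above.
TRACE = """\
Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:<10.100.1.20/53->192.168.200.105/51651;17> matched filter dns_to_cli:
Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:packet [68] ipid = 64549, @43e92fa4
Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: flow process pak fast ifl 107 in_ifp reth0.1051
Jun 26 14:51:17 14:51:16.1467768:CID-1:RT: flow fast tcp/udp session id 268027
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: route lookup failed: dest-ip 192.168.200.105 orig ifp .local..0 output_ifp reth0.1052 fto 0x492786e8 orig-zone 2 out-zone 11 vsd 0
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: packet dropped, pak dropped since re-route failed
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

# "<src/sport->dst/dport;proto> matched filter NAME:" opens a packet record.
HEADER = re.compile(r"<(\S+?)/(\d+)->(\S+?)/(\d+);(\d+)> matched filter (\S+?):")
FIELDS = {
    "in_ifp": re.compile(r"in_ifp (\S+)"),
    "session": re.compile(r"session id (\d+)"),
    "out_ifp": re.compile(r"output_ifp (\S+)"),
    "orig_zone": re.compile(r"orig-zone (\d+)"),
    "out_zone": re.compile(r"out-zone (\d+)"),
    "drop": re.compile(r"packet dropped,\s*(.+)$"),
}

def dropped_packets(trace):
    """Group trace lines per packet and return only the dropped ones."""
    packets, cur = [], None
    for line in trace.splitlines():
        m = HEADER.search(line)
        if m:
            cur = dict(zip(("src", "sport", "dst", "dport", "proto"), m.groups()[:5]))
            cur["filter"] = m.group(6)
            packets.append(cur)
            continue
        if cur is None:
            continue  # ignore lines before the first packet header
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                cur[key] = m.group(1).strip()
    return [p for p in packets if "drop" in p]

if __name__ == "__main__":
    for p in dropped_packets(TRACE):
        print("{src}:{sport} -> {dst}:{dport} proto {proto} ({filter})".format(**p))
        print("  in", p.get("in_ifp"), "out", p.get("out_ifp"),
              "zones", p.get("orig_zone"), "->", p.get("out_zone"))
        print("  session", p.get("session"), "reason:", p["drop"])
```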


xmin0s at gmail

Jun 26, 2012, 7:05 AM

Post #2 of 3 (577 views)
Re: SRX DNS Forwarding - helpers domain [In reply to]

A quick search on that error message says it's a return routing issue.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21363&cat=JUNOS&actp=LIST


-Tim Eberhard

On Tue, Jun 26, 2012 at 8:03 AM, flip [at] flipstar <flip [at] flipstar> wrote:
> Hey everybody,
>
> I wonder if anybody is successfully using "forwarding-options helpers
> domain" (DNS) [1] on branch SRX?
>
> In my setup the client queries the srx which forwards the request to the dns
> server.
> The dns sends a reply that never passes the srx back to the client.
>
>      Client                   SRX                 DNS
> 192.168.200.105   ->      192.168.200.1   ->   10.100.1.20
>                        x                 <-
>
> Junos 11.4R3.7
>
> pw [at] srx650-# show forwarding-options helpers domain
> server 10.100.1.20;
> interface {
>    reth0.1052;
>    reth0.1053;
>    reth0.1051;
> }
>
> The reply from the dns server is dropped in the srx :-(
>
>
> Jun 26 14:51:17
> 14:51:16.1467499:CID-1:RT:<10.100.1.20/53->192.168.200.105/51651;17> matched
> filter dns_to_cli:
> Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:packet [68] ipid = 64549,
> @43e92fa4
> Jun 26 14:51:17 14:51:16.1467700:CID-1:RT:---- flow_process_pkt: (thd 4):
> flow_ctxt type 14, common flag 0x0, mbuf 0x43e92d80, rtbl_idx = 0
> Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: flow process pak fast ifl 107
> in_ifp reth0.1051
> Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: find flow: table 0x51f8bd18, hash
> 42509(0xffff), sa 10.100.1.20, da 192.168.200.105, sp 53, dp 51651, proto
> 17, tok 10
> Jun 26 14:51:17 14:51:16.1467768:CID-1:RT:  flow got session.
> Jun 26 14:51:17 14:51:16.1467768:CID-1:RT: flow fast tcp/udp session id
> 268027
> Jun 26 14:51:17 14:51:16.1467784:CID-1:RT:  route lookup failed: dest-ip
> 192.168.200.105 orig ifp .local..0 output_ifp reth0.1052 fto 0x492786e8
> orig-zone 2 out-zone 11 vsd 0
> Jun 26 14:51:17 14:51:16.1467784:CID-1:RT:  packet dropped,   pak dropped
> since re-route failed
>
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp
> rc -1)
>
>
> Regards
> flip
>
>
> [1]
> https://www.juniper.net/techpubs/en_US/junos11.4/topics/usage-guidelines/policy-configuring-dns-and-tftp-packet-forwarding.html


flip at flipstar

Jun 26, 2012, 11:17 PM

Post #3 of 3 (568 views)
Re: SRX DNS Forwarding - helpers domain [In reply to]

Thanks for the hint Tim.

The workaround is not too practical in my case - hope this
gets fixed soon.

Regards
flip

On 26.06.2012 16:05, Tim Eberhard wrote:
> A quick search on that error message says it's a return routing issue.
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB21363&cat=JUNOS&actp=LIST
>
>
> -Tim Eberhard
>
> On Tue, Jun 26, 2012 at 8:03 AM, flip [at] flipstar<flip [at] flipstar> wrote:
>> Hey everybody,
>>
>> I wonder if anybody is successfully using "forwarding-options helpers
>> domain" (DNS) [1] on branch SRX?
>>
>> In my setup the client queries the srx which forwards the request to the dns
>> server.
>> The dns sends a reply that never passes the srx back to the client.
>>
>>      Client                   SRX                 DNS
>> 192.168.200.105   ->      192.168.200.1   ->   10.100.1.20
>>                        x                 <-
>>
>> Junos 11.4R3.7
>>
>> pw [at] srx650-# show forwarding-options helpers domain
>> server 10.100.1.20;
>> interface {
>> reth0.1052;
>> reth0.1053;
>> reth0.1051;
>> }
>>
>> The reply from the dns server is dropped in the srx :-(
>>
>>
>> Jun 26 14:51:17
>> 14:51:16.1467499:CID-1:RT:<10.100.1.20/53->192.168.200.105/51651;17> matched
>> filter dns_to_cli:
>> Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:packet [68] ipid = 64549,
>> @43e92fa4
>> Jun 26 14:51:17 14:51:16.1467700:CID-1:RT:---- flow_process_pkt: (thd 4):
>> flow_ctxt type 14, common flag 0x0, mbuf 0x43e92d80, rtbl_idx = 0
>> Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: flow process pak fast ifl 107
>> in_ifp reth0.1051
>> Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: find flow: table 0x51f8bd18, hash
>> 42509(0xffff), sa 10.100.1.20, da 192.168.200.105, sp 53, dp 51651, proto
>> 17, tok 10
>> Jun 26 14:51:17 14:51:16.1467768:CID-1:RT: flow got session.
>> Jun 26 14:51:17 14:51:16.1467768:CID-1:RT: flow fast tcp/udp session id
>> 268027
>> Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: route lookup failed: dest-ip
>> 192.168.200.105 orig ifp .local..0 output_ifp reth0.1052 fto 0x492786e8
>> orig-zone 2 out-zone 11 vsd 0
>> Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: packet dropped, pak dropped
>> since re-route failed
>>
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp
>> rc -1)
>>
>>
>> Regards
>> flip
>>
>>
>> [1]
>> https://www.juniper.net/techpubs/en_US/junos11.4/topics/usage-guidelines/policy-configuring-dns-and-tftp-packet-forwarding.html