Hey everybody,

I wonder if anybody is successfully using "forwarding-options helpers domain" 
(DNS) [1] on branch SRX?

In my setup the client queries the SRX, which forwards the request to the DNS
server.
The DNS sends a reply that never passes the SRX back to the client.

      Client                   SRX                 DNS
192.168.200.105   ->      192.168.200.1   ->   10.100.1.20
                        x                 <-

Junos 11.4R3.7

pw@srx650-1# show forwarding-options helpers domain
server 10.100.1.20;
interface {
    reth0.1052;
    reth0.1053;
    reth0.1051;
}

The reply from the DNS server is dropped in the SRX :-(


Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:<10.100.1.20/53->192.168.200.105/51651;17> matched filter dns_to_cli:
Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:packet [68] ipid = 64549, @43e92fa4
Jun 26 14:51:17 14:51:16.1467700:CID-1:RT:---- flow_process_pkt: (thd 4): flow_ctxt type 14, common flag 0x0, mbuf 0x43e92d80, rtbl_idx = 0
Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: flow process pak fast ifl 107 in_ifp reth0.1051
Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: find flow: table 0x51f8bd18, hash 42509(0xffff), sa 10.100.1.20, da 192.168.200.105, sp 53, dp 51651, proto 17, tok 10
Jun 26 14:51:17 14:51:16.1467768:CID-1:RT:  flow got session.
Jun 26 14:51:17 14:51:16.1467768:CID-1:RT: flow fast tcp/udp session id 268027
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT:  route lookup failed: dest-ip 192.168.200.105 orig ifp .local..0 output_ifp reth0.1052 fto 0x492786e8 orig-zone 2 out-zone 11 vsd 0
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT:  packet dropped,   pak dropped since re-route failed
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Regards
flip


[1] https://www.juniper.net/techpubs/en_US/junos11.4/topics/usage-guidelines/policy-configuring-dns-and-tftp-packet-forwarding.html
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
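
Added example, not part of the original post: a small Python parser for the flow trace lines quoted above, which gathers each traced packet's 5-tuple, ingress and egress interface, zones and drop reason into one record. The regular expressions are written against the line format shown in this post only (an assumption; other Junos releases may log differently), and the sample lines are copied from the post with the mail line-wraps rejoined.

```python
import re

# Trace lines copied from the post above (mail line-wraps rejoined).
TRACE = """\
Jun 26 14:51:17 14:51:16.1467499:CID-1:RT:<10.100.1.20/53->192.168.200.105/51651;17> matched filter dns_to_cli:
Jun 26 14:51:17 14:51:16.1467700:CID-1:RT: flow process pak fast ifl 107 in_ifp reth0.1051
Jun 26 14:51:17 14:51:16.1467768:CID-1:RT: flow fast tcp/udp session id 268027
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT:  route lookup failed: dest-ip 192.168.200.105 orig ifp .local..0 output_ifp reth0.1052 fto 0x492786e8 orig-zone 2 out-zone 11 vsd 0
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT:  packet dropped,   pak dropped since re-route failed
Jun 26 14:51:17 14:51:16.1467784:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ ([\d:.]+):CID-\d+:RT:(.*)$")
START = re.compile(r"<([\d.]+)/(\d+)->([\d.]+)/(\d+);(\d+)>\s+matched filter (\w+)")
FIELDS = {  # per-packet details, keyed by the dict entry they fill
    "in_ifp": re.compile(r"\bin_ifp (\S+)"),
    "session": re.compile(r"session id (\d+)"),
    "orig_ifp": re.compile(r"route lookup failed: .*orig ifp (\S+)"),
    "output_ifp": re.compile(r"route lookup failed: .*output_ifp (\S+)"),
    "zones": re.compile(r"orig-zone (\d+) out-zone (\d+)"),
    "drop_reason": re.compile(r"packet dropped,\s*(.+?)\s*$"),
    "rc": re.compile(r"flow_process_pkt rc (0x[0-9a-f]+)"),
}

def parse_trace(text):
    """Return one dict per traced packet, started by its 'matched filter' line."""
    packets = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # caret markers, blank lines, wrapped fragments
        ts, msg = m.groups()
        start = START.search(msg)
        if start:
            src, sp, dst, dp, proto, flt = start.groups()
            packets.append({"ts": ts, "src": src, "sport": int(sp), "dst": dst,
                            "dport": int(dp), "proto": int(proto), "filter": flt})
        elif packets:
            for key, rx in FIELDS.items():
                hit = rx.search(msg)
                if hit:
                    packets[-1][key] = hit.group(1) if rx.groups == 1 else hit.groups()
    return packets

if __name__ == "__main__":
    for p in (p for p in parse_trace(TRACE) if "drop_reason" in p):
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} in={p.get("in_ifp")} '
              f'out={p.get("output_ifp")} zones={p.get("zones")}: {p["drop_reason"]}')
```

For the trace in this post the record shows the reply arriving on reth0.1051 while the failed route lookup names reth0.1052 as output_ifp.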