Free Juniper JN0-696 Practice Test & Real Exam Questions
You are asked to troubleshoot a user communication problem. Users connected to the Trust zone cannot communicate with other devices connected to the same zone. These users are able to communicate with other devices in all other zones.
How should you resolve this problem?
Correct Answer: D
-- Exhibit --
user@host> show security flow session interface ge-0/0/10.0
Session ID: 29, Policy name: to-infrastructure/4, Timeout: 1250, Valid
  Resource information : FTP ALG, 1, 0
  In: 10.1.1.213/61892 --> 10.2.2.20/21;tcp, If: ge-0/0/8.0, Pkts: 25, Bytes: 1242
  Out: 10.2.2.20/21 --> 10.1.1.213/61892;tcp, If: ge-0/0/10.0, Pkts: 18, Bytes: 1278
Total sessions: 1

user@host> show interfaces ge-0/0/10 | match zone
  Security: Zone: infrastructure

user@host> show interfaces ge-0/0/8 | match zone
  Security: Zone: finance

user@host> show configuration security policies from-zone infrastructure to-zone finance

user@host> show log flow-traceoptions
Jun 13 14:44:01 14:44:01.059151:CID-0:RT:SPU received an event,type 112, common:3
Jun 13 14:44:01 14:44:01.059151:CID-0:RT:Rcv packet with rtbl idx 0, cos 0
Jun 13 14:44:01 14:44:01.059151:CID-0:RT:SPU processing spu_flushed_pak, flag: 0x2, mbuf:0x423f6100
Jun 13 14:44:01 14:44:01.060343:CID-0:RT:10.2.2.20/20->10.1.1.213/64313;6> matched filter filter2:
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:packet [64] ipid = 1614, @423fd19c
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x423fcf80, rtbl_idx = 0
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/10.0
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: ge-0/0/10.0:10.2.2.20/20->10.1.1.213/64313, tcp, flag 2 syn
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: find flow: table 0x49175b08, hash 34391(0xffff), sa 10.2.2.20, da 10.1.1.213, sp 20, dp 64313, proto 6, tok 8
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: flow_first_create_session
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:-jsf : preset sess plugin info for session 31
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: Allocating plugin info block for plugin(21)
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:[JSF] set ext handle 0x46389be8 for plugin 21 on session 31
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:asl_usp_get_l3_out_ifp_out_tunnel ASL IPV4 out_ifp = ge-0/0/8.0 for dst:10.1.1.213 in vr_id:0
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:SPU invalid session id 00000000
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: jsf drop pak pid 21, jbuf 0x4fcd7038, release hold 0, sess_id 0
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: After jsf gate hit. sid 0xfb39, pid 0, cookie 0x1f, jbuf 0x15. rc = 1
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:RM populated xlate info for nsp2: 10.1.1.213/64313>10.2.2.20/20out_ifp = ge-0/0/8.0, out_tunnel = 0x0
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_in_dst_nat: in 0/10.0>, out 0/8.0> dst_adr 10.1.1.213, sp 20, dp 64313
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_in_dst_nat: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_rule_dst_xlate: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_routing: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_policy_search: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_reverse_mip: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_src_xlate: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_get_out_ifp: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/8.0, addr: 10.1.1.213, rtt_idx:0
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:[JSF]Normal interest check. regd plugins 18, enabled impl mask 0x0
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 21, svc_req 0x0, impl mask 0x0. rc 3
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 25, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 2
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 4294967296, impli mask(0x0), post_nat cnt 31 svc req(0x0)
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:[JSF]c2s order list:
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: 21
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:[JSF]s2c order list:
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: 21
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: service lookup identified service 79.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: flow_first_final_check: in 0/10.0>, out 0/8.0>
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:flow_first_complete_session, pak_ptr: 0x48ae5ba0, nsp: 0x4c38e248, in_tunnel: 0x0
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:construct v4 vector for nsp2
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: existing vector list 82-454e5c90.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: Session (id:31) created for first pak 82
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: flow_first_install_session======> 0x4c38e248
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: nsp 0x4c38e248, nsp2 0x4c38e2c8
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: make_nsp_ready_no_resolve()
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: route lookup: dest-ip 10.2.2.20 orig ifp ge-0/0/10.0 output_ifp ge-0/0/10.0 orig-zone 8 out-zone 8 vsd 0
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: route to 10.2.2.20
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:Doing jsf sess create notify
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:flow_delete_gate: invoked for gate 0x4c077c24 [id 1000003]
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:gate_start_ageout: ageout started for gate 0x4c077c24
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: jsf sess id ignore. sess 31, pid 21, dir 1, st_buf 0x0.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: jsf sess id ignore. sess 31, pid 21, dir 2, st_buf 0x0.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:All plugins have ignored session :31
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: existing vector list 2-454ecbd0.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: existing vector list 2-454ecbd0.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf create notify: plugin id 21. rc 3
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:flow_do_jsf_notify_session_creation(): natp(0x4c38e248): 0 SHORT_CIRCUITED. 0x00000000.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:no need update ha
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:Installing c2s NP session wing
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:Installing s2c NP session wing
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: flow got session.
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: flow session id 31
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: vector bits 0x2 vector 0x454ecbd0
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: tcp flags 0x2, flag 0x2
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: Got syn, 10.2.2.20(20)->10.1.1.213(64313), nspflag 0x1021, 0x20
Jun 13 14:44:01 14:44:01.061475:CID-0:RT:mbuf 0x423fcf80, exit nh 0xa0010
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
-- Exhibit -
While troubleshooting a device, you see that it is permitting packets for which it appears there is no policy.
Using the information in the exhibit, what is causing this behavior?
Correct Answer: C
-- Exhibit --
user@host> show configuration
...
security {
    nat {
        destination {
            pool server {
                address 10.100.100.1/32 port 5555;
            }
            rule-set rule1 {
                from zone UNTRUST;
                rule 1 {
                    match {
                        destination-address 192.168.100.1/32;
                        destination-port 5000;
                    }
                    then {
                        destination-nat pool server;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    192.168.100.1/32;
                }
            }
        }
    }
    policies {
        from-zone UNTRUST to-zone TRUST {
            policy allow {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ping tcp-5000 ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone TRUST {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone UNTRUST {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}
applications {
    application tcp-5000 {
        protocol tcp;
        destination-port 5000;
    }
}
-- Exhibit --
Your customer is attempting to reach a new server that should be accessible publicly using 192.168.100.100 on TCP port 5000, and internally using 10.100.100.1 on TCP port 5555. You notice no sessions form when the customer attempts to access the server.
Referring to the exhibit, what will resolve this problem?
Correct Answer: C
-- Exhibit --
user@host> show log ike-test
...
Jun 13 10:36:52 ike_st_i_cr: Start
Jun 13 10:36:52 ike_st_i_cert: Start
Jun 13 10:36:52 ike_st_i_private: Start
Jun 13 10:36:52 ike_st_o_id: Start
Jun 13 10:36:52 ike_st_o_hash: Start
Jun 13 10:36:52 ike_find_pre_shared_key: Find pre shared key key for 172.168.100.2:500, id = ipv4(udp:500,[0..3]=172.168.100.2) -> 192.168.101.2:500, id = No Id
Jun 13 10:36:52 ike_policy_reply_find_pre_shared_key: Start
Jun 13 10:36:52 ike_calc_mac: Start, initiator = true, local = true
Jun 13 10:36:52 ike_st_o_status_n: Start
Jun 13 10:36:52 ike_st_o_private: Start
Jun 13 10:36:52 ike_policy_reply_private_payload_out: Start
Jun 13 10:36:52 ike_st_o_encrypt: Marking encryption for packet
Jun 13 10:36:52 ike_encode_packet: Start, SA = { 0x86b8160b 93a10c7c - c6c3a771 f0475656 } / 00000000, nego = -1
Jun 13 10:36:52 ike_send_packet: Start, send SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}, nego = -1, src = 172.168.100.2:500, dst = 192.168.101.2:500, routing table id = 0
Jun 13 10:36:52 ike_get_sa: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 } / 4cb03305, remote = 192.168.101.2:500
Jun 13 10:36:52 ike_sa_find: Found SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 }
Jun 13 10:36:52 ike_alloc_negotiation: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}
Jun 13 10:36:52 ike_decode_packet: Start
Jun 13 10:36:52 ike_decode_packet: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656} / 4cb03305, nego = 0
Jun 13 10:36:52 ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..16] = 86b8160b 93a10c7c ..., data[0..113] = 800c0001 80030081 ...
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notification data has attribute list
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notify message version = 1
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload type = 129
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload data offset = 1
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Error text = Incorrect pre-shared key (Reserved not 0)
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending message id = 0x00000000
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
...
Jun 13 10:37:07 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:07 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:07 ike_retransmit_callback: Start, retransmit SA = { 17ef27d0 508bc5db - 00000000 00000000}, nego = -1
Jun 13 10:37:07 ike_send_packet: Start, retransmit previous packet SA = { 17ef27d0 508bc5db - 00000000 00000000}, nego = -1, src = 172.168.100.2:500, dst = 192.168.103.3:500, routing table id = 0
...
Jun 13 10:37:17 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:17 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:19 ike_get_sa: Start, SA = { 4326380f a67dbcf3 - 00000000 00000000 } / 00000000, remote = 192.168.103.2:500
Jun 13 10:37:19 ike_sa_allocate: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d }
Jun 13 10:37:19 ike_init_isakmp_sa: Start, remote = 192.168.103.2:500, initiator = 0
Jun 13 10:37:19 ike_decode_packet: Start
Jun 13 10:37:19 ike_decode_packet: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d} / 00000000, nego = -1
Jun 13 10:37:19 ike_decode_payload_sa: Start
Jun 13 10:37:19 ike_decode_payload_t: Start, # trans = 2
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
Jun 13 10:37:19 ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
Jun 13 10:37:19 ike_st_i_sa_proposal: Start
Jun 13 10:37:19 ike_isakmp_sa_reply: Start
Jun 13 10:37:19 ike_st_i_cr: Start
Jun 13 10:37:19 ike_st_i_cert: Start
Jun 13 10:37:19 ike_st_i_private: Start
Jun 13 10:37:19 ike_st_o_sa_values: Start
Jun 13 10:37:19 172.168.100.2:500 (Responder) -> 192.168.103.2:500 { 4326380f a67dbcf3 - a8307123 9c0e1f9d [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
Jun 13 10:37:19 ike_alloc_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}
Jun 13 10:37:19 ike_encode_packet: Start, SA = { 0x4326380f a67dbcf3 - a8307123 9c0e1f9d } / 1a8c665d, nego = 0
Jun 13 10:37:19 ike_send_packet: Start, send SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0, src = 172.168.100.2:500, dst = 192.168.103.2:500, routing table id = 0
Jun 13 10:37:19 ike_delete_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0
-- Exhibit --
You are asked to set up an IPsec tunnel to the destination 192.168.103.2. After applying the configuration, you notice in the show security ike security-associations output that the destination stays in a down state.
Referring to the exhibit, what is causing the problem?
Correct Answer: B
