Urgent MS RPC + ALG - iisreset through firewall using UUIDs



  • Guys,

    First post on here so please be nice  :roll:

    Basically I have what should be an extremely basic issue with a pair of Netscreen 208 boxes running 5.3.0r3. The issue is with Microsoft RPC traffic and the fact that the dynamic port negotiated between the server + client is NOT created magically and added to the policy as I understood it should be. I have Windows boxes attached to two networks on different interfaces of the firewall with each interface in the trust-vr. The routing is correct and a quick Any/Any rule with logging shows everything working and that is just fine.

    If I disable the Any/Any rule for a moment and add a new rule including all of the standard MS protocol groups including MS-RPC-EPM and MS-RPC-ANY from ethernet1 to ethernet2 I find I can do most things through the box including loading up file shares on servers behind ethernet2 etc. My issue turns up when I try to run an ‘iisreset’ through the firewall from a PC behind ethernet1 to a server behind ethernet2. This time I get this message…

    C:\Documents and Settings\rich.lowton>iisreset webserver1  /restart

    Attempting stop…
    Restart attempt failed.
    The RPC server is unavailable. (2147944122, 800706ba)

    If I enable the Any/Any rule again the command completes and the log shows a random brand new high port (gt 1024) was used between the client and the server - which of course is what RPC does and is what I hoped the MSRPC ALG was supposed to do on my behalf.

    I have had a call open with Netscreen for about 48hrs now but heard nothing so far so thought I’d drop you guys a line and hopefully you might be able to point me in the right direction.

    I’ve also gone further and tried packet decodes on the RPC traffic to glean the UUIDs for the transaction. I am now armed with about five or six UUIDs and have put them into an object called W3SVC under Objects - Services - MS RPC. But this doesn’t do anything I can see. The policy to permit the traffic Any/Any with Protocol W3SVC has also had the Application set to MS_RPC-EPM; is this necessary? How does the netscreen put these automagic rules into the policy?

    Regards
    Rich



  • Hey i am having similar issues. Can you post your solution here please?



  • I have had a call open with Netscreen for about 48hrs now but heard nothing so far

    Rich, I can’t answer your question, but you should probably make contact with your local Juniper SE. JTAC for Netscreen isn’t always the most responsive and most of the time tickets have to be escalated. It is unfortunate, but that’s how it works.

    I will mention that 5.3, all releases have various bugs. This appears to be a painful release for everyone  😞



  • Quote from posting…

    But this doesn’t do anything I can see. The policy to permit the traffic Any/Any with Protocol W3SVC has also had the Application set to MS_RPC-EPM; is this necessary? How does the netscreen put these automagic rules into the policy?

    Cheers Frac, but I already mentioned that the Application (MS_RPC-EPM) had been set (I’ve tried it on and off) - the ALG still does not open this magical port - maybe I’m missing something basic here and if so please accept my apology.

    I have also done a debug on the console for the msrpc traffic and it shows up the UUIDs but even with those added under the MSRPC Service it still doesn’t work.

    Any ideas?

    msrpc debug below…

    2006-05-18 11:49:52 : msrpc_alg_handler: new cookie (id 512) created
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 0
    2006-05-18 11:49:52 : msrpc_co_parse_packet: do not handle fragmented TCP message (size 0)
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 0
    2006-05-18 11:49:52 : msrpc_co_parse_packet: do not handle fragmented TCP message (size 0)
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 0
    2006-05-18 11:49:52 : msrpc_co_parse_packet: do not handle fragmented TCP message (size 0)
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 1380
    2006-05-18 11:49:52 : msrpc_co_parse_packet: frag length (1595) does not match tcp data length (1380)
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 215
    2006-05-18 11:49:52 : msrpc_co_parse_packet: not interested in this ptype (107)
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 0
    2006-05-18 11:49:52 : msrpc_co_parse_packet: do not handle fragmented TCP message (size 0)
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 334
    2006-05-18 11:49:52 : msrpc_co_parse_packet: not interested in this ptype (12)
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 177
    2006-05-18 11:49:52 : msrpc_co_parse_packet: ptype 14, flags 3, frag_len 177, call_id 7
    2006-05-18 11:49:52 : msrpc_co_parse_bind: max_xmit 5840
    2006-05-18 11:49:52 : msrpc_co_parse_bind: max_recv 5840
    2006-05-18 11:49:52 : msrpc_co_parse_bind: assoc_group_id 0
    2006-05-18 11:49:52 : msrpc_co_parse_bind: n_ctx_items 1
    2006-05-18 11:49:52 : msrpc_co_parse_bind: ctx_id 1
    2006-05-18 11:49:52 : msrpc_co_parse_bind: n_trans_items 1
    2006-05-18 11:49:52 : MSRPC_GET_UUID_STR: uuid 000001a0-0000-0000-c000-000000000046
    2006-05-18 11:49:52 : msrpc_co_parse_bind: ifid_map -1
    2006-05-18 11:49:52 : msrpc_add_ctx_to_list: list size 1
    2006-05-18 11:49:52 : msrpc_co_parse_bind: version 0.0
    2006-05-18 11:49:52 : MSRPC_GET_UUID_STR: uuid 8a885d04-1ceb-11c9-9fe8-08002b104860
    2006-05-18 11:49:52 : msrpc_co_parse_bind: trans_ver 2
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 73
    2006-05-18 11:49:52 : msrpc_co_parse_packet: not interested in this ptype (15)
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 820
    2006-05-18 11:49:52 : msrpc_co_parse_packet: ptype 0, flags 3, frag_len 820, call_id 7
    2006-05-18 11:49:52 : msrpc_co_parse_rqst: alloc_hint 784
    2006-05-18 11:49:52 : msrpc_co_parse_rqst: ctx_id 1
    2006-05-18 11:49:52 : msrpc_co_parse_rqst: opnum 4
    2006-05-18 11:49:52 : msrpc_co_parse_rqst: found ifid_map from context list: -1
    2006-05-18 11:49:52 : msrpc_add_call_to_list:
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 1096
    2006-05-18 11:49:52 : msrpc_co_parse_packet: ptype 2, flags 3, frag_len 1096, call_id 7
    2006-05-18 11:49:52 : msrpc_co_parse_resp: alloc_hint 1072
    2006-05-18 11:49:52 : msrpc_co_parse_resp: ctx_id 1
    2006-05-18 11:49:52 : msrpc_co_parse_resp: cancel_count 0
    2006-05-18 11:49:52 : msrpc_find_call: found call, index 0, call_id 7
    2006-05-18 11:49:52 : msrpc_alg_handler: existing cookie (id 512) found
    2006-05-18 11:49:52 : msrpc_alg_handler: cookiep 0x4abda30, cookiep->show 0x4ace80, ctx 0x4abda3c
    2006-05-18 11:49:52 : msrpc_co_parse_packet: TCP data len 0
    2006-05-18 11:49:52 : msrpc_co_parse_packet: do not handle fragmented TCP message (size 0)

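The debug output in the post above is the ALG walking DCE/RPC connection-oriented PDUs: the 16-byte header (ptype 14 is alter_context, 12 bind_ack, 15 alter_context_resp, 0 request, 2 response), then the bind body with its context items. Of the two UUIDs it prints, 000001a0-0000-0000-c000-000000000046 is ISystemActivator, the DCOM remote-activation interface, and 8a885d04-1ceb-11c9-9fe8-08002b104860 is the NDR transfer syntax, which names an encoding rather than a service and so is never an interface ID to put in a per-UUID service object. The "frag length (1595) does not match tcp data length (1380)" line shows the ALG giving up when one RPC fragment spans two TCP segments. The following parser is an added example written for this page, not the poster's capture or Juniper's ScreenOS code; the sample PDU it feeds itself is constructed here to mirror the values in the debug (alter_context, call_id 7, ctx_id 1, max_xmit/max_recv 5840), and its frag_len is whatever the constructed bytes come to, not the 177 bytes seen on the wire (that capture also carried an auth trailer this example does not build).

```python
"""DCE/RPC connection-oriented PDU parser with TCP-segment reassembly.

Added example for this thread (not ScreenOS or the poster's code). Shows
how a bind / alter_context body yields the interface UUID the ALG logs,
and how a fragment split across two TCP segments should be buffered rather
than dropped. Little-endian NDR data representation only.
"""
import struct
import uuid

HEADER_LEN = 16  # rpc_vers, vers_minor, ptype, flags, drep[4], frag_len, auth_len, call_id

# CO PDU types from the DCE 1.1 RPC specification (chapter 12).
PTYPE = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
         13: "bind_nak", 14: "alter_context", 15: "alter_context_resp"}

# The two UUIDs from the debug above: an interface, and a transfer syntax.
ISYSTEMACTIVATOR = "000001a0-0000-0000-c000-000000000046"
NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"
KNOWN = {ISYSTEMACTIVATOR: "ISystemActivator (DCOM remote activation)",
         NDR_SYNTAX: "NDR transfer syntax (an encoding, not an interface)"}


def parse_header(pdu):
    """Decode the common CO header into the fields msrpc_co_parse_packet logs."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("short PDU: %d bytes" % len(pdu))
    vers, _minor, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack_from(
        "<BBBB4sHHI", pdu, 0)
    if vers != 5 or drep[0] >> 4 != 1:  # must be v5 with little-endian integers
        raise ValueError("not a little-endian DCE/RPC v5 PDU")
    return {"ptype": ptype, "ptype_name": PTYPE.get(ptype, "unknown"), "flags": flags,
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def _syntax(pdu, off):
    """p_syntax_id_t: UUID in NDR (mixed-endian) byte order + uint32 version."""
    u = uuid.UUID(bytes_le=bytes(pdu[off:off + 16]))
    ver = struct.unpack_from("<I", pdu, off + 16)[0]
    return str(u), ver & 0xFFFF, ver >> 16  # (uuid, major, minor)


def parse_bind(pdu):
    """Walk a bind (11) or alter_context (14) body, like msrpc_co_parse_bind."""
    hdr = parse_header(pdu)
    if hdr["ptype"] not in (11, 14):
        raise ValueError("ptype %d is not bind/alter_context" % hdr["ptype"])
    max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from("<HHIB", pdu, HEADER_LEN)
    off = HEADER_LEN + 12  # 2 + 2 + 4 + 1 + 3 bytes of padding
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_trans = struct.unpack_from("<HB", pdu, off)
        off += 4  # ctx_id(2) n_transfer_syn(1) reserved(1)
        abstract = _syntax(pdu, off)
        off += 20
        transfers = []
        for _ in range(n_trans):
            transfers.append(_syntax(pdu, off))
            off += 20
        contexts.append({"ctx_id": ctx_id, "abstract": abstract, "transfers": transfers})
    return hdr, {"max_xmit": max_xmit, "max_recv": max_recv,
                 "assoc_group_id": assoc_group, "contexts": contexts}


def _pack_syntax(u, major, minor):
    return uuid.UUID(u).bytes_le + struct.pack("<I", major | (minor << 16))


def build_bind(ptype, call_id, contexts, max_xmit=5840, max_recv=5840):
    """Build a bind/alter_context PDU; used only to construct sample input here."""
    body = struct.pack("<HHIB3x", max_xmit, max_recv, 0, len(contexts))
    for ctx_id, abstract, transfers in contexts:
        body += struct.pack("<HBx", ctx_id, len(transfers)) + _pack_syntax(*abstract)
        for t in transfers:
            body += _pack_syntax(*t)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                      HEADER_LEN + len(body), 0, call_id)  # flags 3 = first|last frag
    return hdr + body


class CoStream:
    """Reassemble one direction of a TCP stream into whole PDUs by frag_len."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        self.buf += segment
        pdus = []
        while len(self.buf) >= HEADER_LEN:
            frag_len = struct.unpack_from("<H", self.buf, 8)[0]
            if frag_len < HEADER_LEN:
                raise ValueError("bogus frag_len %d" % frag_len)
            if len(self.buf) < frag_len:
                break  # fragment continues in the next segment: keep it buffered
            pdus.append(self.buf[:frag_len])
            self.buf = self.buf[frag_len:]
        return pdus


def interface_uuids(pdus):
    """Interface UUIDs (abstract syntax only) seen in bind/alter_context PDUs."""
    found = set()
    for pdu in pdus:
        if parse_header(pdu)["ptype"] in (11, 14):
            for ctx in parse_bind(pdu)[1]["contexts"]:
                found.add(ctx["abstract"][0])
    return found


if __name__ == "__main__":
    # Constructed sample: alter_context, call_id 7, ctx 1, ISystemActivator v0.0
    # over NDR v2, delivered in two TCP segments as in the debug above.
    sample = build_bind(14, 7, [(1, (ISYSTEMACTIVATOR, 0, 0), [(NDR_SYNTAX, 2, 0)])])
    stream = CoStream()
    print("PDUs after segment 1:", stream.feed(sample[:40]))
    for pdu in stream.feed(sample[40:]):
        hdr, body = parse_bind(pdu)
        print(hdr["ptype_name"], "call_id", hdr["call_id"], "frag_len", hdr["frag_len"])
        for ctx in body["contexts"]:
            print("  interface", ctx["abstract"][0], KNOWN.get(ctx["abstract"][0], ""))
            for t in ctx["transfers"]:
                print("  transfer ", t[0], KNOWN.get(t[0], ""))
```

Run against a real capture, feed each direction's TCP payloads to its own CoStream in order; interface_uuids then gives the set of abstract-syntax UUIDs actually bound, which is the list worth comparing against a per-UUID service object, while transfer-syntax UUIDs such as NDR can be ignored.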

  • Engineer

    hi,

    I never played with that, but I guess you need to specify the application (under the service tab), because then the ALG will get enabled and it will create the dynamic port openings.

    greetZ,
    Frac

