Hi,
My setup is the Juniper JSEC lab.
JNPR-SV(VR) -> SV ->INTERNET
I have been able to do a ping successfully from JNPR-SV to INTERNET, but not ftp. I can't even FTP from SV to JNPR-SV. I have enabled ftp on the system hosting JNPR-SV and enabled it (host-inbound) on the VR zone. I have monitored the packets and gathered some info with traceoptions. I know the ftp packets are getting to the destination and it is sending packets back. The problem appears to be on the return, going from SV to JNPR-SV. Is there something I need to do special between the SV zone and the VR zone? Maybe my code is completely wrong. Here is my security code. I also provided the traceoptions output below that.
inactive: flow {
    traceoptions {
        file flow-trace2;
        flag basic-datapath;
        packet-filter f0 {
            source-prefix 172.20.101.10/32;
            destination-prefix 172.31.15.1/32;
        }
    }
}
policies {
    from-zone JNPR-SV to-zone untrust {
        policy internet-JNPR-SV {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone JNPR-SV-VR to-zone JNPR-SV {
        policy inter-JNPR-SV {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone JNPR-SV {
        policy return-traffic {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone JNPR-SV-VR to-zone untrust {
        policy internet-traffic {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone JNPR-SV to-zone JNPR-SV-VR {
        policy traffic {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    default-policy {
        deny-all;
    }
}
zones {
    security-zone mgmt {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        interfaces {
            ge-0/0/3.0;
        }
    }
    security-zone JNPR-SV {
        host-inbound-traffic {
            system-services {
                ftp;
            }
        }
        interfaces {
            lt-0/0/0.101;
        }
    }
    security-zone JNPR-SV-VR {
        host-inbound-traffic {
            system-services {
                ping;
                ftp;
            }
        }
        interfaces {
            lt-0/0/0.111;
        }
    }
}
Select traceoptions output...
Dec 3 18:28:47 18:28:46.843459:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
Dec 3 18:28:47 18:28:46.843464:CID-0:RT:packet [40] ipid = 0, @0x4dc7ccce
Dec 3 18:28:47 18:28:46.843465:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4dc7ca80, rtbl_idx = 0
Dec 3 18:28:47 18:28:46.843467:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/3.0
Dec 3 18:28:47 18:28:46.843469:CID-0:RT: ge-0/0/3.0:172.31.15.1/21->172.20.101.10/55860, tcp, flag 14 rst
Dec 3 18:28:47 18:28:46.843472:CID-0:RT: find flow: table 0x5cb2e4f0, hash 49051(0xffff), sa 172.31.15.1, da 172.20.101.10, sp 21, dp 55860, proto 6, tok 7
Dec 3 18:28:47 18:28:46.843477:CID-0:RT:Found: session id 0x18e70. sess tok 7
Dec 3 18:28:47 18:28:46.843478:CID-0:RT: flow got session.
Dec 3 18:28:47 18:28:46.843478:CID-0:RT: flow session id 102000
Dec 3 18:28:47 18:28:46.843489:CID-0:RT: vector bits 0x8082 vector 0x589eae18
Dec 3 18:28:47 18:28:46.843493:CID-0:RT: ****jsf svc chain: sess id 102000, dir 2, nat_done 0, pak pid 9951944, first pid 27
Dec 3 18:28:47 18:28:46.843495:CID-0:RT: plugin name junos-tcp-clt-emul. action JSF_SESSION_ACTION_NONE, stbuf 0x577a0670
Dec 3 18:28:47 18:28:46.843503:CID-0:RT: jsf resume sess id 102000, direction 2
Dec 3 18:28:47 18:28:46.843504:CID-0:RT: jsf sess id timed close. sess 102000, pid 27
Dec 3 18:28:47 18:28:46.843506:CID-0:RT:PKT-PROC for plugin junos-tcp-clt-emul jbuf 0x66cf09ec, sess jsf flags 0x0, rc 9
Dec 3 18:28:47 18:28:46.843507:CID-0:RT: begin walk strm chain: sess id 102000, dir 2
Dec 3 18:28:47 18:28:46.843508:CID-0:RT: walk: pid 27, prev stbuf 0x0, curr stbuf 0x577a0670, ignore 0
Dec 3 18:28:47 18:28:46.843510:CID-0:RT: walk: pid 24, prev stbuf 0x577a0670, curr stbuf 0x577a0600, ignore 0
Dec 3 18:28:47 18:28:46.843513:CID-0:RT: jsf resume sess id 102000, direction 2
Dec 3 18:28:47 18:28:46.843514:CID-0:RT: jsf resume sess id 102000, direction 2
Dec 3 18:28:47 18:28:46.843516:CID-0:RT: Moved 0 bytes, rc=102. Prev tx empty[1], Curr Rx Empty[1], resume reqd[0]
Dec 3 18:28:47 18:28:46.843517:CID-0:RT: walk: pid 10, prev stbuf 0x577a0600, curr stbuf 0x577a0590, ignore 0
Dec 3 18:28:47 18:28:46.843520:CID-0:RT: jsf resume sess id 102000, direction 2
Dec 3 18:28:47 18:28:46.843523:CID-0:RT: jsf reinj pak pid 10, dir 2, jbuf 0x66cf0ae4, release hold 0
Dec 3 18:28:47 18:28:46.843525:CID-0:RT:jsf_inject_pkt_to_flow: Fill in flow_ctxt->rtbl_idx(0) based on natp, cos 0.
Dec 3 18:28:47 18:28:46.843529:CID-0:RT: jsf sess id timed close. sess 102000, pid 10
Dec 3 18:28:47 18:28:46.843531:CID-0:RT: Moved 0 bytes, rc=102. Prev tx empty[1], Curr Rx Empty[1], resume reqd[0]
Dec 3 18:28:47 18:28:46.843533:CID-0:RT: total bytes moved 0, resume reqd 0
Dec 3 18:28:47 18:28:46.843534:CID-0:RT: after stream walk jb 0x66cf09ec, rc 9, ctx.jb 0x0
Dec 3 18:28:47 18:28:46.843535:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 5)
Dec 3 18:28:47 18:28:46.843541:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
Dec 3 18:28:47 18:28:46.843543:CID-0:RT:packet [40] ipid = 528, @0x52dda700
Dec 3 18:28:47 18:28:46.843544:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 28, common flag 0x800, mbuf 0x52dda480, rtbl_idx = 0
Dec 3 18:28:47 18:28:46.843550:CID-0:RT:flow process pak, mbuf 0x52dda480, ifl 0, ctxt_type 28 inq type 6
Dec 3 18:28:47 18:28:46.843551:CID-0:RT:change ifl to 0x49
Dec 3 18:28:47 18:28:46.843552:CID-0:RT: in_ifp <untrust:ge-0/0/3.0>
Dec 3 18:28:47 18:28:46.843554:CID-0:RT:setting rtt to:0x6aa98ff8 based on VR ID:0 carried over in flow ctxt, proto 2(ipv4)
Dec 3 18:28:47 18:28:46.843556:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x6aa98ff8
Dec 3 18:28:47 18:28:46.843557:CID-0:RT: jsf reinj: ctxt flag 0 sess 102000 src pid 10 reinj flag 4
Dec 3 18:28:47 18:28:46.843559:CID-0:RT:host inq check inq_type 0x6
Dec 3 18:28:47 18:28:46.843560:CID-0:RT: flow session id 102000
Dec 3 18:28:47 18:28:46.843561:CID-0:RT: vector bits 0x8082 vector 0x589eae18
Dec 3 18:28:47 18:28:46.843563:CID-0:RT:****jsf svc chain: sess id 102000, dir 2. No more plugins
Dec 3 18:28:47 18:28:46.843564:CID-0:RT: tcp 3way refresh, is_half_open:0, is_fwauth:0
Dec 3 18:28:47 18:28:46.843565:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Dec 3 18:28:47 18:28:46.843567:CID-0:RT:mbuf 0x52dda480, exit nh 0x110010
Dec 3 18:28:47 18:28:46.843568:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0xbf97d738 associated with mbuf 0x52dda480
Dec 3 18:28:47 18:28:46.843570:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Dec 3 18:28:47 18:28:46.843577:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
Dec 3 18:28:47 18:28:46.843579:CID-0:RT:packet [40] ipid = 528, @0x52dda700
Dec 3 18:28:47 18:28:46.843581:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x52dda480, rtbl_idx = 5
Dec 3 18:28:47 18:28:46.843582:CID-0:RT: flow_process_pkt_exception mbuf 0x52dda480, ifd=76, ctxt_type=0, in_ifp <JNPR-SV-VR:lt-0/0/0.111>
Dec 3 18:28:47 18:28:46.843585:CID-0:RT: lt-0/0/0.111:172.31.15.1/21->172.20.101.10/55860, tcp, flag 14 rst
Dec 3 18:28:47 18:28:46.843588:CID-0:RT: find flow: table 0x5cb2e4f0, hash 49051(0xffff), sa 172.31.15.1, da 172.20.101.10, sp 21, dp 55860, proto 6, tok 20490
Dec 3 18:28:47 18:28:46.843592:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Dec 3 18:28:47 18:28:46.843594:CID-0:RT: packet dropped, first pak not sync
Dec 3 18:28:47 18:28:46.843595:CID-0:RT:flow_initiate_first_path: first pak no session
Dec 3 18:28:47 18:28:46.843596:CID-0:RT: flow find session returns error.
Dec 3 18:28:47 18:28:46.843597:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0xbf97d738 associated with mbuf 0x52dda480
Dec 3 18:28:47 18:28:46.843598:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
Thanks!
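The basic-datapath trace above is much easier to read once it is condensed to one line per packet: which interface and zone the packet arrived on, whether a session matched, and why it was dropped. The Python script below is an added example, not part of the original post and not a Juniper tool. It parses only the line shapes that appear in this post (the `matched filter`, `in_ifp`, session and `packet dropped` lines), so the patterns are an assumption taken from this trace and may need adjusting for other Junos releases. The embedded sample is a subset of the post's own trace lines.

```python
"""Condense Junos SRX 'flow basic-datapath' traceoptions output to one record per packet."""
import re
from typing import Dict, List

# Sample input: trace lines copied from the post above (three packets, abbreviated).
SAMPLE_TRACE = """\
Dec 3 18:28:47 18:28:46.843459:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
Dec 3 18:28:47 18:28:46.843467:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/3.0
Dec 3 18:28:47 18:28:46.843469:CID-0:RT: ge-0/0/3.0:172.31.15.1/21->172.20.101.10/55860, tcp, flag 14 rst
Dec 3 18:28:47 18:28:46.843477:CID-0:RT:Found: session id 0x18e70. sess tok 7
Dec 3 18:28:47 18:28:46.843535:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 5)
Dec 3 18:28:47 18:28:46.843541:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
Dec 3 18:28:47 18:28:46.843552:CID-0:RT: in_ifp <untrust:ge-0/0/3.0>
Dec 3 18:28:47 18:28:46.843560:CID-0:RT: flow session id 102000
Dec 3 18:28:47 18:28:46.843570:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Dec 3 18:28:47 18:28:46.843577:CID-0:RT:<172.31.15.1/21->172.20.101.10/55860;6> matched filter f0:
Dec 3 18:28:47 18:28:46.843582:CID-0:RT: flow_process_pkt_exception mbuf 0x52dda480, ifd=76, ctxt_type=0, in_ifp <JNPR-SV-VR:lt-0/0/0.111>
Dec 3 18:28:47 18:28:46.843592:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Dec 3 18:28:47 18:28:46.843594:CID-0:RT: packet dropped, first pak not sync
Dec 3 18:28:47 18:28:46.843598:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
"""

# Line patterns assumed from the trace format shown in this post.
HEADER = re.compile(
    r"<(?P<sa>[\d.]+)/(?P<sp>\d+)->(?P<da>[\d.]+)/(?P<dp>\d+);(?P<proto>\d+)> matched filter (?P<filt>\S+):"
)
# Two shapes occur: "in_ifp ge-0/0/3.0" and "in_ifp <zone:ifl>".
IN_IFP = re.compile(r"in_ifp\s+(?:<(?:(?P<zone>[^:>]+):)?(?P<ifl>[^>]+)>|(?P<bare>\S+))")
DROP = re.compile(r"packet dropped, (?P<reason>.+)$")
RC = re.compile(r"flow_process_pkt rc (?P<rc>0x[0-9a-fA-F]+)")


def parse_flow_trace(text: str) -> List[Dict[str, object]]:
    """Return one record per 'matched filter' block, in trace order."""
    packets: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            cur = {
                "src": f"{m['sa']}:{m['sp']}",
                "dst": f"{m['da']}:{m['dp']}",
                "proto": int(m["proto"]),
                "filter": m["filt"],
                "in_zone": None,
                "in_ifl": None,
                "session_found": None,  # None = no session line seen in this block
                "drop_reason": None,
                "rc": None,
            }
            packets.append(cur)
            continue
        if not cur:
            continue  # lines before the first header belong to no packet
        m = IN_IFP.search(line)
        if m:
            cur["in_ifl"] = m["ifl"] or m["bare"]
            if m["zone"]:
                cur["in_zone"] = m["zone"]
        if "Found: session id" in line or " flow session id " in line:
            cur["session_found"] = True
        elif "no session found" in line:
            cur["session_found"] = False
        m = DROP.search(line)
        if m:
            cur["drop_reason"] = m["reason"].strip()
        m = RC.search(line)
        if m:
            cur["rc"] = m["rc"]
    return packets


def drops(packets: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the packets the flow module explicitly dropped."""
    return [p for p in packets if p["drop_reason"]]


def describe(p: Dict[str, object]) -> str:
    """One-line human summary of a parsed packet record."""
    where = f"{p['in_zone'] or '?'}:{p['in_ifl']}"
    outcome = f"DROP ({p['drop_reason']})" if p["drop_reason"] else f"ok rc={p['rc']}"
    return f"{p['src']} -> {p['dst']} proto {p['proto']} in {where}: {outcome}"


if __name__ == "__main__":
    for pkt in parse_flow_trace(SAMPLE_TRACE):
        print(describe(pkt))
```

Run it over a saved trace file instead of the embedded sample to get the same summary for a whole capture. On the sample, the last record is the server's RST (172.31.15.1:21) arriving a second time on lt-0/0/0.111 in zone JNPR-SV-VR with no matching session, which is the "first pak not sync" drop visible in the post.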