Traceroute between Virtual Routers not working (SRX200H)

  • 1.  Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-23-2013 21:25

    Hi, really hoping someone can help me. I have a problem but I think it relates to this basic problem so rather than give the original problem with way too much configuration, can someone explain to me why I can't get a simple traceroute working between two Virtual Routers. I did a basic setup here:

     

    Interfaces

     

    [edit]
    viet@srx220# show interfaces lt-0/0/0.100
    encapsulation ethernet;
    peer-unit 101;
    family inet {
        address 10.10.10.1/30;
    }
    
    [edit]
    viet@srx220# show interfaces lt-0/0/0.101
    encapsulation ethernet;
    peer-unit 100;
    family inet {
        address 10.10.10.2/30;
    }

     

    Virtual Routers

     

    [edit]
    viet@srx220# show routing-instances TestRouter1  
    description "Test Router 1";
    instance-type virtual-router;
    interface lt-0/0/0.100;
    
    [edit]
    viet@srx220# show routing-instances TestRouter2  
    description "Test Router 2";
    instance-type virtual-router;
    interface lt-0/0/0.101;

     

    Security Zones

     

    [edit]
    viet@srx220# show security zones security-zone TR1 
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        lt-0/0/0.100;
    }
    
    [edit]
    viet@srx220# show security zones security-zone TR2 
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        lt-0/0/0.101;
    }

     

    Security Policies

     

    [edit]
    viet@srx220# show security policies from-zone TR1 to-zone TR2 
    policy TR1-TR2 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    
    [edit]
    viet@srx220# show security policies from-zone TR2 to-zone TR1 
    policy TR2-TR1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

     

    Here are the route tables for both VR's:

     

    [edit]
    viet@srx220# run show route table TestRouter1.inet.0 
    
    TestRouter1.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.10.10.0/30      *[Direct/0] 00:26:52
                        > via lt-0/0/0.100
    10.10.10.1/32      *[Local/0] 00:26:52
                          Local via lt-0/0/0.100
    
    [edit]
    viet@srx220# run show route table TestRouter2.inet.0 
    
    TestRouter2.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.10.10.0/30      *[Direct/0] 00:27:02
                        > via lt-0/0/0.101
    10.10.10.2/32      *[Local/0] 00:27:02
                          Local via lt-0/0/0.101
    

     

    Now, from TestRouter1 I am able to ping TestRouter2, but I cannot do a traceroute to it.

     

    [edit]
    viet@srx220# run ping routing-instance TestRouter1 10.10.10.2 count 3 
    PING 10.10.10.2 (10.10.10.2): 56 data bytes
    64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=2.347 ms
    64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=2.564 ms
    64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=2.314 ms
    
    --- 10.10.10.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 2.314/2.408/2.564/0.111 ms
    
    [edit]
    viet@srx220# run traceroute routing-instance TestRouter1 10.10.10.2 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
    ^C

     

    But it works if I trace (from TestRouter1) with source interface lt-0/0/0.101 (which belongs to TestRouter2) ???

     

    [edit]
    viet@srx220# run traceroute routing-instance TestRouter1 10.10.10.2 interface lt-0/0/0.101 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  10.10.10.2 (10.10.10.2)  1.062 ms  0.990 ms  3.638 ms

     

    That does not make sense? There is a route to 10.10.10.2 (10.10.10.0/30) in TestRouter1's table so I shouldn't have to specify which interface to do a traceroute from I thought.

     

    Would be great if someone can help me. This has been bugging me for days.



  • 2.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-24-2013 00:08

    Try changing the prefix length on the tunnel interfaces to /27 or /24:

    family inet {
        address 10.10.10.1/27;
    }


  • 3.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-24-2013 00:27

    Thanks for your reply.

     

    Changed it to /27. Still same problem.

     

    Route tables:

     

    viet@srx220> show route table TestRouter1.inet.0 
    
    TestRouter1.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.10.10.0/27      *[Direct/0] 00:03:23
                        > via lt-0/0/0.100
    10.10.10.1/32      *[Local/0] 00:03:23
                          Local via lt-0/0/0.100
    
    viet@srx220> show route table TestRouter2.inet.0 
    
    TestRouter2.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.10.10.0/27      *[Direct/0] 00:03:29
                        > via lt-0/0/0.101
    10.10.10.2/32      *[Local/0] 00:03:29
                          Local via lt-0/0/0.101

     

    Ping/Traceroute:

     

    viet@srx220> ping routing-instance TestRouter1 10.10.10.2 count 3 
    PING 10.10.10.2 (10.10.10.2): 56 data bytes
    64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=3.476 ms
    64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=2.435 ms
    64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=2.620 ms
    
    --- 10.10.10.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 2.435/2.844/3.476/0.453 ms
    
    viet@srx220> traceroute routing-instance TestRouter1 10.10.10.2 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  * * *
     2  * * *
     3  * * *
    ^C

     



  • 4.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-26-2013 19:07

    I've replicated this problem on my SRX100H, which I loaded default factory settings first.

     

    I've attached a portion of my debug. Is it something to do with NATing? And why do I need NAT for a basic point-to-point connection.

    Attachment: SRX100H debug.txt (8 KB)


  • 5.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-26-2013 21:51

    This is the forwarding table on my SRX100H for the two virtual routers. Notice the strange next-hops:

     

    Routing table: TestRouter1.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct   567     1
    0.0.0.0/32         perm     0                    dscd   565     1
    10.10.10.0/30      intf     0                    rslv   553     1 lt-0/0/0.100
    10.10.10.0/32      dest     0 10.10.10.0         recv   551     1 lt-0/0/0.100
    10.10.10.1/32      intf     0 10.10.10.1         locl   552     2
    10.10.10.1/32      dest     0 10.10.10.1         locl   552     2
    10.10.10.2/32      dest     0 0.1.80.3.64.87.88.75.26.1.64.87.88.75.26.0.8.0
                                                     ucst   604     1 lt-0/0/0.100
    10.10.10.3/32      dest     0 10.10.10.3         bcst   550     1 lt-0/0/0.100
    224.0.0.0/4        perm     0                    mdsc   566     1
    224.0.0.1/32       perm     0 224.0.0.1          mcst   562     1
    255.255.255.255/32 perm     0                    bcst   563     1
    
    Routing table: TestRouter2.inet
    Internet:                               
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct   576     1
    0.0.0.0/32         perm     0                    dscd   574     1
    10.10.10.0/30      intf     0                    rslv   557     1 lt-0/0/0.101
    10.10.10.0/32      dest     0 10.10.10.0         recv   555     1 lt-0/0/0.101
    10.10.10.1/32      dest     0 0.3.80.3.64.87.88.75.26.0.64.87.88.75.26.1.8.0
                                                     ucst   605     1 lt-0/0/0.101
    10.10.10.2/32      intf     0 10.10.10.2         locl   556     2
    10.10.10.2/32      dest     0 10.10.10.2         locl   556     2
    10.10.10.3/32      dest     0 10.10.10.3         bcst   554     1 lt-0/0/0.101
    224.0.0.0/4        perm     0                    mdsc   575     1
    224.0.0.1/32       perm     0 224.0.0.1          mcst   571     1
    255.255.255.255/32 perm     0                    bcst   572     1

     



  • 6.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-26-2013 22:11

    And here's the security flow. What is interface local?

     

    root# run show security flow session                            
    Session ID: 11082, Policy name: self-traffic-policy/1, Timeout: 40, Valid
      In: 10.10.10.2/37897 --> 10.10.10.1/33434;udp, If: lt-0/0/0.100, Pkts: 1, Bytes: 40
      Out: 10.10.10.1/33434 --> 10.10.10.2/37897;udp, If: .local..5, Pkts: 0, Bytes: 0
    
    Session ID: 11085, Policy name: self-traffic-policy/1, Timeout: 48, Valid
      In: 10.10.10.2/37899 --> 10.10.10.1/33434;udp, If: lt-0/0/0.100, Pkts: 1, Bytes: 40
      Out: 10.10.10.1/33434 --> 10.10.10.2/37899;udp, If: .local..5, Pkts: 0, Bytes: 0
    
    Session ID: 11091, Policy name: self-traffic-policy/1, Timeout: 54, Valid
      In: 10.10.10.2/37900 --> 10.10.10.1/33434;udp, If: lt-0/0/0.100, Pkts: 1, Bytes: 40
      Out: 10.10.10.1/33434 --> 10.10.10.2/37900;udp, If: .local..5, Pkts: 0, Bytes: 0
    Total sessions: 3

     



  • 7.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 17:23

     route lookup: dest-ip 10.10.10.1 orig ifp lt-0/0/0.101 output_ifp lt-0/0/0.101 orig-zone 9 out-zone

    In your case you have a routing configuration error: the outbound interface is the same as the inbound interface. And you don't need NAT for routing between the VRs using the direct route, nor do you need policies for that.

    I have tested the set up and it works correctly. 

    Disable this firewall filter 

    matched filter f0

    Here is where the problem is:

    May 27 01:49:58 01:49:58.017142:CID-0:RT:  packet dropped, no session found for embedded icmp pak
     
    May 27 01:49:58 01:49:58.017142:CID-0:RT:  flow find session returns error.


  • 8.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 17:35

    Sorry, posted around same time you did so didn't read your last message 🙂

     

    f0 was a filter used for traceoptions.

     

    root# show security flow 
    inactive: traceoptions {
        file debug01 size 5m files 2;
        flag all;
        packet-filter f0 {
            destination-prefix 10.10.10.2/32;
        }
    }

     So I should delete all policies and NATs?



  • 9.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 17:41

    Post your complete config. It should just work by simply creating the VRs and adding the interfaces. Nothing else needs to be done. That is only for this test case though. NAT and the other security policies can be added later.


  • 10.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 17:43

    Okay, I just deleted NAT. Same thing. I've attached my config.

     

    root> traceroute routing-instance TestRouter1 10.10.10.2 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  * * *
    ^C
    root> show security flow session 
    Session ID: 4660, Policy name: TR2-self/10, Timeout: 40, Valid
      In: 10.10.10.1/37030 --> 10.10.10.2/33434;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33434 --> 10.10.10.1/37030;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4661, Policy name: TR2-self/10, Timeout: 44, Valid
      In: 10.10.10.1/37030 --> 10.10.10.2/33435;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33435 --> 10.10.10.1/37030;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4662, Policy name: TR2-self/10, Timeout: 50, Valid
      In: 10.10.10.1/37030 --> 10.10.10.2/33436;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33436 --> 10.10.10.1/37030;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4663, Policy name: TR2-self/10, Timeout: 54, Valid
      In: 10.10.10.1/37030 --> 10.10.10.2/33437;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33437 --> 10.10.10.1/37030;udp, If: .local..13, Pkts: 0, Bytes: 0
    Total sessions: 4                       
    

     

    Attachment: srx100H_test.txt (7 KB)


  • 11.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 17:43

    The TR2-self policy is creating havoc. Deactivate it.


  • 12.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 17:54

    I deleted TR1-self accidentally instead of TR2-self as you asked, but then I also deleted TR2-self. Didn't work. Should I just delete ALL policies?

     

    [edit]
    root# delete security policies from-zone TR2 to-zone junos-host 
    
    [edit]
    root# show | compare 
    [edit security policies]
    -    from-zone TR2 to-zone junos-host {
    -        policy TR2-self {
    -            match {
    -                source-address any;
    -                destination-address any;
    -                application any;
    -            }
    -            then {
    -                permit;
    -            }
    -        }
    -    }
    [edit security zones]
    
    [edit]
    root# commit and-quit 
    commit complete
    Exiting configuration mode
    
    root> clear security flow session all 
    This command may terminate the current session too.
    Continue? [yes,no] (no) yes 
    
    0 active sessions cleared
    
    root> traceroute routing-instance TestRouter1 10.10.10.2 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  * * *
    ^C
    root> show security flow session 
    Session ID: 4668, Policy name: self-traffic-policy/1, Timeout: 40, Valid
      In: 10.10.10.1/37079 --> 10.10.10.2/33434;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33434 --> 10.10.10.1/37079;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4669, Policy name: self-traffic-policy/1, Timeout: 44, Valid
      In: 10.10.10.1/37079 --> 10.10.10.2/33435;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33435 --> 10.10.10.1/37079;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4670, Policy name: self-traffic-policy/1, Timeout: 50, Valid
      In: 10.10.10.1/37079 --> 10.10.10.2/33436;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33436 --> 10.10.10.1/37079;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4671, Policy name: self-traffic-policy/1, Timeout: 54, Valid
      In: 10.10.10.1/37079 --> 10.10.10.2/33437;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33437 --> 10.10.10.1/37079;udp, If: .local..13, Pkts: 0, Bytes: 0
    Total sessions: 4                  

     



  • 13.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:06

    Hope you still have a backup of your configuration. I know you do. :) Anyway, I am not sure what is happening on your end. I just loaded your configuration on a router and tested it, and it worked. None of the policies you have should be affecting this situation.

     

    [edit]
    lab@srxA-1# run traceroute routing-instance TestRouter1 10.10.10.2
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
    1 10.10.10.2 (10.10.10.2) 2.479 ms 2.053 ms 1.936 ms

    [edit]
    lab@srxA-1# run traceroute routing-instance TestRouter2 10.10.10.1
    traceroute to 10.10.10.1 (10.10.10.1), 30 hops max, 40 byte packets
    1 10.10.10.1 (10.10.10.1) 2.403 ms 2.222 ms 2.047 ms

    [edit]
    lab@srxA-1#



  • 14.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:08

    That is so odd! I've deleted all my security policies. Still the same thing. What version of Junos are you using?

     

    root# delete security policies 
    
    [edit]
    root# commit and-quit 
    commit complete
    Exiting configuration mode
    
    root> clear security flow session 
    0 active sessions cleared
    
    root> traceroute routing-instance TestRouter1 10.10.10.2 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  * * *
    ^C
    root> show security flow session 
    Session ID: 4672, Policy name: self-traffic-policy/1, Timeout: 38, Valid
      In: 10.10.10.1/37113 --> 10.10.10.2/33434;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33434 --> 10.10.10.1/37113;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4673, Policy name: self-traffic-policy/1, Timeout: 42, Valid
      In: 10.10.10.1/37113 --> 10.10.10.2/33435;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33435 --> 10.10.10.1/37113;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4674, Policy name: self-traffic-policy/1, Timeout: 48, Valid
      In: 10.10.10.1/37113 --> 10.10.10.2/33436;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33436 --> 10.10.10.1/37113;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4675, Policy name: self-traffic-policy/1, Timeout: 52, Valid
      In: 10.10.10.1/37113 --> 10.10.10.2/33437;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33437 --> 10.10.10.1/37113;udp, If: .local..13, Pkts: 0, Bytes: 0
    Total sessions: 4 

     



  • 15.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:09

    Load the same config you just posted. Enter "commit full" instead of "commit and-quit", then reboot.



  • 16.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:11

    I don't have commit full? Running latest software. (12.1R6.5)

     

    [edit]
    root# commit ?
    Possible completions:
      <[Enter]>            Execute this command
      and-quit             Quit configuration mode if commit succeeds
      at                   Time at which to activate configuration changes
      check                Check correctness of syntax; do not apply changes
      comment              Message to write to commit log
      confirmed            Automatically rollback if not confirmed
      |                    Pipe through a command

     



  • 17.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:12

    Oh, never mind. Hidden command. Doing it now 🙂



  • 18.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:19

    Bad news. commit full, rebooted. Same thing.

     

    root> traceroute routing-instance TestRouter1 10.10.10.2 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  * * *
    ^C
    root> show security flow session 
    Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 38, Valid
      In: 10.10.10.1/34121 --> 10.10.10.2/33434;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33434 --> 10.10.10.1/34121;udp, If: .local..5, Pkts: 0, Bytes: 0
    
    Session ID: 2, Policy name: self-traffic-policy/1, Timeout: 44, Valid
      In: 10.10.10.1/34121 --> 10.10.10.2/33435;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33435 --> 10.10.10.1/34121;udp, If: .local..5, Pkts: 0, Bytes: 0
    
    Session ID: 3, Policy name: self-traffic-policy/1, Timeout: 48, Valid
      In: 10.10.10.1/34121 --> 10.10.10.2/33436;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33436 --> 10.10.10.1/34121;udp, If: .local..5, Pkts: 0, Bytes: 0
    
    Session ID: 4, Policy name: self-traffic-policy/1, Timeout: 54, Valid
      In: 10.10.10.1/34121 --> 10.10.10.2/33437;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33437 --> 10.10.10.1/34121;udp, If: .local..5, Pkts: 0, Bytes: 0
    Total sessions: 4 

     Is your config exactly like mine, and are you in flow mode?

     

    root> show security flow status 
      Flow forwarding mode:
        Inet forwarding mode: flow based
        Inet6 forwarding mode: drop
        MPLS forwarding mode: drop
        ISO forwarding mode: drop
        Advanced services data-plane memory mode: Default
      Flow trace status
        Flow tracing status: off

     



  • 19.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:30

    I've attached the debug of my traceroute. Keep in mind I have NO security policies/NAT at all now.

     

     




  • 20.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:51

    Seems as though I'm not the only one with this problem.

     

    http://www.gossamer-threads.com/lists/nsp/juniper/45047

     

    Someone in that thread suggested enabling "allow-icmp-without-flow", which I did but it didn't do anything. That's because it's on by default.

     

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/configuration-statement/security-edit-allow-icmp-without-flow.html

     

    Wondering if I should bother raising this with JTAC. Seems like it should only affect ICMP/traceroute, while other routing should work as normal. I think.



  • 21.  RE: Traceroute between Virtual Routers not working (SRX200H)
    Best Answer

    Posted 05-28-2013 22:37

    Thank you very much for your help lyndidon but it really is an issue with ICMP traffic only I believe, as somehow traceroute has problems with the SRX's security flow feature.

     

    I do believe the only workaround is to enable ICMP traffic to be packet-based, and so I've configured "Selective Stateless Packet-Based Services" just for traceroute and it's working. Here's my config:

     

    root# show firewall 
    family inet {
        filter Traceroute {
            term 1 {
                from {
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
    
    root# show interfaces 
    lt-0/0/0 {
        unit 100 {
            encapsulation ethernet;
            peer-unit 101;
            family inet {
                filter {
                    input Traceroute;
                }
                address 10.10.10.1/30;
            }
        }
        unit 101 {
            encapsulation ethernet;
            peer-unit 100;
            family inet {
                filter {
                    input Traceroute;
                }
                address 10.10.10.2/30;
            }
        }
    }

     And the traceroutes:

     

    root> traceroute routing-instance TestRouter1 10.10.10.2 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  10.10.10.2 (10.10.10.2)  4.512 ms  4.487 ms  3.964 ms
    
    root> traceroute routing-instance TestRouter2 10.10.10.1    
    traceroute to 10.10.10.1 (10.10.10.1), 30 hops max, 40 byte packets
     1  10.10.10.1 (10.10.10.1)  4.403 ms  4.482 ms  3.957 ms
    

     Only annoying thing with this is if you have lots of virtual-routers and interfaces, then you gotta enable it on every interface. But I'm sure it only affects traceroute/ICMP because I'm running virtual routers and dual-ISP and it's working fine otherwise.
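Because the filter has to be attached to every interface unit, an audit that reads the configuration and lists each family inet unit without a packet-mode input filter saves checking by hand as the number of virtual routers grows. The Python script below is an added example, not the poster's or Juniper's code; it parses the curly-brace display format shown in this reply, and its sample configuration is constructed from the thread's with a hypothetical extra unit (lt-0/0/0.102) left unfiltered so the audit has something to report.

```python
"""Audit which family inet units carry a packet-mode input filter.

Added example, not the thread's own tooling. Parses the curly-brace display
format shown in the thread; SAMPLE_CONFIG is constructed from it, with a
hypothetical unit 102 that lacks the filter.
"""

SAMPLE_CONFIG = """\
firewall {
    family inet {
        filter Traceroute {
            term 1 {
                from {
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
}
interfaces {
    lt-0/0/0 {
        unit 100 {
            family inet {
                filter {
                    input Traceroute;
                }
                address 10.10.10.1/30;
            }
        }
        unit 101 {
            family inet {
                filter {
                    input Traceroute;
                }
                address 10.10.10.2/30;
            }
        }
        unit 102 {
            family inet {
                address 10.10.10.5/30;
            }
        }
    }
}
"""

LEAVES = "__leaves__"  # key under which each container keeps its leaf statements


def parse_junos(text):
    """Turn Junos curly display format into nested dicts; leaf statements
    ("address 10.10.10.1/30;") are listed under LEAVES so repeats survive."""
    root = {LEAVES: []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {LEAVES: []}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line.endswith(";"):
            stack[-1][LEAVES].append(line[:-1].strip())
        else:
            raise ValueError(f"unrecognised config line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def packet_mode_filters(cfg):
    """Names of family inet filters having at least one term whose then-clause sets packet-mode."""
    names = set()
    for key, flt in cfg.get("firewall", {}).get("family inet", {}).items():
        if key.startswith("filter ") and any(
            tk.startswith("term ") and "packet-mode" in term.get("then", {}).get(LEAVES, [])
            for tk, term in flt.items()
        ):
            names.add(key.split(" ", 1)[1])
    return names


def inet_unit_filters(cfg):
    """Map each 'ifd.unit' that has family inet to its input filter name, or None."""
    result = {}
    for ifd, ifnode in cfg.get("interfaces", {}).items():
        if ifd == LEAVES:
            continue
        for uk, unit in ifnode.items():
            if not uk.startswith("unit ") or unit.get("family inet") is None:
                continue
            leaves = unit["family inet"].get("filter", {}).get(LEAVES, [])
            inputs = [s.split(" ", 1)[1] for s in leaves if s.startswith("input ")]
            result[f"{ifd}.{uk.split(' ', 1)[1]}"] = inputs[0] if inputs else None
    return result


def units_missing_packet_mode(cfg):
    """Units with family inet whose input filter is absent or has no packet-mode term."""
    ok = packet_mode_filters(cfg)
    return sorted(u for u, f in inet_unit_filters(cfg).items() if f not in ok)


if __name__ == "__main__":
    for unit in units_missing_packet_mode(parse_junos(SAMPLE_CONFIG)):
        print(f"{unit}: no packet-mode input filter")
```

Feed it the output of `show configuration firewall` and `show configuration interfaces` concatenated, and the list it prints is exactly the set of units where ICMP would still be handled by the flow engine. Checking the filter's terms rather than only its name also catches a filter that is attached but has lost its `packet-mode` action.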



  • 22.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-29-2013 20:22

    Thanks for the update! I came to that opinion after a whole night of testing. Thanks for giving me the opportunity to stay up late :) I was considering opening a ticket with JTAC. I may still do so. I just wondered why and could not find an explanation. Good job.



  • 23.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-29-2013 21:11

    Thanks again 😉 Bad luck about the lack of sleep, lol, but it was keeping me up too. I'm gonna leave it as it is before I find more problems, haha.



  • 24.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-30-2013 13:23

    Awesome. Thanks for posting the config. If anyone else has the issue, I hope they search the forum and find your solution. Thanks again. Haha!


  • 25.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 06-06-2016 13:23

    I realize this is a three-year old thread, but here I am doing up what I hope is the first of many SRXes for CPE with management in a Virtual Router and I can't ping the **bleep** thing. I copied your "then packet-mode" firewall and it worked like a charm! Funny/sad that I'm running the latest JTAC recommended software!

     

    Thanks again! Ended two very frustrating hours!



  • 26.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 18:50

    No. It was not. So I reloaded, rebooted, and now I can figure out what is happening. Let me look at it and I will post results later.


  • 27.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-27-2013 23:33

    I have not been able to test it yet, but I am thinking it needs a loopback interface. That is just a guess from me at this time. Try adding loopback interfaces to both VRs and then test: add lo0.1 and lo0.2 to each respectively. Commit, then test.



  • 28.  RE: Traceroute between Virtual Routers not working (SRX200H)

    Posted 05-28-2013 17:32

    That didn't work. Are the loopbacks meant to be routable? Usually they are /32. 

     

    Also, just can't understand why it keeps trying to use lt-0/0/0.101 when I traceroute from TestRouter1. That interface belongs to TestRouter2.

     

    root> show route 
    
    TestRouter1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    1.1.1.1/32         *[Direct/0] 00:07:45
                        > via lo0.1
    10.10.10.0/30      *[Direct/0] 00:20:57
                        > via lt-0/0/0.100
    10.10.10.1/32      *[Local/0] 00:20:57
                          Local via lt-0/0/0.100
    
    TestRouter2.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    2.2.2.2/32         *[Direct/0] 00:07:45
                        > via lo0.2
    10.10.10.0/30      *[Direct/0] 00:20:57
                        > via lt-0/0/0.101
    10.10.10.2/32      *[Local/0] 00:20:57
                          Local via lt-0/0/0.101
    
    root> traceroute routing-instance TestRouter1 10.10.10.2 
    traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
     1  * * *
    ^C
    root> show security flow session 
    Session ID: 4656, Policy name: TR2-self/10, Timeout: 40, Valid
      In: 10.10.10.1/36994 --> 10.10.10.2/33434;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33434 --> 10.10.10.1/36994;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4657, Policy name: TR2-self/10, Timeout: 46, Valid
      In: 10.10.10.1/36994 --> 10.10.10.2/33435;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33435 --> 10.10.10.1/36994;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4658, Policy name: TR2-self/10, Timeout: 50, Valid
      In: 10.10.10.1/36994 --> 10.10.10.2/33436;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33436 --> 10.10.10.1/36994;udp, If: .local..13, Pkts: 0, Bytes: 0
    
    Session ID: 4659, Policy name: TR2-self/10, Timeout: 56, Valid
      In: 10.10.10.1/36994 --> 10.10.10.2/33437;udp, If: lt-0/0/0.101, Pkts: 1, Bytes: 40
      Out: 10.10.10.2/33437 --> 10.10.10.1/36994;udp, If: .local..13, Pkts: 0, Bytes: 0
    Total sessions: 4