Hi,
Sorry to bring this up again. We were forced to do some network changes by our provider, which was a good thing: it gave us a far better connection (redundancy wise) to the internet, but the IP addresses have now changed. Whilst doing that change we also upgraded to the latest firmware on the Junipers (6.2r05 to 6.3r14) - mostly we wanted proxy ARP.
This all went well or so I thought.
Unfortunately I can't loopback again from anything in the trusted zone to the untrust IP addresses on the interface.
We got the config working, and then I ran:
unset arp nat-dst
as this command is no longer recommended. The policies are the same: we have a trust to untrust with src nat to the external IP for one of our webservers, and I've also got an untrust to untrust for nat-dst (also tried untrust to trust and having a route in place).
I just don't understand; neither DIP nor proxy-arp seems to work at all - I get the same debug output regardless of which I use...
Testing with either proxy-arp enabled for that external IP, or with a DIP (which is how it's currently set up), doesn't work:
get int eth0/8 dip
id = 4: ip range 5.5.184.184 ~ 5.5.184.184; (port-xlate)
Looking through the debug it looks like it can't resolve the ARP again. However I have no idea why now.
Here's a debug flow basic:
****** 153316.0: <Trust/ethernet0/9> packet received [48]******
ipid = 31681(7bc1), @1d6d0914
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/9:10.61.20.20/4340->5.5.184.184/80,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/9>, out <N/A>
chose interface ethernet0/9 as incoming nat if.
flow_first_routing: in <ethernet0/9>, out <N/A>
search route to (ethernet0/9, 10.61.20.20->5.5.184.184) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 1.route 5.5.184.184->5.5.184.184, to ethernet0/8
routed (x_dst_ip 5.5.184.184) from ethernet0/9 (ethernet0/9 in 0) to ethernet0/8
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 5.5.184.184, port 80, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 25/0/0x1
Permitted by policy 25
src-nat dip id = 4, 10.61.20.20/4340->5.5.184.184/1999
choose interface ethernet0/8 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/8
vsd 0 is active
no loop on ifp ethernet0/8.
session application type 6, name HTTP, nas_id 0, timeout 300sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/9>, out <ethernet0/8>
existing vector list 123-40a47d4.
Session (id:45815) created for first pak 123
flow_first_install_session======>
route to 5.5.184.184
wait for arp rsp for 5.5.184.184
ifp2 ethernet0/8, out_ifp ethernet0/8, flag 10000800, tunnel ffffffff, rc 0
outgoing wing prepared, not ready
handle cleartext reverse route
search route to (ethernet0/8, 5.5.184.184->10.61.20.20) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/9
[ Dest] 3.route 10.61.20.20->10.61.20.20, to ethernet0/9
route to 10.61.20.20
arp entry found for 10.61.20.20
ifp2 ethernet0/9, out_ifp ethernet0/9, flag 00800801, tunnel ffffffff, rc 1
****** 153319.0: <Trust/ethernet0/9> packet received [48]******
ipid = 31741(7bfd), @1d6fe914
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/9:10.61.20.20/4340->5.5.184.184/80,6<Root>
existing session found. sess token 3
flow got session.
flow session id 45815
flow_main_body_vector in ifp ethernet0/9 out ifp N/A
flow vector index 0x123, vector addr 0x40a47d4, orig vector 0x40a47d4
vsd 0 is active
tcp seq check.
Got syn, 10.61.20.20(4340)->5.5.184.184(80), nspflag 0x801801, 0x10000800
route to 5.5.184.184
wait for arp rsp for 5.5.184.184
ifp2 ethernet0/8, out_ifp ethernet0/8, flag 10000800, tunnel ffffffff, rc 0
I just don't get why proxy-arp or DIP isn't responding to the internal ARP request. It doesn't make sense at all.
Any further help would be very much appreciated.
Thanks in advance
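Added example, not part of the post above: a small Python parser for ScreenOS `debug flow basic` output of the shape shown in the post. It groups the lines per received packet, pulls out the flow 5-tuple, the matched policy, the DIP translation, the session id and every "wait for arp rsp" / "arp entry found" line, then reports which next-hop addresses were ARPed for and never resolved. It also notes when such an address is the same address a DIP pool translates sources to, which is exactly what the output above shows (the box is waiting on ARP for 5.5.184.184 while DIP id 4 is translating sources to 5.5.184.184). The sample input is a trimmed copy of the debug lines from the post; the function and field names are my own.

```python
"""Parse ScreenOS `debug flow basic` output and flag flows stuck waiting on ARP."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of the debug flow lines from the post above.
SAMPLE_DEBUG = """\
****** 153316.0: <Trust/ethernet0/9> packet received [48]******
ipid = 31681(7bc1), @1d6d0914
ethernet0/9:10.61.20.20/4340->5.5.184.184/80,6<Root>
no session found
routed (x_dst_ip 5.5.184.184) from ethernet0/9 (ethernet0/9 in 0) to ethernet0/8
Permitted by policy 25
src-nat dip id = 4, 10.61.20.20/4340->5.5.184.184/1999
Session (id:45815) created for first pak 123
wait for arp rsp for 5.5.184.184
arp entry found for 10.61.20.20
****** 153319.0: <Trust/ethernet0/9> packet received [48]******
ethernet0/9:10.61.20.20/4340->5.5.184.184/80,6<Root>
existing session found. sess token 3
flow session id 45815
wait for arp rsp for 5.5.184.184
"""

# One regex per debug line type we care about (line already stripped).
PACKET_HDR = re.compile(r"^\*+ (?P<ts>[\d.]+): <(?P<zone>[^/]+)/(?P<ifp>[^>]+)> packet received \[\d+\]")
FLOW_LINE = re.compile(r"^(?P<ifp>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
ROUTED = re.compile(r"^routed \(x_dst_ip (?P<nexthop>[\d.]+)\) from (?P<in_ifp>\S+) .* to (?P<out_ifp>\S+)$")
POLICY = re.compile(r"^Permitted by policy (?P<policy>\d+)")
SRC_NAT = re.compile(r"^src-nat dip id = (?P<dip>\d+), [\d.]+/\d+->(?P<xsrc>[\d.]+)/(?P<xport>\d+)")
SESS_NEW = re.compile(r"^Session \(id:(?P<sid>\d+)\) created")
SESS_OLD = re.compile(r"^flow session id (?P<sid>\d+)")
ARP_WAIT = re.compile(r"^wait for arp rsp for (?P<ip>[\d.]+)")
ARP_FOUND = re.compile(r"^arp entry found for (?P<ip>[\d.]+)")


@dataclass
class Packet:
    """Everything the debug output tells us about one received packet."""
    ts: str
    in_zone: str
    in_ifp: str
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: int = 0
    out_ifp: str = ""
    policy: Optional[int] = None
    dip_id: Optional[int] = None
    xlate_src: str = ""            # source address after DIP translation
    session_id: Optional[int] = None
    arp_waiting: list = field(default_factory=list)   # next hops still unresolved
    arp_resolved: list = field(default_factory=list)  # next hops with an ARP entry


def parse_debug_flow(text: str) -> list:
    """Split the debug stream on packet headers and fill one Packet per header."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PACKET_HDR.match(line):
            cur = Packet(ts=m["ts"], in_zone=m["zone"], in_ifp=m["ifp"])
            packets.append(cur)
        elif cur is None:
            continue  # lines before the first header carry no packet context
        elif m := FLOW_LINE.match(line):
            cur.src, cur.sport, cur.dst = m["src"], int(m["sport"]), m["dst"]
            cur.dport, cur.proto = int(m["dport"]), int(m["proto"])
        elif m := ROUTED.match(line):
            cur.out_ifp = m["out_ifp"]
        elif m := POLICY.match(line):
            cur.policy = int(m["policy"])
        elif m := SRC_NAT.match(line):
            cur.dip_id, cur.xlate_src = int(m["dip"]), m["xsrc"]
        elif m := (SESS_NEW.match(line) or SESS_OLD.match(line)):
            cur.session_id = int(m["sid"])
        elif m := ARP_WAIT.match(line):
            cur.arp_waiting.append(m["ip"])
        elif m := ARP_FOUND.match(line):
            cur.arp_resolved.append(m["ip"])
    return packets


def diagnose(packets: list) -> dict:
    """Per next hop the box ARPed for: wait count, sessions involved, whether any
    packet ever saw an ARP entry for it, and whether it is also a DIP address."""
    dips = {p.xlate_src for p in packets if p.xlate_src}
    resolved = {ip for p in packets for ip in p.arp_resolved}
    report = {}
    for p in packets:
        for ip in p.arp_waiting:
            entry = report.setdefault(ip, {"waits": 0, "sessions": set(),
                                           "resolved": ip in resolved,
                                           "is_dip_address": ip in dips})
            entry["waits"] += 1
            if p.session_id is not None:
                entry["sessions"].add(p.session_id)
    return report


if __name__ == "__main__":
    for ip, info in diagnose(parse_debug_flow(SAMPLE_DEBUG)).items():
        state = "resolved" if info["resolved"] else "NEVER resolved"
        note = " (same address as a DIP translation)" if info["is_dip_address"] else ""
        print(f"{ip}: {info['waits']} packet(s) waited on ARP, {state}{note}")
```

Run it over a saved `debug flow basic` capture instead of `SAMPLE_DEBUG` to see, per next hop, whether the wait-for-ARP lines ever turn into an ARP entry; a next hop that is waited on repeatedly and never resolved, and that is also a DIP address on the outgoing interface, is the pattern in the output above.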