ScreenOS Firewalls (NOT SRX)
Visitor
Posts: 4
Registered: ‎07-26-2015
0 Kudos

Route based VPN - packet dropped, no route - problem

I have two Juniper SSG5 with the same firmware version 6.3.0r23.0.
A route based VPN set up between the two that is seemingly working.
SA - status is active and link is up. The tunnel is stable.
On both sites:
Ethernet0/0 is the outgoing interface that has access to the internet.
Ethernet0/0 is in the untrust zone (untrust-vr).
The tunnel interface is configured in a zone called VPN (trust-vr) and Ethernet0/4.
The zone named Config (trust-vr), configured on both sites is what the VPN shall interconnect.
SiteA
Ethernet0/0 is configured with a Static ip
Ethernet0/4 10.1.1.0/24
The tunnel interface is named tunnel.1
Config zone 10.238.135.96/24 GW 10.238.135.97 (manageable)
SiteB
Ethernet0/0 Dynamic IP behind a NAT
Ethernet0/4 172.16.10.0/24
The tunnel interface is named tunnel.2
Config zone 10.238.135.128/28 GW 10.238.135.129 (manageable)

I have followed a KB article (KB15075) to configure a Route Based LAN to LAN VPN using pre-shared secrets to a remote site with a dynamically assigned IP address.

I don’t have any hosts connected yet so I am only trying to pass traffic between the gateways and I am testing with http/https between the sites.

The problem I am having is that I get a “packet dropped, no route” on the other site when trying to access its gateway.

The logs below are from when I, from SiteA, connect using http to SiteB’s gateway, 10.238.135.129, from a laptop with IP 10.238.135.101.

The packet got all the way to SiteB, but is dropped because it cannot find a route.

As you can see below there should be a route, and if I understand correctly there are no route loops.

I added the debug log from SiteA too at the bottom of the post.

The problem is the same both ways.

Could anyone help me shed some light on this, what is causing the “packet dropped, no route”?


SiteB - debug log:

****** packet decapsulated, type=ipsec, len=64******
ipid = 24716(608c), @038c2238
tunnel.2:10.238.135.101/49532->10.238.135.129/80,6<Root>
no session found
flow_first_sanity_check: in <tunnel.2>, out <N/A>
chose interface tunnel.2 as incoming nat if.
flow_first_routing: in <tunnel.2>, out <N/A>
search route to (tunnel.2, 10.238.135.101->10.238.135.129) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 0 for 10.238.135.129
no route to (10.238.135.101->10.238.135.129) in vr trust-vr/0
packet dropped, no route
first pak no session
**** pak processing end.

SiteB - Routing

SiteB-> get route ip 10.238.135.129
 Dest for 10.238.135.129
--------------------------------------------------------------------------------------
trust-vr       : => 10.238.135.129/32 (id=14) via 0.0.0.0 (vr: trust-vr)
                    Interface bgroup1 , metric 0

potential routes in other vrouters:

untrust-vr     : => 0.0.0.0/0 (id=31) via 192.168.2.1 (vr: untrust-vr)
                    Interface ethernet0/0 , metric 1



IPv4 Dest-Routes for <untrust-vr> (3 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        31          0.0.0.0/0         eth0/0     192.168.2.1   C    0      1     Root
*         1     192.168.2.0/24         eth0/0         0.0.0.0   C    0      0     Root
*         2   192.168.2.172/32         eth0/0         0.0.0.0   H    0      0     Root



IPv4 Dest-Routes for <trust-vr> (18 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        26          0.0.0.0/0            n/a      untrust-vr   S   20     10     Root
*        25   10.238.135.96/29          tun.2         0.0.0.0   S   20      1     Root
          1  10.238.135.104/30         eth0/1         0.0.0.0   C    0      0     Root
          2  10.238.135.105/32         eth0/1         0.0.0.0   H    0      0     Root
          9  10.238.135.108/30       eth0/3.3         0.0.0.0   C    0      0     Root
         10  10.238.135.109/32       eth0/3.3         0.0.0.0   H    0      0     Root
          3  10.238.135.112/30         eth0/2         0.0.0.0   C    0      0     Root
          4  10.238.135.113/32         eth0/2         0.0.0.0   H    0      0     Root
         12   10.238.135.65/32       eth0/3.4         0.0.0.0   H    0      0     Root
         11   10.238.135.64/27       eth0/3.4         0.0.0.0   C    0      0     Root
          8   10.238.135.33/32       eth0/3.2         0.0.0.0   H    0      0     Root
         23     172.16.10.0/24         eth0/4         0.0.0.0   C    0      0     Root
          7   10.238.135.32/27       eth0/3.2         0.0.0.0   C    0      0     Root
          6    10.238.135.1/32       eth0/3.1         0.0.0.0   H    0      0     Root
          5    10.238.135.0/27       eth0/3.1         0.0.0.0   C    0      0     Root
*        24     172.16.10.0/32         eth0/4         0.0.0.0   H    0      0     Root
*        14  10.238.135.129/32        bgroup1         0.0.0.0   H    0      0     Root
*        13  10.238.135.128/28        bgroup1         0.0.0.0   C    0      0     Root
SiteA - debug log:

***** 1988340.0: <Config/bgroup1> packet received [64]******
ipid = 61148(eedc), @03945790
packet passed sanity check.
flow_decap_vector IPv4 process
bgroup1:10.238.135.101/49505->10.238.135.129/80,6<Root>
no session found
flow_first_sanity_check: in <bgroup1>, out <N/A>
chose interface bgroup1 as incoming nat if.
flow_first_routing: in <bgroup1>, out <N/A>
search route to (bgroup1, 10.238.135.101->10.238.135.129) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 29 for 10.238.135.129
[ Dest] 29.route 10.238.135.129->10.238.135.129, to tunnel.1
routed (x_dst_ip 10.238.135.129) from bgroup1 (bgroup1 in 0) to tunnel.1
policy search from zone 100-> zone 107
policy_flow_search policy search nat_crt from zone 100-> zone 107
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.238.135.129, port 80, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 12/1/0x9
Permitted by policy 12
No src xlate NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.238.135.129
matched tunnel-id <0x0000000f>
choose interface tunnel.1 as outgoing phy if
no loop on ifp tunnel.1.
session application type 6, name HTTP, nas_id 0, timeout 300sec
service lookup identified service 0.
flow_first_final_check: in <bgroup1>, out <tunnel.1>
existing vector list 107-30c6764.
Session (id:8045) created for first pak 107
flow_first_install_session======>
handle cleartext reverse route
search route to (tunnel.1, 10.238.135.129->10.238.135.101) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup1
cached route 20 for 10.238.135.101
[ Dest] 20.route 10.238.135.101->10.238.135.101, to bgroup1
route to 10.238.135.101
cached arp entry with MAC 0026b0e55c64 for 10.238.135.101
arp entry found for 10.238.135.101
ifp2 bgroup1, out_ifp bgroup1, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 8045
flow_main_body_vector in ifp bgroup1 out ifp tunnel.1
flow vector index 0x107, vector addr 0x30c6764, orig vector 0x30c6764
tcp head size = 44, opt_size=24
MSS found 0x05b4
adjust outbound vpn tcp mss.
tcp seq check.
Got syn, 10.238.135.101(49505)->10.238.135.129(80), nspflag 0x801801, 0x2800
post addr xlation: 10.238.135.101->10.238.135.129.
skipping pre-frag
going into tunnel 4000000f.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 0000000f
(vn2) doing ESP encryption and size =80
ESP-tunnel packet, set dscp to 0(tos 0)
ipsec encrypt prepare engine done
ipsec encrypt set engine done
POLL_DROP_PAK: vlist 0x30c6764, 0x30c6780
ipsec encrypt engine released
ipsec encrypt done
put packet(3c4e750) into flush queue.
remove packet(3c4e750) out from flush queue.

**** jump to packet:[SiteA—external-IP]>[SiteB-external-IP]
packet encapsulated, type=ipsec, len=136
ipid = 51190(c7f6), @03945764
going into tunnel c000000f.
flow_encrypt: enc vector=e3bef0.
packet encapsulated, type=natt, len=144
ipid = 51190(c7f6), @0394575c
out encryption tunnel c000000f gw:[SiteA-external-GW]
no more encapping needed
send out through normal path.
flow_ip_send: c7f6:[SiteA—external-IP]->[SiteB-external-IP],17 => ethernet0/0(144) flag 0x0, vlan 0
mac 00192fe607d9 in session
packet send out to 00192fe607d9 through ethernet0/0
**** pak processing end.
Trusted Contributor
Posts: 93
Registered: ‎03-31-2016
0 Kudos

Re: Route based VPN - packet dropped, no route - problem

Can you please get the below outputs from Site B:

1: get route id 14

2: get int tun.2

3: get inter bgroup1

4: get flow

Thanks,

Vikas

Visitor
Posts: 4
Registered: ‎07-26-2015
0 Kudos

Re: Route based VPN - packet dropped, no route - problem

Hi Vikas

Thank you for your reply, below you can find the outputs you mentioned in your post.

SiteB-> get route id 14
route in trust-vr:
------------------------------------------------
id:                   14
IP address/mask:      10.238.135.129/32
next hop (gateway):   0.0.0.0
preference:           0
metric:               0
description:          
outgoing interface:   bgroup1
vsys name/id:         Root/0
tag:                  0
flag:                 34000000/00100000
type:                 host
status:               active (for 1 minutes 1 seconds)
SiteB-> get int tun.2
Interface tunnel.2:
  description tunnel.2
  number 20, if_info 1776, if_index 2, mode route
  if_signature 0x4e53434e
  sess token 25, flow flag 0x0 if flag 0x20c00200 flag2 0x0
  link up, admin status up
  vsys Root, zone VPN, vr trust-vr
  hwif tunnel flag 0xc00200 flag2 0x0 flag3 0x10000000, vsys Root
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 0.0.0.0/0  unnumbered, source interface ethernet0/4
  *manage ip 0.0.0.0
  bound vpn: 
    [SiteA.full.FQDN]

  Next-Hop Tunnel Binding table
  Flag Status Next-Hop(IP)    tunnel-id  VPN
        U           10.1.1.0  0x00000008 [SiteA.full.FQDN]

  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled

  OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled
  mtrace disabled
  PIM: not configured  IGMP not configured
  MLD not configured
  NHRP disabled
  bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
SiteB-> get inter bgroup1
Interface bgroup1:
  description bgroup1
  number 12, if_info 1056, if_index 0, mode nat
  if_signature 0x4e53434e
  sess token 18, flow flag 0x0 if flag 0x11025200 flag2 0x0
  link up, phy-link up/full-duplex, admin status up
  status change:145, last change:11/02/2016 17:31:54
  vsys Root, zone Config, vr trust-vr
  hwif bgroup1 flag 0x10000200 flag2 0x0 flag3 0x10100000, vsys Root
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 10.238.135.129/28   mac 5c5e.ab93.4a0c
  *manage ip 10.238.135.129, mac 5c5e.ab93.4a0c
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet disabled, SSH enabled, SNMP disabled
  web enabled, ident-reset disabled, SSL enabled
  DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
  OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled
  mtrace disabled
  PIM: not configured  IGMP not configured
  MLD not configured
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  DHCP-Relay disabled at interface level
  DHCP-server enabled, status on.

  Physical port information:
    ethernet0/5 is down
    ethernet0/6 is up, full duplex, speed is 100mbps
SiteB-> get flow
flow action flag: 0095
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets is not set
flow change tcp mss option for outbound vpn packets = 1350
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Log auth dropped packet disabled
Allow dns reply pkt without matched request : NO
Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : YES
Check TCP SYN bit before create session : NO
Check TCP SYN bit before create session for tunneled packets : YES
Enable the strict SYN check: NO
Allow naked tcp reset pass through firewall: NO
Use Hub-and-Spoke policies for Untrust MIP traffic that loops on same interface
Check  unknown mac flooding : YES
Skip sequence number check in stateful inspection : NO
Drop embedded ICMP : NO
ICMP path mtu discovery : NO
ICMP time exceeded : NO
TCP RST invalidates session immediately : NO
Force packet fragment reassembly : NO
flow log info: 0.0.0.0/0->0.0.0.0/0,0
flow initial session timeout: 20 seconds
flow session cleanup time: 2 seconds
early ageout setting:
	high watermark = 100 (8064 sessions)
	low watermark  = 100 (8064 sessions)
	early ageout   = 2
	RST seq. chk OFF
MAC cache for management traffic: OFF
Fix tunnel outgoing interface: OFF
session timeout on route change is not set
reverse route setting:
	clear-text or first packet going into tunnel: prefer reverse route (default)
	first packet from tunnel: always reverse route (default)
Close session when receive ICMP error packet: YES
Passing through only one ICMP error packet: NO
Flow caches route and arp: YES, miss rate 8%
flow tcp session notification tuning value is 65536
Visitor
Posts: 4
Registered: ‎07-26-2015
0 Kudos

Re: Route based VPN - packet dropped, no route - problem

Should work and is working. The route to the gateway in question only becomes active when there is some host connected to the bgroup1. Since I was only using one laptop, patching it back and forth, there was never a host at each end keeping the route at each end active.

Thanks for listening :)
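The routing-table lesson from the last two posts (the host route 10.238.135.129/32 on bgroup1 is in the table but is only usable while it is active) as an added example that is not part of the thread: a Python parser for the `get route` table format shown above and a longest-prefix lookup that skips routes without the leading `*`, which ScreenOS uses to mark active routes. The sample table is a constructed variant of SiteB's trust-vr table with the two bgroup1 routes shown inactive, modelling the moment when no host was plugged into bgroup1; it does not reproduce ScreenOS's fall-through into untrust-vr, so its lookup lands on the default route where the real debug reported "no route". The function names are my own.

```python
import ipaddress
import re

# Constructed sample: a cut-down copy of SiteB's trust-vr table from the thread,
# with the bgroup1 routes (ids 13 and 14) deliberately shown WITHOUT the
# leading '*' to model the moment when no host was connected to bgroup1 and the
# connected/host routes were inactive. The thread's own capture shows them active.
SAMPLE_TABLE = """\
IPv4 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        26          0.0.0.0/0            n/a      untrust-vr   S   20     10     Root
*        25   10.238.135.96/29          tun.2         0.0.0.0   S   20      1     Root
         23     172.16.10.0/24         eth0/4         0.0.0.0   C    0      0     Root
         14  10.238.135.129/32        bgroup1         0.0.0.0   H    0      0     Root
         13  10.238.135.128/28        bgroup1         0.0.0.0   C    0      0     Root
"""

# One route row: optional '*' (active), id, prefix, interface, gateway,
# protocol letter, preference, metric, vsys. Header and separator rows do not
# match because their second column is not numeric.
ROUTE_RE = re.compile(
    r"^(?P<active>\*)?\s*(?P<id>\d+)\s+(?P<prefix>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<gw>\S+)\s+(?P<proto>[A-Z])\s+(?P<pref>\d+)\s+(?P<metric>\d+)\s+(?P<vsys>\S+)\s*$"
)


def parse_routes(text):
    """Parse a ScreenOS 'get route' style table into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # title, header, separator or blank line
        routes.append({
            "active": m.group("active") == "*",
            "id": int(m.group("id")),
            "prefix": ipaddress.ip_network(m.group("prefix"), strict=False),
            "iface": m.group("iface"),
            "gateway": m.group("gw"),
            "proto": m.group("proto"),
            "pref": int(m.group("pref")),
            "metric": int(m.group("metric")),
        })
    return routes


def lookup(routes, dst, active_only=True):
    """Longest-prefix match for dst; inactive routes are skipped unless asked for."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if active_only and not r["active"]:
            continue
        if dst in r["prefix"]:
            if best is None or r["prefix"].prefixlen > best["prefix"].prefixlen:
                best = r
    return best


def inactive_matches(routes, dst):
    """Inactive routes that would cover dst, most specific first.

    A non-empty result means the table knows the destination but the route is
    unusable, typically because the outgoing interface has no link."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if not r["active"] and dst in r["prefix"]]
    return sorted(hits, key=lambda r: r["prefix"].prefixlen, reverse=True)


if __name__ == "__main__":
    table = parse_routes(SAMPLE_TABLE)
    gw = "10.238.135.129"
    chosen = lookup(table, gw)
    print(f"{gw} -> id {chosen['id']} via {chosen['iface']} ({chosen['gateway']})")
    for r in inactive_matches(table, gw):
        print(f"  inactive but covering: id {r['id']} {r['prefix']} on {r['iface']}")
```

Running `inactive_matches` for the destination is the check to make before hunting in policy or VPN configuration: if an inactive connected or host route covers the address, the fix is on the interface link (here, a host on bgroup1), not in the routing or VPN setup.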