Screen OS

  • 1.  packet dropped: for self but not interested

    Posted 03-17-2011 04:04

    Hi,


    We don't receive any packets from this IP address 192.168.160.138. I ran "debug flow basic" and the output is below.


    Please help to identify the problem and resolve it!

     

    Djezzy_DEB_FW2(M)-> get db stream
    **st: <DEB-TECH|ethernet2/1|Root|0> 4d9c118: acf:192.168.160.138/1478->10.16.8.207/0,1,84
    ****** 40015442.0: <DEB-TECH/ethernet2/1> packet received [84]******
      ipid = 2767(0acf), @04d9c118
      packet passed sanity check.
      ethernet2/1:192.168.160.138/0->10.16.8.207/5240,1(8/0)<Root>
      no session found
      flow_first_inline_vector: in <ethernet2/1>, out <N/A>
      chose interface ethernet2/1 as incoming nat if.
      flow_first_inline_vector: in <ethernet2/1>, out <N/A>
      search route to (ethernet2/1, 192.168.160.138->10.16.8.207) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 110.route 10.16.8.207->10.10.100.250, to ethernet1/1
      routed (x_dst_ip 10.16.8.207) from ethernet2/1 (ethernet2/1 in 0) to ethernet1/1
      policy search from zone 1001-> zone 1000
     policy_flow_search  policy search nat_crt from zone 1001-> zone 1000
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.16.8.207, port 3941, proto 1)
      No SW RPC rule match, search HW rule
    rs_search_ip: policy matched id/idx/action = 1757/857/0x9
      Permitted by policy 1757
      packet dropped: for self but not interested



  • 2.  RE: packet dropped: for self but not interested

    Posted 03-17-2011 05:22

    Hi,

     

    Take a closer look at this:

     

    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.16.8.207, port 3941, proto 1)
      No SW RPC rule match, search HW rule

     

    Gavrilo



  • 3.  RE: packet dropped: for self but not interested

    Posted 03-17-2011 05:36

    Hi Gavrilo,

     

    Thanks for your reply.

     

    So, I don't understand: normally the packet is permitted by this policy 1757 and it's properly configured.

     

    Why is the packet dropped? :(

     

    Regards



  • 4.  RE: packet dropped: for self but not interested

    Posted 03-17-2011 06:44

    Possibly because when your DHCP IP address changes, the new IP address can be seen with a 'get interface' but the OLD IP address is seen with the 'get route' command.

     

    Gavrilo



  • 5.  RE: packet dropped: for self but not interested

    Posted 03-17-2011 06:55

    We don't use DHCP and the routing is correct :(

     

    FW2(M)-> get route ip 10.16.8.207
     Dest for 10.16.8.207
    --------------------------------------------------------------------------------------
    trust-vr       : => 10.16.0.0/16 (id=110) via 10.10.100.250 (vr: trust-vr)
                        Interface ethernet1/1 , metric 1

    FW2(M)-> get route ip 192.168.160.138
     Dest for 192.168.160.138
    --------------------------------------------------------------------------------------
    trust-vr       : => 192.168.0.0/16 (id=111) via 192.168.150.201 (vr: trust-vr)
                        Interface ethernet2/1 , metric 1



  • 6.  RE: packet dropped: for self but not interested

    Posted 03-17-2011 09:17

    From memory "packet dropped: for self but not interested" usually means there is a route which is no longer valid. If you have management on 443 enabled system wide, but not enabled as the management service on the interface you would generate this message. Along with this service you also need to enable SSL service which is required for secure connection.

     

    Gavrilo



  • 7.  RE: packet dropped: for self but not interested

    Posted 03-17-2011 15:32

    packet dropped: for self but not interested: You're sending traffic to an IP of the device itself, but there is no service on the destination port, or access is prohibited by the permitted IP list.



  • 8.  RE: packet dropped: for self but not interested

    Posted 03-18-2011 02:39
    FYI, I have changed the IP address of the workstation 10.16.8.207 --> 10.16.8.210, and it's working well and the packet is permitted by the same policy.
    What does this mean? Maybe a routing issue!


  • 9.  RE: packet dropped: for self but not interested
    Best Answer

    Posted 03-20-2011 06:58

    After checking the config, I noticed that there is a DIP configured on Eth2/1 with this IP address 10.16.8.207:

     

    set interface ethernet2/1 ext ip 10.16.8.207 255.255.255.255 dip 11 shift-from 10.16.12.251 to 10.16.8.207 10.16.8.207

     

    As this configuration is old and unused, I have removed the DIP and the problem is now resolved.

     

    Thanks to all.
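
The cause found in post 9 (a leftover DIP / extended IP on ethernet2/1 that covers the destination address) can be checked mechanically. The following is an added example, not part of the original thread: it assumes the saved config and the `debug flow basic` output are available as text, uses constructed sample input built from lines quoted above, and its function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, assembled from lines quoted in this thread.
CONFIG = """\
set interface ethernet1/1 route
set interface ethernet2/1 ext ip 10.16.8.207 255.255.255.255 dip 11 shift-from 10.16.12.251 to 10.16.8.207 10.16.8.207
"""
DEBUG = """\
  ethernet2/1:192.168.160.138/0->10.16.8.207/5240,1(8/0)<Root>
  Permitted by policy 1757
  packet dropped: for self but not interested
"""
DROP_MSG = "packet dropped: for self but not interested"
DIP_RE = re.compile(
    r"^set interface (?P<ifname>\S+) (?:ext ip (?P<ext>\S+) \S+ )?"
    r"dip (?P<id>\d+) (?:shift-from \S+ to )?(?P<low>\S+) (?P<high>\S+)")
FLOW_RE = re.compile(r"^\s*\S+:(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+")

def parse_dips(config):
    """Return (interface, dip_id, low, high, ext_ip) for every DIP pool."""
    pools = []
    for line in config.splitlines():
        m = DIP_RE.match(line.strip())
        if m:
            ext = ipaddress.ip_address(m["ext"]) if m["ext"] else None
            pools.append((m["ifname"], int(m["id"]),
                          ipaddress.ip_address(m["low"]),
                          ipaddress.ip_address(m["high"]), ext))
    return pools

def self_drops(debug):
    """Yield the destination IP of each flow that ended in the 'for self' drop."""
    dst = None
    for line in debug.splitlines():
        m = FLOW_RE.match(line)
        if m:
            dst = ipaddress.ip_address(m["dst"])
        elif DROP_MSG in line and dst is not None:
            yield dst
            dst = None

def find_owners(config, debug):
    """Map each dropped destination to the DIP pools / ext IPs that claim it."""
    pools = parse_dips(config)
    return {str(dst): [(ifname, dip_id) for ifname, dip_id, low, high, ext in pools
                       if low <= dst <= high or dst == ext]
            for dst in self_drops(debug)}

if __name__ == "__main__":
    print(find_owners(CONFIG, DEBUG))
```

An empty list for a destination means no DIP pool in the config covers it, so the other causes mentioned in this thread (management services, permitted IP list) are the next things to check.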

     



  • 10.  RE: packet dropped: for self but not interested

    Posted 09-08-2011 07:32

    FYI, another cause for this message when you are trying to hit the management interface can be that you have a list of permitted IPs defined for management access, and your client IP/range isn't in the list.



  • 11.  RE: packet dropped: for self but not interested

    Posted 08-31-2012 00:11

    Hey 

     

    I have a NAT policy from DIP

     

    KNFWC01(M)-> get pol id 24
    name:"none" (id 24), zone mio_ext -> mio_ext,action Permit, status "enabled"
    3 sources: "t-10.4.188.0/23-NGP", "t-10.4.56.0/23-ngp", "t-10.5.138.0/23-NGP"
    1 destination: "w-10.4.26.107-mmsvip"
    2 services: "PING", "tcp-8003"
    Rules on this VPN policy: 0
    nat dst map to 10.9.76.199, Web filtering disabled

     

     

    KNFWC01(M)-> get dip
    Dip Id  Dip Low      Dip High     Interface          Attribute   Usage
    6       10.4.26.106  10.4.26.106  aggregate2.1903:5  port-xlate  n/a
    7       10.4.26.107  10.4.26.107  aggregate2.1903:5  port-xlate  n/a

     

    Now pinging gives me errors

     

    "packet dropped: for self but not interested"

     

    Now I can't remove the DIP as it's needed for NAT; how can I make this work?

     

    Pls help