ScreenOS Firewalls (NOT SRX)
Visitor
homealone
Posts: 6
Registered: 11-20-2007

pkt not xfred to h/w

Simple src nat appears to be failing. Can see a policy pass in the debug... any clues?

**st: <pr|ethernet2/1.5|Root|28> e00d811c: 49b6:10.124.33.27/f23d->203.91.64.203/16,6,48
****** 22273504.0: <pr/ethernet2/1.5> packet received [48]******
  ipid = 18870(49b6), @e00d811c
  packet passed sanity check.
  ethernet2/1.5:10.124.33.27/62013->203.91.64.203/22,6<Root>
  flow_first_inline_vector: in <ethernet2/1.5>, out <N/A>
  chose interface ethernet2/1.5 as incoming nat if.
  flow_first_inline_vector: in <ethernet2/1.5>, out <N/A>
  search route to (ethernet2/1.5, 10.124.33.27->203.91.64.203) in vr ndc-vr for vsd-0/flag-0/ifp-null
  [ Dest] 84.route 203.91.64.203->10.176.65.1, to ethernet2/3.1
  routed (x_dst_ip 203.91.64.203) from ethernet2/1.5 (ethernet2/1.5 in 0) to ethernet2/3.1
  policy search from zone 3007-> zone 3001
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 203.91.64.203, port 22, proto 6)
  No SW RPC rule match, search HW rule
  Permitted by policy 975
  dip id = 11, 10.124.33.27/62013->202.124.66.5/1141
  choose interface ethernet2/3.1 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet2/3.1
  vsd 0 is active
  no loop on ifp ethernet2/3.1.
  session application type 22, name None, nas_id 0, timeout 1800sec
ALG vector is not attached
  service lookup identified service 0.
  flow_first_inline_vector: in <ethernet2/1.5>, out <ethernet2/3.1>
  existing vector list 23-29b9fcd0.
  Session (id:898220) created for first pak 23
  flow_first_install_session======>
  route to 10.176.65.1
  arp entry found for 10.176.65.1
  nsp2 wing prepared, ready
cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (null, 0.0.0.0->10.124.33.27) in vr ndc-vr for vsd-0/flag-3000/ifp-ethernet2/1.5
  [ Dest] 149.route 10.124.33.27->10.176.40.2, to ethernet2/1.5
  route to 10.176.40.2
Success installing work and forward sessions
  nsrp msg sent.
  flow got session.
  flow session id 898220
  vsd 0 is active
  Got syn, 10.124.33.27(62013)->203.91.64.203(22), nspflag 0x801805, 0x800804
pkt not xfred to h/w. session flags: 0x40000400

Any ideas?

Thanks

Visitor
homealone
Posts: 6
Registered: 11-20-2007

Re: pkt not xfred to h/w

A bit more information.

The NAT'd address is a secondary address on E2/3.1

There appears to be no route in the VR for the NAT'd IP. I added one, but it still fails with 'cannot transfer to hardware'.

Any clues? :smileysad:

Visitor
homealone
Posts: 6
Registered: 11-20-2007

Re: pkt not xfred to h/w

So I've used an IP from the interface's primary range, and it works... Can anyone tell me the restrictions with Src NAT using secondary addresses on an interface? I can't get it to work :smileysad: Works fine using IPs from the primary subnet though..
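The debug flow excerpt in the first post can be triaged mechanically. The script below is an added example, not code from this thread or from Juniper: it pulls the source-NAT facts out of a ScreenOS "debug flow basic" excerpt (policy hit, DIP id and translated address/port, egress interface, session id, and the "pkt not xfred to h/w" marker) and then checks whether the translated address falls in the egress interface's primary subnet or one of its secondaries. The interface addressing in INTERFACES is constructed to fit the thread (the route goes to 10.176.65.1 via ethernet2/3.1 and the DIP address is a secondary); it stands in for what "get interface" would show and is not taken from the page.

```python
"""Triage helper for a ScreenOS debug flow excerpt (added example)."""
import ipaddress
import re

# Sample input: the lines from the thread's debug output that the triage reads.
DEBUG_FLOW = """\
  ethernet2/1.5:10.124.33.27/62013->203.91.64.203/22,6<Root>
  [ Dest] 84.route 203.91.64.203->10.176.65.1, to ethernet2/3.1
  Permitted by policy 975
  dip id = 11, 10.124.33.27/62013->202.124.66.5/1141
  choose interface ethernet2/3.1 as outgoing phy if
  Session (id:898220) created for first pak 23
pkt not xfred to h/w. session flags: 0x40000400
"""

# Constructed (hypothetical) interface addressing, standing in for "get interface".
INTERFACES = {
    "ethernet2/3.1": {
        "primary": "10.176.65.2/24",
        "secondary": ["202.124.66.1/29"],
    },
}

_PATTERNS = {
    "policy": re.compile(r"Permitted by policy (\d+)"),
    "dip": re.compile(r"dip id = (\d+), (\S+)->(\d+(?:\.\d+){3})/(\d+)"),
    "out_if": re.compile(r"choose interface (\S+) as outgoing phy if"),
    "session": re.compile(r"Session \(id:(\d+)\) created"),
    "not_xfred": re.compile(r"pkt not xfred to h/w\. session flags: (0x[0-9a-fA-F]+)"),
}


def parse_debug_flow(text):
    """Extract the NAT-relevant facts from a debug flow excerpt."""
    facts = {"policy": None, "dip_id": None, "translated_ip": None,
             "translated_port": None, "out_if": None, "session_id": None,
             "hw_offload_failed": False, "session_flags": None}
    for line in text.splitlines():
        line = line.strip()
        if m := _PATTERNS["policy"].search(line):
            facts["policy"] = int(m.group(1))
        elif m := _PATTERNS["dip"].search(line):
            facts["dip_id"] = int(m.group(1))
            facts["translated_ip"] = m.group(3)
            facts["translated_port"] = int(m.group(4))
        elif m := _PATTERNS["out_if"].search(line):
            facts["out_if"] = m.group(1)
        elif m := _PATTERNS["session"].search(line):
            facts["session_id"] = int(m.group(1))
        elif m := _PATTERNS["not_xfred"].search(line):
            facts["hw_offload_failed"] = True
            facts["session_flags"] = m.group(1)
    return facts


def locate_address(ip, iface):
    """Return 'primary', 'secondary' or 'none' for where ip sits on iface."""
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_interface(iface["primary"]).network:
        return "primary"
    for sec in iface.get("secondary", []):
        if addr in ipaddress.ip_interface(sec).network:
            return "secondary"
    return "none"


def triage(text, interfaces):
    """Parse the excerpt and relate the DIP address to the egress interface."""
    facts = parse_debug_flow(text)
    iface = interfaces.get(facts["out_if"])
    facts["translated_in"] = (
        locate_address(facts["translated_ip"], iface)
        if iface and facts["translated_ip"] else "unknown")
    if facts["hw_offload_failed"] and facts["translated_in"] != "primary":
        facts["verdict"] = ("session built but not offloaded; translated address "
                            "is outside the egress interface's primary subnet")
    elif facts["hw_offload_failed"]:
        facts["verdict"] = "session built but not offloaded; look beyond DIP addressing"
    else:
        facts["verdict"] = "no offload failure seen"
    return facts


if __name__ == "__main__":
    for key, value in triage(DEBUG_FLOW, INTERFACES).items():
        print(f"{key:>18}: {value}")
```

Run it as-is and the verdict reports that the session was created and permitted but not handed to hardware, with the translated address sitting in a secondary subnet of ethernet2/3.1, which is the pattern the thread ends up describing. Swap the DIP line for one that translates into 10.176.65.0/24 and the verdict changes, so the script separates "DIP from a secondary" from other causes of the same debug message.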
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.