SRX Services Gateway

Re: 2 vpns issue

‎01-10-2019 03:52 AM

Do you want me to remove esp and add tcp, or continue without protocols?


Re: 2 vpns issue

‎01-10-2019 04:07 AM

First of all, there is no filter to match the flow 10.11.11.12/78->192.168.50.223, so please configure one if you initiate the same ping (same source/destination IP).

Also, there are other filters which have the ESP protocol; they should not catch the clear-text ping traffic matching those IPs in the filter.

 

Thanks,

Vikas


Re: 2 vpns issue

‎01-10-2019 04:15 AM

Could you please help me with where I need to change? In srx A or srx B, from the below traceoptions?

Where should I change? srx A or srx B?

 

srxA flow trace options (50.x , 10.11.11.11 st0.0)

    flow {
        traceoptions {
            file flow-trace size 1m files 2 world-readable;
            flag basic-datapath;
            packet-filter c2s {
                source-prefix 192.168.50.223/24;
                destination-prefix 192.168.200.0/24;
            }
            packet-filter s2c {
                source-prefix 192.168.200.0/24;
                destination-prefix 192.168.50.0/32;
            }
            packet-filter outgoing {
                source-prefix 192.168.200.0/24;
            }
            packet-filter MatchTraffic {
                source-prefix y.y.y.y/29;
                destination-prefix x.x.x.x/26;
            }
            packet-filter MatchTrafficReverse {
                source-prefix 192.168.50.223/24;
                destination-prefix 192.168.200.23/24;
            }
            packet-filter f1 {
                destination-prefix 192.168.200.0/24;
            }
            packet-filter filter1 {
                protocol esp;
                source-prefix 10.11.11.11/24;
                destination-prefix 10.11.11.12/24;
            }
            packet-filter filter2 {
                protocol esp;
                source-prefix 10.11.11.12/24;
                destination-prefix 10.11.11.11/24;
            }
            packet-filter filter3 {
                source-prefix 192.168.50.0/24;
                destination-prefix 192.168.200.0/24;
            }
            packet-filter filter4 {
                source-prefix 192.168.200.0/24;
                destination-prefix 192.168.50.0/24;
            }
        }
    }

 

srxB  (200.x n/w , 10.11.11.12 st0.0 )

 

    flow {
        traceoptions {
            file trc-sec-flow size 30k files 3 world-readable;
            flag basic-datapath;
            flag packet-drops;
            packet-filter f2 {
                destination-prefix 192.168.50.0/24;
            }
            packet-filter filter1 {
                protocol esp;
                source-prefix 10.11.11.12/32;
                destination-prefix 10.11.11.11/32;
            }
            packet-filter filter2 {
                protocol esp;
                source-prefix 10.11.11.12/32;
                destination-prefix 10.11.11.11/32;
            }
            packet-filter filter3 {
                protocol tcp;
                destination-prefix y.y.y.y/32;
                destination-port ssh;
            }
            packet-filter filter4 {
                protocol tcp;
                source-prefix x.x.x.x/32;
                destination-port ssh;
            }
        }
    }


Re: 2 vpns issue

‎01-10-2019 04:28 AM

changed srxA filter as follows

            packet-filter filter1 {
                protocol esp;
                source-prefix 192.168.50.223/24;
                destination-prefix 192.168.200.23/24;
            }
            packet-filter filter2 {
                protocol esp;
                source-prefix 192.168.200.23/24;
                destination-prefix 192.168.50.223/24;
            }
            packet-filter filter3 {
                source-prefix 192.168.50.0/24;
                destination-prefix 192.168.200.0/24;
            }
            packet-filter filter4 {
                source-prefix 192.168.200.0/24;
                destination-prefix 192.168.50.0/24;
            }

 

Results : srx B

Jan 10 19:13:13 19:13:12.797924:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  dip id = 0/0, 10.11.11.12/81->10.11.11.12/81 protocol 0
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT: Found tunnel for if (non-vpn or vpn without nhtb) st0.0
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:flow_first_get_tun_info: tunnel out 0x603f6660, tun id 131074
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x603f6660, tun id 131074
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 192.168.50.223, rtt_idx:0
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf : Alloc sess plugin info for session 339302668506
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 140055540, impli mask(0x4f), post_nat cnt 252122 svc req(0x0)
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:-jsf : no plugin interested for session 339302668506, free sess plugin info
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:flow_first_service_lookup(): natp(0x5b497fb8): app_id, 0(0).
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  service lookup identified service 0.
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/0.0>
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:flow_first_complete_session, pak_ptr: 0x5090ec98, nsp: 0x5b497fb8, in_tunnel: 0x0
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:construct v4 vector for nsp2
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  existing vector list 0x204-0x49b21910.
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  Session (id:252122) created for first pak 204
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  flow_first_install_session======> 0x5b497fb8
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT: nsp 0x5b497fb8, nsp2 0x5b498038
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  make_nsp_ready_no_resolve()
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  route lookup: dest-ip 10.11.11.12 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  route to 10.11.11.12
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:no need update ha
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:Installing c2s NP session wing
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  flow got session.
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  flow session id 252122
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT: vector bits 0x204 vector 0x49b21910
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:ttl vector, out_tunnel = 0x603f6660
                                        
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  encap vector
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  going into tunnel 131074 (nsp_tunnel=0x603f6660).
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:  flow_encrypt: tun 0x603f6660, type 1
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:mbuf 0x4484de80, exit nh 0x390010
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x5090ec98 associated with mbuf 0x4484de80
 
Jan 10 19:13:13 19:13:12.797924:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
 
 
Jan 10 19:13:13 19:13:13.439494:CID-0:RT:jsf sess close notify
 
Jan 10 19:13:13 19:13:13.439494:CID-0:RT:flow_ipv4_del_flow: sess 477038, in hash 32
 
Jan 10 19:13:13 19:13:13.439494:CID-0:RT:flow_ipv4_del_flow: sess 477038, in hash 32
 
Jan 10 19:13:13 19:13:13.439494:CID-0:RT:jsf sess close notify
 
Jan 10 19:13:13 19:13:13.439494:CID-0:RT:flow_ipv4_del_flow: sess 428740, in hash 32
 
Jan 10 19:13:13 19:13:13.439494:CID-0:RT:flow_ipv4_del_flow: sess 428740, in hash 32
 
Jan 10 19:13:15 19:13:15.443178:CID-0:RT:jsf sess close notify
 
Jan 10 19:13:15 19:13:15.443178:CID-0:RT:flow_ipv4_del_flow: sess 402883, in hash 32
 
Jan 10 19:13:15 19:13:15.443178:CID-0:RT:flow_ipv4_del_flow: sess 402883, in hash 32
                                        
Jan 10 19:13:15 19:13:15.443178:CID-0:RT:jsf sess close notify

 

 

srx A result when pinging from B to 192.168.50.223

 

Jan 10 12:20:33 12:20:33.372160:CID-0:RT:<x.x.x.159.195/45128->x.x.x.219.249/15033;50,0x0> matched filter MatchTraffic:
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:packet [136] ipid = 46393, @0x43e1b71c
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e1b500, rtbl_idx = 0
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/0.0
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:  ge-0/0/0.0:x.x.x.159.195->x.x.x.219.249, 50
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT: find flow: table 0x52fa0fc0, hash 56870(0xffff), sa x.x.x.159.195, da x.x.x.219.249, sp 45128, dp 15033, proto 50, tok 10, conn-tag 0x00000000
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:Found: session id 0xb179. sess tok 10
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:  flow got session.
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:  flow session id 45433
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:  slb_rs: nsp2flag = 0xffffffff, nspflag = 0x100621
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:  spu local: nspflag = 0xffffffff
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:  flow_decrypt: tun 0x562a5568(flag 0x82), iif 73
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:lpak_init: lpak 0x511f7968, paksize 136, machdr 0x0, iphdr 0x43e1b71c
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:<x.x.x.159.195/45128->x.x.x.219.249/15033;50,0x0> matched filter MatchTraffic:
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT:packet [136] ipid = 46393, @0x43e1b71c
 
Jan 10 12:20:33 12:20:33.372160:CID-0:RT: ----- flow_process_pkt rc 0x11 (fp rc 0)
 
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:<x.x.x.159.195/45128->x.x.x.219.249/15033;50,0x0> matched filter MatchTraffic:
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:packet [136] ipid = 46452, @0x43e3f91c
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e3f700, rtbl_idx = 0
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/0.0
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:  ge-0/0/0.0:x.x.x.159.195->x.x.x.219.249, 50
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT: find flow: table 0x52fa0fc0, hash 56870(0xffff), sa x.x.x.159.195, da x.x.x.219.249, sp 45128, dp 15033, proto 50, tok 10, conn-tag 0x00000000
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:Found: session id 0xb179. sess tok 10
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:  flow got session.
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:  flow session id 45433
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:  slb_rs: nsp2flag = 0xffffffff, nspflag = 0x100621
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:  spu local: nspflag = 0xffffffff
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:  flow_decrypt: tun 0x562a5568(flag 0x82), iif 73
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:lpak_init: lpak 0x511f7968, paksize 136, machdr 0x0, iphdr 0x43e3f91c
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:<x.x.x.159.195/45128->x.x.x.219.249/15033;50,0x0> matched filter MatchTraffic:
 
Jan 10 12:20:34 12:20:34.387857:CID-0:RT:packet [136] ipid = 46452, @0x43e3f91c
                                        
Jan 10 12:20:34 12:20:34.387857:CID-0:RT: ----- flow_process_pkt rc 0x11 (fp rc 0)
 
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:<x.x.x.159.195/45128->x.x.x.219.249/15033;50,0x0> matched filter MatchTraffic:
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:packet [136] ipid = 46495, @0x43df751c
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43df7300, rtbl_idx = 0
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/0.0
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:  ge-0/0/0.0:x.x.x.159.195->x.x.x.219.249, 50
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT: find flow: table 0x52fa0fc0, hash 56870(0xffff), sa x.x.x.159.195, da x.x.x.219.249, sp 45128, dp 15033, proto 50, tok 10, conn-tag 0x00000000
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:Found: session id 0xb179. sess tok 10
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:  flow got session.
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:  flow session id 45433
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:  slb_rs: nsp2flag = 0xffffffff, nspflag = 0x100621
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:  spu local: nspflag = 0xffffffff
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:  flow_decrypt: tun 0x562a5568(flag 0x82), iif 73
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:lpak_init: lpak 0x511f7968, paksize 136, machdr 0x0, iphdr 0x43df751c
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:<x.x.x.159.195/45128->x.x.x.219.249/15033;50,0x0> matched filter MatchTraffic:
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT:packet [136] ipid = 46495, @0x43df751c
 
Jan 10 12:20:35 12:20:35.404657:CID-0:RT: ----- flow_process_pkt rc 0x11 (fp rc 0)
 
 


Re: 2 vpns issue

‎01-10-2019 04:50 AM

Add the below two filters on each SRX with /32:

 

set security flow traceoptions packet-filter 1 source-prefix <ip you are pinging>/32
set security flow traceoptions packet-filter 2 destination-prefix <ip you are pinging>/32

 

You can delete the other filters if you are not using them, to avoid unnecessary data in the logs.

 

Thanks,

Vikas
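
Why the ESP-only filters miss the ping and what the two /32 filters catch, as an added example that is not part of the original post: a small Python model of packet-filter matching, run against the srxA filters quoted earlier in the thread. It assumes the criteria inside one packet-filter are ANDed, separate packet-filters are ORed, and host bits in a prefix are masked off; the redacted MatchTraffic filter is left out, and all class and function names are illustrative.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _in_prefix(prefix: str, ip: str) -> bool:
    # strict=False masks host bits, so 192.168.50.223/24 is treated as 192.168.50.0/24 (assumption).
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


@dataclass(frozen=True)
class PacketFilter:
    name: str
    src: Optional[str] = None    # source-prefix
    dst: Optional[str] = None    # destination-prefix
    proto: Optional[str] = None  # protocol

    def matches(self, src_ip: str, dst_ip: str, proto: str) -> bool:
        # Every criterion that is set must match (AND); unset criteria match anything.
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None and not _in_prefix(self.src, src_ip):
            return False
        if self.dst is not None and not _in_prefix(self.dst, dst_ip):
            return False
        return True


# srxA filters as posted in the thread (MatchTraffic omitted: its prefixes are redacted).
SRX_A_FILTERS = [
    PacketFilter("c2s", src="192.168.50.223/24", dst="192.168.200.0/24"),
    PacketFilter("s2c", src="192.168.200.0/24", dst="192.168.50.0/32"),
    PacketFilter("outgoing", src="192.168.200.0/24"),
    PacketFilter("MatchTrafficReverse", src="192.168.50.223/24", dst="192.168.200.23/24"),
    PacketFilter("f1", dst="192.168.200.0/24"),
    PacketFilter("filter1", src="10.11.11.11/24", dst="10.11.11.12/24", proto="esp"),
    PacketFilter("filter2", src="10.11.11.12/24", dst="10.11.11.11/24", proto="esp"),
    PacketFilter("filter3", src="192.168.50.0/24", dst="192.168.200.0/24"),
    PacketFilter("filter4", src="192.168.200.0/24", dst="192.168.50.0/24"),
]

# The two filters suggested in the reply, filled in for a ping to 192.168.50.223.
SUGGESTED_FILTERS = [
    PacketFilter("1", src="192.168.50.223/32"),
    PacketFilter("2", dst="192.168.50.223/32"),
]


def matching_filters(filters: List[PacketFilter], src_ip: str, dst_ip: str, proto: str) -> List[str]:
    """Names of all filters that would select this packet for tracing (filters are ORed)."""
    return [f.name for f in filters if f.matches(src_ip, dst_ip, proto)]


if __name__ == "__main__":
    # Clear-text ping sourced from srxB's st0.0 address towards the host behind srxA.
    print(matching_filters(SRX_A_FILTERS, "10.11.11.12", "192.168.50.223", "icmp"))
    # Same packet and its reply against the two /32 filters.
    print(matching_filters(SUGGESTED_FILTERS, "10.11.11.12", "192.168.50.223", "icmp"))
    print(matching_filters(SUGGESTED_FILTERS, "192.168.50.223", "10.11.11.12", "icmp"))
```
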

 


Re: 2 vpns issue

‎01-10-2019 08:25 AM

SRX A: trace flow (Jan 10 15:52:16 15:52:16.908501:CID-0:RT:  packet dropped, denied by policy ??? Why is it?)

 

 

Jan 10 15:52:16 15:52:16.908501:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(1)
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 38654750702  implicit mask(0x0), service request(0x0)
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.11.11.12, x_dst_ip 192.168.50.223, in ifp st0.0, out ifp N/A sp 1603, dp 25809, ip_proto 1, tos 0
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:Doing DESTINATION addr route-lookup
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:flow_ipv4_rt_lkup success 192.168.50.223, iifl 0x4b, oifl 0x53
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:  routed (x_dst_ip 192.168.50.223) from vpn (st0.0 in 0) to ge-0/0/1.0, Next-hop: 192.168.50.223
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:flow_first_policy_search: policy search from zone vpn-> zone Internal (0x0,0x64364d1,0x64d1)
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:Policy lkup: vsys 0 zone(6:vpn) -> zone(9:Internal) scope:0
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:             10.11.11.12/2048 -> 192.168.50.223/55003 proto 1
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:             10.11.11.12/2048 -> 192.168.50.223/55003 proto 1
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:  packet dropped, denied by policy
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:  packet dropped,  policy deny.
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:flow_initiate_first_path: first pak no session
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:  flow find session returns error.
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:flow_proc_rc: -1.
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x50e24ec0 associated with mbuf 0x43e0a500
 
Jan 10 15:52:16 15:52:16.908501:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
 
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:<10.11.11.11/2261->192.168.200.23/29794;1,0x0> matched filter f2:
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:packet [84] ipid = 30104, @0x45e9f5c1
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x45e9f380, rtbl_idx = 0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow process pak, mbuf 0x45e9f380, ifl 0, ctxt_type 0 inq type 5
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT: in_ifp <junos-host:.local..0>
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x5e2412e8
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:host inq check inq_type 0x5
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:Using vr id from pfe_tag with value= 0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:Over-riding lpak->vsys with 0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  .local..0:10.11.11.11->192.168.200.23, icmp, (8/0)
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT: find flow: table 0x52fa0fc0, hash 4866(0xffff), sa 10.11.11.11, da 192.168.200.23, sp 2261, dp 29794, proto 1, tok 2, conn-tag 0x00000000
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  flow_first_create_session
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:(flow_first_create_session) usp_tagged set session as mng session
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:First path alloc and instl pending session, natp=0x5627acc8, id=45082
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 192.168.200.23, sp 2261, dp 29794
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  chose interface .local..0 as incoming nat if.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_rule_dst_xlate: packet 10.11.11.11->192.168.200.23 nsp2 0.0.0.0->192.168.200.23.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:-jsf : Alloc sess plugin info for session 38654750746
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(1)
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 38654750746  implicit mask(0x0), service request(0x0)
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.11.11.11, x_dst_ip 192.168.200.23, in ifp .local..0, out ifp N/A sp 2261, dp 29794, ip_proto 1, tos 0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:Doing DESTINATION addr route-lookup
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_ipv4_rt_lkup success 192.168.200.23, iifl 0x0, oifl 0x4b
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:Checking in-ifp from .local..0 to st0.0 for src: 10.11.11.11 in vr_id:0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  routed (x_dst_ip 192.168.200.23) from junos-host (.local..0 in 0) to st0.0, Next-hop: 192.168.200.23
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone vpn (0x0,0x8d57462,0x7462)
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(6:vpn) scope:0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:             10.11.11.11/2048 -> 192.168.200.23/5002 proto 1
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  permitted by policy self-traffic-policy(1)
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  packet passed, Permitted by policy.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_src_xlate:  incoming src port is : 2261.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  dip id = 0/0, 10.11.11.11/2261->10.11.11.11/2261 protocol 0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:(flow_first_get_tun_info) Valid IP, using IP from session
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  Doing IPSec traffic-selector match for  10.11.11.11 -> 192.168.200.23
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT: Found IPSec nsp_tunnel 0x562a5568 for bind-ifp st0.0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_get_tun_info: tunnel out 0x562a5568, tun id 131073
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x562a5568, tun id 131073, tun if ge-0/0/0.0, tun bind if st0.0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  choose interface ge-0/0/0.0(P2P) as outgoing phy if
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 192.168.200.23, rtt_idx:0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:[JSF]Normal interest check. regd plugins 31, enabled impl mask 0x0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 38654750746, impli mask(0x0), post_nat cnt 0 svc req(0x56d04640)
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:-jsf : no plugin interested for session 38654750746, free sess plugin info
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:[JSF]Releasing plugin info blocks
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_service_lookup(): natp(0x5627acc8): app_id, 0(0).
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  service lookup identified service 0.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/0.0>
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:In flow_first_complete_session
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_first_complete_session, pak_ptr: 0x50e24d00, nsp: 0x5627acc8, in_tunnel: 0x0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:construct v4 vector for nsp2 and nsp
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  existing vector list 0x204-0x4b105040.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  existing vector list 0x204-0x4b105040.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  Session (id:45082) created for first pak 204
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:first pak processing successful
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  flow_first_install_session======> 0x5627acc8
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT: nsp 0x5627acc8, nsp2 0x5627ad58
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  make_nsp_ready_no_resolve()
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_ipv4_rt_lkup success 10.11.11.11, iifl 0x0, oifl 0x0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  route lookup: dest-ip 10.11.11.11 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  route to 10.11.11.11
                                        
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:no need update ha
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:Installing c2s NP session wing
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:first path session installation succeeded
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  flow got session.
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  flow session id 45082
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT: vector bits 0x204 vector 0x4b105040
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:ttl vector, out_tunnel = 0x562a5568
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  encap vector
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  going into tunnel 131073 (nsp_tunnel=0x562a5568).
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:  flow_encrypt: tun 0x562a5568, type 1
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:mbuf 0x45e9f380, exit nh 0x260010
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x50e24d00 associated with mbuf 0x45e9f380
 
Jan 10 15:52:17 15:52:17.468897:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

 

 

SRX B, from srxA ping 192.168.200.23

 

Jan 10 23:12:00 23:11:57.441496:CID-0:RT: jsf sess destroy notify plugin id 22. rc 0
 
Jan 10 23:12:00 23:11:57.441496:CID-0:RT:jsf sess destroy notify
 
Jan 10 23:12:00 23:11:57.441496:CID-0:RT:[JSF] set ext handle 0x0 for plugin 22 on session 360777429824
 
Jan 10 23:12:00 23:11:57.441496:CID-0:RT: jsf sess destroy notify plugin id 22. rc 0
 
Jan 10 23:12:00 23:11:57.441496:CID-0:RT:jsf sess destroy notify
 
Jan 10 23:12:00 23:11:57.441496:CID-0:RT:[JSF] set ext handle 0x0 for plugin 22 on session 356482698312
 
Jan 10 23:12:00 23:11:57.441496:CID-0:RT: jsf sess destroy notify plugin id 22. rc 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:<192.168.200.19/54246->8.8.8.8/53;17> matched filter f1:
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:packet [57] ipid = 20392, @0x4365119e
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43650f80, rtbl_idx = 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/1.0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: find flow: table 0x5088de78, hash 33103(0xffff), sa 192.168.200.19, da 8.8.8.8, sp 54246, dp 53, proto 17, tok 6
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_create_session
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 8.8.8.8, sp 54246, dp 53
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 8.8.8.8(53)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.200.19, x_dst_ip 8.8.8.8, in ifp ge-0/0/1.0, out ifp N/A sp 54246, dp 53, ip_proto 17, tos 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Doing DESTINATION addr route-lookup
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  routed (x_dst_ip 8.8.8.8) from Internal (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: x.x.x.159.193
                                        
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_policy_search: policy search from zone Internal-> zone Internet (0x0,0xd3e60035,0x35)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Policy lkup: vsys 0 zone(6:Internal) -> zone(7:Internet) scope:0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:             192.168.200.19/54246 -> 8.8.8.8/53 proto 17
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  app 16, timeout 60s, curr ageout 60s
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  permitted by policy All_Internal_Internet(4)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  packet passed, Permitted by policy.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 1/2, pst_nat: False.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  dip id = 2/0, 192.168.200.19/54246->x.x.x.159.195/24766 protocol 17
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 8.8.8.8, rtt_idx:0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf : Alloc sess plugin info for session 360777428649
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: Allocating plugin info block for plugin(22)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF] set ext handle 0x49b85010 for plugin 22 on session 360777428649
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x4, impl mask 0x0. rc 3
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF]Plugins(0x4, count 0) enabled for session = 4294967296, impli mask(0x54), post_nat cnt 175785 svc req(0x0)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF]c2s order list:
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:               22
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF]s2c order list:
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:               22
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  service lookup identified service 16.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_complete_session, pak_ptr: 0x5090f090, nsp: 0x59365870, in_tunnel: 0x0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:construct v4 vector for nsp2
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  existing vector list 0x9080-0x48bddd10.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  Session (id:175785) created for first pak 9080
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_install_session======> 0x59365870
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: nsp 0x59365870, nsp2 0x593658f0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  make_nsp_ready_no_resolve()
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  route lookup: dest-ip 192.168.200.19 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 orig-zone 6 out-zone 6 vsd 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  route to 192.168.200.19
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Doing jsf sess create notify
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf create notify: plugin id 22. rc 3
                                        
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_do_jsf_notify_session_creation(): natp(0x59365870): 0 SHORT_CIRCUITED: 0x00000000.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:no need update ha
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Installing c2s NP session wing
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Installing s2c NP session wing
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow got session.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: flow fast tcp/udp session id 175785
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: vector bits 0x9080 vector 0x48bddd10
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: ****jsf svc chain: sess id 175785, dir 1, nat_done 0, pak pid 0, first pid 22
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: plugin id 22. action 0, stbuf 0x0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: jsf reinj pak pid 22, dir 1, jbuf 0x62b1f0f8, release hold 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:jsf_inject_pkt_to_flow: Fill in flow_ctxt->rtbl_idx(0) based on natp, cos 0.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:PKT-PROC for plugin 22 jbuf 0x62b1fbf8, sess jsf flags 0x0, rc 7
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
 
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:<192.168.200.19/17489->8.8.8.8/53;17> matched filter f1:
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:packet [57] ipid = 20393, @0x4362be9e
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4362bc80, rtbl_idx = 0
                                        
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/1.0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: find flow: table 0x5088de78, hash 58183(0xffff), sa 192.168.200.19, da 8.8.8.8, sp 17489, dp 53, proto 17, tok 6
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_create_session
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 8.8.8.8, sp 17489, dp 53
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 8.8.8.8(53)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.200.19, x_dst_ip 8.8.8.8, in ifp ge-0/0/1.0, out ifp N/A sp 17489, dp 53, ip_proto 17, tos 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Doing DESTINATION addr route-lookup
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  routed (x_dst_ip 8.8.8.8) from Internal (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: x.x.x.159.193
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_policy_search: policy search from zone Internal-> zone Internet (0x0,0x44510035,0x35)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Policy lkup: vsys 0 zone(6:Internal) -> zone(7:Internet) scope:0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:             192.168.200.19/17489 -> 8.8.8.8/53 proto 17
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  app 16, timeout 60s, curr ageout 60s
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  permitted by policy All_Internal_Internet(4)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  packet passed, Permitted by policy.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 1/2, pst_nat: False.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  dip id = 2/0, 192.168.200.19/17489->x.x.x.159.195/4315 protocol 17
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 8.8.8.8, rtt_idx:0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf : Alloc sess plugin info for session 356482804594
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
                                        
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: Allocating plugin info block for plugin(22)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF] set ext handle 0x49b00618 for plugin 22 on session 356482804594
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x4, impl mask 0x0. rc 3
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF]Plugins(0x4, count 0) enabled for session = 4294967296, impli mask(0x53), post_nat cnt 519026 svc req(0x0)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF]c2s order list:
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:               22
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:[JSF]s2c order list:
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:               22
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  service lookup identified service 16.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_complete_session, pak_ptr: 0x5090f090, nsp: 0x628a9e78, in_tunnel: 0x0
                                        
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:construct v4 vector for nsp2
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  existing vector list 0x9080-0x48bddd10.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  Session (id:519026) created for first pak 9080
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_install_session======> 0x628a9e78
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: nsp 0x628a9e78, nsp2 0x628a9ef8
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  make_nsp_ready_no_resolve()
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  route lookup: dest-ip 192.168.200.19 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 orig-zone 6 out-zone 6 vsd 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  route to 192.168.200.19
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Doing jsf sess create notify
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf create notify: plugin id 22. rc 3
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_do_jsf_notify_session_creation(): natp(0x628a9e78): 0 SHORT_CIRCUITED: 0x00000000.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:no need update ha
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Installing c2s NP session wing
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Installing s2c NP session wing
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow got session.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: flow fast tcp/udp session id 519026
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: vector bits 0x9080 vector 0x48bddd10
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: ****jsf svc chain: sess id 519026, dir 1, nat_done 0, pak pid 0, first pid 22
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: plugin id 22. action 0, stbuf 0x0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: jsf reinj pak pid 22, dir 1, jbuf 0x62b1f1f8, release hold 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:jsf_inject_pkt_to_flow: Fill in flow_ctxt->rtbl_idx(0) based on natp, cos 0.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:PKT-PROC for plugin 22 jbuf 0x62b1fcf8, sess jsf flags 0x0, rc 7
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
 
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:<192.168.200.19/29940->8.8.8.8/53;17> matched filter f1:
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:packet [57] ipid = 20394, @0x4362d81e
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4362d600, rtbl_idx = 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/1.0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT: find flow: table 0x5088de78, hash 11337(0xffff), sa 192.168.200.19, da 8.8.8.8, sp 29940, dp 53, proto 17, tok 6
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_create_session
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 8.8.8.8, sp 29940, dp 53
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 8.8.8.8(53)
                                        
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.200.19, x_dst_ip 8.8.8.8, in ifp ge-0/0/1.0, out ifp N/A sp 29940, dp 53, ip_proto 17, tos 0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Doing DESTINATION addr route-lookup
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  routed (x_dst_ip 8.8.8.8) from Internal (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: x.x.x.159.193
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_policy_search: policy search from zone Internal-> zone Internet (0x0,0x74f40035,0x35)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:Policy lkup: vsys 0 zone(6:Internal) -> zone(7:Internet) scope:0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:             192.168.200.19/29940 -> 8.8.8.8/53 proto 17
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  app 16, timeout 60s, curr ageout 60s
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  permitted by policy All_Internal_Internet(4)
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  packet passed, Permitted by policy.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 1/2, pst_nat: False.
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  dip id = 2/0, 192.168.200.19/29940->x.x.x.159.195/15707 protocol 17
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 8.8.8.8, rtt_idx:0
 
Jan 10 23:12:00 23:11:57.466460:CID-0:RT:-jsf : Alloc sess plugin info for session 360777284328
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:flow_first_policy_search: policy search from zone Internal-> zone Internet (0x0,0xb6b80035,0x35)
                                        
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:Policy lkup: vsys 0 zone(6:Internal) -> zone(7:Internet) scope:0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:             192.168.200.19/46776 -> 8.8.8.8/53 proto 17
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  app 16, timeout 60s, curr ageout 60s
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  permitted by policy All_Internal_Internet(4)
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  packet passed, Permitted by policy.
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 1/2, pst_nat: False.
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  dip id = 2/0, 192.168.200.19/46776->x.x.x.159.195/28546 protocol 17
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 8.8.8.8, rtt_idx:0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf : Alloc sess plugin info for session 356482678341
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: Allocating plugin info block for plugin(22)
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:[JSF] set ext handle 0x49b43040 for plugin 22 on session 356482678341
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x4, impl mask 0x0. rc 3
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:[JSF]Plugins(0x4, count 0) enabled for session = 4294967296, impli mask(0x53), post_nat cnt 392773 svc req(0x0)
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:[JSF]c2s order list:
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:               22
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:[JSF]s2c order list:
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:               22
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  service lookup identified service 16.
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:flow_first_complete_session, pak_ptr: 0x5090f090, nsp: 0x5f1c2650, in_tunnel: 0x0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:construct v4 vector for nsp2
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  existing vector list 0x9080-0x48bddd10.
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  Session (id:392773) created for first pak 9080
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  flow_first_install_session======> 0x5f1c2650
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: nsp 0x5f1c2650, nsp2 0x5f1c26d0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  make_nsp_ready_no_resolve()
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  route lookup: dest-ip 192.168.200.19 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 orig-zone 6 out-zone 6 vsd 0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  route to 192.168.200.19
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:Doing jsf sess create notify
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:-jsf create notify: plugin id 22. rc 3
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:flow_do_jsf_notify_session_creation(): natp(0x5f1c2650): 0 SHORT_CIRCUITED: 0x00000000.
                                        
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:no need update ha
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:Installing c2s NP session wing
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:Installing s2c NP session wing
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  flow got session.
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: flow fast tcp/udp session id 392773
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: vector bits 0x9080 vector 0x48bddd10
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: ****jsf svc chain: sess id 392773, dir 1, nat_done 0, pak pid 1738063392, first pid 22
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: plugin id 22. action 0, stbuf 0x0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: jsf reinj pak pid 22, dir 1, jbuf 0x62b3c078, release hold 0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:jsf_inject_pkt_to_flow: Fill in flow_ctxt->rtbl_idx(0) based on natp, cos 0.
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:PKT-PROC for plugin 22 jbuf 0x62b3abf8, sess jsf flags 0x0, rc 7
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
 
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:<192.168.200.19/16172->8.8.8.8/53;17> matched filter f1:
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:packet [57] ipid = 20710, @0x435cf79e
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x435cf580, rtbl_idx = 0
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/1.0
                                        
Jan 10 23:12:00 23:11:58.624697:CID-0:RT: find flow: table 0x5088de78, hash 35820(0xffff), sa 192.168.200.19, da 8.8.8.8, sp 16172, dp 53, proto 17, tok 6
 
Jan 10 23:12:00 23:11:58.624697:CID-0:RT:  flow_first_create_session
 
Rotating trace files

 


Re: 2 vpns issue

‎01-10-2019 09:05 AM

Hi, thanks for your help. As you mentioned, I added the flow trace and found that SrxA shows "denied by policy default-policy-logical-system-00(2), dropping pkt", and I googled it. Then I added an Internal-Internal policy on both srxA and srxB. Immediately the st0.0 interface started pinging, and st0.2 (the second VPN) is working but unstable: the IPsec SA is going down and coming back, it's not stable.

Why is it happening? Can't I use both at the same time?
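One way to reduce a long `basic-datapath` trace like the one above to a record per packet, so that a `denied by policy` verdict stands out from the permitted flows. This is an added example, not part of the original posts and not Juniper code; the regular expressions follow the line formats visible in this thread, and the sample's last packet (an ICMP flow with an Internal to Internal zone pair) is constructed around the message quoted in the post.

```python
import re

HEADER = re.compile(r"<(\S+?)/(\d+)->(\S+?)/(\d+);(\d+)> matched filter ([\w.-]+):")
ZONES = re.compile(r"policy search from zone (\S+?)\s*->\s*zone (\S+)")
LKUP = re.compile(r"RT:\s+(\S+/\d+) -> (\S+/\d+) proto (\d+)")
VERDICT = re.compile(r"(permitted|denied) by policy (\S+?)\((\d+)\)")
NAT = re.compile(r"dip id = \S+ \S+->(\S+) protocol")

def new_record(flow=None, filt=None):
    return {"flow": flow, "filter": filt, "zones": None,
            "verdict": None, "policy": None, "src_nat": None}

def summarize(trace_text):
    """Return one record per traced packet: flow, filter, zones, verdict, NAT."""
    records, cur = [], None
    for line in trace_text.splitlines():
        if m := HEADER.search(line):
            src, sp, dst, dp, proto, filt = m.groups()
            cur = new_record(f"{src}/{sp}->{dst}/{dp} proto {proto}", filt)
            records.append(cur)
        elif m := ZONES.search(line):
            # A policy search with no packet header since the previous one
            # means the trace is missing lines: open an unattributed record.
            if cur is None or cur["zones"] is not None:
                cur = new_record()
                records.append(cur)
            cur["zones"] = (m.group(1), m.group(2))
        elif cur is None:
            continue  # tail of a packet whose start was not captured
        elif m := VERDICT.search(line):
            cur["verdict"], cur["policy"] = m.group(1), m.group(2)
        elif m := NAT.search(line):
            cur["src_nat"] = m.group(1)
        elif (m := LKUP.search(line)) and cur["flow"] is None:
            # Recover the flow of an unattributed record from the policy lookup.
            cur["flow"] = f"{m.group(1)}->{m.group(2)} proto {m.group(3)}"
    return records

def denied(records):
    """Packets dropped by policy: the ones to look at first."""
    return [r for r in records if r["verdict"] == "denied"]

# Constructed sample in the trace's line format (timestamp prefix reused).
P = "Jan 10 23:12:00 23:11:57.466460:CID-0:RT:"
SAMPLE_TRACE = "\n".join(P + s for s in [
    "<192.168.200.19/17489->8.8.8.8/53;17> matched filter f1:",
    "flow_first_policy_search: policy search from zone Internal-> zone Internet (0x0,0x44510035,0x35)",
    "             192.168.200.19/17489 -> 8.8.8.8/53 proto 17",
    "  permitted by policy All_Internal_Internet(4)",
    "  dip id = 2/0, 192.168.200.19/17489->x.x.x.159.195/4315 protocol 17",
    # Packet header missing here, as happens where the trace above skips ahead.
    "flow_first_policy_search: policy search from zone Internal-> zone Internet (0x0,0xb6b80035,0x35)",
    "             192.168.200.19/46776 -> 8.8.8.8/53 proto 17",
    "  permitted by policy All_Internal_Internet(4)",
    # Constructed denied packet (flow, zones and hex values are made up).
    "<192.168.50.223/7->192.168.200.23/1;1> matched filter MatchTrafficReverse:",
    "flow_first_policy_search: policy search from zone Internal-> zone Internal (0x0,0x70001,0x1)",
    "  denied by policy default-policy-logical-system-00(2), dropping pkt",
])

if __name__ == "__main__":
    for rec in summarize(SAMPLE_TRACE):
        print(rec)
```

Run against a saved trace file, `denied(summarize(open(path).read()))` lists only the dropped flows together with the zone pair that needs a policy.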


Re: 2 vpns issue

‎01-10-2019 11:07 AM

Hi,

The first VPN is up but the second VPN is gone; it is unstable? The IPsec SA is up but going down and coming back; it's unstable.
