SRX Services Gateway

How to map the packet flow

05-08-2012 06:56 PM

Hey buddies,

How can I map the flow of a packet in the SRX650?

Only by using "security flow traceoptions"?

All this is because I have a problem getting access between two zones, where we have two different interfaces, and I have the following logs:

May 8 20:05:37 20:05:37.700038:CID-1:RT:<10.1.181.4/44499->10.1.140.81/1812;17> matched filter filtro05:
May 8 20:05:37 20:05:37.700122:CID-1:RT:packet [130] ipid = 7435, @43e3c61c
May 8 20:05:37 20:05:37.700122:CID-1:RT:---- flow_process_pkt: (thd 11): flow_ctxt type 13, common flag 0x0, mbuf 0x43e3c400, rtbl_idx = 0
May 8 20:05:37 20:05:37.700122:CID-1:RT: flow process pak fast ifl 97 in_ifp reth0.0
May 8 20:05:37 20:05:37.700122:CID-1:RT: find flow: table 0x561f29c8, hash 37078(0xffff), sa 10.1.181.4, da 10.1.140.81, sp 44499, dp 1812, proto 17, tok 6
May 8 20:05:37 20:05:37.700122:CID-1:RT: flow got session.
May 8 20:05:37 20:05:37.700122:CID-1:RT: flow fast tcp/udp session id 258125
May 8 20:05:37 20:05:37.700235:CID-1:RT: route lookup failed: dest-ip 10.1.140.81 orig ifp reth0.0 output_ifp reth4.0 fto 0x49765888 orig-zone 6 out-zone 10 vsd 1
May 8 20:05:37 20:05:37.700235:CID-1:RT: refreshing session
May 8 20:05:37 20:05:37.700235:CID-1:RT: packet dropped, pak dropped since re-route failed
May 8 20:05:37 20:05:37.700235:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

I looked at the routing table of server 10.1.181.4 and it has only one gateway. I performed a route lookup from that gateway and it has only one way to reach 10.1.140.81.

But something is wrong, because when I try a ping or a TCP connection it succeeds, but I don't see its log in "security flow traceoptions"; I see only that log.

I suspect the packet comes in from another interface, but when I look at the SRX650 routing table or at the interfaces' IP addresses I don't see that.

I'm so confused about that.

Thanks for all!
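
The trace lines quoted above are the record that security flow traceoptions writes for one packet: the packet-filter match, the ingress interface, the session lookup, the route lookup and the final verdict. The Python script below is an added example (not from this post and not Juniper code) that splits such a trace into one record per packet and groups the records by 5-tuple, so that a repeating drop like the one above shows up as a single flow with its session id, zones and drop reason. The sample input is the post's own record followed by a constructed repeat of it; the regexes follow the field layout of those lines, and the "no session found" marker used to recognise a first-path (new session) record is an assumption about the trace wording.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the trace record quoted in the post, followed by a
# second copy of the same flow (constructed here; only ipid and timestamps
# changed) to mimic the "packet repeating" the poster describes.
SAMPLE_TRACE = """\
May 8 20:05:37 20:05:37.700038:CID-1:RT:<10.1.181.4/44499->10.1.140.81/1812;17> matched filter filtro05:
May 8 20:05:37 20:05:37.700122:CID-1:RT:packet [130] ipid = 7435, @43e3c61c
May 8 20:05:37 20:05:37.700122:CID-1:RT:---- flow_process_pkt: (thd 11): flow_ctxt type 13, common flag 0x0, mbuf 0x43e3c400, rtbl_idx = 0
May 8 20:05:37 20:05:37.700122:CID-1:RT: flow process pak fast ifl 97 in_ifp reth0.0
May 8 20:05:37 20:05:37.700122:CID-1:RT: find flow: table 0x561f29c8, hash 37078(0xffff), sa 10.1.181.4, da 10.1.140.81, sp 44499, dp 1812, proto 17, tok 6
May 8 20:05:37 20:05:37.700122:CID-1:RT: flow got session.
May 8 20:05:37 20:05:37.700122:CID-1:RT: flow fast tcp/udp session id 258125
May 8 20:05:37 20:05:37.700235:CID-1:RT: route lookup failed: dest-ip 10.1.140.81 orig ifp reth0.0 output_ifp reth4.0 fto 0x49765888 orig-zone 6 out-zone 10 vsd 1
May 8 20:05:37 20:05:37.700235:CID-1:RT: refreshing session
May 8 20:05:37 20:05:37.700235:CID-1:RT: packet dropped, pak dropped since re-route failed
May 8 20:05:37 20:05:37.700235:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
May 8 20:05:38 20:05:38.100010:CID-1:RT:<10.1.181.4/44499->10.1.140.81/1812;17> matched filter filtro05:
May 8 20:05:38 20:05:38.100020:CID-1:RT:packet [130] ipid = 7436, @43e3c61c
May 8 20:05:38 20:05:38.100020:CID-1:RT: flow process pak fast ifl 97 in_ifp reth0.0
May 8 20:05:38 20:05:38.100020:CID-1:RT: flow got session.
May 8 20:05:38 20:05:38.100020:CID-1:RT: flow fast tcp/udp session id 258125
May 8 20:05:38 20:05:38.100030:CID-1:RT: route lookup failed: dest-ip 10.1.140.81 orig ifp reth0.0 output_ifp reth4.0 fto 0x49765888 orig-zone 6 out-zone 10 vsd 1
May 8 20:05:38 20:05:38.100030:CID-1:RT: packet dropped, pak dropped since re-route failed
May 8 20:05:38 20:05:38.100030:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

# A "matched filter" line opens a per-packet record; "flow_process_pkt rc" closes it.
HEADER_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<filt>[^\s:]+)")
IN_IFP_RE = re.compile(r"in_ifp (?P<ifp>\S+)")
SESSION_RE = re.compile(r"session id (?P<sid>\d+)")
ROUTE_FAIL_RE = re.compile(
    r"route lookup failed: dest-ip (?P<dip>[\d.]+) orig ifp (?P<oifp>\S+)"
    r" output_ifp (?P<out>\S+).*orig-zone (?P<oz>\d+) out-zone (?P<dz>\d+)")
DROP_RE = re.compile(r"packet dropped, (?P<reason>.+)$")
RC_RE = re.compile(r"flow_process_pkt rc (?P<rc>0x[0-9a-fA-F]+)")

FiveTuple = Tuple[str, int, str, int, int]


@dataclass
class PacketTrace:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    filter_name: str
    in_ifp: Optional[str] = None
    path: str = "unknown"          # "fast": existing session; "first": new session
    session_id: Optional[int] = None
    out_ifp: Optional[str] = None
    orig_zone: Optional[int] = None
    out_zone: Optional[int] = None
    route_lookup_failed: bool = False
    drop_reason: Optional[str] = None
    rc: Optional[str] = None

    @property
    def five_tuple(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def parse_flow_trace(text: str) -> List[PacketTrace]:
    """Split a basic-datapath trace into one PacketTrace per packet record."""
    records: List[PacketTrace] = []
    cur: Optional[PacketTrace] = None
    for raw in text.splitlines():
        # Drop the "May 8 ... :CID-1:RT:" prefix and keep only the message body.
        body = raw.split(":RT:", 1)[1] if ":RT:" in raw else raw
        m = HEADER_RE.search(body)
        if m:
            cur = PacketTrace(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                              int(m["proto"]), m["filt"])
            records.append(cur)
            continue
        if cur is None:
            continue                      # text before the first record
        if (m := IN_IFP_RE.search(body)):
            cur.in_ifp = m["ifp"]
        if "flow got session" in body:
            cur.path = "fast"             # session already exists: fast path
        elif "no session found" in body:
            cur.path = "first"            # first-path marker (assumed wording)
        if (m := SESSION_RE.search(body)):
            cur.session_id = int(m["sid"])
        if (m := ROUTE_FAIL_RE.search(body)):
            cur.route_lookup_failed = True
            cur.out_ifp = m["out"]
            cur.orig_zone = int(m["oz"])
            cur.out_zone = int(m["dz"])
        if (m := DROP_RE.search(body)):
            cur.drop_reason = m["reason"].strip()
        if (m := RC_RE.search(body)):
            cur.rc = m["rc"]
            cur = None                    # record closed
    return records


def summarize(records: List[PacketTrace]) -> Dict[FiveTuple, dict]:
    """Group records by 5-tuple; count packets and drops, collect reasons/sessions."""
    out: Dict[FiveTuple, dict] = {}
    for r in records:
        s = out.setdefault(r.five_tuple, {"packets": 0, "dropped": 0, "reasons": set(),
                                          "sessions": set(), "paths": set()})
        s["packets"] += 1
        s["paths"].add(r.path)
        if r.session_id is not None:
            s["sessions"].add(r.session_id)
        if r.drop_reason:
            s["dropped"] += 1
            s["reasons"].add(r.drop_reason)
    return out


if __name__ == "__main__":
    for (src, sp, dst, dp, proto), s in summarize(parse_flow_trace(SAMPLE_TRACE)).items():
        print(f"{src}:{sp} -> {dst}:{dp} proto {proto}: {s['packets']} packets, "
              f"{s['dropped']} dropped, paths={sorted(s['paths'])}, "
              f"sessions={sorted(s['sessions'])}, reasons={sorted(s['reasons'])}")
```

Run against the file written by the traceoptions configuration instead of SAMPLE_TRACE to get one summary line per flow. A flow whose records all show path "fast" with the same session id is being handled by an existing session, which is why only fast-path lines appear in the trace; a record with path "first" is the one that carries the initial session setup (routing and policy lookup) that the first reply below asks for.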

Re: How to map the packet flow

05-09-2012 02:34 AM

Hi Luiz,

This error only means that there is something wrong with routing, but as you are saying that you have only one route to the destination, this shouldn't be the case.

Can't you get the output of the first packet of the flow in traceoptions? That will help a lot to understand and troubleshoot the issue.

Also, if you can, provide your interface, zone and routing table information.

Regards,

Hassan

Re: How to map the packet flow

05-09-2012 05:42 AM

Hey Hassan, thanks for your support!

Here is the information:

### Interfaces configuration ###
interfaces {
    ge-2/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-11/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-2/0/6 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    ge-11/0/6 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    reth0 {
        /* CORE<->FIREWALL */
        description TRUST-REDE-FW;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.1.191.121/29;
            }
        }
    }
    reth4 {
        description REDE-SERVIDORES;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.1.140.1/23;
            }
        }
    }
    reth6 {
        description REDE-WIFI;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 1172;
            family inet {
                address 10.1.172.1/22;
            }
        }
        unit 1 {
            vlan-id 1168;
            family inet {
                address 10.1.168.1/22;
            }
        }
        unit 2 {
            vlan-id 1182;
            family inet {
                address 10.1.182.1/24;
            }
        }
    }
    inactive: reth7 {
        description TRUST-REDE-FW;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.1.191.113/29;
            }
        }
    }
}

#### Routing table configuration #####

routing-options {
    static {
        route 10.1.128.0/18 next-hop 10.1.191.124;
        route 201.2.119.128/29 next-hop 10.1.191.124;
        route 10.1.190.0/24 next-hop 10.1.191.209;
    }
}

#### Interfaces Zone Trust ####

interfaces {
    reth0.0;
    inactive: reth7.0;
    reth6.2;
    reth6.1;
}

###

About the first packet of the flow, all I see is that packet repeating sometimes.

Thanks again!