SRX Services Gateway

Incoming Destination NAT through VPN Tunnel

[ Edited ]
‎06-13-2019 08:37 AM

Web Server 10.0.0.2 ------(10.0.0.1) Site A SRX (1.1.1.1)---------------IPSEC VPN-----------------(2.2.2.2) Site B SRX (10.2.0.1)
I'm trying to setup a backup destination NAT for some servers. Since the ISP can't give us more external IPs for Site A, I want to use Site B's external IP to create a secondary 'entrance' for the HTTPS Server on Site A.
The VPN Tunnel works. (route based) 

I can reach 10.0.0.2 from 10.2.0.1.

The destination NAT works to 1.1.1.1:443 to reach 10.0.0.2:443.

I can't get destination NAT to work on Site B, so that I can reach 10.0.0.2:443 through 2.2.2.2:443.

I've tried all kinds of NATting possibilities to get from untrust Site B to trust Site A, but I must be doing something wrong.

I've only used source NAT and destination NAT so far (in all possible ways).

Do I need proxy-arp for this? Or static NAT?

I don't have much of a configuration I can show with attempts, since I rolled back every time.

Thanks!


Re: Incoming Destination NAT through VPN Tunnel

‎06-13-2019 11:17 AM

Hi datapex,

I believe we need to work this out with flow traceoptions on both SRXs.

Ideally it will work like this (please share your config):

1. On SRXB we need a Dst NAT rule matching traffic to 2.2.2.2:443 and translate it to 10.0.0.2:443. At that point the SRXB will do a route-lookup to 10.0.0.2 and the st0 interface should be the next-hop (hence we need that route in place). Also a security-policy from zone "External-Interface" to zone "VPN-Interface" has to allow that traffic. No other NAT rule should affect this traffic.
2. The packet will flow over the VPN and reach SRXA. No Dst NAT has to affect this traffic and the packets will be forwarded to 10.0.0.2. A security policy has to allow this traffic as well. 10.0.0.2 will reply after that and the traffic should match an already existing session on SRXA and the traffic be permitted and sent over the VPN again.
3. SRXB will receive the traffic and match an existing session and send the traffic back to the external host.

In order to confirm the above behavior please configure flow traces on SRXB in the following way:

#set security flow traceoptions file SRXB
#set security flow traceoptions flag basic-datapath
#set security flow traceoptions packet-filter F1 destination-prefix 2.2.2.2 destination-port 443
#set security flow traceoptions packet-filter F2 source-prefix 10.0.0.2 source-port 443
# commit

Try the test and then check the file:

# run show log SRXB

On SRXA (and for the same test) try:

#set security flow traceoptions file SRXA
#set security flow traceoptions flag basic-datapath
#set security flow traceoptions packet-filter F1 destination-prefix 10.0.0.2 destination-port 443
#set security flow traceoptions packet-filter F2 source-prefix 10.0.0.2 source-port 443
# commit

Try the test and then check the file:

# run show log SRXA

Please attach the files so we can help you with the root cause. Also during the test capture the following commands to confirm if the sessions are created on both SRXs:

SRXB:

> show security flow session destination-prefix 2.2.2.2 destination-port 443
SRXA:

> show security flow session destination-prefix 10.0.0.2 destination-port 443

Please mark this comment as the Solution if applicable

Re: Incoming Destination NAT through VPN Tunnel

[ Edited ]
‎06-13-2019 01:36 PM

Hi stwardlp,

this is going to be a lot...

A few sidenotes:

My tests to the webserver were done from 5.5.5.5 to 2.2.2.2:443

Every SRX is actually a cluster... I left out the ge-xxx interfaces that were bundled into rethx, and kept only the rethx, so as not to overcomplicate things too much.

SRXA and SRXB have

reth0.0 as trust

reth0.1 as untrust

st0.0 as VPN tunnel

1.1.1.254 is the SRXA's DSL router (exposed host to SRX IP 1.1.1.1)

2.2.2.254 is the SRXB's DSL router (exposed host to SRX IP 2.2.2.2)

I spent a bit of time cutting out and replacing a lot of IPs. I hope I didn't miss anything, for your legibility's sake :).

There's a monitoring server on the SRXA site, which unfortunately spammed the trace a bit. I replaced its IP with "ignorethisip". So, just ignore that IP and its sessions ;).

SRXA

interfaces {
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description trust;
            vlan-id 100;
            family inet {
                address 10.0.0.1/24;
            }
        }
        unit 1 {
            description untrust;
            vlan-id 99;
            family inet {
                address 1.1.1.1/24;
            }
        }
    st0 {
        unit 0 {
            description vpn-Site-B;
            family inet;
        }

routing-options {
    static {
            route 10.2.0.0/16 next-hop st0.0;
            route 0.0.0.0/0 next-hop 1.1.1.254; ----- dsl router exposed host to the SRX
          }
         }

security {
    ike {
        proposal ike-proposal-standard {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy ike-vpn-standard {
            mode main;
            proposals ike-proposal-standard;
            pre-shared-key ascii-text "snip"; ## SECRET-DATA
        }
        gateway gateway-2.2.2.2 {
            ike-policy ike-vpn-standard;
            address 2.2.2.2;
            dead-peer-detection;
            nat-keepalive 10;
            local-identity inet 1.1.1.1;
            remote-identity inet 2.2.2.2;
            external-interface reth0.1;
        }
    }

    ipsec {
        proposal ipsec-proposal-standard {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 7200;
        }
        policy ipsec-vpn-standard {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals ipsec-proposal-standard;
        }
        vpn vpn-Site-B {
            bind-interface st0.0;
            ike {
                gateway gateway-2.2.2.2;
                ipsec-policy ipsec-vpn-standard;
            }
            establish-tunnels immediately;
        }
    }

    nat {
        source {
            rule-set untrust-out {
                from zone trust;
                to zone untrust;
                rule untrust-source-nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        destination {
            pool https-server {
                address 10.0.0.2/32 port 443;
            }
            rule-set untrust-destination-nat {
                from interface reth0.1;
                rule https-server-NAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port {
                            443;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                https-server;
                            }
                        }
                    }
                }

    policies {

          from-zone trust to-zone untrust {
              policy allow-all {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }

          from-zone trust to-zone vpn-Site-B {
              policy allow-all {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }

          from-zone vpn-Site-B to-zone trust {
              policy allow-all {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }

          from-zone untrust to-zone trust {
              policy allow-https {
                  match {
                      source-address any;
                      destination-address https-server;
                      application junos-https;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }

    zones {
        security-zone trust {
            address-book {
                address https-server 10.0.0.2/32;
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ike;
                            snmp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                reth0.1 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ike;
                            snmp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone vpn-Site-B {
            interfaces {
                st0.0;
            }
        }
SRXB

interfaces {
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description trust;
            vlan-id 100;
            family inet {
                address 10.2.0.1/24;
            }
        }
        unit 1 {
            description untrust;
            vlan-id 99;
            family inet {
                address 2.2.2.2/24;
            }
        }
    st0 {
        unit 0 {
            description vpn-Site-A;
            family inet;
        }

routing-options {
    static {
            route 10.0.0.0/16 next-hop st0.0;
            route 0.0.0.0/0 next-hop 2.2.2.254; -----  dsl router exposed host to the SRX
          }
         }

security {
    ike {
        proposal ike-proposal-standard {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy ike-vpn-standard {
            mode main;
            proposals ike-proposal-standard;
            pre-shared-key ascii-text "snip"; ## SECRET-DATA
        }
        gateway gateway-1.1.1.1 {
            ike-policy ike-vpn-standard;
            address 1.1.1.1;
            dead-peer-detection;
            nat-keepalive 10;
            local-identity inet 2.2.2.2;
            remote-identity inet 1.1.1.1;
            external-interface reth0.1;
        }
    }

    ipsec {
        proposal ipsec-proposal-standard {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 7200;
        }
        policy ipsec-vpn-standard {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals ipsec-proposal-standard;
        }
        vpn vpn-Site-A {
            bind-interface st0.0;
            ike {
                gateway gateway-1.1.1.1;
                ipsec-policy ipsec-vpn-standard;
            }
            establish-tunnels immediately;
        }
    }

    nat {
        source {
            rule-set untrust-out {
                from zone trust;
                to zone untrust;
                rule untrust-source-nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        destination {
            pool https-server-Site-A {
                address 10.0.0.2/32 port 443;
            }
            rule-set untrust-destination-nat {
                from interface reth0.1;
                rule https-server-Site-A-NAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port {
                            443;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                https-server-Site-A;
                            }
                        }
                    }
                }

    policies {

          from-zone trust to-zone untrust {
              policy allow-all {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }

          from-zone trust to-zone vpn-Site-A {
              policy allow-all {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }

          from-zone vpn-Site-A to-zone trust {
              policy allow-all {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }

          from-zone untrust to-zone vpn-Site-A {
              policy allow-https-through-vpn {
                  match {
                      source-address any;
                      destination-address https-server-Site-A;
                      application junos-https;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }

    zones {
        security-zone trust {
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ike;
                            snmp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                reth0.1 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ike;
                            snmp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone vpn-Site-A {
            address-book {
                address https-server-Site-A 10.0.0.2/32;
            interfaces {
                st0.0;
            }
        }
root@juniper-srv-a# run show log SRXA
Jun 13 22:10:03 22:10:02.576747:CID-2:RT:<5.5.5.5/53155->10.0.0.2/443;6> matched filter F1:

Jun 13 22:10:03 22:10:02.576747:CID-2:RT:packet [52] ipid = 23706, @0x439b0f50

Jun 13 22:10:03 22:10:02.576747:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 1, common flag 0x0, mbuf 0x439b0d00, rtbl_idx = 0

Jun 13 22:10:03 22:10:02.576747:CID-2:RT:flow process pak, mbuf 0x439b0d00, ifl 129, ctxt_type 1 inq type 6

Jun 13 22:10:03 22:10:02.576884:CID-2:RT: in_ifp <vpn-Site-B:st0.0>

Jun 13 22:10:03 22:10:02.576884:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148

Jun 13 22:10:03 22:10:02.576884:CID-2:RT:host inq check inq_type 0x6

Jun 13 22:10:03 22:10:02.576884:CID-2:RT:tifp st0.0

Jun 13 22:10:03 22:10:02.576884:CID-2:RT:pkt out of tunnel.Proceed normally

Jun 13 22:10:03 22:10:02.576884:CID-2:RT:  st0.0:5.5.5.5/53155->10.0.0.2/443, tcp, flag 2 syn

Jun 13 22:10:03 22:10:02.576884:CID-2:RT: find flow: table 0x52756b80, hash 17048(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53155, dp 443, proto 6, tok 14

Jun 13 22:10:03 22:10:02.576884:CID-2:RT:  no session found, start first path. in_tunnel - 0x55dbcda8, from_cp_flag - 0

Jun 13 22:10:03 22:10:02.577038:CID-2:RT:  Not a traffic-selector enabled tunnel. returing EOK

Jun 13 22:10:03 22:10:02.577067:CID-2:RT:search gate for vpn-Site-B:5.5.5.5/53155->10.0.0.2/443,6

Jun 13 22:10:03 22:10:02.577091:CID-2:RT:gate_search_specific_bucket: no gate found

Jun 13 22:10:03 22:10:02.577091:CID-2:RT:search gate for vpn-Site-B:5.5.5.5/53155->10.0.0.2/443,6

Jun 13 22:10:03 22:10:02.577091:CID-2:RT:gate_search_specific_bucket: no gate found

Jun 13 22:10:03 22:10:02.577144:CID-2:RT:search widecast gate for vpn-Site-B:5.5.5.5/53155->10.0.0.2/443,6

Jun 13 22:10:03 22:10:02.577144:CID-2:RT:gate_search_widecast_bucket: no gate found

Jun 13 22:10:03 22:10:02.577144:CID-2:RT:  flow_first_create_session

Jun 13 22:10:03 22:10:02.577185:CID-2:RT:First path alloc and instl pending session, natp=0x5a623ab8, id=153071

Jun 13 22:10:03 22:10:02.577185:CID-2:RT:  flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 10.0.0.2, sp 53155, dp 443

Jun 13 22:10:03 22:10:02.577185:CID-2:RT:  chose interface st0.0 as incoming nat if.

Jun 13 22:10:03 22:10:02.577283:CID-2:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.0.0.2(443)

Jun 13 22:10:03 22:10:02.577283:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp st0.0, out ifp N/A sp 53155, dp 443, ip_proto 6, tos 0

Jun 13 22:10:03 22:10:02.577283:CID-2:RT:Doing DESTINATION addr route-lookup

Jun 13 22:10:03 22:10:02.577362:CID-2:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x81, oifl 0x4d

Jun 13 22:10:03 22:10:02.577379:CID-2:RT:  routed (x_dst_ip 10.0.0.2) from vpn-Site-B (st0.0 in 0) to reth0.0, Next-hop: 10.0.0.2

Jun 13 22:10:03 22:10:02.577379:CID-2:RT:flow_first_policy_search: policy search from zone vpn-Site-B-> zone trust (0x0,0xcfa301bb,0x1bb)

Jun 13 22:10:03 22:10:02.577379:CID-2:RT:Policy lkup: vsys 0 zone(14:vpn-Site-B) -> zone(7:trust) scope:0

Jun 13 22:10:03 22:10:02.577379:CID-2:RT:             5.5.5.5/53155 -> 10.0.0.2/443 proto 6

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  policy has timeout 900

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  app 58, timeout 1800s, curr ageout 20s

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  permitted by policy allow-all(10)

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  packet passed, Permitted by policy.

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:flow_first_src_xlate:  incoming src port is : 53155.

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  dip id = 0/0, 5.5.5.5/53155->5.5.5.5/53155 protocol 0

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  choose interface reth0.0(P2P) as outgoing phy if

Jun 13 22:10:03 22:10:02.577509:CID-2:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.0.0.2, rtt_idx:0

Jun 13 22:10:03 22:10:02.577678:CID-2:RT:  check nsrp pak fwd: in_tun=0x20020005, VSD 1 for out ifp reth0.0

Jun 13 22:10:03 22:10:02.577678:CID-2:RT:  vsd 1 is active

Jun 13 22:10:03 22:10:02.577678:CID-2:RT:-jsf : Alloc sess plugin info for session 747324462575

Jun 13 22:10:03 22:10:02.577678:CID-2:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0

Jun 13 22:10:03 22:10:02.577678:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.577678:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 747324462575, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:-jsf : no plugin interested for session 747324462575, free sess plugin info

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  service lookup identified service 58.

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  flow_first_final_check: in <st0.0>, out <reth0.0>

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:In flow_first_complete_session

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:flow_first_complete_session, pak_ptr: 0x52048c50, nsp: 0x5a623ab8, in_tunnel: 0x55dbcda8

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:construct v4 vector for nsp2

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  existing vector list 0x10026-0x4b4378f8.

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  Session (id:153071) created for first pak 10026

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:first pak processing successful

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  flow_first_install_session======> 0x5a623ab8

Jun 13 22:10:03 22:10:02.577833:CID-2:RT: nsp 0x5a623ab8, nsp2 0x5a623b48

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  make_nsp_ready_no_resolve()

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x81, oifl 0x46

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route lookup: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 orig-zone 14 out-zone 17 vsd 0

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route to 1.1.1.254

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8

Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8

Jun 13 22:10:03 22:10:02.578170:CID-2:RT:Installing s2c NP session wing

Jun 13 22:10:03 22:10:02.578170:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8

Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8

Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8

Jun 13 22:10:03 22:10:02.578342:CID-2:RT:first path session installation succeeded

Jun 13 22:10:03 22:10:02.578342:CID-2:RT:  flow got session.

Jun 13 22:10:03 22:10:02.578342:CID-2:RT:  flow session id 153071

Jun 13 22:10:03 22:10:02.578342:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8

Jun 13 22:10:03 22:10:02.578653:CID-2:RT:  vsd 1 is active

Jun 13 22:10:03 22:10:02.578664:CID-2:RT:tcp head size = 32, opt_size=12

Jun 13 22:10:03 22:10:02.578664:CID-2:RT:MSS found 0x 4b0

Jun 13 22:10:03 22:10:02.578664:CID-2:RT:flow_tcp_wsf_update: wsf 8

Jun 13 22:10:03 22:10:02.578664:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 22:10:03 22:10:02.578664:CID-2:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Jun 13 22:10:03 22:10:02.578664:CID-2:RT:  encap vector

Jun 13 22:10:03 22:10:02.578664:CID-2:RT:  no more encapping needed

Jun 13 22:10:03 22:10:02.578664:CID-2:RT:mbuf 0x439b0d00, exit nh 0x18063c2

Jun 13 22:10:03 22:10:02.578664:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x52048c50 associated with mbuf 0x439b0d00

Jun 13 22:10:03 22:10:02.578664:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 22:10:03 22:10:02.579219:CID-2:RT:<10.0.0.2/443->5.5.5.5/53155;6> matched filter F2:

Jun 13 22:10:03 22:10:02.579248:CID-2:RT:packet [52] ipid = 13717, @0x439d1e24

Jun 13 22:10:03 22:10:02.579291:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x439d1c00, rtbl_idx = 0

Jun 13 22:10:03 22:10:02.579291:CID-2:RT: flow process pak fast ifl 77 in_ifp reth0.0

Jun 13 22:10:03 22:10:02.579291:CID-2:RT:  reth0.0:10.0.0.2/443->5.5.5.5/53155, tcp, flag 12 syn ack

Jun 13 22:10:03 22:10:02.579364:CID-2:RT: find flow: table 0x52756b80, hash 6025(0xffff), sa 10.0.0.2, da 5.5.5.5, sp 443, dp 53155, proto 6, tok 7

Jun 13 22:10:03 22:10:02.579380:CID-2:RT:Found: session id 0x255ef. sess tok 7

Jun 13 22:10:03 22:10:02.579380:CID-2:RT:  flow got session.

Jun 13 22:10:03 22:10:02.579380:CID-2:RT:  flow session id 153071

Jun 13 22:10:03 22:10:02.579380:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x0, oifl 0x46

Jun 13 22:10:03 22:10:02.579380:CID-2:RT:  route lookup failed: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 fto 0x4b40ac78 orig-zone 14 out-zone 17 vsd 0
Jun 13 22:10:03 22:10:02.579513:CID-2:RT:  readjust timeout to 6 s

Jun 13 22:10:03 22:10:02.579513:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.579513:CID-2:RT:  packet dropped,   pak dropped since re-route failed

Jun 13 22:10:03 22:10:02.579513:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 13 22:10:03 22:10:02.596433:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.596433:CID-2:RT:jsf sess close notify

Jun 13 22:10:03 22:10:02.596433:CID-2:RT:flow_ipv4_del_flow: sess 235848, in hash 32

Jun 13 22:10:03 22:10:02.596433:CID-2:RT:flow_ipv4_del_flow: sess 235848, in hash 32

Jun 13 22:10:03 22:10:02.596433:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:<5.5.5.5/53157->10.0.0.2/443;6> matched filter F1:

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:packet [52] ipid = 23709, @0x43b684d0

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 1, common flag 0x0, mbuf 0x43b68280, rtbl_idx = 0

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:flow process pak, mbuf 0x43b68280, ifl 129, ctxt_type 1 inq type 6

Jun 13 22:10:03 22:10:02.871979:CID-2:RT: in_ifp <vpn-Site-B:st0.0>

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:host inq check inq_type 0x6

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:tifp st0.0

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:pkt out of tunnel.Proceed normally

Jun 13 22:10:03 22:10:02.871979:CID-2:RT:  st0.0:5.5.5.5/53157->10.0.0.2/443, tcp, flag 2 syn

Jun 13 22:10:03 22:10:02.871979:CID-2:RT: find flow: table 0x52756b80, hash 33016(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53157, dp 443, proto 6, tok 14

Jun 13 22:10:03 22:10:02.872235:CID-2:RT:  no session found, start first path. in_tunnel - 0x55dbcda8, from_cp_flag - 0

Jun 13 22:10:03 22:10:02.872235:CID-2:RT:  Not a traffic-selector enabled tunnel. returing EOK

Jun 13 22:10:03 22:10:02.872286:CID-2:RT:search gate for vpn-Site-B:5.5.5.5/53157->10.0.0.2/443,6

Jun 13 22:10:03 22:10:02.872286:CID-2:RT:gate_search_specific_bucket: no gate found

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:search gate for vpn-Site-B:5.5.5.5/53157->10.0.0.2/443,6

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:gate_search_specific_bucket: no gate found

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:search widecast gate for vpn-Site-B:5.5.5.5/53157->10.0.0.2/443,6

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:gate_search_widecast_bucket: no gate found

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:  flow_first_create_session

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:First path alloc and instl pending session, natp=0x572ddb68, id=44676

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:  flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 10.0.0.2, sp 53157, dp 443

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:  chose interface st0.0 as incoming nat if.

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.0.0.2(443)

Jun 13 22:10:03 22:10:02.872328:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp st0.0, out ifp N/A sp 53157, dp 443, ip_proto 6, tos 0

Jun 13 22:10:03 22:10:02.872555:CID-2:RT:Doing DESTINATION addr route-lookup

Jun 13 22:10:03 22:10:02.872555:CID-2:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x81, oifl 0x4d

Jun 13 22:10:03 22:10:02.872555:CID-2:RT:  routed (x_dst_ip 10.0.0.2) from vpn-Site-B (st0.0 in 0) to reth0.0, Next-hop: 10.0.0.2

Jun 13 22:10:03 22:10:02.872555:CID-2:RT:flow_first_policy_search: policy search from zone vpn-Site-B-> zone trust (0x0,0xcfa501bb,0x1bb)

Jun 13 22:10:03 22:10:02.872555:CID-2:RT:Policy lkup: vsys 0 zone(14:vpn-Site-B) -> zone(7:trust) scope:0

Jun 13 22:10:03 22:10:02.872555:CID-2:RT:             5.5.5.5/53157 -> 10.0.0.2/443 proto 6

Jun 13 22:10:03 22:10:02.872729:CID-2:RT:  policy has timeout 900

Jun 13 22:10:03 22:10:02.872729:CID-2:RT:  app 58, timeout 1800s, curr ageout 20s

Jun 13 22:10:03 22:10:02.872729:CID-2:RT:  permitted by policy allow-all(10)

Jun 13 22:10:03 22:10:02.872729:CID-2:RT:  packet passed, Permitted by policy.

Jun 13 22:10:03 22:10:02.872788:CID-2:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

Jun 13 22:10:03 22:10:02.872803:CID-2:RT:flow_first_src_xlate:  incoming src port is : 53157.

Jun 13 22:10:03 22:10:02.872803:CID-2:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Jun 13 22:10:03 22:10:02.872803:CID-2:RT:  dip id = 0/0, 5.5.5.5/53157->5.5.5.5/53157 protocol 0

Jun 13 22:10:03 22:10:02.872861:CID-2:RT:  choose interface reth0.0(P2P) as outgoing phy if

Jun 13 22:10:03 22:10:02.872861:CID-2:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.0.0.2, rtt_idx:0

Jun 13 22:10:03 22:10:02.872908:CID-2:RT:  check nsrp pak fwd: in_tun=0x20020005, VSD 1 for out ifp reth0.0

Jun 13 22:10:03 22:10:02.872908:CID-2:RT:  vsd 1 is active

Jun 13 22:10:03 22:10:02.872908:CID-2:RT:-jsf : Alloc sess plugin info for session 691489779332

Jun 13 22:10:03 22:10:02.872960:CID-2:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0

Jun 13 22:10:03 22:10:02.872970:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.873013:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 22:10:03 22:10:02.873048:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 691489779332, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 22:10:03 22:10:02.873078:CID-2:RT:-jsf : no plugin interested for session 691489779332, free sess plugin info

Jun 13 22:10:03 22:10:02.873078:CID-2:RT:  service lookup identified service 58.

Jun 13 22:10:03 22:10:02.873078:CID-2:RT:  flow_first_final_check: in <st0.0>, out <reth0.0>

Jun 13 22:10:03 22:10:02.873078:CID-2:RT:In flow_first_complete_session

Jun 13 22:10:03 22:10:02.873078:CID-2:RT:flow_first_complete_session, pak_ptr: 0x52048c50, nsp: 0x572ddb68, in_tunnel: 0x55dbcda8

Jun 13 22:10:03 22:10:02.873078:CID-2:RT:construct v4 vector for nsp2

Jun 13 22:10:03 22:10:02.873078:CID-2:RT:  existing vector list 0x10026-0x4b4378f8.

Jun 13 22:10:03 22:10:02.873221:CID-2:RT:  Session (id:44676) created for first pak 10026

Jun 13 22:10:03 22:10:02.873221:CID-2:RT:first pak processing successful

Jun 13 22:10:03 22:10:02.873221:CID-2:RT:  flow_first_install_session======> 0x572ddb68

Jun 13 22:10:03 22:10:02.873221:CID-2:RT: nsp 0x572ddb68, nsp2 0x572ddbf8

Jun 13 22:10:03 22:10:02.873221:CID-2:RT:  make_nsp_ready_no_resolve()

Jun 13 22:10:03 22:10:02.873221:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x81, oifl 0x46

Jun 13 22:10:03 22:10:02.873323:CID-2:RT:  route lookup: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 orig-zone 14 out-zone 17 vsd 0

Jun 13 22:10:03 22:10:02.873323:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch

Jun 13 22:10:03 22:10:02.873323:CID-2:RT:  route to 1.1.1.254

Jun 13 22:10:03 22:10:02.873372:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.873372:CID-2:RT:get NULL sess plugin info 0x572ddb68

Jun 13 22:10:03 22:10:02.873414:CID-2:RT:get NULL sess plugin info 0x572ddb68

Jun 13 22:10:03 22:10:02.873436:CID-2:RT:Installing s2c NP session wing

Jun 13 22:10:03 22:10:02.873436:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.873436:CID-2:RT:get NULL sess plugin info 0x572ddb68

Jun 13 22:10:03 22:10:02.873481:CID-2:RT:get NULL sess plugin info 0x572ddb68

Jun 13 22:10:03 22:10:02.873502:CID-2:RT:get NULL sess plugin info 0x572ddb68

Jun 13 22:10:03 22:10:02.873715:CID-2:RT:first path session installation succeeded

Jun 13 22:10:03 22:10:02.873819:CID-2:RT:  flow got session.

Jun 13 22:10:03 22:10:02.873819:CID-2:RT:  flow session id 44676

Jun 13 22:10:03 22:10:02.873819:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8

Jun 13 22:10:03 22:10:02.873819:CID-2:RT:  vsd 1 is active

Jun 13 22:10:03 22:10:02.873819:CID-2:RT:tcp head size = 32, opt_size=12

Jun 13 22:10:03 22:10:02.873819:CID-2:RT:MSS found 0x 4b0

Jun 13 22:10:03 22:10:02.873819:CID-2:RT:flow_tcp_wsf_update: wsf 8

Jun 13 22:10:03 22:10:02.873819:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 22:10:03 22:10:02.873819:CID-2:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Jun 13 22:10:03 22:10:02.873930:CID-2:RT:  encap vector

Jun 13 22:10:03 22:10:02.873930:CID-2:RT:  no more encapping needed

Jun 13 22:10:03 22:10:02.873930:CID-2:RT:mbuf 0x43b68280, exit nh 0x18063c2

Jun 13 22:10:03 22:10:02.873967:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x52048c50 associated with mbuf 0x43b68280

Jun 13 22:10:03 22:10:02.873982:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 22:10:03 22:10:02.874206:CID-2:RT:<10.0.0.2/443->5.5.5.5/53157;6> matched filter F2:

Jun 13 22:10:03 22:10:02.874206:CID-2:RT:packet [52] ipid = 13719, @0x43c8d024

Jun 13 22:10:03 22:10:02.874280:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x43c8ce00, rtbl_idx = 0

Jun 13 22:10:03 22:10:02.874289:CID-2:RT: flow process pak fast ifl 77 in_ifp reth0.0

Jun 13 22:10:03 22:10:02.874289:CID-2:RT:  reth0.0:10.0.0.2/443->5.5.5.5/53157, tcp, flag 12 syn ack

Jun 13 22:10:03 22:10:02.874352:CID-2:RT: find flow: table 0x52756b80, hash 6031(0xffff), sa 10.0.0.2, da 5.5.5.5, sp 443, dp 53157, proto 6, tok 7

Jun 13 22:10:03 22:10:02.874352:CID-2:RT:Found: session id 0xae84. sess tok 7

Jun 13 22:10:03 22:10:02.874352:CID-2:RT:  flow got session.

Jun 13 22:10:03 22:10:02.874352:CID-2:RT:  flow session id 44676

Jun 13 22:10:03 22:10:02.874436:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x0, oifl 0x46

Jun 13 22:10:03 22:10:02.874436:CID-2:RT:  route lookup failed: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 fto 0x4b40ac78 orig-zone 14 out-zone 17 vsd 0
Jun 13 22:10:03 22:10:02.874474:CID-2:RT:  readjust timeout to 6 s

Jun 13 22:10:03 22:10:02.874503:CID-2:RT:ha_ifp: reth0.0

Jun 13 22:10:03 22:10:02.874503:CID-2:RT:  packet dropped,   pak dropped since re-route failed

Jun 13 22:10:03 22:10:02.874503:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 13 22:10:06 22:10:05.823933:CID-1:RT: find flow: table 0x52756be0, hash 64700(0xffff), sa ignorethisip, da 10.0.0.2, sp 33248, dp 443, proto 6, tok 7

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:-jsf : Alloc sess plugin info for session 932008041476

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:ha_ifp: reth0.0

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:[JSF]Plugins(0x0, count 0) enabled for session = 932008041476, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:-jsf : no plugin interested for session 932008041476, free sess plugin info

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:get NULL sess plugin info 0x59f1ffb8

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:get NULL sess plugin info 0x59f1ffb8

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  existing vector list 0x22-0x4b4275c0.

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  existing vector list 0x22-0x4b4275c0.

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:no need update ha

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:Installing c2s NP session wing

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:Installing s2c NP session wing

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  make_nsp_ready_no_resolve()

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:flow_ipv4_rt_lkup success ignorethisip, iifl 0x54, oifl 0x54

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  route lookup: dest-ip ignorethisip orig ifp reth0.5 output_ifp reth0.5 orig-zone 7 out-zone 7 vsd 1

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  route to ignorethisip

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  make_nsp_ready_no_resolve()

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x4d, oifl 0x4d

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  route lookup: dest-ip 10.0.0.2 orig ifp reth0.0 output_ifp reth0.0 orig-zone 7 out-zone 7 vsd 1

Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  route to 10.0.0.2

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:<5.5.5.5/53155->10.0.0.2/443;6> matched filter F1:

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:packet [52] ipid = 23712, @0x43e632d0

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x43e63080, rtbl_idx = 0

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:flow process pak, mbuf 0x43e63080, ifl 129, ctxt_type 1 inq type 6

Jun 13 22:10:06 22:10:05.571853:CID-2:RT: in_ifp <vpn-Site-B:st0.0>

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:host inq check inq_type 0x6

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:tifp st0.0

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:pkt out of tunnel.Proceed normally

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:  st0.0:5.5.5.5/53155->10.0.0.2/443, tcp, flag 2 syn

Jun 13 22:10:06 22:10:05.571853:CID-2:RT: find flow: table 0x52756b80, hash 17048(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53155, dp 443, proto 6, tok 14

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:Found: session id 0x255ef. sess tok 14

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:  flow got session.

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:  flow session id 153071

Jun 13 22:10:06 22:10:05.571853:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:  vsd 1 is active

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:tcp head size = 32, opt_size=12

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:MSS found 0x 4b0

Jun 13 22:10:06 22:10:05.571853:CID-2:RT:flow_tcp_wsf_update: wsf 8

Jun 13 22:10:06 22:10:05.572202:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 22:10:06 22:10:05.572202:CID-2:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Jun 13 22:10:06 22:10:05.572202:CID-2:RT:  encap vector

Jun 13 22:10:06 22:10:05.572202:CID-2:RT:  no more encapping needed

Jun 13 22:10:06 22:10:05.572202:CID-2:RT:mbuf 0x43e63080, exit nh 0x18063c2

Jun 13 22:10:06 22:10:05.572202:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x52028c50 associated with mbuf 0x43e63080

Jun 13 22:10:06 22:10:05.572202:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 22:10:06 22:10:05.573930:CID-2:RT:<5.5.5.5/53156->10.0.0.2/443;6> matched filter F1:

Jun 13 22:10:06 22:10:05.573930:CID-2:RT:packet [52] ipid = 23711, @0x43db4ed0

Jun 13 22:10:06 22:10:05.573930:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x43db4c80, rtbl_idx = 0

Jun 13 22:10:06 22:10:05.573930:CID-2:RT:flow process pak, mbuf 0x43db4c80, ifl 129, ctxt_type 1 inq type 6

Jun 13 22:10:06 22:10:05.574027:CID-2:RT: in_ifp <vpn-Site-B:st0.0>

Jun 13 22:10:06 22:10:05.574027:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148

Jun 13 22:10:06 22:10:05.574027:CID-2:RT:host inq check inq_type 0x6

Jun 13 22:10:06 22:10:05.574027:CID-2:RT:tifp st0.0

Jun 13 22:10:06 22:10:05.574027:CID-2:RT:pkt out of tunnel.Proceed normally

Jun 13 22:10:06 22:10:05.574027:CID-2:RT:  st0.0:5.5.5.5/53156->10.0.0.2/443, tcp, flag 2 syn

Jun 13 22:10:06 22:10:05.574126:CID-2:RT: find flow: table 0x52756b80, hash 41864(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53156, dp 443, proto 6, tok 14

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:Found: session id 0x2bfd7. sess tok 14

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  flow got session.

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  flow session id 180183

Jun 13 22:10:06 22:10:05.574174:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  vsd 1 is active

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:tcp head size = 32, opt_size=12

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:MSS found 0x 4b0

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:flow_tcp_wsf_update: wsf 8

Jun 13 22:10:06 22:10:05.574174:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  encap vector

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  no more encapping needed

Jun 13 22:10:06 22:10:05.574174:CID-2:RT:mbuf 0x43db4c80, exit nh 0x18063c2

Jun 13 22:10:06 22:10:05.574309:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x52028c50 associated with mbuf 0x43db4c80

Jun 13 22:10:06 22:10:05.574309:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 22:10:06 22:10:05.582148:CID-2:RT:<10.0.0.2/443->5.5.5.5/53156;6> matched filter F2:

Jun 13 22:10:06 22:10:05.582148:CID-2:RT:packet [52] ipid = 13720, @0x43e632a4

Jun 13 22:10:06 22:10:05.582148:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43e63080, rtbl_idx = 0

Jun 13 22:10:06 22:10:05.582148:CID-2:RT: flow process pak fast ifl 77 in_ifp reth0.0

Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  reth0.0:10.0.0.2/443->5.5.5.5/53156, tcp, flag 12 syn ack

Jun 13 22:10:06 22:10:05.582148:CID-2:RT: find flow: table 0x52756b80, hash 6024(0xffff), sa 10.0.0.2, da 5.5.5.5, sp 443, dp 53156, proto 6, tok 7

Jun 13 22:10:06 22:10:05.582148:CID-2:RT:Found: session id 0x2bfd7. sess tok 7

Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  flow got session.

Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  flow session id 180183

Jun 13 22:10:06 22:10:05.582148:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x0, oifl 0x46

Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  route lookup failed: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 fto 0x4b40ac78 orig-zone 14 out-zone 17 vsd 0
Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  packet dropped,   pak dropped since re-route failed

Jun 13 22:10:06 22:10:05.582148:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 13 22:10:06 22:10:05.840896:CID-2:RT:<5.5.5.5/53157->10.0.0.2/443;6> matched filter F1:

Jun 13 22:10:06 22:10:05.840896:CID-2:RT:packet [52] ipid = 23713, @0x438c8450

Jun 13 22:10:06 22:10:05.840943:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x438c8200, rtbl_idx = 0

Jun 13 22:10:06 22:10:05.840974:CID-2:RT:flow process pak, mbuf 0x438c8200, ifl 129, ctxt_type 1 inq type 6

Jun 13 22:10:06 22:10:05.841007:CID-2:RT: in_ifp <vpn-Site-B:st0.0>

Jun 13 22:10:06 22:10:05.841007:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148

Jun 13 22:10:06 22:10:05.841037:CID-2:RT:host inq check inq_type 0x6

Jun 13 22:10:06 22:10:05.841037:CID-2:RT:tifp st0.0

Jun 13 22:10:06 22:10:05.841037:CID-2:RT:pkt out of tunnel.Proceed normally

Jun 13 22:10:06 22:10:05.841037:CID-2:RT:  st0.0:5.5.5.5/53157->10.0.0.2/443, tcp, flag 2 syn

Jun 13 22:10:06 22:10:05.841037:CID-2:RT: find flow: table 0x52756b80, hash 33016(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53157, dp 443, proto 6, tok 14

Jun 13 22:10:06 22:10:05.841132:CID-2:RT:Found: session id 0xae84. sess tok 14

Jun 13 22:10:06 22:10:05.841152:CID-2:RT:  flow got session.

Jun 13 22:10:06 22:10:05.841152:CID-2:RT:  flow session id 44676

Jun 13 22:10:06 22:10:05.841152:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8

Jun 13 22:10:06 22:10:05.841191:CID-2:RT:  vsd 1 is active

Jun 13 22:10:06 22:10:05.841191:CID-2:RT:tcp head size = 32, opt_size=12

Jun 13 22:10:06 22:10:05.841191:CID-2:RT:MSS found 0x 4b0

Jun 13 22:10:06 22:10:05.841191:CID-2:RT:flow_tcp_wsf_update: wsf 8

Jun 13 22:10:06 22:10:05.841191:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0


root@juniper-srx-b# run show log SRXB
Jun 13 21:57:58 juniper-segl-pan clear-log[89373]: logfile cleared
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:<5.5.5.5/52827->2.2.2.2/443;6> matched filter F1:

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:packet [52] ipid = 23496, @0x43e8daa2

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e8d880, rtbl_idx = 0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  reth0.1:5.5.5.5/52827->2.2.2.2/443, tcp, flag 2 syn

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: find flow: table 0x52ea02e8, hash 33757(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52827, dp 443, proto 6, tok 13

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:check self-traffic on reth0.1, in_tunnel 0x0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pak_for_self: No handler function found for proto:6, dst-port:443, drop pkt

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:retcode: 0x1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pak_for_self : proto 6, dst port 443, action 0x0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_create_session

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:First path alloc and instl pending session, natp=0x567229c8, id=29409

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_in_dst_nat: in <reth0.1>, out <N/A> dst_adr 2.2.2.2, sp 52827, dp 443

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  chose interface reth0.1 as incoming nat if.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 2.2.2.2(443) to 10.0.0.2(443), rule/pool id 13/32771.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp reth0.1, out ifp N/A sp 52827, dp 443, ip_proto 6, tos 0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x45, oifl 0x8e

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  routed (x_dst_ip 10.0.0.2) from untrust (reth0.1 in 1) to st0.0, Next-hop: 10.0.0.2

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn-Site-A (0x110,0xce5b01bb,0x1bb)

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Policy lkup: vsys 0 zone(13:untrust) -> zone(10:vpn-Site-A) scope:0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:             5.5.5.5/52827 -> 10.0.0.2/443 proto 6

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  policy has timeout 900

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  app 58, timeout 1800s, curr ageout 20s

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  permitted by policy allow-https-through-vpn(30)

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  packet passed, Permitted by policy.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate:  incoming src port is : 52827.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  dip id = 0/0, 5.5.5.5/52827->5.5.5.5/52827 protocol 0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  Doing IPSec traffic-selector match for  5.5.5.5 -> 10.0.0.2

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Found IPSec nsp_tunnel 0x55941078 for bind-ifp st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_get_tun_info: tunnel out 0x55941078, tun id 131073

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_get_out_ifp: tunnel out 0x55941078, tun id 131073, tun if reth0.1, tun bind if st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  choose interface reth0.1(P2P) as outgoing phy if

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.0.0.2, rtt_idx:0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  check nsrp pak fwd: in_tun=0x0, VSD 0 for out ifp st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_check_ha_fwd: tunnel out 0x55941078, tun id 131073, tun if reth0.1, ha_ifp reth0.1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  vsd 1 is active

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:-jsf : Alloc sess plugin info for session 687194796769

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:[JSF]Plugins(0x0, count 0) enabled for session = 687194796769, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:-jsf : no plugin interested for session 687194796769, free sess plugin info

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  service lookup identified service 58.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_final_check: in <reth0.1>, out <reth0.1>

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_final_check: flow_set_xlate_vector.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:In flow_first_complete_session

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_complete_session: pak_ptr is xlated packet

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_complete_session, pak_ptr: 0x51f08ea8, nsp: 0x567229c8, in_tunnel: 0x0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:construct v4 vector for nsp2

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  existing vector list 0x11026-0x4b3ee7d0.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  Session (id:29409) created for first pak 11026

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:first pak processing successful

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_install_session======> 0x567229c8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: nsp 0x567229c8, nsp2 0x56722a58

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  make_nsp_ready_no_resolve()

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x45, oifl 0x45

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  route lookup: dest-ip 5.5.5.5 orig ifp reth0.1 output_ifp reth0.1 orig-zone 13 out-zone 13 vsd 1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  route to 80.150.68.233

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Installing c2s NP session wing

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:first path session installation succeeded

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow got session.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow session id 29409

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  vsd 1 is active

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ttl vector, out_tunnel = 0x55941078

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:tcp head size = 32, opt_size=12

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:MSS found 0x 5b4

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_tcp_wsf_update: wsf 8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_xlate_pak

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  encap vector

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:mbuf 0x43e8d880, exit nh 0x250010

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 21:58:14 21:58:14.604671:CID-1:RT:<5.5.5.5/52826->2.2.2.2/443;6> matched filter F1:

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:packet [52] ipid = 23495, @0x43d642a2

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43d64080, rtbl_idx = 0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  reth0.1:5.5.5.5/52826->2.2.2.2/443, tcp, flag 2 syn

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: find flow: table 0x52ea02e8, hash 58061(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52826, dp 443, proto 6, tok 13

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:check self-traffic on reth0.1, in_tunnel 0x0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pak_for_self: No handler function found for proto:6, dst-port:443, drop pkt

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:retcode: 0x1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pak_for_self : proto 6, dst port 443, action 0x0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_create_session

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:First path alloc and instl pending session, natp=0x55b68558, id=4616

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_in_dst_nat: in <reth0.1>, out <N/A> dst_adr 2.2.2.2, sp 52826, dp 443

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  chose interface reth0.1 as incoming nat if.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 2.2.2.2(443) to 10.0.0.2(443), rule/pool id 13/32771.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp reth0.1, out ifp N/A sp 52826, dp 443, ip_proto 6, tos 0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x45, oifl 0x8e

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  routed (x_dst_ip 10.0.0.2) from untrust (reth0.1 in 1) to st0.0, Next-hop: 10.0.0.2

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn-Site-A (0x110,0xce5a01bb,0x1bb)

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Policy lkup: vsys 0 zone(13:untrust) -> zone(10:vpn-Site-A) scope:0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:             5.5.5.5/52826 -> 10.0.0.2/443 proto 6

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  policy has timeout 900

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  app 58, timeout 1800s, curr ageout 20s

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  permitted by policy allow-https-through-vpn(30)

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  packet passed, Permitted by policy.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate:  incoming src port is : 52826.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  dip id = 0/0, 5.5.5.5/52826->5.5.5.5/52826 protocol 0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  Doing IPSec traffic-selector match for  5.5.5.5 -> 10.0.0.2

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Found IPSec nsp_tunnel 0x55941078 for bind-ifp st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_get_tun_info: tunnel out 0x55941078, tun id 131073

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_get_out_ifp: tunnel out 0x55941078, tun id 131073, tun if reth0.1, tun bind if st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  choose interface reth0.1(P2P) as outgoing phy if

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.0.0.2, rtt_idx:0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  check nsrp pak fwd: in_tun=0x0, VSD 0 for out ifp st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_check_ha_fwd: tunnel out 0x55941078, tun id 131073, tun if reth0.1, ha_ifp reth0.1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  vsd 1 is active

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:-jsf : Alloc sess plugin info for session 416611832328

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: st0.0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:[JSF]Plugins(0x0, count 0) enabled for session = 416611832328, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:-jsf : no plugin interested for session 416611832328, free sess plugin info

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  service lookup identified service 58.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_final_check: in <reth0.1>, out <reth0.1>

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_final_check: flow_set_xlate_vector.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:In flow_first_complete_session

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_complete_session: pak_ptr is xlated packet

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_complete_session, pak_ptr: 0x51f08ea8, nsp: 0x55b68558, in_tunnel: 0x0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:construct v4 vector for nsp2

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  existing vector list 0x11026-0x4b3ee7d0.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  Session (id:4616) created for first pak 11026

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:first pak processing successful

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_install_session======> 0x55b68558

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: nsp 0x55b68558, nsp2 0x55b685e8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  make_nsp_ready_no_resolve()

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x45, oifl 0x45

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  route lookup: dest-ip 5.5.5.5 orig ifp reth0.1 output_ifp reth0.1 orig-zone 13 out-zone 13 vsd 1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  route to 80.150.68.233

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Installing c2s NP session wing

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:first path session installation succeeded

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow got session.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow session id 4616

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  vsd 1 is active

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ttl vector, out_tunnel = 0x55941078

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:tcp head size = 32, opt_size=12

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:MSS found 0x 5b4

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_tcp_wsf_update: wsf 8

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_xlate_pak

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  encap vector

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1

Jun 13 21:58:14 21:58:14.604671:CID-1:RT:mbuf 0x43d64080, exit nh 0x250010

Jun 13 21:58:14 21:58:14.604671:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 21:58:14 21:58:14.613762:CID-2:RT: find flow: table 0x51e84018, hash 33757(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52827, dp 443, proto 6, tok 13

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:-jsf : Alloc sess plugin info for session 597000497788

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.613762:CID-2:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 597000497788, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:-jsf : no plugin interested for session 597000497788, free sess plugin info

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get NULL sess plugin info 0x56dddc88

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get NULL sess plugin info 0x56dddc88

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:no need update ha

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:Installing c2s NP session wing

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.613762:CID-2:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.613762:CID-2:RT: find flow: table 0x51e84018, hash 58061(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52826, dp 443, proto 6, tok 13

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:-jsf : Alloc sess plugin info for session 536870913450

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.613762:CID-2:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 536870913450, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:-jsf : no plugin interested for session 536870913450, free sess plugin info

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get NULL sess plugin info 0x559e85a8

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get NULL sess plugin info 0x559e85a8

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:no need update ha

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:Installing c2s NP session wing

Jun 13 21:58:14 21:58:14.613762:CID-2:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.613762:CID-2:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:<5.5.5.5/52828->2.2.2.2/443;6> matched filter F1:

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:packet [52] ipid = 23498, @0x43d5a122

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43d59f00, rtbl_idx = 0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  reth0.1:5.5.5.5/52828->2.2.2.2/443, tcp, flag 2 syn

Jun 13 21:58:14 21:58:14.872803:CID-1:RT: find flow: table 0x52ea02e8, hash 41773(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52828, dp 443, proto 6, tok 13

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:check self-traffic on reth0.1, in_tunnel 0x0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:pak_for_self: No handler function found for proto:6, dst-port:443, drop pkt

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:retcode: 0x1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:pak_for_self : proto 6, dst port 443, action 0x0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_first_create_session

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:First path alloc and instl pending session, natp=0x570a4f58, id=49512

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_first_in_dst_nat: in <reth0.1>, out <N/A> dst_adr 2.2.2.2, sp 52828, dp 443

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  chose interface reth0.1 as incoming nat if.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 2.2.2.2(443) to 10.0.0.2(443), rule/pool id 13/32771.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp reth0.1, out ifp N/A sp 52828, dp 443, ip_proto 6, tos 0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x45, oifl 0x8e

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  routed (x_dst_ip 10.0.0.2) from untrust (reth0.1 in 1) to st0.0, Next-hop: 10.0.0.2

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn-Site-A (0x110,0xce5c01bb,0x1bb)

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:Policy lkup: vsys 0 zone(13:untrust) -> zone(10:vpn-Site-A) scope:0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:             5.5.5.5/52828 -> 10.0.0.2/443 proto 6

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  policy has timeout 900

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  app 58, timeout 1800s, curr ageout 20s

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  permitted by policy allow-https-through-vpn(30)

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  packet passed, Permitted by policy.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_src_xlate:  incoming src port is : 52828.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  dip id = 0/0, 5.5.5.5/52828->5.5.5.5/52828 protocol 0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  Doing IPSec traffic-selector match for  5.5.5.5 -> 10.0.0.2

Jun 13 21:58:14 21:58:14.872803:CID-1:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel

Jun 13 21:58:14 21:58:14.872803:CID-1:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0

Jun 13 21:58:14 21:58:14.879241:CID-2:RT: find flow: table 0x51e84018, hash 41773(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52828, dp 443, proto 6, tok 13

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:-jsf : Alloc sess plugin info for session 609885410854

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.879241:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.879241:CID-2:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 609885410854, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:-jsf : no plugin interested for session 609885410854, free sess plugin info

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:get NULL sess plugin info 0x573275e8

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:get NULL sess plugin info 0x573275e8

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:no need update ha

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:Installing c2s NP session wing

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.879241:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.872803:CID-1:RT: Found IPSec nsp_tunnel 0x55941078 for bind-ifp st0.0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_get_tun_info: tunnel out 0x55941078, tun id 131073

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_get_out_ifp: tunnel out 0x55941078, tun id 131073, tun if reth0.1, tun bind if st0.0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  choose interface reth0.1(P2P) as outgoing phy if

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.0.0.2, rtt_idx:0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  check nsrp pak fwd: in_tun=0x0, VSD 0 for out ifp st0.0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_check_ha_fwd: tunnel out 0x55941078, tun id 131073, tun if reth0.1, ha_ifp reth0.1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  vsd 1 is active

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:-jsf : Alloc sess plugin info for session 949187821928

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:ha_ifp: st0.0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:+++++++++++jsf_test_plugin_data_evh: 3

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:[JSF]Plugins(0x0, count 0) enabled for session = 949187821928, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:-jsf : no plugin interested for session 949187821928, free sess plugin info

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  service lookup identified service 58.

Jun 13 21:58:14 21:58:14.879241:CID-2:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_first_final_check: in <reth0.1>, out <reth0.1>

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_final_check: flow_set_xlate_vector.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:In flow_first_complete_session

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_complete_session: pak_ptr is xlated packet

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_complete_session, pak_ptr: 0x51f08ea8, nsp: 0x570a4f58, in_tunnel: 0x0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:construct v4 vector for nsp2

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  existing vector list 0x11026-0x4b3ee7d0.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  Session (id:49512) created for first pak 11026

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:first pak processing successful

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_first_install_session======> 0x570a4f58

Jun 13 21:58:14 21:58:14.872803:CID-1:RT: nsp 0x570a4f58, nsp2 0x570a4fe8

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  make_nsp_ready_no_resolve()

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x45, oifl 0x45

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  route lookup: dest-ip 5.5.5.5 orig ifp reth0.1 output_ifp reth0.1 orig-zone 13 out-zone 13 vsd 1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  route to 80.150.68.233

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:Installing c2s NP session wing

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:ha_ifp: reth0.1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:first path session installation succeeded

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow got session.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow session id 49512

Jun 13 21:58:14 21:58:14.872803:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  vsd 1 is active

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:ttl vector, out_tunnel = 0x55941078

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:tcp head size = 32, opt_size=12

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:MSS found 0x 5b4

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_tcp_wsf_update: wsf 8

Jun 13 21:58:14 21:58:14.872803:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_xlate_pak

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:14 21:58:14.872803:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  encap vector

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1

Jun 13 21:58:14 21:58:14.872803:CID-1:RT:mbuf 0x43d59f00, exit nh 0x250010

Jun 13 21:58:14 21:58:14.872803:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 21:58:17 21:58:17.638686:CID-1:RT:<5.5.5.5/52827->2.2.2.2/443;6> matched filter F1:

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:packet [52] ipid = 23502, @0x43e8daa2

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e8d880, rtbl_idx = 0

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  reth0.1:5.5.5.5/52827->2.2.2.2/443, tcp, flag 2 syn

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: find flow: table 0x52ea02e8, hash 33757(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52827, dp 443, proto 6, tok 13

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:Found: session id 0x72e1. sess tok 13

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow got session.

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow session id 29409

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  vsd 1 is active

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:ttl vector, out_tunnel = 0x55941078

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:tcp head size = 32, opt_size=12

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:MSS found 0x 5b4

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:flow_tcp_wsf_update: wsf 8

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:flow_xlate_pak

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  encap vector

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:mbuf 0x43e8d880, exit nh 0x250010

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 21:58:17 21:58:17.638686:CID-1:RT:<5.5.5.5/52826->2.2.2.2/443;6> matched filter F1:

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:packet [52] ipid = 23503, @0x43cdfe22

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43cdfc00, rtbl_idx = 0

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  reth0.1:5.5.5.5/52826->2.2.2.2/443, tcp, flag 2 syn

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: find flow: table 0x52ea02e8, hash 58061(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52826, dp 443, proto 6, tok 13

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:Found: session id 0x1208. sess tok 13

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow got session.

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow session id 4616

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  vsd 1 is active

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:ttl vector, out_tunnel = 0x55941078

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:tcp head size = 32, opt_size=12

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:MSS found 0x 5b4

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:flow_tcp_wsf_update: wsf 8

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:flow_xlate_pak

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.638686:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  encap vector

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1

Jun 13 21:58:17 21:58:17.638686:CID-1:RT:mbuf 0x43cdfc00, exit nh 0x250010

Jun 13 21:58:17 21:58:17.638686:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 21:58:17 21:58:17.860804:CID-1:RT:<5.5.5.5/52828->2.2.2.2/443;6> matched filter F1:

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:packet [52] ipid = 23504, @0x43c971a2

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43c96f80, rtbl_idx = 0

Jun 13 21:58:17 21:58:17.860804:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  reth0.1:5.5.5.5/52828->2.2.2.2/443, tcp, flag 2 syn

Jun 13 21:58:17 21:58:17.860804:CID-1:RT: find flow: table 0x52ea02e8, hash 41773(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52828, dp 443, proto 6, tok 13

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:Found: session id 0xc168. sess tok 13

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  flow got session.

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  flow session id 49512

Jun 13 21:58:17 21:58:17.860804:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.860804:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  vsd 1 is active

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:ttl vector, out_tunnel = 0x55941078

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:tcp head size = 32, opt_size=12

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:MSS found 0x 5b4

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.860804:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.860804:CID-1:RT:flow_tcp_wsf_update: wsf 8

Jun 13 21:58:17 21:58:17.860804:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:flow_xlate_pak

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:17 21:58:17.860804:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:17 21:58:17.860804:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  encap vector

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1

Jun 13 21:58:17 21:58:17.860804:CID-1:RT:mbuf 0x43c96f80, exit nh 0x250010

Jun 13 21:58:17 21:58:17.860804:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 21:58:23 21:58:23.604988:CID-1:RT:<5.5.5.5/52827->2.2.2.2/443;6> matched filter F1:

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:packet [52] ipid = 23505, @0x43d3d622

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43d3d400, rtbl_idx = 0

Jun 13 21:58:23 21:58:23.604988:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  reth0.1:5.5.5.5/52827->2.2.2.2/443, tcp, flag 2 syn

Jun 13 21:58:23 21:58:23.604988:CID-1:RT: find flow: table 0x52ea02e8, hash 33757(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52827, dp 443, proto 6, tok 13

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:Found: session id 0x72e1. sess tok 13

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  flow got session.

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  flow session id 29409

Jun 13 21:58:23 21:58:23.604988:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:23 21:58:23.604988:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  vsd 1 is active

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:ttl vector, out_tunnel = 0x55941078

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:tcp head size = 32, opt_size=12

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:MSS found 0x 5b4

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:23 21:58:23.604988:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:23 21:58:23.604988:CID-1:RT:flow_tcp_wsf_update: wsf 8

Jun 13 21:58:23 21:58:23.604988:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:flow_xlate_pak

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:23 21:58:23.604988:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:23 21:58:23.604988:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  encap vector

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1

Jun 13 21:58:23 21:58:23.604988:CID-1:RT:mbuf 0x43d3d400, exit nh 0x250010

Jun 13 21:58:23 21:58:23.604988:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jun 13 21:58:23 21:58:23.609002:CID-1:RT:<5.5.5.5/52826->2.2.2.2/443;6> matched filter F1:

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:packet [52] ipid = 23506, @0x43ca92a2

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43ca9080, rtbl_idx = 0

Jun 13 21:58:23 21:58:23.609002:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  reth0.1:5.5.5.5/52826->2.2.2.2/443, tcp, flag 2 syn

Jun 13 21:58:23 21:58:23.609002:CID-1:RT: find flow: table 0x52ea02e8, hash 58061(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52826, dp 443, proto 6, tok 13

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:Found: session id 0x1208. sess tok 13

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  flow got session.

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  flow session id 4616

Jun 13 21:58:23 21:58:23.609002:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:23 21:58:23.609002:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  vsd 1 is active

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:ttl vector, out_tunnel = 0x55941078

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:tcp head size = 32, opt_size=12

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:MSS found 0x 5b4

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:23 21:58:23.609002:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:23 21:58:23.609002:CID-1:RT:flow_tcp_wsf_update: wsf 8

Jun 13 21:58:23 21:58:23.609002:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:flow_xlate_pak

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:out_ifp reth0.1 not tunnel if
Jun 13 21:58:23 21:58:23.609002:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
Jun 13 21:58:23 21:58:23.609002:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  encap vector

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1

Jun 13 21:58:23 21:58:23.609002:CID-1:RT:mbuf 0x43ca9080, exit nh 0x250010

Jun 13 21:58:23 21:58:23.609002:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

So from what I can tell (I could be wrong here), it's that SRXA is trying to send it back through its reth0.1 (untrust) interface to 5.5.5.5, instead of through st0.0.

At least from this tiny snip from the SRXA flow trace:

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x81, oifl 0x46

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route lookup: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 orig-zone 14 out-zone 17 vsd 0

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch

Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route to 1.1.1.254

Thanks a lot!

Solution
Accepted by topic author datapex
‎06-13-2019 09:58 PM

Re: Incoming Destination NAT through VPN Tunnel

‎06-13-2019 02:04 PM

Datapex,

That's exactly what we needed. The problem that SRXA is having is that it has a route to reach 5.5.5.5 via reth1 (because it's a public address); however, it received the traffic via st0. From SRXA's perspective, a packet from 5.5.5.5 should have come via reth1 because it faces the internet.

I think you could use Src NAT on SRXB before sending these packets to SRXA. This way we can use a fake subnet and hide the real 5.5.5.5 address from SRXA. Then SRXA will reply via the tunnel and SRXB will revert the changes and send the traffic to 5.5.5.5 accordingly.

Does it make sense to you? Do you need help with the config?

Please mark this comment as the Solution if applicable

Re: Incoming Destination NAT through VPN Tunnel

‎06-13-2019 05:15 PM

Datapex,

If asymmetry in routing doesn't matter, another way of dealing with the mismatch-zone situation on SRX-A is to ensure that reth.x and st0.x are in the same security-zone.

This would prevent a zone mismatch packet drop.

But do note that this packet will then be sent out via the untrust interface reth.x, instead of through the tunnel and back.

Cheers

Pooja

Re: Incoming Destination NAT through VPN Tunnel

‎06-13-2019 07:26 PM

Hi,

This is an interesting but complex requirement. I believe you would need a combination of DNAT and SRC NAT on Site B for this to work. When traffic reaches Site A, the return would get sent back to the Pub IP over the internet and not back over the VPN tunnel.

Here are some things you may need to consider while doing the NAT on Site B for a destination over the VPN:

1. DNAT - from untrust - src any, dst: 2.2.2.2, then dnat: 10.0.0.2

2. SNAT - from untrust to zone vpn - src any, dst: 10.0.0.2, then src nat interface. I suggest you use a numbered tunnel to NAT to interface, or use another IP from the 10.2.0. pool for the SRC NAT

3. Security policy (happens before SRC NAT) - from any to 10.0.0.2 - untrust to vpn zone

I believe this should be it; verify sessions at both ends to ensure flow and translation are as expected.

Regards,

Vikas

Re: Incoming Destination NAT through VPN Tunnel

‎06-13-2019 10:02 PM

Thanks! That was it :)

I needed to mask using an IP from the SRXB site, so the SRXA knew to send it back that way. source-nat interface wasn't enough, so I added a nat source pool with 10.2.0.254/32 to forward the traffic to SRXA through the tunnel. Lo and behold, it works!

Thank you all for taking the time!
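The three steps Vikas lists (DNAT, SNAT toward the tunnel zone, security policy) together with the pool address 10.2.0.254/32 the OP ended up using can be expressed as the following Junos `set` commands on SRX-B. This is an added example written for this thread, not configuration posted by any participant. The zone names `untrust` and `vpn-Site-A` and the policy name `allow-https-through-vpn` come from the flow trace above; the pool, rule-set, rule and address-book names are assumptions, and the `##` lines are annotations to strip before loading.

```junos
## SRX-B (public 2.2.2.2, Site B). Added example; object names other than the
## zones and the policy name are assumptions, not the poster's configuration.

## Step 1 (DNAT): traffic from the internet to 2.2.2.2:443 is rewritten to 10.0.0.2:443.
## The route lookup that follows DNAT must resolve 10.0.0.2 to st0.0 (zone vpn-Site-A).
set security nat destination pool dnat-https-siteA address 10.0.0.2/32 port 443
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule https-to-siteA match destination-address 2.2.2.2/32
set security nat destination rule-set from-internet rule https-to-siteA match destination-port 443
set security nat destination rule-set from-internet rule https-to-siteA then destination-nat pool dnat-https-siteA

## Step 2 (SNAT): hide the real internet source behind a Site-B address before the packet
## enters the tunnel. st0.0 is unnumbered here, so "source-nat interface" does not work;
## a pool holding 10.2.0.254/32 is used instead. SRX-A then routes the reply for
## 10.2.0.254 back to st0.0, and the "zone mismatch" drop seen in the SRX-A trace goes away.
set security nat source pool snat-hide-internet address 10.2.0.254/32
set security nat source rule-set internet-to-vpn from zone untrust
set security nat source rule-set internet-to-vpn to zone vpn-Site-A
set security nat source rule-set internet-to-vpn rule hide-internet-src match source-address 0.0.0.0/0
set security nat source rule-set internet-to-vpn rule hide-internet-src match destination-address 10.0.0.2/32
set security nat source rule-set internet-to-vpn rule hide-internet-src then source-nat pool snat-hide-internet

## Step 3 (policy): policy lookup runs after DNAT and before SNAT, so it matches the
## translated destination 10.0.0.2 and the original (internet) source. Restrict it to
## HTTPS only; the DNAT pool already pins the port, so nothing else should be reachable.
set security address-book global address srv-web-siteA 10.0.0.2/32
set security policies from-zone untrust to-zone vpn-Site-A policy allow-https-through-vpn match source-address any
set security policies from-zone untrust to-zone vpn-Site-A policy allow-https-through-vpn match destination-address srv-web-siteA
set security policies from-zone untrust to-zone vpn-Site-A policy allow-https-through-vpn match application junos-https
set security policies from-zone untrust to-zone vpn-Site-A policy allow-https-through-vpn then permit
set security policies from-zone untrust to-zone vpn-Site-A policy allow-https-through-vpn then log session-init session-close
```

Two things to check on SRX-A: its route for 10.2.0.0/24 must point at st0.0, and its existing vpn-to-trust policy must permit 10.2.0.254 to 10.0.0.2 on port 443. After committing on both ends, confirm the translation with `show security flow session destination-prefix 10.0.0.2` on each SRX: on SRX-B the session should show 5.5.5.5 -> 2.2.2.2 on the In wing and 10.2.0.254 -> 10.0.0.2 on the Out wing. Because the web server now sees every internet client as 10.2.0.254, the `log session-init session-close` action on SRX-B is what preserves the real client address for incident investigation; without it, the only record of who connected would be lost at the NAT boundary.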