SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

OSPF on SRX 240

  • 1.  OSPF on SRX 240

    Posted 06-16-2015 01:17

    Hi, recently I set up two OSPF sessions for an ECMP setup, but for some reason I can't reach the routes advertised by the OSPF neighbors. Can someone tell me what I am missing in my config?

     

    here is the srx configuration:

    # show protocols ospf
    export [ ospf-default export-static ];
    area 0.0.3.32 {
        interface reth1.0 {
            priority 100;
            hello-interval 1;
            dead-interval 4;
        }
    }
    
    # show policy-options policy-statement ospf-default
    term ospd-default {
        from {
            route-filter 0.0.0.0/0 exact accept;
        }
    }
    
    # show policy-options policy-statement export-static
    term export-static {
        from protocol static;
        then accept;
    }
    term export-local {
        from protocol local;
        then accept;
    }
    term export-direct {
        from protocol direct;
        then accept;
    }
    
    > show ospf neighbor
    Address          Interface              State     ID               Pri  Dead
    172.16.6.2       reth1.0                Full      172.16.6.2        10     3
    172.16.6.6       reth1.0                Full      172.16.6.6        10     3
    
    > show ospf route
    Topology default Route Table:
    
    Prefix             Path  Route      NH       Metric NextHop       Nexthop
                       Type  Type       Type            Interface     Address/LSP
    172.16.6.2         Intra AS BR      IP            1 reth1.0       172.16.6.2
    172.16.6.6         Intra AS BR      IP            1 reth1.0       172.16.6.6
    10.8.0.0/16        Intra Network    IP            1 reth1.0
    172.16.1.10/32     Ext1  Network    IP            1 reth1.0       172.16.6.2
                                                                              reth1.0       172.16.6.6
    172.16.6.0/30      Intra Network    IP            1 reth1.0
    172.16.6.4/30      Intra Network    IP            1 reth1.0
    
    
    > show route 172.16.1.10 extensive
    
    inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
    Restart Complete
    172.16.1.10/32 (1 entry, 1 announced)
    TSI:
    KRT in-kernel 172.16.1.10/32 -> {172.16.6.2, 172.16.6.6}
            *OSPF   Preference: 150
                    Next hop type: Router, Next hop index: 262142
                    Address: 0x16a058c
                    Next-hop reference count: 3
                    Next hop: 172.16.6.2 via reth1.0, selected
                    Next hop: 172.16.6.6 via reth1.0
                    State: <Active Int Ext>
                    Local AS: 62299
                    Age: 21:20:22   Metric: 1       Tag: 0
                    Task: OSPF
                    Announcement bits (2): 0-KRT 3-Resolve tree 1
                    AS path: I
    
    --- 172.16.1.10 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    
    --- 172.16.6.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.603/2.318/3.014/0.576 ms
    
    --- 172.16.6.6 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.584/1.792/2.161/0.262 ms
    
    

    Could it be a problem with the security zone, or something else?

     

    thanks

    Dan



  • 2.  RE: OSPF on SRX 240

     
    Posted 06-16-2015 01:23

    Hello ,

     

    Can you try to ping the IPs sourcing from the reth1.0 IP address? We do not need a security policy for that, since it is self-generated traffic and hits the self policy.



  • 3.  RE: OSPF on SRX 240

    Posted 06-16-2015 02:46

    What do you mean by "IP sourcing the reth1.0"? I can ping any of the reth1.0 IP addresses from both Linux routers.

     

    [root@dns802 ~]# ping 172.16.6.5 -c 3 -q
    PING 172.16.6.5 (172.16.6.5) 56(84) bytes of data.
    
    --- 172.16.6.5 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2000ms
    rtt min/avg/max/mdev = 0.519/0.535/0.550/0.022 ms
    [root@dns802 ~]# ping 10.8.0.1 -c 3 -q
    PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
    
    --- 10.8.0.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2000ms
    rtt min/avg/max/mdev = 0.443/0.498/0.568/0.057 ms
    [root@dns802 ~]# ip r l | grep def
    default via 172.16.6.5 dev ens192  proto zebra

     



  • 4.  RE: OSPF on SRX 240

     
    Posted 06-16-2015 02:51

    Hello ,

     

    I meant, are you able to ping those IPs (172.16.1.10, 172.16.6.2, 172.16.6.6) sourcing from the reth1.0 IP:

     

    ping 172.16.1.10 source <reth1.0 IP>
    ping 172.16.6.2 source <reth1.0 IP>
    ping 172.16.6.6 source <reth1.0 IP>



  • 5.  RE: OSPF on SRX 240

    Posted 06-16-2015 02:59

    One thing that I noticed is that if I ping directly from the router, the source IP address will be from the fxp interface.

     

    So it looks like everything is working from the router.

     

    i# run ping 172.16.1.10 source 172.16.6.5 count 3
    PING 172.16.1.10 (172.16.1.10): 56 data bytes
    64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.494 ms
    64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.656 ms
    64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.686 ms
    
    --- 172.16.1.10 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.656/1.945/2.494/0.388 ms
    i# run ping 172.16.1.10 source 10.8.0.1 count 3
    PING 172.16.1.10 (172.16.1.10): 56 data bytes
    64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.568 ms
    64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.543 ms
    64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=2.690 ms
    
    --- 172.16.1.10 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.543/2.267/2.690/0.514 ms

    But when I try to ping any IP behind the OSPF network from any machine behind the 10.8.0.0/16 network, it is not working; they are on the same reth1.0.



  • 6.  RE: OSPF on SRX 240

     
    Posted 06-16-2015 03:16

    Can you share the complete config of your SRX with us, so we can have a look and solve the problem you are having?

     

    I'm guessing it has something to do with some security policies.



  • 7.  RE: OSPF on SRX 240

    Posted 06-16-2015 03:22

    Sure, how do you want me to export it? As set or as normal?

     

    thanks,

    Dan



  • 8.  RE: OSPF on SRX 240

     
    Posted 06-16-2015 03:38

    Normal and set are both fine for checking the config.



  • 9.  RE: OSPF on SRX 240

    Posted 06-16-2015 05:30

    See config below. For security reasons I have modified some of the IPs to xxx; also, the CoPP rules are not applied.

     

    thank you

     

    version 12.1X44-D40.2;
    groups {
        node0 {
            system {
                host-name rtr01-timi;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.99.99.1/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name rtr02-timi;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.99.99.2/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        time-zone Europe/Bucharest;
        no-redirects;
        arp {
            aging-timer 5;
            passive-learning;
            purging;
            gratuitous-arp-on-ifup;
            gratuitous-arp-delay 1;
        }
        root-authentication {
            encrypted-password "$1$yiNoLbJN$CTQJJizNyxYFeYXJxt9x./"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        login {
            class super-user-local {
                idle-timeout 1;
            }
            user andrei {
                uid 2002;
                class super-user;
                authentication {
                    encrypted-password "$1$3cH/.OwX$SFh1211KUc6BMENcpzNLz0"; ## SECRET-DATA
                }
            }
            user fred {
                uid 2003;
                class super-user;
                authentication {
                    encrypted-password "$1$V7o4JmR8$65FMmkJPJ0.xfNbnF4rOx/"; ## SECRET-DATA
                }
            }
            user kiki {
                uid 2004;
                class super-user;
                authentication {
                    encrypted-password "$1$xSFKcRZx$I0L5wHzBig4wnWU7GHjsB."; ## SECRET-DATA
                }
            }
            user timi {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1$3wCJjy1Q$4VCzAK1qcEvOYahgnPzYI1"; ## SECRET-DATA
                }
            }
            password {
                minimum-length 8;
                maximum-length 20;
                change-type character-sets;
                minimum-changes 3;
            }
        }
        services {
            ssh {
                protocol-version v2;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file kmd-logs {
                daemon info;
                match KMD;
            }
        }
        max-configurations-on-flash 10;
        max-configuration-rollbacks 10;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 92.86.106.228;
            server 93.114.42.129;
            server 80.96.120.253;
            server 91.216.151.202;
        }
    }
    chassis {
        cluster {
            control-link-recovery;
            reth-count 2;
            redundancy-group 0 {
                node 0 priority 200;
                node 1 priority 100;
            }
            redundancy-group 1 {
                node 0 priority 200;
                node 1 priority 100;
            }
        }
    }
    interfaces {
        ge-0/0/4 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-0/0/5 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-0/0/8 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/9 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-5/0/4 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/5 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/8 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-5/0/9 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-5/0/2;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet;
            }
        }
        reth0 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 62.xxx.xxx.2/30;
                }
            }
        }
        reth1 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    no-redirects;
                    address 10.8.0.1/16;
                    address 188.xxx.xxx.1/24;
                    address 188.xxx.xxx.1/24;
                    address 172.16.6.1/30;
                    address 172.16.6.5/30;
                }
            }
        }
        st0 {
            description ipsec-vpn;
            unit 0 {
                description to-LV;
                family inet {
                    mtu 1420;
                    address 172.16.0.2/30;
                }
            }
            unit 1 {
                description to-NJ;
                family inet {
                    mtu 1420;
                    address 172.16.8.1/30;
                }
            }
        }
    }
    forwarding-options {
        hash-key {
            family inet {
                layer-3;
                layer-4;
            }
        }
    }
    snmp {
        community jun1p3r5 {
            clients {
                127.0.0.1/32;
            }
        }
    }
    routing-options {
        graceful-restart;
        static {
            defaults {
                no-readvertise;
                resolve;
            }
            route 10.6.0.0/16 next-hop st0.0;
            route 10.3.0.0/16 next-hop st0.1;
        }
        router-id 62.xxx.xxx.2;
        autonomous-system 62299;
        forwarding-table {
            export pol-load-balance;
        }
    }
    protocols {
        bgp {
            mtu-discovery;
            group bm2orange {
                type external;
                import [ pol-default-in pol-reject-any pol-no-crap ];
                export pol-bm2isp-out;
                neighbor 62.xxx.xxx.1 {
                    description Org;
                    peer-as 8953;
                }
            }
        }
        ospf {
            export [ ospf-default export-static ];
            area 0.0.3.32 {
                interface reth1.0 {
                    priority 100;
                    hello-interval 1;
                    dead-interval 4;
                }
            }
        }
        rstp;
    }
    policy-options {
        prefix-list p-ospf {
            10.99.99.0/24;
            172.16.6.2/32;
            172.16.6.6/32;
        }
        prefix-list p-ssh-servers {
            10.8.0.0/16;
            10.99.99.0/24;
            89.xxx.xxx.34/32;
        }
        prefix-list p-snmp-servers {
            10.8.0.0/16;
            10.99.99.0/24;
        }
        prefix-list p-dns-servers {
            8.8.4.4/32;
            8.8.8.8/32;
            10.8.0.0/16;
            10.99.99.0/24;
            172.16.6.0/30;
            172.16.6.4/30;
        }
        prefix-list p-ntp-servers {
            10.8.0.0/16;
            10.99.99.0/24;
            apply-path "system ntp server <*>";
        }
        prefix-list p-router-interfaces4 {
            apply-path "interfaces <*> unit <*> family inet address <*>";
        }
        prefix-list p-bgp-neighbors {
            10.99.99.0/24;
            62.xxx.xxx.1/32;
        }
        prefix-list p-ipsec-neighbors {
            108.xxx.xxx.125/32;
            192.xxx.xxx.66/32;
        }
        policy-statement export-static {
            term export-static {
                from protocol static;
                then accept;
            }
            term export-local {
                from protocol local;
                then accept;
            }
            term export-direct {
                from protocol direct;
                then accept;
            }
        }
        policy-statement ospf-default {
            term ospd-default {
                from {
                    route-filter 0.0.0.0/0 exact accept;
                }
            }
        }
        policy-statement ospf-to-rib {
            term ospf-to-rib {
                from protocol ospf;
                then accept;
            }
        }
        policy-statement pol-bm2isp-out {
            term match-local-prefixes {
                from {
                    route-filter 188.xxx.xxx.0/24 exact;
                    route-filter 188.xxx.xxx.0/24 exact;
                }
                then accept;
            }
        }
        policy-statement pol-default-in {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        policy-statement pol-load-balance {
            then {
                load-balance per-packet;
            }
        }
        policy-statement pol-no-crap {
            term no-crap {
                from {
                    route-filter 10.0.0.0/8 orlonger;
                    route-filter 127.0.0.0/8 orlonger;
                    route-filter 169.254.0.0/16 orlonger;
                    route-filter 172.16.0.0/12 orlonger;
                    route-filter 192.0.2.0/24 orlonger;
                    route-filter 224.0.0.0/3 orlonger;
                    route-filter 100.64.0.0/10 orlonger;
                }
                then reject;
            }
        }
        policy-statement pol-reject-any {
            then reject;
        }
    }
    security {
        ike {
            proposal ike-proposal-vpn01 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
            }
            proposal ike-proposal-vpn02 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
            }
            policy ike-policy-vpn01 {
                mode main;
                proposals ike-proposal-vpn01;
                pre-shared-key ascii-text "$9$6fS0AORSreW87cyYg4aHkn/CuIEM87"; ## SECRET-DATA
            }
            policy ike-policy-vpn02 {
                mode main;
                proposals ike-proposal-vpn02;
                pre-shared-key ascii-text "$9$haqrMX-Vwg4ZNdqmP5/9EcyKLx24Z"; ## SECRET-DATA
            }
            gateway ike-gate-vpn01 {
                ike-policy ike-policy-vpn01;
                address 192.xxx.xxx.66;
                external-interface reth0.0;
                version v2-only;
            }
            gateway ike-gate-vpn02 {
                ike-policy ike-policy-vpn02;
                address 108.xxx.xxx.125;
                external-interface reth0.0;
                version v2-only;
            }
        }
        ipsec {
            policy ipsec-policy-vpn01 {
                proposal-set standard;
            }
            policy ipsec-policy-vpn02 {
                proposal-set standard;
            }
            vpn ipsec-vpn-vpn01 {
                bind-interface st0.0;
                ike {
                    gateway ike-gate-vpn01;
                    ipsec-policy ipsec-policy-vpn01;
                }
                establish-tunnels immediately;
            }
            vpn ipsec-vpn-vpn02 {
                bind-interface st0.1;
                ike {
                    gateway ike-gate-vpn02;
                    ipsec-policy ipsec-policy-vpn02;
                }
                establish-tunnels immediately;
            }
        }
        flow {
            syn-flood-protection-mode syn-proxy;
            tcp-mss {
                ipsec-vpn {
                    mss 1420;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                pool default-nat {
                    address {
                        188.xxx.xxx.1/32;
                    }
                }
                rule-set internet-nat {
                    from zone trust;
                    to zone untrust;
                    rule any-to-any {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                pool {
                                    default-nat;
                                }
                            }
                        }
                    }
                }
            }
            destination {
                pool ssh01 {
                    address 10.8.20.22/32 port 22;
                }
                rule-set DNAT {
                    from zone untrust;
                    rule ssh01 {
                        match {
                            destination-address 188.xxx.xxx.222/32;
                            destination-port 22;
                        }
                        then {
                            destination-nat pool ssh01;
                        }
                    }
                }
            }
            static {
                rule-set static-nat {
                    from zone untrust;
                    rule rdp01 {
                        match {
                            destination-address 188.xxx.xxx.220/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    10.8.20.20/32;
                                }
                            }
                        }
                    }
                    rule ssh01 {
                        match {
                            destination-address 188.xxx.xxx.222/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    10.8.20.22/32;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy untrust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone ipsec_vpn {
                policy trust-to-ipsec_vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone ipsec_vpn to-zone trust {
                policy ipsec_vpn-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone ipsec_vpn02 {
                policy trust-to-ipsec_vpn02 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone ipsec_vpn02 to-zone trust {
                policy ipsec_vpn02-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth1.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth0.0;
                }
            }
            security-zone ipsec_vpn {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
            security-zone ipsec_vpn02 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.1;
                }
            }
        }
    }
    firewall {
        family inet {
            filter pm-copp-in {
                term copp-important-ssh {
                    from {
                        source-prefix-list {
                            p-ssh-servers;
                        }
                        destination-prefix-list {
                            p-router-interfaces4;
                        }
                        protocol tcp;
                        port 22;
                    }
                    then policer copp-important;
                }
                term copp-important-snmp {
                    from {
                        source-prefix-list {
                            p-snmp-servers;
                        }
                        destination-prefix-list {
                            p-router-interfaces4;
                        }
                        protocol udp;
                        port snmp;
                    }
                    then policer copp-important;
                }
                term copp-important-dns {
                    from {
                        source-prefix-list {
                            p-dns-servers;
                            p-router-interfaces4;
                        }
                        destination-prefix-list {
                            p-router-interfaces4;
                            p-dns-servers;
                        }
                        protocol udp;
                        source-port 53;
                    }
                    then policer copp-important;
                }
                term copp-normal-icmp {
                    from {
                        protocol icmp;
                        icmp-type [ echo-request echo-reply time-exceeded ];
                    }
                    then policer copp-normal;
                }
                term copp-important-ntp {
                    from {
                        source-prefix-list {
                            p-ntp-servers;
                            p-router-interfaces4;
                        }
                        destination-prefix-list {
                            p-ntp-servers;
                            p-router-interfaces4;
                        }
                        protocol udp;
                        port ntp;
                    }
                    then policer copp-important;
                }
                term copp-critical-bgp {
                    from {
                        source-prefix-list {
                            p-bgp-neighbors;
                        }
                        destination-prefix-list {
                            p-router-interfaces4;
                        }
                        protocol tcp;
                        port bgp;
                    }
                    then accept;
                }
                term copp-critical-ipsec {
                    from {
                        source-prefix-list {
                            p-ipsec-neighbors;
                        }
                        destination-prefix-list {
                            p-router-interfaces4;
                        }
                    }
                    then accept;
                }
                term copp-critical-ospf {
                    from {
                        source-prefix-list {
                            p-ospf;
                        }
                        protocol ospf;
                    }
                    then accept;
                }
            }
        }
        policer copp-normal {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 128k;
            }
            then discard;
        }
        policer copp-important {
            if-exceeding {
                bandwidth-limit 20m;
                burst-size-limit 2m;
            }
            then discard;
        }
    }
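One check worth running against the configuration above, as an added example that is not code from the thread or from Juniper: both the 10.8.0.0/16 hosts and the two OSPF neighbours (172.16.6.2 and 172.16.6.6) sit on reth1.0, so a host-originated packet to 172.16.1.10 enters and leaves the SRX through the trust zone. The SRX still performs a (from-zone, to-zone) policy lookup for such transit traffic, and without a matching policy the default policy denies it; the pings sourced from the SRX itself that worked earlier are self-generated traffic and do not go through that lookup, so they say nothing about transit flows. The script below parses the Junos curly-brace format, maps interface units to their zones and lists the permit policies for a given ingress/egress pair. It embeds a constructed excerpt carrying the zone and policy statements posted above; the function names (parse_junos, interface_zones, permit_policies, check_transit) are chosen here.

```python
"""Zone-pair policy check for a Junos SRX config (added example, not code
from the thread). Parses the curly-brace config text, maps interfaces to
security zones and lists the permit policies for the zone pair a transit
flow traverses; an empty list means the flow would hit the default deny."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt with the zone and policy statements posted above
# (only the stanzas this check needs; the untrust-to-trust policy is omitted).
SAMPLE_CONFIG = """
security {
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                reth1.0;
            }
        }
        security-zone untrust {
            interfaces {
                reth0.0;
            }
        }
    }
}
"""

def parse_junos(text: str) -> dict:
    """Nested dicts: 'foo bar {' -> key with a dict value, 'foo bar;' -> key
    with value None. '## SECRET-DATA' style annotations are dropped."""
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()  # IndexError here means a stray closing brace
        else:
            stack[-1][line.rstrip(";").strip()] = None
    if len(stack) != 1:
        raise ValueError("%d block(s) left open" % (len(stack) - 1))
    return root

def interface_zones(conf: dict) -> Dict[str, str]:
    """Map each interface unit (e.g. 'reth1.0') to its security zone."""
    zones = (conf.get("security") or {}).get("zones") or {}
    mapping: Dict[str, str] = {}
    for key, body in zones.items():
        if key.startswith("security-zone ") and isinstance(body, dict):
            for ifname in body.get("interfaces") or {}:
                mapping[ifname] = key.split()[1]
    return mapping

def permit_policies(conf: dict) -> Dict[Tuple[str, str], List[str]]:
    """Map (from-zone, to-zone) to the names of its policies that permit."""
    policies = (conf.get("security") or {}).get("policies") or {}
    result: Dict[Tuple[str, str], List[str]] = {}
    for key, body in policies.items():
        m = re.fullmatch(r"from-zone (\S+) to-zone (\S+)", key)
        if not m or not isinstance(body, dict):
            continue
        names = result.setdefault((m.group(1), m.group(2)), [])
        for pkey, pbody in body.items():
            if not pkey.startswith("policy ") or not isinstance(pbody, dict):
                continue
            then = pbody.get("then")  # 'then { permit; }' or one-line 'then permit;'
            if (isinstance(then, dict) and "permit" in then) or "then permit" in pbody:
                names.append(pkey.split()[1])
    return result

def check_transit(conf: dict, ingress_if: str, egress_if: str) -> Tuple[str, str, List[str]]:
    """(from_zone, to_zone, permit policy names) for a flow entering on
    ingress_if and leaving on egress_if; an empty list means default deny."""
    zones = interface_zones(conf)
    pair = (zones[ingress_if], zones[egress_if])
    return pair[0], pair[1], permit_policies(conf).get(pair, [])

if __name__ == "__main__":
    conf = parse_junos(SAMPLE_CONFIG)
    # The thread's flow: a 10.8.0.0/16 host enters on reth1.0, and the OSPF
    # next hops for 172.16.1.10 are reached via reth1.0 as well.
    for ingress, egress in (("reth1.0", "reth1.0"), ("reth1.0", "reth0.0")):
        src, dst, names = check_transit(conf, ingress, egress)
        verdict = "permit via " + ", ".join(names) if names else "no policy -> default deny"
        print("%s -> %s (from-zone %s to-zone %s): %s" % (ingress, egress, src, dst, verdict))
```

Run it against the full posted configuration (paste it in place of SAMPLE_CONFIG) to get the same answer for every zone pair; the reth1.0 to reth1.0 case reports no policy, while reth1.0 to reth0.0 reports trust-to-untrust.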

     



  • 10.  RE: OSPF on SRX 240

    Posted 06-16-2015 12:28

    Anyone?



  • 11.  RE: OSPF on SRX 240

     
    Posted 06-16-2015 22:15

    Hello ,

     

    Your configuration looks fine. Also, when we sourced the ping from the reth1.0 IP, you were able to reach the OSPF network.

    So now the issue, as stated by you, is that your host behind the SRX cannot reach the OSPF network. For that we need to run flow traceoptions on your SRX device and see if we are dropping the packets or doing asymmetric routing.



  • 12.  RE: OSPF on SRX 240

    Posted 06-17-2015 00:34

    # run show log flow-trace
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow0: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow0: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.648602:CID-1:RT:filter 0 name f0 is set
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow1: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow1: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow0: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow0: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.362687:CID-2:RT:filter 0 name f0 is set
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow2: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow2: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow1: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow1: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow3: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow3: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow2: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow2: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow4: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow4: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow3: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow3: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow5: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow5: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow4: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow4: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow6: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow6: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358411:CID-2:CTRL:flow5: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358411:CID-2:CTRL:flow5: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow7: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow7: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358411:CID-2:CTRL:flow6: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358411:CID-2:CTRL:flow6: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow8: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow8: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow7: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow7: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow9: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow9: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow8: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow8: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow10: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow10: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow9: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow9: Destination ID set to 2
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow11: Rate limit changed to 0
    Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow11: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow10: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow10: Destination ID set to 2
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow11: Rate limit changed to 0
    Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow11: Destination ID set to 2

    Jun 17 10:32:04 10:32:04.003393:CID-1:RT:<10.8.20.22/1->172.16.1.10/6717;1> matched filter f0:
    Jun 17 10:32:04 10:32:04.003393:CID-1:RT:packet [84] ipid = 20573, @0x4320c51c
    Jun 17 10:32:04 10:32:04.003393:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4320c300, rtbl_idx = 0
    Jun 17 10:32:04 10:32:04.003469:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0
    Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)
    Jun 17 10:32:04 10:32:04.003469:CID-1:RT: find flow: table 0x511609a0, hash 57765(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 1, dp 6717, proto 1, tok 6
    Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  flow_first_create_session
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 1, dp 6717
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  chose interface reth1.0 as incoming nat if.
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 1, dp 6717, ip_proto 1, tos 0
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:Doing DESTINATION addr route-lookup
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x11a3d,0x1a3d)
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/14389 proto 1
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/14389 proto 1
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  app 0, timeout 60s, curr ageout 60s
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  packet dropped, denied by policy
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
    Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  packet dropped,  policy deny.
    Jun 17 10:32:04 10:32:04.003885:CID-1:RT:  flow find session returns error.
    Jun 17 10:32:04 10:32:04.003885:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Jun 17 10:32:04 10:32:04.384754:CID-1:RT:jsf sess close notify
    Jun 17 10:32:04 10:32:04.384774:CID-1:RT:flow_ipv4_del_flow: sess 288214, in hash 32
    Jun 17 10:32:04 10:32:04.384774:CID-1:RT:ha_ifp: reth1.0

    Jun 17 10:32:05 10:32:05.003313:CID-1:RT:<10.8.20.22/2->172.16.1.10/6717;1> matched filter f0:
    Jun 17 10:32:05 10:32:05.003313:CID-1:RT:packet [84] ipid = 20574, @0x4367539c
    Jun 17 10:32:05 10:32:05.003313:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43675180, rtbl_idx = 0
    Jun 17 10:32:05 10:32:05.003313:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0
    Jun 17 10:32:05 10:32:05.003313:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)
    Jun 17 10:32:05 10:32:05.003313:CID-1:RT: find flow: table 0x511609a0, hash 49333(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 2, dp 6717, proto 1, tok 6
    Jun 17 10:32:05 10:32:05.003313:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jun 17 10:32:05 10:32:05.003313:CID-1:RT:  flow_first_create_session
    Jun 17 10:32:05 10:32:05.003313:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 2, dp 6717
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  chose interface reth1.0 as incoming nat if.
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 2, dp 6717, ip_proto 1, tos 0
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:Doing DESTINATION addr route-lookup
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x21a3d,0x1a3d)
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/31284 proto 1
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/31284 proto 1
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  app 0, timeout 60s, curr ageout 60s
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  packet dropped, denied by policy
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  packet dropped,  policy deny.
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  flow find session returns error.
    Jun 17 10:32:05 10:32:05.003643:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Jun 17 10:32:06 10:32:06.003356:CID-1:RT:<10.8.20.22/3->172.16.1.10/6717;1> matched filter f0:
    Jun 17 10:32:06 10:32:06.003356:CID-1:RT:packet [84] ipid = 20575, @0x4319dd1c
    Jun 17 10:32:06 10:32:06.003356:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4319db00, rtbl_idx = 0
    Jun 17 10:32:06 10:32:06.003356:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT: find flow: table 0x511609a0, hash 10181(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 3, dp 6717, proto 1, tok 6
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  flow_first_create_session
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 3, dp 6717
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  chose interface reth1.0 as incoming nat if.
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 3, dp 6717, ip_proto 1, tos 0
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:Doing DESTINATION addr route-lookup
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x31a3d,0x1a3d)
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/23603 proto 1
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/23603 proto 1
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  app 0, timeout 60s, curr ageout 60s
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  packet dropped, denied by policy
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  packet dropped,  policy deny.
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  flow find session returns error.
    Jun 17 10:32:06 10:32:06.003544:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Jun 17 10:32:06 10:32:06.386710:CID-1:RT:jsf sess close notify
    Jun 17 10:32:06 10:32:06.386710:CID-1:RT:flow_ipv4_del_flow: sess 287850, in hash 32
    Jun 17 10:32:06 10:32:06.386728:CID-1:RT:ha_ifp: reth1.0
    Jun 17 10:32:06 10:32:06.386728:CID-1:RT:jsf sess close notify
    Jun 17 10:32:06 10:32:06.386728:CID-1:RT:flow_ipv4_del_flow: sess 289155, in hash 32
    Jun 17 10:32:06 10:32:06.386728:CID-1:RT:ha_ifp: reth1.0

    Jun 17 10:32:07 10:32:07.003295:CID-1:RT:<10.8.20.22/4->172.16.1.10/6717;1> matched filter f0:
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:packet [84] ipid = 20576, @0x4319dd1c
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4319db00, rtbl_idx = 0
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT: find flow: table 0x511609a0, hash 1749(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 4, dp 6717, proto 1, tok 6
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  flow_first_create_session
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 4, dp 6717
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  chose interface reth1.0 as incoming nat if.
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 4, dp 6717, ip_proto 1, tos 0
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:Doing DESTINATION addr route-lookup
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x41a3d,0x1a3d)
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/39218 proto 1
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/39218 proto 1
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  app 0, timeout 60s, curr ageout 60s
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  packet dropped, denied by policy
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  packet dropped,  policy deny.
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  flow find session returns error.
    Jun 17 10:32:07 10:32:07.003467:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:<10.8.20.22/5->172.16.1.10/6717;1> matched filter f0:
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:packet [84] ipid = 20577, @0x4320c51c
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4320c300, rtbl_idx = 0
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT: find flow: table 0x511609a0, hash 26085(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 5, dp 6717, proto 1, tok 6
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  flow_first_create_session
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 5, dp 6717
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  chose interface reth1.0 as incoming nat if.
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 5, dp 6717, ip_proto 1, tos 0
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:Doing DESTINATION addr route-lookup
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
    Jun 17 10:32:08 10:32:08.003347:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x51a3d,0x1a3d)
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/29233 proto 1
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/29233 proto 1
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  app 0, timeout 60s, curr ageout 60s
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  packet dropped, denied by policy
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  packet dropped,  policy deny.
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  flow find session returns error.
    Jun 17 10:32:08 10:32:08.003786:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Jun 17 10:32:08 10:32:08.386970:CID-1:RT:jsf sess close notify
    Jun 17 10:32:08 10:32:08.386970:CID-1:RT:flow_ipv4_del_flow: sess 290026, in hash 32
    Jun 17 10:32:08 10:32:08.386970:CID-1:RT:ha_ifp: reth1.0
    Jun 17 10:32:08 10:32:08.386970:CID-1:RT:jsf sess close notify
    Jun 17 10:32:08 10:32:08.386970:CID-1:RT:flow_ipv4_del_flow: sess 289460, in hash 32
    Jun 17 10:32:08 10:32:08.387031:CID-1:RT:ha_ifp: reth1.0

    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:<10.8.20.22/6->172.16.1.10/6717;1> matched filter f0:
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:packet [84] ipid = 20578, @0x432dda1c
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x432dd800, rtbl_idx = 0
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT: find flow: table 0x511609a0, hash 17653(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 6, dp 6717, proto 1, tok 6
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  flow_first_create_session
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 6, dp 6717
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  chose interface reth1.0 as incoming nat if.
    Jun 17 10:32:09 10:32:09.003377:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 6, dp 6717, ip_proto 1, tos 0
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:Doing DESTINATION addr route-lookup
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x61a3d,0x1a3d)
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/19248 proto 1
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/19248 proto 1
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  app 0, timeout 60s, curr ageout 60s
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  packet dropped, denied by policy
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  packet dropped,  policy deny.
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  flow find session returns error.
    Jun 17 10:32:09 10:32:09.003729:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Jun 17 10:32:10 10:32:10.384859:CID-1:RT:jsf sess close notify
    Jun 17 10:32:10 10:32:10.384859:CID-1:RT:flow_ipv4_del_flow: sess 288575, in hash 32
    Jun 17 10:32:10 10:32:10.384878:CID-1:RT:ha_ifp: reth1.0

    Flow trace attached; it looks like some policy is dropping the packet.



  • 13.  RE: OSPF on SRX 240

    Posted 06-17-2015 00:48

    I found the solution for the problem; looks like the default-policy for srx re is deny-all, so I set the following policy:

    set security policies default-policy permit-all



  • 14.  RE: OSPF on SRX 240

     
    Posted 06-17-2015 00:51

    @ndanl wrote:

    I found the solution for the problem; looks like the default-policy for srx re is deny-all, so I set the following policy:

    set security policies default-policy permit-all

    This can work, but you now allow everything from anywhere! See my last post to allow the traffic within only the trust zone.



  • 15.  RE: OSPF on SRX 240
    Best Answer

     
    Posted 06-17-2015 00:49

    Yes!

     

    You need to make a policy to allow traffic within zone trust (from zone trust to zone trust):

    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
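    As an added example (not code from this thread, from Juniper, or from any of the posters), the script below reads SRX flow traceoptions output of the kind shown in post 12, reconstructs the first-path decision for each packet (ingress and egress interface, next hop, zone pair, verdict and the policy that produced it), and, for packets denied by the default policy, emits set-commands for a policy scoped to that zone pair, source, destination and application. It goes a step beyond this thread's trust-to-trust ICMP case: it works for any zone pair and protocol the trace contains, which makes it a narrower fix than `default-policy permit-all`. The regex shapes for "matched filter", "routed", "policy search" and "denied by policy" are copied from post 12; the "permitted by policy NAME(N)" shape is assumed, the address-book commands use the zone-level form, and the names `FirstPath`, `parse_trace`, `suggest_policy` and `SAMPLE_TRACE` are mine. The sample trace is constructed from the first two pings in post 12, cut down to the lines the parser uses.

```python
"""Turn SRX flow traceoptions output into a scoped security policy.

Added example for this thread: not Juniper's code and not the posters' code.
Line shapes for 'matched filter', 'routed', 'policy search' and 'denied by
policy' are taken from the trace in post 12; the 'permitted by policy NAME(N)'
shape is assumed, and the address-book commands use the zone-level form.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

PKT_RE = re.compile(r"<(?P<src>[\d.]+)/(?P<sp>\d+)->(?P<dst>[\d.]+)/(?P<dp>\d+);(?P<proto>\d+)> matched filter")
ROUTE_RE = re.compile(r"routed \(x_dst_ip [\d.]+\) from (?P<zone>\S+) \((?P<in_if>\S+) in \d+\) to (?P<out_if>\S+), Next-hop: (?P<nh>[\d.]+)")
ZONE_RE = re.compile(r"policy search from zone (?P<from_zone>\S+?)-> zone (?P<to_zone>\S+)")
DENY_RE = re.compile(r"denied by policy (?P<policy>\S+?)\(\d+\)")
PERMIT_RE = re.compile(r"permitted by policy (?P<policy>\S+?)\(\d+\)")  # assumed shape, not seen in the thread

# Predefined Junos application for ICMP; any other protocol falls back to 'any'.
APP_BY_PROTO = {1: "junos-icmp-all"}

# Constructed sample: the first two pings from post 12, reduced to the lines that matter.
SAMPLE_TRACE = """\
Jun 17 10:32:04 10:32:04.003393:CID-1:RT:<10.8.20.22/1->172.16.1.10/6717;1> matched filter f0:
Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)
Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
Jun 17 10:32:04 10:32:04.003590:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x11a3d,0x1a3d)
Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  packet dropped, denied by policy
Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
Jun 17 10:32:05 10:32:05.003313:CID-1:RT:<10.8.20.22/2->172.16.1.10/6717;1> matched filter f0:
Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
Jun 17 10:32:05 10:32:05.003643:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x21a3d,0x1a3d)
Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
"""


@dataclass
class FirstPath:
    """First-path decision for one packet that hit the trace filter."""
    src: str
    dst: str
    proto: int
    in_if: str = ""
    out_if: str = ""
    next_hop: str = ""
    from_zone: str = ""
    to_zone: str = ""
    verdict: str = "unknown"
    policy: str = ""

    @property
    def hairpin(self) -> bool:
        """Same ingress and egress interface: the packet never leaves its zone,
        so only an intra-zone policy (or the default policy) can decide it."""
        return bool(self.in_if) and self.in_if == self.out_if


def parse_trace(text: str) -> list[FirstPath]:
    """One FirstPath per 'matched filter' line; the lines that follow fill it in."""
    packets: list[FirstPath] = []
    cur: Optional[FirstPath] = None
    for line in text.splitlines():
        if m := PKT_RE.search(line):
            cur = FirstPath(m["src"], m["dst"], int(m["proto"]))
            packets.append(cur)
        elif cur is None:
            continue
        elif m := ROUTE_RE.search(line):
            cur.in_if, cur.out_if, cur.next_hop = m["in_if"], m["out_if"], m["nh"]
        elif m := ZONE_RE.search(line):
            cur.from_zone, cur.to_zone = m["from_zone"], m["to_zone"]
        elif m := DENY_RE.search(line):
            cur.verdict, cur.policy = "deny", m["policy"]
        elif m := PERMIT_RE.search(line):
            cur.verdict, cur.policy = "permit", m["policy"]
    return packets


def suggest_policy(packets: list[FirstPath]) -> list[str]:
    """Set-commands for a policy scoped to each denied (zones, src, dst, proto) tuple,
    as a narrower alternative to 'set security policies default-policy permit-all'."""
    cmds: list[str] = []
    seen: set[tuple[str, str, str, str, int]] = set()
    for p in packets:
        key = (p.from_zone, p.to_zone, p.src, p.dst, p.proto)
        if p.verdict != "deny" or key in seen:
            continue
        seen.add(key)
        src_name = "h-" + p.src.replace(".", "_")  # address-book names: no dots
        dst_name = "h-" + p.dst.replace(".", "_")
        name = f"allow-{p.from_zone}-to-{p.to_zone}-{len(seen)}"
        pol = f"set security policies from-zone {p.from_zone} to-zone {p.to_zone} policy {name}"
        cmds += [
            f"set security zones security-zone {p.from_zone} address-book address {src_name} {p.src}/32",
            f"set security zones security-zone {p.to_zone} address-book address {dst_name} {p.dst}/32",
            f"{pol} match source-address {src_name}",
            f"{pol} match destination-address {dst_name}",
            f"{pol} match application {APP_BY_PROTO.get(p.proto, 'any')}",
            f"{pol} then permit",
        ]
    return cmds


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for p in pkts:
        print(f"{p.src}->{p.dst} proto {p.proto}: {p.from_zone}->{p.to_zone} via {p.in_if}->{p.out_if}"
              f" (hairpin={p.hairpin}) {p.verdict} by {p.policy}")
    print("\n".join(suggest_policy(pkts)))
```

    Run it against `show log flow-trace` output saved to a file and feed the file contents to `parse_trace`. The `hairpin` flag is the detail worth checking first: in this thread every packet enters and leaves on reth1.0, so the trust-to-trust lookup is the only policy lookup that can ever permit it, which is exactly why the default deny-all caught the traffic.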



  • 16.  RE: OSPF on SRX 240

    Posted 06-17-2015 01:17

    Correct, your solution is better since you can still control the traffic. Annoying zones 🙂

    Thank you

    --
    Dan



  • 17.  RE: OSPF on SRX 240

     
    Posted 06-17-2015 01:46

    Hi,

    Nice to see that your problem is solved! 🙂



  • 18.  RE: OSPF on SRX 240

     
    Posted 06-16-2015 03:21

    Hello,

    Do those IPs fall in the 10.8.0.0/16 network itself, or in a different network? If so, then the packet should not even reach the SRX; it should be routed internally. If it is a different network, then it will be coming to the SRX and we can check for policies and other stuff.

    But this issue pretty much looks to be external to the SRX box.