SRX


Route problem from trust VLAN to external gateway

  • 1.  Route problem from trust VLAN to external gateway

    Posted 08-11-2016 14:07

    I have vlan.3 in my trust zone, and hosts in vlan.3 get an IP from the vlan.3 DHCP server just fine, and they can even ping the public IP I've assigned to the untrust interface on my SRX-210B. However, members of trust zone cannot ping the gateway of my public IP. With my public IP being 1.1.1.71, trust members can ping 1.1.1.71, but they cannot ping 1.1.1.1. The SRX itself can ping anything.


    Example configuration:

    trust zone, vlan.3: 10.0.3.0/24

    untrust zone, vlan.2: 1.1.1.71/24 (using all 1s instead of my real public IP)


    If I ping 8.8.8.8 from the SRX, I get a response:


    will@gw1> ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=10.983 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 10.983/10.983/10.983/0.000 ms
    
    will@gw1> ping 8.8.8.8 source 1.1.1.71
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=18.858 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 18.858/18.858/18.858/0.000 ms

    If I ping 8.8.8.8 from my vlan.3 router, I get nothing:


    will@gw1> ping 8.8.8.8 source 10.0.3.1
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    ^C
    --- 8.8.8.8 ping statistics ---
    11 packets transmitted, 0 packets received, 100% packet loss

    My VLAN config:

    will@gw1> show configuration vlans
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.3;
    }
    vlan-untrust {
        vlan-id 2;
        l3-interface vlan.2;
    }
    

    Here's my DHCP config:


    address-assignment {
        pool vlan3pool {
            family inet {
                network 10.0.3.0/24;
                range DHCPCLIENTS {
                    low 10.0.3.100;
                    high 10.0.3.199;
                }
                dhcp-attributes {
                   router {
                        10.0.3.1;
                    }
                    propagate-settings vlan.3;
                }
                
            }
        }
    }
    


    Here are my interface settings:


    will@gw1# show interfaces
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        fastether-options {
            802.3ad ae0;
        }
    }
    fe-0/0/7 {
        fastether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members vlan-untrust;
                }
                native-vlan-id 2;
            }
        }
    }
    vlan {
        unit 2 {
            family inet {
                address 1.1.1.71/24;
            }
        }
        unit 3 {
            family inet {
                address 10.0.3.1/24;
            }
        }
    }
    

    I have a default static route:


    will@gw1> show configuration routing-options
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }

    will@gw1> show route
    
    inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 4d 02:36:18
                        > to 1.1.1.1 via vlan.2
    10.0.3.0/24        *[Direct/0] 2d 01:30:23
                        > via vlan.3
    10.0.3.1/32        *[Local/0] 5d 01:42:21
                          Local via vlan.3
    10.0.3.11/32       *[Access-internal/12] 00:17:39
                        > to 10.0.3.1 via vlan.3
    10.0.3.100/32      *[Access-internal/12] 5d 01:41:50
                        > to 10.0.3.1 via vlan.3
    1.1.1.0/24    *[Direct/0] 4d 02:36:18
                        > via vlan.2
    1.1.1.71/32   *[Local/0] 5d 01:42:21
                          Local via vlan.2
    

    And relevant interface output:


    will@gw1# run show interfaces terse
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    up
    ge-0/0/0.0              up    up   aenet    --> ae1.0
    fe-0/0/4                up    up
    fe-0/0/4.0              up    up   eth-switch
    fe-0/0/6                up    up
    fe-0/0/6.0              up    up   aenet    --> ae0.0
    fe-0/0/7                up    down
    fe-0/0/7.0              up    down aenet    --> ae0.0
    ae0                     up    up
    ae0.0                   up    up   eth-switch
    vlan                    up    up
    vlan.2                  up    up   inet     1.1.1.71/24
    vlan.3                  up    up   inet     10.0.3.1/24

    Perhaps something is wrong in my forwarding table?

    will@gw1> show route forwarding-table
    Routing table: default.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            user     1 0:0:c:7:ac:9a      ucst  1338     4 vlan.2
    default            perm     0                    rjct    36     1
    0.0.0.0/32         perm     0                    dscd    34     1
    10.0.3.0/24        intf     0                    rslv  1320     1 vlan.3
    10.0.3.0/32        dest     0 10.0.3.0           recv  1318     1 vlan.3
    10.0.3.1/32        intf     0 10.0.3.1           locl  1319     2
    10.0.3.1/32        dest     0 10.0.3.1           locl  1319     2
    10.0.3.9/32        dest     0 0:1e:4f:14:aa:5c   ucst  1328     1 vlan.3
    10.0.3.10/32       dest     0 0:1d:9:29:1:7c     ucst  1348     1 vlan.3
    10.0.3.11/32       dest     0 0:c:29:53:3d:7a    ucst  1329     1 vlan.3
    10.0.3.100/32      dest     0 0:23:ae:14:72:3    ucst  1336     1 vlan.3
    10.0.3.255/32      dest     0 10.0.3.255         bcst  1317     1 vlan.3
    1.1.1.0/24    intf     0                    rslv  1316     1 vlan.2
    1.1.1.0/32    dest     0 1.1.1.0       recv  1314     1 vlan.2
    1.1.1.1/32    dest     0 0:0:c:7:ac:9a      ucst  1338     4 vlan.2
    1.1.1.71/32   intf     0 1.1.1.71      locl  1315     2
    1.1.1.71/32   dest     0 1.1.1.71      locl  1315     2
    1.1.1.117/32  dest     0 0:d0:68:c:c2:4f    ucst  1352     1 vlan.2
    1.1.1.251/32  dest     0 0:1d:e5:a6:d6:46   ucst  1342     1 vlan.2
    1.1.1.252/32  dest     0 0:23:ea:c0:55:c6   ucst  1346     1 vlan.2
    1.1.1.253/32  dest     0 0:e0:81:32:5f:c3   ucst  1340     1 vlan.2
    1.1.1.255/32  dest     0 1.1.1.255     bcst  1313     1 vlan.2
    224.0.0.0/4        perm     0                    mdsc    35     1
    224.0.0.1/32       perm     0 224.0.0.1          mcst    31     1
    255.255.255.255/32 perm     0                    bcst    32     1
    

    Relevant security zones:

    will@gw1> show configuration security zones
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.3;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                ftp;
            }
        }
        interfaces {
            vlan.2;
        }
    }
    

    Relevant security policy:

    will@gw1> show configuration security policies
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone trust {
        policy intra-zone {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone junos-host {
        policy mgmt-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy mgmt-untrust {
            match {
                source-address allowed_admins;
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
        policy denyall {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }
    from-zone untrust to-zone junos-host {
        policy mgmt-untrust {
            match {
                source-address allowed_admins;
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
        policy ping-untrust {
            match {
                source-address any;
                destination-address any;
                application junos-icmp-all;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
        policy denyall {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }

    Pings from the host plugged into fe-0/0/4:

    C:\Users\Owner>ping 10.0.3.10
    
    Pinging 10.0.3.10 with 32 bytes of data:
    Reply from 10.0.3.10: bytes=32 time=1ms TTL=64
    
    Ping statistics for 10.0.3.10:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms
    Control-C
    ^C
    C:\Users\Owner>ping 10.0.3.1
    
    Pinging 10.0.3.1 with 32 bytes of data:
    Reply from 10.0.3.1: bytes=32 time=1ms TTL=64
    
    Ping statistics for 10.0.3.1:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms
    Control-C
    ^C
    C:\Users\Owner>ping 1.1.1.71
    
    Pinging 1.1.1.71 with 32 bytes of data:
    Reply from 1.1.1.71: bytes=32 time=2ms TTL=64
    
    Ping statistics for 1.1.1.71:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 2ms, Maximum = 2ms, Average = 2ms
    Control-C
    ^C
    C:\Users\Owner>ping 1.1.1.1
    
    Pinging 1.1.1.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    
    Ping statistics for 1.1.1.1:
        Packets: Sent = 2, Received = 0, Lost = 2 (100% loss)
    Control-C
    ^C
    C:\Users\Owner>ping 8.8.8.8
    
    Pinging 8.8.8.8 with 32 bytes of data:
    Request timed out.
    
    Ping statistics for 8.8.8.8:
        Packets: Sent = 1, Received = 0, Lost = 1 (100% loss)
    Control-C
    ^C

    I can't for the life of me find out why nothing on 10.0.3.0/24 can get past 1.1.1.71!!



  • 2.  RE: Route problem from trust VLAN to external gateway

    Posted 08-11-2016 15:30

    I don't see a NAT rule posted from trust to untrust. Does that exist? I would assume as an interface NAT.


    If the nat were missing or not configured correctly that could explain why the trust side addresses cannot get replies.



  • 3.  RE: Route problem from trust VLAN to external gateway

    Posted 08-11-2016 20:08

    Thanks for the reply! I have nat but forgot to include it in my original post. Here's the NAT I have configured:

    will@gw1> show configuration security nat
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    

    I'm going to do a bit more research on my NAT config. Any ideas though?



  • 4.  RE: Route problem from trust VLAN to external gateway

    Posted 08-11-2016 20:27

    Hi,


    Please provide the output of the "test1" file and we would be able to see where it is failing :-


    set security flow traceoptions file test1 size 2m
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter pf1 source-prefix <Source_IP>
    set security flow traceoptions packet-filter pf1 destination-prefix <Destination_IP>
    set security flow traceoptions packet-filter pf1 protocol icmp
    set security flow traceoptions packet-filter pf2 source-prefix 1.1.1.1
    set security flow traceoptions packet-filter pf2 destination-prefix <Source_IP>
    set security flow traceoptions packet-filter pf2 protocol icmp

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.




  • 5.  RE: Route problem from trust VLAN to external gateway

    Posted 08-12-2016 05:58

    Hi,


    Could you look at security flow sessions for this traffic:

    show security flow session source-prefix x.x.x.x destination-prefix y.y.y.y protocol icmp
    show security flow session nat brief
    show security nat source summary

    You can follow the steps in this guide:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21719&actp=search


    Cheers,

    Ashvin



  • 6.  RE: Route problem from trust VLAN to external gateway

    Posted 08-12-2016 08:41

    will@gw1# run ping 66.117.151.5 source 10.0.3.1
    PING 66.117.151.5 (66.117.151.5): 56 data bytes
    ^C
    --- 66.117.151.5 ping statistics ---
    7 packets transmitted, 0 packets received, 100% packet loss
    
    [edit]
    will@gw1# run show security flow session source-prefix 10.0.3.1 destination-prefix 66.117.151.5 protocol icmp
    Session ID: 20740, Policy name: self-traffic-policy/1, Timeout: 42, Valid
      In: 10.0.3.1/0 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 66.117.151.5/15860 --> 10.0.3.1/0;icmp, If: vlan.2, Pkts: 0, Bytes: 0
    
    Session ID: 20745, Policy name: self-traffic-policy/1, Timeout: 46, Valid
      In: 10.0.3.1/4 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 66.117.151.5/15860 --> 10.0.3.1/4;icmp, If: vlan.2, Pkts: 0, Bytes: 0
    
    Session ID: 20748, Policy name: self-traffic-policy/1, Timeout: 44, Valid
      In: 10.0.3.1/3 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 66.117.151.5/15860 --> 10.0.3.1/3;icmp, If: vlan.2, Pkts: 0, Bytes: 0
    
    Session ID: 20750, Policy name: self-traffic-policy/1, Timeout: 44, Valid
      In: 10.0.3.1/2 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 66.117.151.5/15860 --> 10.0.3.1/2;icmp, If: vlan.2, Pkts: 0, Bytes: 0
    
    Session ID: 20752, Policy name: self-traffic-policy/1, Timeout: 46, Valid
      In: 10.0.3.1/5 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 66.117.151.5/15860 --> 10.0.3.1/5;icmp, If: vlan.2, Pkts: 0, Bytes: 0
    
    Session ID: 20754, Policy name: self-traffic-policy/1, Timeout: 48, Valid
      In: 10.0.3.1/6 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 66.117.151.5/15860 --> 10.0.3.1/6;icmp, If: vlan.2, Pkts: 0, Bytes: 0
    
    Session ID: 20765, Policy name: self-traffic-policy/1, Timeout: 42, Valid
      In: 10.0.3.1/1 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 66.117.151.5/15860 --> 10.0.3.1/1;icmp, If: vlan.2, Pkts: 0, Bytes: 0
    Total sessions: 7
    
    
    will@gw1# run show security flow session nat brief
    Total sessions: 0
    will@gw1# run show security nat source summary
    Total port number usage for port translation pool: 0
    Maximum port number for port translation pool: 8388608
    Total pools: 0
    
    Total rules: 0




  • 7.  RE: Route problem from trust VLAN to external gateway

    Posted 08-12-2016 09:39

    Hi,

    The traffic is not being source-NATed.

    Could you try pinging from a host instead of the SRX interface and capture the show security flow session.

    You could also perhaps specify the LAN subnet [10.0.3.x/x] to match the source-address for the source-nat.


    Also, the traffic is matching self-traffic-policy:

    Session ID: 20765, Policy name: self-traffic-policy/1, Timeout: 42, Valid
      In: 10.0.3.1/1 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 66.117.151.5/15860 --> 10.0.3.1/1;icmp, If: vlan.2, Pkts: 0, Bytes: 0

    Cheers,


    Ashvin




  • 8.  RE: Route problem from trust VLAN to external gateway

    Posted 08-12-2016 10:32

    Unfortunately, I don't have access to any of the hosts right now. I may have access later today. I tried specifying the LAN subnet instead of 0.0.0.0/0 but still no pings. See below:

    will@gw1# show | compare
    [edit security nat source rule-set trust-to-untrust rule source-nat-rule match]
    -       source-address 0.0.0.0/0;
    +       source-address 10.0.3.0/24;
    
    [edit]
    will@gw1# commit
    commit complete
    
    [edit]
    will@gw1# ping
              ^
    unknown command.
    will@gw1# run ping 1.1.1.1 source 10.0.3.1
    PING 1.1.1.1 (1.1.1.1): 56 data bytes
    ^C
    --- 1.1.1.1 ping statistics ---
    6 packets transmitted, 0 packets received, 100% packet loss
    
    [edit]
    will@gw1# run ping 1.1.1.71 source 10.0.3.1
    PING 1.1.1.71 (1.1.1.71): 56 data bytes
    64 bytes from 1.1.1.71: icmp_seq=0 ttl=64 time=1.504 ms
    64 bytes from 1.1.1.71: icmp_seq=1 ttl=64 time=0.483 ms
    64 bytes from 1.1.1.71: icmp_seq=2 ttl=64 time=0.496 ms
    ^C
    --- 1.1.1.71 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.483/0.828/1.504/0.478 ms
    
    [edit]
    will@gw1#
    


  • 9.  RE: Route problem from trust VLAN to external gateway

    Posted 08-12-2016 12:27

    Hi,


    As this traffic is initiated from the SRX itself, we can see it hitting the self-traffic policy, as it is originated from the zone junos-host :-


    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(7:untrust) scope:0
    
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:             10.0.3.1/2048 -> 1.1.1.1/5756 proto 1
    
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
    
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  permitted by policy self-traffic-policy(1)

    We need to collect the same outputs from the host which is unable to ping.


    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.
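    The point made in replies 5 through 9 (a ping sourced from the SRX's own address is created in zone junos-host, hits self-traffic-policy and never reaches the from-zone trust source NAT rule-set) can be checked mechanically against `show security flow session` output. The following script is an added example, not code from the thread or from Juniper; the first sample session is copied from reply 6, the second (ID 20800, policy trust-to-untrust) is constructed to show what a host-originated, translated flow looks like.

```python
"""Triage of Junos SRX 'show security flow session' output.

Added example, not code from the thread or from Juniper. For each session
it reports whether the flow was originated by the SRX itself (policy
self-traffic-policy, zone junos-host), whether the reverse wing has seen
any packets, and whether source NAT was applied, judged by comparing the
In-wing source address with the Out-wing destination address.
"""
import re

HDR = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING = re.compile(
    r"^\s*(In|Out): ([^\s;]+) --> ([^\s;]+);(\w+), If: ([^,]+), Pkts: (\d+), Bytes: (\d+)"
)

# Constructed sample. The first session is copied from the thread (a ping
# sourced from the SRX's own vlan.3 address); the second is a made-up
# host-originated session showing what a translated flow looks like
# (reply addressed to the untrust interface IP 1.1.1.71).
SAMPLE = """\
Session ID: 20740, Policy name: self-traffic-policy/1, Timeout: 42, Valid
  In: 10.0.3.1/0 --> 66.117.151.5/15860;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 66.117.151.5/15860 --> 10.0.3.1/0;icmp, If: vlan.2, Pkts: 0, Bytes: 0

Session ID: 20800, Policy name: trust-to-untrust/4, Timeout: 2, Valid
  In: 10.0.3.100/7 --> 8.8.8.8/10099;icmp, If: vlan.3, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/10099 --> 1.1.1.71/21301;icmp, If: vlan.2, Pkts: 1, Bytes: 84
Total sessions: 2
"""


def parse_sessions(text):
    """Return one dict per session with its 'In' and 'Out' wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:
            cur = {"sid": int(m.group(1)), "policy": m.group(2),
                   "timeout": int(m.group(3)), "state": m.group(4), "wings": {}}
            sessions.append(cur)
            continue
        m = WING.match(line)
        if m and cur is not None:
            cur["wings"][m.group(1)] = {
                "src": m.group(2), "dst": m.group(3), "proto": m.group(4),
                "if": m.group(5), "pkts": int(m.group(6)), "bytes": int(m.group(7)),
            }
    return sessions


def _ip(endpoint):
    """'10.0.3.1/0' -> '10.0.3.1' (strip the port / ICMP id part)."""
    return endpoint.split("/", 1)[0]


def analyze(text):
    """Flag, per session, the three things the thread was chasing."""
    findings = []
    for s in parse_sessions(text):
        i, o = s["wings"].get("In"), s["wings"].get("Out")
        if i is None or o is None:
            continue
        findings.append({
            "sid": s["sid"],
            "policy": s["policy"].split("/", 1)[0],   # drop the '/<id>' suffix
            # Sessions the box itself created never pass through the
            # from-zone trust NAT rule-set, so they do not test host NAT.
            "self_originated": s["policy"].startswith("self-traffic-policy"),
            "no_reply": o["pkts"] == 0,
            # Untranslated flows have replies addressed to the original source.
            "src_natted": _ip(i["src"]) != _ip(o["dst"]),
            "egress_if": o["if"],                    # interface the reply arrives on
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        notes = []
        if f["self_originated"]:
            notes.append("SRX-originated (junos-host): repeat the test from a host")
        if f["no_reply"]:
            notes.append("no reply packets on %s" % f["egress_if"])
        notes.append("source NAT applied" if f["src_natted"] else "source NAT NOT applied")
        print("session %d policy %s: %s" % (f["sid"], f["policy"], "; ".join(notes)))
```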



  • 10.  RE: Route problem from trust VLAN to external gateway

    Posted 08-12-2016 16:55

    Thank you, Sahil. I expect to have access to the hosts tomorrow. I will perform the tests and post the result.



  • 11.  RE: Route problem from trust VLAN to external gateway
    Best Answer

    Posted 08-13-2016 08:12

    Unfortunately, I believe this SRX210B has experienced hardware failure. While running a show command, I got a memory error. I checked memory, and it had less than 4 MB free. I checked hardware usage and the control plane had very high CPU or RAM (can't remember which). After disconnecting from the SRX, I can no longer connect to it. This may be related to the "control plane would eat all the RAM" described here.


    I powered it off for 45 minutes, powered back on, waited 20 minutes to connect, and I still do not have SSH access. I do not have a console cable available right now.


    I have purchased an SRX210HE-POE H2 with more RAM to replace this box. The new box will have 2GB RAM and the old box had 512 MB.


    I expect to have the new box set up within 6 days. I will come back to this thread if NAT isn't working and continue troubleshooting pings from a host on the 10.0.3.0/24 subnet.


    EDIT: Editing this post to say that this was the problem! I imported the SAME CONFIG into the new SRX210, and everything works fine! Problem solved.



  • 12.  RE: Route problem from trust VLAN to external gateway

    Posted 09-09-2016 18:17

    Hey everyone, I found the solution! I was having these problems on my SRX210B with 512 MB of RAM. I replaced it with an SRX210HE2-POE with 2 GB of RAM, imported the same configuration, and everything works fine! Source NAT works and everything.


    Thank you, everyone.



  • 13.  RE: Route problem from trust VLAN to external gateway

    Posted 08-12-2016 08:38

    Here's a sample of the output from what sahilsha requested. I'll get the other device output soon.

    will@gw1# run file show /var/log/testping1 | no-more
    Aug 12 08:28:49 08:28:49.206346:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:49 08:28:49.206346:CID-0:RT:flow_ipv4_del_flow: sess 20097, in hash 32
    
    Aug 12 08:28:49 08:28:49.206346:CID-0:RT:flow_ipv4_del_flow: sess 20097, in hash 32
    
    Aug 12 08:28:49 08:28:49.206346:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:49 08:28:49.206346:CID-0:RT:flow_ipv4_del_flow: sess 20068, in hash 32
    
    Aug 12 08:28:49 08:28:49.206346:CID-0:RT:flow_ipv4_del_flow: sess 20068, in hash 32
    
    Aug 12 08:28:51 08:28:51.206709:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:51 08:28:51.206709:CID-0:RT:flow_ipv4_del_flow: sess 20070, in hash 32
    
    Aug 12 08:28:51 08:28:51.206709:CID-0:RT:flow_ipv4_del_flow: sess 20070, in hash 32
    
    Aug 12 08:28:51 08:28:51.206709:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:51 08:28:51.206709:CID-0:RT:flow_ipv4_del_flow: sess 20073, in hash 32
    
    Aug 12 08:28:51 08:28:51.206709:CID-0:RT:flow_ipv4_del_flow: sess 20073, in hash 32
    
    Aug 12 08:28:53 08:28:53.206738:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:53 08:28:53.206738:CID-0:RT:flow_ipv4_del_flow: sess 20106, in hash 32
    
    Aug 12 08:28:53 08:28:53.206738:CID-0:RT:flow_ipv4_del_flow: sess 20106, in hash 32
    
    Aug 12 08:28:53 08:28:53.206738:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:53 08:28:53.206738:CID-0:RT:flow_ipv4_del_flow: sess 20080, in hash 32
    
    Aug 12 08:28:53 08:28:53.206738:CID-0:RT:flow_ipv4_del_flow: sess 20080, in hash 32
    
    Aug 12 08:28:55 08:28:55.206657:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:55 08:28:55.206657:CID-0:RT:flow_ipv4_del_flow: sess 20086, in hash 32
    
    Aug 12 08:28:55 08:28:55.206657:CID-0:RT:flow_ipv4_del_flow: sess 20086, in hash 32
    
    Aug 12 08:28:55 08:28:55.206657:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:55 08:28:55.206657:CID-0:RT:flow_ipv4_del_flow: sess 20052, in hash 32
    
    Aug 12 08:28:55 08:28:55.206657:CID-0:RT:flow_ipv4_del_flow: sess 20052, in hash 32
    
    Aug 12 08:28:57 08:28:57.205723:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:57 08:28:57.205723:CID-0:RT:flow_ipv4_del_flow: sess 20076, in hash 32
    
    Aug 12 08:28:57 08:28:57.205723:CID-0:RT:flow_ipv4_del_flow: sess 20076, in hash 32
    
    Aug 12 08:28:57 08:28:57.205723:CID-0:RT:jsf sess close notify
    
    Aug 12 08:28:57 08:28:57.205723:CID-0:RT:flow_ipv4_del_flow: sess 20078, in hash 32
    
    Aug 12 08:28:57 08:28:57.205723:CID-0:RT:flow_ipv4_del_flow: sess 20078, in hash 32
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:<10.0.3.1/0->1.1.1.1/15822;1> matched filter trust_to_web:
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:packet [84] ipid = 43502, @0x40d924d2
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x40d92280, rtbl_idx = 0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow process pak, mbuf 0x40d92280, ifl 0, ctxt_type 0 inq type 5
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT: in_ifp <junos-host:.local..0>
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x42ce5f18
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:host inq check inq_type 0x5
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:Using vr id from pfe_tag with value= 0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:Over-riding lpak->vsys with 0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  .local..0:10.0.3.1->1.1.1.1, icmp, (8/0)
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT: find flow: table 0x4236e218, hash 24141(0xffff), sa 10.0.3.1, da 1.1.1.1, sp 0, dp 15822, proto 1, tok 2
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  flow_first_create_session
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:(flow_first_create_session) usp_tagged set session as mng session
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:First path alloc and instl pending session, natp=0x44ddc958, id=20151
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 1.1.1.1, sp 0, dp 15822
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  chose interface .local..0 as incoming nat if.
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_first_rule_dst_xlate: packet 10.0.3.1->1.1.1.1 nsp2 0.0.0.0->1.1.1.1.
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.0.3.1, x_dst_ip 1.1.1.1, in ifp .local..0, out ifp N/A sp 0, dp 15822, ip_proto 1, tos 0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:Doing DESTINATION addr route-lookup
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_ipv4_rt_lkup success 1.1.1.1, iifl 0x0, oifl 0x48
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  routed (x_dst_ip 1.1.1.1) from junos-host (.local..0 in 0) to vlan.2, Next-hop: 1.1.1.1
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone untrust (0x0,0x3dce,0x3dce)
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(7:untrust) scope:0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:             10.0.3.1/2048 -> 1.1.1.1/10771 proto 1
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  permitted by policy self-traffic-policy(1)
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  packet passed, Permitted by policy.
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_first_src_xlate:  incoming src port is : 0.
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  dip id = 0/0, 10.0.3.1/0->10.0.3.1/0 protocol 0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  choose interface vlan.2(P2P) as outgoing phy if
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.2, addr: 1.1.1.1, rtt_idx:0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:-jsf : Alloc sess plugin info for session 98784267959
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:[JSF]Normal interest check. regd plugins 14, enabled impl mask 0x0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1111437052, impli mask(0x17), post_nat cnt 20151 svc req(0x0)
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:-jsf : no plugin interested for session 98784267959, free sess plugin info
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_first_service_lookup(): natp(0x44ddc958): app_id, 0(0).
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  service lookup identified service 0.
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  flow_first_final_check: in <.local..0>, out <vlan.2>
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:In flow_first_complete_session
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:flow_first_complete_session, pak_ptr: 0x423f30d0, nsp: 0x44ddc958, in_tunnel: 0x0
    
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:construct v4 vector for nsp2
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  install vector flow_ttl_vector
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  install vector flow_icmp_info_process_vector
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  install vector flow_frag_list_vector
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  install vector flow_send_vector
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  install vector NULL
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT: fatal error, objcache_alloc failed.
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  create new vector list 0x200-0x0.
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:  Session (id:20151) created for first pak 200
    Aug 12 08:28:57 08:28:57.839062:CID-0:RT:first pak processing successful
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:  flow_first_install_session======> 0x44ddc958
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT: nsp 0x44ddc958, nsp2 0x44ddc9dc
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:  make_nsp_ready_no_resolve()
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:flow_ipv4_rt_lkup success 10.0.3.1, iifl 0x0, oifl 0x0
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:  route lookup: dest-ip 10.0.3.1 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:  route to 10.0.3.1
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:avt_get_config_by_lsys_id: Not supported on low memory platforms.
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:no need update ha
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:Installing c2s NP session wing
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:Installing s2c NP session wing
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:first path session installation succeeded
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:  flow got session.
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:  flow session id 20151
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT: vector bits 0x200 vector 0x0
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x423f30d0 associated with mbuf 0x40d92280
    Aug 12 08:28:58 08:28:57.839062:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:<10.0.3.1/1->1.1.1.1/15822;1> matched filter trust_to_web:
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:packet [84] ipid = 43506, @0x40d924d2
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x40d92280, rtbl_idx = 0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow process pak, mbuf 0x40d92280, ifl 0, ctxt_type 0 inq type 5
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT: in_ifp <junos-host:.local..0>
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x42ce5f18
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:host inq check inq_type 0x5
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:Using vr id from pfe_tag with value= 0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:Over-riding lpak->vsys with 0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  .local..0:10.0.3.1->1.1.1.1, icmp, (8/0)
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT: find flow: table 0x4236e218, hash 32445(0xffff), sa 10.0.3.1, da 1.1.1.1, sp 1, dp 15822, proto 1, tok 2
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  flow_first_create_session
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:(flow_first_create_session) usp_tagged set session as mng session
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:First path alloc and instl pending session, natp=0x44ddfb20, id=20178
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 1.1.1.1, sp 1, dp 15822
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  chose interface .local..0 as incoming nat if.
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_rule_dst_xlate: packet 10.0.3.1->1.1.1.1 nsp2 0.0.0.0->1.1.1.1.
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.0.3.1, x_dst_ip 1.1.1.1, in ifp .local..0, out ifp N/A sp 1, dp 15822, ip_proto 1, tos 0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:Doing DESTINATION addr route-lookup
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_ipv4_rt_lkup success 1.1.1.1, iifl 0x0, oifl 0x48
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  routed (x_dst_ip 1.1.1.1) from junos-host (.local..0 in 0) to vlan.2, Next-hop: 1.1.1.1
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone untrust (0x0,0x13dce,0x3dce)
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(7:untrust) scope:0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:             10.0.3.1/2048 -> 1.1.1.1/5756 proto 1
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  permitted by policy self-traffic-policy(1)
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  packet passed, Permitted by policy.
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_src_xlate:  incoming src port is : 1.
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  dip id = 0/0, 10.0.3.1/1->10.0.3.1/1 protocol 0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  choose interface vlan.2(P2P) as outgoing phy if
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.2, addr: 1.1.1.1, rtt_idx:0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:-jsf : Alloc sess plugin info for session 98784267986
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:[JSF]Normal interest check. regd plugins 14, enabled impl mask 0x0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1111437052, impli mask(0x17), post_nat cnt 20178 svc req(0x0)
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:-jsf : no plugin interested for session 98784267986, free sess plugin info
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_service_lookup(): natp(0x44ddfb20): app_id, 0(0).
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  service lookup identified service 0.
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  flow_first_final_check: in <.local..0>, out <vlan.2>
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:In flow_first_complete_session
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_complete_session, pak_ptr: 0x423f30d0, nsp: 0x44ddfb20, in_tunnel: 0x0
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:construct v4 vector for nsp2
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  install vector flow_ttl_vector
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  install vector flow_icmp_info_process_vector
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  install vector flow_frag_list_vector
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  install vector flow_send_vector
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  install vector NULL
    Aug 12 08:28:58 08:28:58.842689:CID-0:RT: fatal error, objcache_alloc failed.
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:  create new vector list 0x200-0x0.
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:  Session (id:20178) created for first pak 200
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:first pak processing successful
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:  flow_first_install_session======> 0x44ddfb20
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT: nsp 0x44ddfb20, nsp2 0x44ddfba4
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:  make_nsp_ready_no_resolve()
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:flow_ipv4_rt_lkup success 10.0.3.1, iifl 0x0, oifl 0x0
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:  route lookup: dest-ip 10.0.3.1 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:  route to 10.0.3.1
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:avt_get_config_by_lsys_id: Not supported on low memory platforms.
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:no need update ha
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:Installing c2s NP session wing
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:Installing s2c NP session wing
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:first path session installation succeeded
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:  flow got session.
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:  flow session id 20178
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT: vector bits 0x200 vector 0x0
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x423f30d0 associated with mbuf 0x40d92280
    Aug 12 08:28:59 08:28:58.842689:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Aug 12 08:28:59 08:28:59.209243:CID-0:RT:jsf sess close notify
    Aug 12 08:28:59 08:28:59.209243:CID-0:RT:flow_ipv4_del_flow: sess 20090, in hash 32
    Aug 12 08:28:59 08:28:59.209243:CID-0:RT:flow_ipv4_del_flow: sess 20090, in hash 32
    Aug 12 08:28:59 08:28:59.209243:CID-0:RT:jsf sess close notify
    Aug 12 08:28:59 08:28:59.209243:CID-0:RT:flow_ipv4_del_flow: sess 20083, in hash 32
    Aug 12 08:28:59 08:28:59.209243:CID-0:RT:flow_ipv4_del_flow: sess 20083, in hash 32

    Aug 12 08:28:59 08:28:59.847448:CID-0:RT:<10.0.3.1/2->1.1.1.1/15822;1> matched filter trust_to_web:
    Aug 12 08:28:59 08:28:59.847448:CID-0:RT:packet [84] ipid = 43507, @0x40d924d2
    Aug 12 08:28:59 08:28:59.847448:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x40d92280, rtbl_idx = 0
    Aug 12 08:28:59 08:28:59.847448:CID-0:RT:flow process pak, mbuf 0x40d92280, ifl 0, ctxt_type 0 inq type 5


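    The trace above already names the reason the `ping ... source 10.0.3.1` test fails: the packet enters from `.local..0` in the junos-host zone, is matched by `self-traffic-policy` rather than any trust-to-untrust policy, and `flow_first_src_xlate` reports `nat_src_xlated: False` with `rule/pool id: 0/0`, so it is sent out vlan.2 with the private 10.0.3.1 source and the upstream gateway has no route for the reply. Reading that out of a few hundred lines of traceoptions output is tedious, so here is a small summariser, added as an example and not code from this thread. It collapses each first-path session to one line and flags an RFC 1918 source leaving the untrust interface without source NAT. Session 20178 in the sample is copied (abridged) from the trace above; session 20200, its zone and policy names and the choice of vlan.2 as the untrust interface are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input. Session 20178 is copied (abridged) from the trace posted above.
# Session 20200 is CONSTRUCTED to show what a transit flow from a trust-zone
# host with source NAT applied would look like; its interface, zone and policy
# names are assumptions for this example, not taken from the thread.
SAMPLE_TRACE = """\
Aug 12 08:28:58 08:28:58.842689:CID-0:RT:<10.0.3.1/1->1.1.1.1/15822;1> matched filter trust_to_web:
Aug 12 08:28:58 08:28:58.842689:CID-0:RT: in_ifp <junos-host:.local..0>
Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  .local..0:10.0.3.1->1.1.1.1, icmp, (8/0)
Aug 12 08:28:58 08:28:58.842689:CID-0:RT:First path alloc and instl pending session, natp=0x44ddfb20, id=20178
Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone untrust (0x0,0x13dce,0x3dce)
Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  permitted by policy self-traffic-policy(1)
Aug 12 08:28:58 08:28:58.842689:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
Aug 12 08:28:58 08:28:58.842689:CID-0:RT:  choose interface vlan.2(P2P) as outgoing phy if
Aug 12 08:28:59 08:28:58.842689:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Aug 12 09:00:00 09:00:00.000000:CID-0:RT:<10.0.3.50/1->8.8.8.8/1;1> matched filter trust_to_web:
Aug 12 09:00:00 09:00:00.000000:CID-0:RT: in_ifp <trust:vlan.3>
Aug 12 09:00:00 09:00:00.000000:CID-0:RT:  vlan.3:10.0.3.50->8.8.8.8, icmp, (8/0)
Aug 12 09:00:00 09:00:00.000000:CID-0:RT:First path alloc and instl pending session, natp=0x44dd0000, id=20200
Aug 12 09:00:00 09:00:00.000000:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone untrust (0x0,0x13dce,0x3dce)
Aug 12 09:00:00 09:00:00.000000:CID-0:RT:  permitted by policy trust-to-untrust(4)
Aug 12 09:00:00 09:00:00.000000:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: True, nat_src_xlate_failed: False
Aug 12 09:00:00 09:00:00.000000:CID-0:RT:  choose interface vlan.2(P2P) as outgoing phy if
Aug 12 09:00:00 09:00:00.000000:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""

PREFIX = re.compile(r"^.*?:CID-\d+:RT:\s*")  # "Aug 12 08:28:58 08:28:58.842689:CID-0:RT:"
# (pattern, FirstPath fields its capture groups fill), as the lines appear in a trace
RULES = [
    (re.compile(r"in_ifp <([^:>]+):([^>]+)>"), ("from_zone", "in_if")),
    (re.compile(r"^\S+?:(\d{1,3}(?:\.\d{1,3}){3})->(\d{1,3}(?:\.\d{1,3}){3}),"), ("src", "dst")),
    (re.compile(r"instl pending session, natp=\S+, id=(\d+)"), ("session_id",)),
    (re.compile(r"policy search from zone (\S+)-> zone (\S+)"), ("from_zone", "to_zone")),
    (re.compile(r"(permitted|denied) by policy (\S+?)\(\d+\)"), ("action", "policy")),
    (re.compile(r"nat_src_xlated: (True|False)"), ("src_nat",)),
    (re.compile(r"choose interface (\S+?)\(\S*\) as outgoing phy if"), ("out_if",)),
]


@dataclass
class FirstPath:
    session_id: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    from_zone: Optional[str] = None
    in_if: Optional[str] = None
    to_zone: Optional[str] = None
    out_if: Optional[str] = None
    action: Optional[str] = None      # "permitted" / "denied"
    policy: Optional[str] = None
    src_nat: Optional[str] = None     # "True" / "False", as the trace prints it


def parse_first_path_sessions(text: str) -> List[FirstPath]:
    """One FirstPath per packet that went through first-path session setup."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        if "matched filter" in line:                 # a new packet enters the trace
            cur = FirstPath()
        elif cur is not None and "flow_process_pkt rc" in line:   # packet done
            if cur.session_id is not None:           # keep first-path packets only
                sessions.append(cur)
            cur = None
        elif cur is not None:
            for pat, fields in RULES:
                if m := pat.search(line):
                    for name, value in zip(fields, m.groups()):
                        setattr(cur, name, value)
                    break
    return sessions


def leaks_private_source(fp: FirstPath, untrust_ifs=frozenset({"vlan.2"})) -> bool:
    """Permitted flow with an RFC 1918 source leaving an untrust-facing interface
    while nat_src_xlated is False: the ISP gateway has no route back to it.
    untrust_ifs defaults to vlan.2, the untrust l3-interface in this thread."""
    if fp.src is None or fp.action != "permitted" or fp.out_if not in untrust_ifs:
        return False
    return ipaddress.ip_address(fp.src).is_private and fp.src_nat == "False"


def summarise(fp: FirstPath) -> str:
    flag = "  <-- private source, no source NAT" if leaks_private_source(fp) else ""
    return (f"sess {fp.session_id}: {fp.src}->{fp.dst} {fp.from_zone}({fp.in_if})"
            f" -> {fp.to_zone}({fp.out_if}) {fp.action} by {fp.policy} snat={fp.src_nat}{flag}")


if __name__ == "__main__":
    for fp in parse_first_path_sessions(SAMPLE_TRACE):
        print(summarise(fp))
```

    Run it against the full `show log <traceoptions file>` output instead of the sample to get one line per session. The same check is worth keeping around after the fix: a host in vlan.3 should show up as trust(vlan.3) -> untrust(vlan.2) with snat=True, and anything that reaches vlan.2 with snat=False and a 10.x source is a NAT rule that is not matching, not a routing problem.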
  • 14.  RE: Route problem from trust VLAN to external gateway

    Posted 08-14-2016 05:45

    If I ping 8.8.8.8 from my vlan.3 router, I get nothing:

    That looks like you are actually pinging from the SRX and not your layer 3 switch?



  • 15.  RE: Route problem from trust VLAN to external gateway

    Posted 08-15-2016 22:12

    Add vlan-trust to the vlan members on the trunk port.