
Subnet routing issues

‎10-22-2015 12:36 AM

I have the following simple network setup. My problem is that ping from subnet A to subnet C is unsuccessful, but ping from Subnet C to Subnet A is successful.

 

All other connections are fine (e.g. subnet A <> B, B <> C).

 

Subnet A --------------------- Subnet B ------------------------ Subnet C

----------------MPLS-----------------------------IPVPN-------------------

 

The log below is from the unsuccessful ping from a host in subnet A (192.168.1.96) to Subnet C (192.168.2.2).

 

ctadmin@PVRT-SRX100# run show log debugfile | match 176244 | no-more
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:<192.168.1.96/41409->192.168.2.2/23;1> matched filter f1:
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:packet [60] ipid = 7750, @0x43674b1a
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43674900, rtbl_idx = 0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: flow process pak fast ifl 75 in_ifp fe-0/0/1.0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: fe-0/0/1.0:192.168.1.96->192.168.2.2, icmp, (8/0)
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: find flow: table 0x4f9a9038, hash 12769(0xffff), sa 192.168.1.96, da 192.168.2.2, sp 41409, dp 23, proto 1, tok 8
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: flow_first_create_session
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/1.0>, out <N/A> dst_adr 192.168.2.2, sp 41409, dp 23
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: chose interface fe-0/0/1.0 as incoming nat if.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.2.2(23)
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.1.96, x_dst_ip 192.168.2.2, in ifp fe-0/0/1.0, out ifp N/A sp 41409, dp 23, ip_proto 1, tos 0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:Doing DESTINATION addr route-lookup
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: routed (x_dst_ip 192.168.2.2) from PV-VPNToHK (fe-0/0/1.0 in 0) to st0.0, Next-hop: 192.168.2.2
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_policy_search: policy search from zone PV-VPNToHK-> zone PV-VPNToCT (0x0,0xa1c10017,0x17)
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:Policy lkup: vsys 0 zone(8:PV-VPNToHK) -> zone(9:PV-VPNToCT) scope:0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: 192.168.1.96/2048 -> 192.168.2.2/43907 proto 1
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: permitted by policy allowAccess(11)
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: packet passed, Permitted by policy.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 2/2, pst_nat: False.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: dip id = 2/0, 192.168.1.96/41409->1.1.1.1/19997 protocol 58
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: Found tunnel for if (non-vpn or vpn without nhtb) st0.0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_get_tun_info: tunnel out 0x537ba9c8, tun id 131073
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x537ba9c8, tun id 131073
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: choose interface fe-0/0/0.0 as outgoing phy if
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 192.168.2.2, rtt_idx:0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf : Alloc sess plugin info for session 98784470857
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 0, impli mask(0x17), post_nat cnt 223049 svc req(0x0)
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:-jsf : no plugin interested for session 98784470857, free sess plugin info
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_service_lookup(): natp(0x598ba188): app_id, 0(0).
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: service lookup identified service 0.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: flow_first_final_check: in <fe-0/0/1.0>, out <fe-0/0/0.0>
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_complete_session, pak_ptr: 0x4fa2a290, nsp: 0x598ba188, in_tunnel: 0x0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:construct v4 vector for nsp2
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: existing vector list 0x1204-0x48d10118.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: Session (id:223049) created for first pak 1204
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: flow_first_install_session======> 0x598ba188
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: nsp 0x598ba188, nsp2 0x598ba208
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: make_nsp_ready_no_resolve()
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: route lookup: dest-ip 192.168.1.96 orig ifp fe-0/0/1.0 output_ifp fe-0/0/1.0 orig-zone 8 out-zone 8 vsd 0
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: route to 172.17.0.2
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:no need update ha
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:Installing c2s NP session wing
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: flow got session.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: flow session id 223049
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: vector bits 0x1204 vector 0x48d10118
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:ttl vector, out_tunnel = 0x537ba9c8
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_xlate_pak
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_handle_icmp_xlate
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:xlate_icmp_pak
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: post addr xlation: 1.1.1.1->192.168.2.2.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: post addr xlation: 1.1.1.1->192.168.2.2.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1452, nsp2->pmtu: 1452
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: encap vector
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: going into tunnel 131073 (nsp_tunnel=0x537ba9c8).
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: flow_encrypt: tun 0x537ba9c8, type 1
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:mbuf 0x43674900, exit nh 0x50010
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

 

And the one below is the successful reverse ping from Subnet C (192.168.2.2) to Subnet A (192.168.1.96).

 

ctadmin@PVRT-SRX100# run show log debugfile | match 095349 | no-more
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:<192.168.2.2/5003->192.168.1.96/1;1> matched filter f2:
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:packet [60] ipid = 18215, @0x4362f1be
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x4362ef80, rtbl_idx = 0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: in_ifp <PV-VPNToCT:st0.0>
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x61c02c48
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:pkt out of tunnel.Proceed normally
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: st0.0:192.168.2.2->192.168.1.96, icmp, (8/0)
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: find flow: table 0x4f9a9038, hash 18439(0xffff), sa 192.168.2.2, da 192.168.1.96, sp 5003, dp 1, proto 1, tok 9
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: no session found, start first path. in_tunnel - 0x537ba9c8, from_cp_flag - 0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: flow_first_create_session
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 192.168.1.96, sp 5003, dp 1
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: chose interface st0.0 as incoming nat if.
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.96(1)
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.2.2, x_dst_ip 192.168.1.96, in ifp st0.0, out ifp N/A sp 5003, dp 1, ip_proto 1, tos 0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:Doing DESTINATION addr route-lookup
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: routed (x_dst_ip 192.168.1.96) from PV-VPNToCT (st0.0 in 0) to fe-0/0/1.0, Next-hop: 172.17.0.2
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_first_policy_search: policy search from zone PV-VPNToCT-> zone PV-VPNToHK (0x0,0x138b0001,0x1)
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:Policy lkup: vsys 0 zone(9:PV-VPNToCT) -> zone(8:PV-VPNToHK) scope:0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: 192.168.2.2/2048 -> 192.168.1.96/14800 proto 1
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: permitted by policy allowAccess(13)
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: packet passed, Permitted by policy.
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: dip id = 0/0, 192.168.2.2/5003->192.168.2.2/5003 protocol 0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: choose interface fe-0/0/1.0 as outgoing phy if
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:is_loop_pak: No loop: on ifp: fe-0/0/1.0, addr: 192.168.1.96, rtt_idx:0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf : Alloc sess plugin info for session 98784480881
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 140055540, impli mask(0x17), post_nat cnt 233073 svc req(0x0)
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:-jsf : no plugin interested for session 98784480881, free sess plugin info
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_first_service_lookup(): natp(0x59d160c8): app_id, 0(0).
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: service lookup identified service 0.
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: flow_first_final_check: in <st0.0>, out <fe-0/0/1.0>
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_first_complete_session, pak_ptr: 0x4fa2a028, nsp: 0x59d160c8, in_tunnel: 0x537ba9c8
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:construct v4 vector for nsp2
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: existing vector list 0x204-0x48d03868.
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: Session (id:233073) created for first pak 204
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: flow_first_install_session======> 0x59d160c8
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: nsp 0x59d160c8, nsp2 0x59d16148
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: make_nsp_ready_no_resolve()
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: route lookup: dest-ip 192.168.2.2 orig ifp st0.0 output_ifp st0.0 orig-zone 9 out-zone 9 vsd 0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: route to 192.168.2.2
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:no need update ha
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:Installing s2c NP session wing
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: flow got session.
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: flow session id 233073
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: vector bits 0x204 vector 0x48d03868
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: encap vector
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: no more encapping needed
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:mbuf 0x4362ef80, exit nh 0xf0010
Oct 22 14:52:31 14:52:31.095349:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x4fa2a028 associated with mbuf 0x4362ef80
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

 

Can anyone help me check the log? Many thanks!!


Re: Subnet routing issues

‎10-22-2015 06:59 AM

It looks like the path from A to C is across a tunnel interface and has NAT on a rule.  I would check these:

 

Is there a security policy that permits the A to C traffic on the C firewall? (And check the flow here.)

Is the NAT correct and accounted for in the source address policy on firewall C?

 

Oct 22 14:45:56 14:45:56.176244:CID-0:RT: packet passed, Permitted by policy.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Oct 22 14:45:56 14:45:56.176244:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 2/2, pst_nat: False.
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: dip id = 2/0, 192.168.1.96/41409->1.1.1.1/19997 protocol 58
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: Found tunnel for if (non-vpn or vpn without nhtb) st0.0
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
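
The reply's two checks start from what this firewall did to the A-to-C packet. As an added example (not part of the thread and not a Juniper tool), the Python below pulls the route, policy, source NAT and tunnel decisions out of flow trace lines copied from the post; the function names and regular expressions are assumptions based only on the line formats shown in the logs above.

```python
import re

# Lines copied from the two flow traces posted in the thread.
A_TO_C = """\
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: routed (x_dst_ip 192.168.2.2) from PV-VPNToHK (fe-0/0/1.0 in 0) to st0.0, Next-hop: 192.168.2.2
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: permitted by policy allowAccess(11)
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: dip id = 2/0, 192.168.1.96/41409->1.1.1.1/19997 protocol 58
Oct 22 14:45:56 14:45:56.176244:CID-0:RT: going into tunnel 131073 (nsp_tunnel=0x537ba9c8).
"""
C_TO_A = """\
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: routed (x_dst_ip 192.168.1.96) from PV-VPNToCT (st0.0 in 0) to fe-0/0/1.0, Next-hop: 172.17.0.2
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: permitted by policy allowAccess(13)
Oct 22 14:52:31 14:52:31.095349:CID-0:RT: dip id = 0/0, 192.168.2.2/5003->192.168.2.2/5003 protocol 0
"""

PATTERNS = {
    "route": re.compile(r"routed \(x_dst_ip ([\d.]+)\) from (\S+) \((\S+) in \d+\) to ([^,\s]+), Next-hop: ([\d.]+)"),
    "policy": re.compile(r"permitted by policy (\w+)\((\d+)\)"),
    "dip": re.compile(r"dip id = \d+/\d+, ([\d.]+)/\d+->([\d.]+)/\d+"),
    "tunnel": re.compile(r"going into tunnel (\d+)"),
}

def summarize(trace):
    """Pull the routing, policy, source-NAT and tunnel decisions out of a trace."""
    out = {"tunnel": None}
    for line in trace.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "route":
                out.update(dst=m[1], in_zone=m[2], in_if=m[3], out_if=m[4], next_hop=m[5])
            elif name == "policy":
                out["policy"] = m[1]
            elif name == "dip":
                out.update(src=m[1], src_after_nat=m[2], src_nat=m[1] != m[2])
            else:
                out["tunnel"] = int(m[1])
    return out

def source_seen_by_peer(summary):
    """Source address the next firewall's policy must match for this flow."""
    return summary["src_after_nat"] if summary["src_nat"] else summary["src"]

if __name__ == "__main__":
    for label, trace in (("A->C", A_TO_C), ("C->A", C_TO_A)):
        s = summarize(trace)
        print(label, s, "peer sees", source_seen_by_peer(s))
```

For the A-to-C trace the summary shows the source rewritten to 1.1.1.1 before the packet enters st0.0, which is the address the policy on firewall C would have to permit; the C-to-A trace shows no translation and no tunnel encapsulation on egress.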