Screen OS

  • 1.  VPN: no way(tunnel) out

    Posted 10-28-2008 02:41

    Hi

    I have a route VPN that was working until recently. Now it shows as up and ok, but the traffic just seems to get nowhere. When I try to ping a node on the other side I get this output:


      ipid = 5034(13aa), @0326d4b4
      packet passed sanity check.
      ethernet0/0.3:192.168.3.10/36289->10.0.0.1/768,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0.3>, out <N/A>
      [ Dest] 5.route 192.168.3.10->0.0.0.0, to ethernet0/0.3
      chose interface ethernet0/0.3 as incoming nat if.
      flow_first_routing: in <ethernet0/0.3>, out <N/A>
      search route to (ethernet0/0.3, 192.168.3.10->10.0.0.1) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 30.route 10.0.0.1->10.0.0.1, to tunnel.3
      routed (x_dst_ip 10.0.0.1) from ethernet0/0.3 (ethernet0/0.3 in 0) to tunnel.3
      policy search from zone 105-> zone 1
      policy_flow_search  policy search nat_crt from zone 105-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.0.0.1, port 48282, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 114
      dip id = 6, 192.168.3.10/36289->172.16.200.101/3051
      packet dropped, no way(tunnel) out

    So it seems to be permitted by policy, it seems to know to route it to tunnel.3, the VPN seems up:

    00000004<   156.23.19.210  500 esp:a256/sha1 7dda7617  9731  403M A/U    -1 0
    00000004>   156.23.19.210  500 esp:a256/sha1 8765d673  9731  403M A/U    -1 0


    I can't see the lines of really choosing the interface for packet out, NAT translated packet and so on. So what does this mean? Is this a problem in my configuration or can that be something on the remote side? Unfortunately I don't have any insight into the other side's status.


    Thanks

    Jure



  • 2.  RE: VPN: no way(tunnel) out

    Posted 10-28-2008 08:58

    Hi,


    Do you have an IP address on your tunnel interface? Because I see you assigned DIP id 6 to that policy.


    GreetZ,

    Frac



  • 3.  RE: VPN: no way(tunnel) out

    Posted 10-28-2008 09:49

    No, it's an unnumbered interface:


    Interface tunnel.3:
      description tunnel.3
      number 20, if_info 1784, if_index 3, mode route
      link ready
      vsys Root, zone Untrust, vr untrust-vr
      admin mtu 1500, operating mtu 1500, default mtu 1500
      *ip 0.0.0.0/0  unnumbered, source interface ethernet0/1.7
      *manage ip 0.0.0.0
      bound vpn:
        IRRS

    ^^^^^^^^^^^^ this is the problematic VPN
        SimobilAutraceAPN

      Next-Hop Tunnel Binding table
      Flag Status Next-Hop(IP)    tunnel-id  VPN

      pmtu-v4 disabled
      ping disabled, telnet disabled, SSH disabled, SNMP disabled
      web disabled, ident-reset disabled, SSL disabled

      OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
      PIM: not configured  IGMP not configured
      NHRP disabled
      bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps



  • 4.  RE: VPN: no way(tunnel) out
    Best Answer

    Posted 10-28-2008 23:13

    The no way tunnel out error usually indicates a problem with next-hop tunnel binding (NHTB). Based on your tunnel.3 output, it appears that you have two VPNs using the same tunnel interface. But there are no NHTB entries in your table. Hence the traffic doesn't know which SA to use. You would need to either manually configure NHTB entry or separate each VPN to use its own tunnel interface. If you don't have a very large amount of tunnels, I would recommend the latter option.


    Incidentally, we have a Knowledgebase article about this.


    http://kb.juniper.net/KB7253


    -Richard
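The condition Richard describes (several VPNs bound to one tunnel interface with an empty Next-Hop Tunnel Binding table) is easy to spot by eye on one interface, but on a box with many tunnels it is worth checking mechanically. The following is an added example, not code from the thread or from Juniper: a small Python parser for the `get interface tunnel.N` text shown above that lists the bound VPNs, reads the NHTB table, and reports any bound VPN that has no NHTB entry when more than one VPN shares the interface. Both input samples are constructed from the output quoted in the thread; the NHTB row layout in the "fixed" sample (flag, status, next-hop, tunnel-id, VPN name, with the VPN name last) is an assumption based on the column header ScreenOS prints.

```python
import re

# Constructed sample modelled on the tunnel.3 dump in the thread: two VPNs bound, NHTB table empty.
SAMPLE_BROKEN = """\
Interface tunnel.3:
  description tunnel.3
  number 20, if_info 1784, if_index 3, mode route
  link ready
  vsys Root, zone Untrust, vr untrust-vr
  *ip 0.0.0.0/0  unnumbered, source interface ethernet0/1.7
  bound vpn:
    IRRS
    SimobilAutraceAPN

  Next-Hop Tunnel Binding table
  Flag Status Next-Hop(IP)    tunnel-id  VPN

  pmtu-v4 disabled
"""

# Constructed "healthy" sample: same two VPNs, each with an NHTB entry (row layout is an assumption).
SAMPLE_FIXED = """\
Interface tunnel.3:
  *ip 0.0.0.0/0  unnumbered, source interface ethernet0/1.7
  bound vpn:
    IRRS
    SimobilAutraceAPN
  Next-Hop Tunnel Binding table
  Flag Status Next-Hop(IP)    tunnel-id  VPN
  S    Active 10.0.0.1        0x00000004 IRRS
  S    Active 10.1.0.1        0x00000005 SimobilAutraceAPN

  pmtu-v4 disabled
"""


def parse_tunnel_interface(text):
    """Return (interface name, bound VPN names, NHTB rows) from a ScreenOS tunnel interface dump."""
    name = None
    bound = []
    nhtb = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface (tunnel\.\d+):", line)
        if m:
            name = m.group(1)
            continue
        if line == "bound vpn:":
            section = "bound"          # following indented lines are VPN names
            continue
        if line.startswith("Next-Hop Tunnel Binding table"):
            section = None             # title line; the real header follows
            continue
        if line.startswith("Flag Status Next-Hop(IP)"):
            section = "nhtb"           # following lines are NHTB rows
            continue
        if not line:
            section = None             # a blank line ends whichever section we were in
            continue
        if section == "bound":
            bound.append(line)
        elif section == "nhtb":
            nhtb.append(line.split())  # [flag, status, next-hop, tunnel-id, vpn-name]
    return name, bound, nhtb


def missing_nhtb_entries(text):
    """VPN names bound to the interface that lack an NHTB entry.

    Only meaningful when more than one VPN shares the interface; a single
    bound VPN needs no NHTB binding, so an empty list is returned for it.
    """
    _name, bound, nhtb = parse_tunnel_interface(text)
    if len(bound) < 2:
        return []
    vpns_with_binding = {row[-1] for row in nhtb if row}
    return [vpn for vpn in bound if vpn not in vpns_with_binding]


if __name__ == "__main__":
    for label, dump in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        name, bound, nhtb = parse_tunnel_interface(dump)
        missing = missing_nhtb_entries(dump)
        status = "OK" if not missing else "no NHTB entry for: " + ", ".join(missing)
        print(f"{label}: {name} bound={bound} nhtb_rows={len(nhtb)} -> {status}")
```

Feed it the captured output of `get interface tunnel.N` for each tunnel interface; any interface that comes back with a non-empty list is a candidate for the two fixes Richard names, adding NHTB entries or moving each VPN onto its own tunnel interface.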