ScreenOS Firewalls (NOT SRX)

pkt not xfred to h/w

‎10-22-2008 04:36 PM

Simple src nat appears to be failing. Can see a policy pass in the debug... any clues?


**st: <pr|ethernet2/1.5|Root|28> e00d811c: 49b6:>,6,48
****** 22273504.0: <pr/ethernet2/1.5> packet received [48]******
  ipid = 18870(49b6), @e00d811c
  packet passed sanity check.
  flow_first_inline_vector: in <ethernet2/1.5>, out <N/A>
  chose interface ethernet2/1.5 as incoming nat if.
  flow_first_inline_vector: in <ethernet2/1.5>, out <N/A>
  search route to (ethernet2/1.5,> in vr ndc-vr for vsd-0/flag-0/ifp-null
  [ Dest] 84.route>, to ethernet2/3.1
  routed (x_dst_ip from ethernet2/1.5 (ethernet2/1.5 in 0) to ethernet2/3.1
  policy search from zone 3007-> zone 3001
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip, port 22, proto 6)
  No SW RPC rule match, search HW rule
  Permitted by policy 975
  dip id = 11,>
  choose interface ethernet2/3.1 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet2/3.1
  vsd 0 is active
  no loop on ifp ethernet2/3.1.
  session application type 22, name None, nas_id 0, timeout 1800sec
ALG vector is not attached
  service lookup identified service 0.
  flow_first_inline_vector: in <ethernet2/1.5>, out <ethernet2/3.1>
  existing vector list 23-29b9fcd0.
  Session (id:898220) created for first pak 23
  route to
  arp entry found for
  nsp2 wing prepared, ready
cache mac in the session
  search route to (null,> in vr ndc-vr for vsd-0/flag-3000/ifp-ethernet2/1.5
  [ Dest] 149.route>, to ethernet2/1.5
  route to
Success installing work and forward sessions
  nsrp msg sent.
  flow got session.
  flow session id 898220
  vsd 0 is active
  Got syn,>, nspflag 0x801805, 0x800804
pkt not xfred to h/w. session flags: 0x40000400


Any ideas?




Re: pkt not xfred to h/w

‎10-22-2008 05:04 PM

A bit more additional information.


The NAT'd address is a secondary address on E2/3.1


There appears to be no route in the VR for the NAT'd IP. I added one, but it still fails 'cannot transfer to hardware'


Any clues? :(


Re: pkt not xfred to h/w

‎10-22-2008 07:56 PM
So I've used an IP from the interface's primary range, and it works... Can anyone tell me the restrictions with Src NAT using secondary addresses on an interface? I can't get it to work :( Works fine using IPs from the primary subnet though.