SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Incoming Destination NAT through VPN Tunnel

    Posted 06-13-2019 08:38

    Web Server 10.0.0.2 ------(10.0.0.1) Site A SRX (1.1.1.1)---------------IPSEC VPN-----------------(2.2.2.2) Site B SRX (10.2.0.1)

    I'm trying to set up a backup destination NAT for some servers. Since the ISP can't give us more external IPs for Site A, I want to use Site B's external IP to create a secondary 'entrance' for the HTTPS server on Site A.

    The VPN tunnel works (route based).

    I can reach 10.0.0.2 from 10.2.0.1.

    The destination NAT to 1.1.1.1:443 works to reach 10.0.0.2:443.

    I can't get destination NAT to work on Site B, so that I can reach 10.0.0.2:443 through 2.2.2.2:443.

    I've tried all kinds of NATting possibilities to get from untrust on Site B to trust on Site A, but I must be doing something wrong.

    I've only used source NAT and destination NAT so far (in all possible ways).

    Do I need proxy-arp for this? Or static NAT?

    I don't have much of a configuration I can show with my attempts, since I rolled back every time.

    Thanks!



  • 2.  RE: Incoming Destination NAT through VPN Tunnel

    Posted 06-13-2019 11:18

    Hi datapex,

    I believe we need to work this out with flow traceoptions on both SRXs.

    Ideally it will work like this (please share your config):

    1. On SRXB we need a Dst NAT rule matching traffic to 2.2.2.2:443 and translating it to 10.0.0.2:443. At that point SRXB will do a route lookup to 10.0.0.2 and the st0 interface should be the next hop (hence we need that route in place). Also a security policy from zone "External-Interface" to zone "VPN-Interface" has to allow that traffic. No other NAT rule should affect this traffic.

    2. The packet will flow over the VPN and reach SRXA. No Dst NAT has to affect this traffic and the packets will be forwarded to 10.0.0.2. A security policy has to allow this traffic as well. 10.0.0.2 will reply after that, and the traffic should match the already existing session on SRXA, be permitted and be sent over the VPN again.

    3. SRXB will receive the traffic, match the existing session and send the traffic back to the external host.

    In order to confirm the above behavior please configure flow traces on SRXB in the following way:

    #set security flow traceoptions file SRXB
    #set security flow traceoptions flag basic-datapath
    #set security flow traceoptions packet-filter F1 destination-prefix 2.2.2.2 destination-port 443
    #set security flow traceoptions packet-filter F2 source-prefix 10.0.0.2 source-port 443
    # commit
    
    Try the test and then check the file:
    
    # run show log SRXB

    On SRXA (and for the same test) try:

    #set security flow traceoptions file SRXA
    #set security flow traceoptions flag basic-datapath
    #set security flow traceoptions packet-filter F1 destination-prefix 10.0.0.2 destination-port 443
    #set security flow traceoptions packet-filter F2 source-prefix 10.0.0.2 source-port 443
    # commit
    
    Try the test and then check the file:
    
    # run show log SRXA

    Please attach the files so we can help you with the root cause. Also, during the test, capture the output of the following commands to confirm whether the sessions are created on both SRXs:

    SRXB:

    > show security flow session destination-prefix 2.2.2.2 destination-port 443

    SRXA:

    > show security flow session destination-prefix 10.0.0.2 destination-port 443
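    As an added example (my own code, not part of this thread and not Juniper's), here is a small Python script that triages the basic-datapath trace output the procedure above produces. It groups the lines per packet, pulls out the ingress interface, the destination-NAT result, the policy verdict, the session id and the reverse route lookup, and reports the things a reviewer of such a trace checks first: a policy deny, a packet drop, and a reverse route lookup that the SRX rejects as a zone mismatch because the reply would leave through a different zone than the one the request arrived on. The regular expressions are written against the line formats visible in the traces posted later in this thread, and the embedded sample is abridged from them; the field names and the wording of the findings are the script's own.

```python
"""Triage helper for SRX 'security flow traceoptions' (basic-datapath) output.
Added example for this thread, not Juniper code: the regular expressions follow the
line formats visible in the traces posted here; field names and wording are my own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input, abridged from the SRXA trace posted later in this thread: a SYN
# arriving from the tunnel (filter F1), then the server's SYN/ACK reply (filter F2).
SAMPLE_TRACE = """\
Jun 13 22:10:03 22:10:02.576747:CID-2:RT:<5.5.5.5/53155->10.0.0.2/443;6> matched filter F1:
Jun 13 22:10:03 22:10:02.576884:CID-2:RT: in_ifp <vpn-Site-B:st0.0>
Jun 13 22:10:03 22:10:02.577283:CID-2:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.0.0.2(443)
Jun 13 22:10:03 22:10:02.577379:CID-2:RT:  routed (x_dst_ip 10.0.0.2) from vpn-Site-B (st0.0 in 0) to reth0.0, Next-hop: 10.0.0.2
Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  permitted by policy allow-all(10)
Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  Session (id:153071) created for first pak 10026
Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route lookup: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 orig-zone 14 out-zone 17 vsd 0
Jun 13 22:10:03 22:10:02.577833:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
Jun 13 22:10:03 22:10:02.578664:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Jun 13 22:10:03 22:10:02.579219:CID-2:RT:<10.0.0.2/443->5.5.5.5/53155;6> matched filter F2:
Jun 13 22:10:03 22:10:02.579291:CID-2:RT: flow process pak fast ifl 77 in_ifp reth0.0
Jun 13 22:10:03 22:10:02.579380:CID-2:RT:Found: session id 0x255ef. sess tok 7
Jun 13 22:10:03 22:10:02.579380:CID-2:RT:  route lookup failed: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 fto 0x4b40ac78 orig-zone 14 out-zone 17 vsd 0
Jun 13 22:10:03 22:10:02.579513:CID-2:RT:  packet dropped,   pak dropped since re-route failed
Jun 13 22:10:03 22:10:02.579513:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

@dataclass
class PacketTrace:
    src: str
    dst: str
    proto: str
    filter_name: str
    in_zone: Optional[str] = None          # zone of the ingress interface (first path only)
    in_ifp: Optional[str] = None
    out_ifp: Optional[str] = None          # forward (c2s) route lookup result
    dst_xlate: Optional[str] = None        # "xlate" or "no-xlate"
    dst_xlated_to: Optional[str] = None    # "ip(port)" after destination NAT
    verdict: Optional[str] = None          # "permitted" or "denied"
    policy: Optional[str] = None
    session_id: Optional[str] = None       # decimal when created, hex when matched
    reverse_out_ifp: Optional[str] = None  # reverse (s2c) route lookup result
    reverse_orig_zone: Optional[str] = None
    reverse_out_zone: Optional[str] = None
    zone_mismatch: Optional[str] = None    # set when the SRX rejects the reverse route
    drop_reason: Optional[str] = None
    rc: Optional[str] = None               # flow_process_pkt return code

_P = r"^.*?:RT:\s*"  # skips the "Jun 13 ... :CID-2:RT:" prefix
START = re.compile(_P + r"<(\S+)->(\S+);(\d+)> matched filter (\S+):")
# (regex after the prefix, PacketTrace attributes filled from its groups, in order)
RULES = [(re.compile(_P + rx), attrs) for rx, attrs in [
    (r"in_ifp <([^:>]+):([^>]+)>", ("in_zone", "in_ifp")),
    (r"flow process pak fast ifl \d+ in_ifp (\S+)", ("in_ifp",)),
    (r"routed \(x_dst_ip \S+\) from \S+ \(\S+ in \d+\) to (\S+), Next-hop", ("out_ifp",)),
    (r"flow_first_rule_dst_xlate: DST (no-xlate|xlate): \S+ to (\S+)", ("dst_xlate", "dst_xlated_to")),
    (r"(permitted|denied) by policy (\S+?)\(\d+\)", ("verdict", "policy")),
    (r"Session \(id:(\d+)\) created", ("session_id",)),
    (r"Found: session id (0x[0-9a-f]+)", ("session_id",)),
    (r"route lookup(?: failed)?: dest-ip \S+ orig ifp \S+ output_ifp (\S+) .*?orig-zone (\d+) out-zone (\d+)",
     ("reverse_out_ifp", "reverse_orig_zone", "reverse_out_zone")),
    (r"(Reject route in make_nsp_ready_no_resolve\. zone mismatch)", ("zone_mismatch",)),
    (r"packet dropped,\s+(.*\S)", ("drop_reason",)),
    (r"-+ flow_process_pkt rc (0x[0-9a-f]+)", ("rc",)),
]]

def parse_trace(text: str) -> List[PacketTrace]:
    """One PacketTrace per 'matched filter' block, ended by the flow_process_pkt rc line."""
    packets: List[PacketTrace] = []
    cur: Optional[PacketTrace] = None
    for line in text.splitlines():
        m = START.match(line)
        if m:
            cur = PacketTrace(*m.groups())
            packets.append(cur)
            continue
        if cur is None:
            continue
        for pat, attrs in RULES:
            m = pat.match(line)
            if m:
                for attr, value in zip(attrs, m.groups()):
                    setattr(cur, attr, value)
                if attrs == ("rc",):
                    cur = None  # block finished; ignore lines until the next filter hit
                break
    return packets

def diagnose(packets: List[PacketTrace]) -> List[str]:
    """Findings a reviewer of the trace looks for first: deny, zone-mismatch reject, drop."""
    findings = []
    for p in packets:
        flow = f"{p.src}->{p.dst} proto {p.proto} ({p.filter_name})"
        if p.verdict == "denied":
            findings.append(f"{flow}: denied by policy {p.policy}")
        if p.zone_mismatch:
            findings.append(
                f"{flow}: session {p.session_id} was created, but the reverse route lookup for "
                f"the reply resolves to {p.reverse_out_ifp} (zone {p.reverse_out_zone}) rather than "
                f"back through the ingress {p.in_ifp} (zone {p.reverse_orig_zone}); the SRX rejects "
                f"this as a zone mismatch, so the return path is asymmetric")
        if p.drop_reason:
            findings.append(f"{flow}: dropped ({p.drop_reason})"
                            + (f" on existing session {p.session_id}" if p.session_id else ""))
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

    To use it on a real test, save the `show log SRXA` / `show log SRXB` output locally and feed the file contents to `parse_trace` in place of `SAMPLE_TRACE`. The pattern worth checking against the routing table is a created session followed by a zone-mismatch reject on the reverse lookup: that lookup is a plain route lookup on the client address, so the return path must resolve to the same interface and zone the request arrived on (here st0.0), or the reply is dropped even though the request was permitted.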



  • 3.  RE: Incoming Destination NAT through VPN Tunnel

    Posted 06-13-2019 13:37

    Hi stwardlp,

    This is going to be a lot...

    A few side notes:

    My tests to the web server were done from 5.5.5.5 to 2.2.2.2:443.

    Every SRX is actually a cluster. I left out the ge-xxx interfaces that were made into rethx and just kept the rethx, for the sake of not overcomplicating things too much.

    SRXA and SRXB have:

    reth0.0 as trust

    reth0.1 as untrust

    st0.0 as VPN tunnel

    1.1.1.254 is SRXA's DSL router (exposed host to SRX IP 1.1.1.1)

    2.2.2.254 is SRXB's DSL router (exposed host to SRX IP 2.2.2.2)

    I spent a bit of time cutting out and replacing a lot of IPs for your legibility's sake. I hope I didn't miss anything :).

    There's a monitoring server on the SRXA site, which unfortunately spammed the trace a bit. I replaced its IP with "ignorethisip", so just ignore that IP and its sessions ;).

    SRXA
    
    interfaces {
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                description trust;
                vlan-id 100;
                family inet {
                    address 10.0.0.1/24;
                }
            }
            unit 1 {
                description untrust;
                vlan-id 99;
                family inet {
                    address 1.1.1.1/24;
                }
            }
        }
        st0 {
            unit 0 {
                description vpn-Site-B;
                family inet;
            }
        }
    }

    routing-options {
        static {
            route 10.2.0.0/16 next-hop st0.0;
            /* DSL router, exposed host to the SRX */
            route 0.0.0.0/0 next-hop 1.1.1.254;
        }
    }
    
    security {
        ike {
            proposal ike-proposal-standard {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            policy ike-vpn-standard {
                mode main;
                proposals ike-proposal-standard;
                pre-shared-key ascii-text "snip"; ## SECRET-DATA
            }
            gateway gateway-2.2.2.2 {
                ike-policy ike-vpn-standard;
                address 2.2.2.2;
                dead-peer-detection;
                nat-keepalive 10;
                local-identity inet 1.1.1.1;
                remote-identity inet 2.2.2.2;
                external-interface reth0.1;
            }
        }
    
        ipsec {
            proposal ipsec-proposal-standard {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 7200;
            }
            policy ipsec-vpn-standard {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals ipsec-proposal-standard;
            }
            vpn vpn-Site-B {
                bind-interface st0.0;
                ike {
                    gateway gateway-2.2.2.2;
                    ipsec-policy ipsec-vpn-standard;
                }
                establish-tunnels immediately;
            }
        }
    
        nat {
            source {
                rule-set untrust-out {
                    from zone trust;
                    to zone untrust;
                    rule untrust-source-nat {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool https-server {
                    address 10.0.0.2/32 port 443;
                }
                rule-set untrust-destination-nat {
                    from interface reth0.1;
                    rule https-server-NAT {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                            destination-port {
                                443;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    https-server;
                                }
                            }
                        }
                    }
                }
            }
        }

        policies {
    
              from-zone trust to-zone untrust {
                  policy allow-all {
                      match {
                          source-address any;
                          destination-address any;
                          application any;
                      }
                      then {
                          permit;
                          log {
                              session-init;
                          }
                      }
                  }
              }

              from-zone trust to-zone vpn-Site-B {
                  policy allow-all {
                      match {
                          source-address any;
                          destination-address any;
                          application any;
                      }
                      then {
                          permit;
                          log {
                              session-init;
                          }
                      }
                  }
              }

              from-zone vpn-Site-B to-zone trust {
                  policy allow-all {
                      match {
                          source-address any;
                          destination-address any;
                          application any;
                      }
                      then {
                          permit;
                          log {
                              session-init;
                          }
                      }
                  }
              }

              from-zone untrust to-zone trust {
                  policy allow-https {
                      match {
                          source-address any;
                          destination-address https-server;
                          application junos-https;
                      }
                      then {
                          permit;
                          log {
                              session-init;
                          }
                      }
                  }
              }
        }

        zones {
            security-zone trust {
                address-book {
                    address https-server 10.0.0.2/32;
                }
                interfaces {
                    reth0.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                ike;
                                snmp;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    reth0.1 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                ike;
                                snmp;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone vpn-Site-B {
                interfaces {
                    st0.0;
                }
        }
    }
    }


    SRXB
    
    interfaces {
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                description trust;
                vlan-id 100;
                family inet {
                    address 10.2.0.1/24;
                }
            }
            unit 1 {
                description untrust;
                vlan-id 99;
                family inet {
                    address 2.2.2.2/24;
                }
            }
        }
        st0 {
            unit 0 {
                description vpn-Site-A;
                family inet;
            }
        }
    }

    routing-options {
        static {
            route 10.0.0.0/16 next-hop st0.0;
            /* DSL router, exposed host to the SRX */
            route 0.0.0.0/0 next-hop 2.2.2.254;
        }
    }
    
    security {
        ike {
            proposal ike-proposal-standard {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            policy ike-vpn-standard {
                mode main;
                proposals ike-proposal-standard;
                pre-shared-key ascii-text "snip"; ## SECRET-DATA
            }
            gateway gateway-1.1.1.1 {
                ike-policy ike-vpn-standard;
                address 1.1.1.1;
                dead-peer-detection;
                nat-keepalive 10;
                local-identity inet 2.2.2.2;
                remote-identity inet 1.1.1.1;
                external-interface reth0.1;
            }
        }
    
        ipsec {
            proposal ipsec-proposal-standard {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 7200;
            }
            policy ipsec-vpn-standard {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals ipsec-proposal-standard;
            }
            vpn vpn-Site-A {
                bind-interface st0.0;
                ike {
                    gateway gateway-1.1.1.1;
                    ipsec-policy ipsec-vpn-standard;
                }
                establish-tunnels immediately;
            }
        }
    
        nat {
            source {
                rule-set untrust-out {
                    from zone trust;
                    to zone untrust;
                    rule untrust-source-nat {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool https-server-Site-A {
                    address 10.0.0.2/32 port 443;
                }
                rule-set untrust-destination-nat {
                    from interface reth0.1;
                    rule https-server-Site-A-NAT {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                            destination-port {
                                443;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    https-server-Site-A;
                                }
                            }
                        }
                    }
                }
            }
        }

        policies {
    
              from-zone trust to-zone untrust {
                  policy allow-all {
                      match {
                          source-address any;
                          destination-address any;
                          application any;
                      }
                      then {
                          permit;
                          log {
                              session-init;
                          }
                      }
                  }
              }

              from-zone trust to-zone vpn-Site-A {
                  policy allow-all {
                      match {
                          source-address any;
                          destination-address any;
                          application any;
                      }
                      then {
                          permit;
                          log {
                              session-init;
                          }
                      }
                  }
              }

              from-zone vpn-Site-A to-zone trust {
                  policy allow-all {
                      match {
                          source-address any;
                          destination-address any;
                          application any;
                      }
                      then {
                          permit;
                          log {
                              session-init;
                          }
                      }
                  }
              }

              from-zone untrust to-zone vpn-Site-A {
                  policy allow-https-through-vpn {
                      match {
                          source-address any;
                          destination-address https-server-Site-A;
                          application junos-https;
                      }
                      then {
                          permit;
                          log {
                              session-init;
                          }
                      }
                  }
              }
        }

        zones {
            security-zone trust {
                interfaces {
                    reth0.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                ike;
                                snmp;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    reth0.1 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                ike;
                                snmp;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone vpn-Site-A {
                address-book {
                    address https-server-Site-A 10.0.0.2/32;
                }
                interfaces {
                    st0.0;
                }
        }
    }
    }


    root@juniper-srv-a# run show log SRXA
    Jun 13 22:10:03 22:10:02.576747:CID-2:RT:<5.5.5.5/53155->10.0.0.2/443;6> matched filter F1:
    Jun 13 22:10:03 22:10:02.576747:CID-2:RT:packet [52] ipid = 23706, @0x439b0f50
    Jun 13 22:10:03 22:10:02.576747:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 1, common flag 0x0, mbuf 0x439b0d00, rtbl_idx = 0
    Jun 13 22:10:03 22:10:02.576747:CID-2:RT:flow process pak, mbuf 0x439b0d00, ifl 129, ctxt_type 1 inq type 6
    Jun 13 22:10:03 22:10:02.576884:CID-2:RT: in_ifp <vpn-Site-B:st0.0>
    Jun 13 22:10:03 22:10:02.576884:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148
    Jun 13 22:10:03 22:10:02.576884:CID-2:RT:host inq check inq_type 0x6
    Jun 13 22:10:03 22:10:02.576884:CID-2:RT:tifp st0.0
    Jun 13 22:10:03 22:10:02.576884:CID-2:RT:pkt out of tunnel.Proceed normally
    Jun 13 22:10:03 22:10:02.576884:CID-2:RT:  st0.0:5.5.5.5/53155->10.0.0.2/443, tcp, flag 2 syn
    Jun 13 22:10:03 22:10:02.576884:CID-2:RT: find flow: table 0x52756b80, hash 17048(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53155, dp 443, proto 6, tok 14
    Jun 13 22:10:03 22:10:02.576884:CID-2:RT:  no session found, start first path. in_tunnel - 0x55dbcda8, from_cp_flag - 0
    Jun 13 22:10:03 22:10:02.577038:CID-2:RT:  Not a traffic-selector enabled tunnel. returing EOK
    Jun 13 22:10:03 22:10:02.577067:CID-2:RT:search gate for vpn-Site-B:5.5.5.5/53155->10.0.0.2/443,6
    Jun 13 22:10:03 22:10:02.577091:CID-2:RT:gate_search_specific_bucket: no gate found
    Jun 13 22:10:03 22:10:02.577091:CID-2:RT:search gate for vpn-Site-B:5.5.5.5/53155->10.0.0.2/443,6
    Jun 13 22:10:03 22:10:02.577091:CID-2:RT:gate_search_specific_bucket: no gate found
    Jun 13 22:10:03 22:10:02.577144:CID-2:RT:search widecast gate for vpn-Site-B:5.5.5.5/53155->10.0.0.2/443,6
    Jun 13 22:10:03 22:10:02.577144:CID-2:RT:gate_search_widecast_bucket: no gate found
    Jun 13 22:10:03 22:10:02.577144:CID-2:RT:  flow_first_create_session
    Jun 13 22:10:03 22:10:02.577185:CID-2:RT:First path alloc and instl pending session, natp=0x5a623ab8, id=153071
    Jun 13 22:10:03 22:10:02.577185:CID-2:RT:  flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 10.0.0.2, sp 53155, dp 443
    Jun 13 22:10:03 22:10:02.577185:CID-2:RT:  chose interface st0.0 as incoming nat if.
    Jun 13 22:10:03 22:10:02.577283:CID-2:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.0.0.2(443)
    Jun 13 22:10:03 22:10:02.577283:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp st0.0, out ifp N/A sp 53155, dp 443, ip_proto 6, tos 0
    Jun 13 22:10:03 22:10:02.577283:CID-2:RT:Doing DESTINATION addr route-lookup
    Jun 13 22:10:03 22:10:02.577362:CID-2:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x81, oifl 0x4d
    Jun 13 22:10:03 22:10:02.577379:CID-2:RT:  routed (x_dst_ip 10.0.0.2) from vpn-Site-B (st0.0 in 0) to reth0.0, Next-hop: 10.0.0.2
    Jun 13 22:10:03 22:10:02.577379:CID-2:RT:flow_first_policy_search: policy search from zone vpn-Site-B-> zone trust (0x0,0xcfa301bb,0x1bb)
    Jun 13 22:10:03 22:10:02.577379:CID-2:RT:Policy lkup: vsys 0 zone(14:vpn-Site-B) -> zone(7:trust) scope:0
    Jun 13 22:10:03 22:10:02.577379:CID-2:RT:             5.5.5.5/53155 -> 10.0.0.2/443 proto 6
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  policy has timeout 900
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  app 58, timeout 1800s, curr ageout 20s
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  permitted by policy allow-all(10)
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  packet passed, Permitted by policy.
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:flow_first_src_xlate:  incoming src port is : 53155.
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  dip id = 0/0, 5.5.5.5/53155->5.5.5.5/53155 protocol 0
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:  choose interface reth0.0(P2P) as outgoing phy if
    Jun 13 22:10:03 22:10:02.577509:CID-2:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.0.0.2, rtt_idx:0
    Jun 13 22:10:03 22:10:02.577678:CID-2:RT:  check nsrp pak fwd: in_tun=0x20020005, VSD 1 for out ifp reth0.0
    Jun 13 22:10:03 22:10:02.577678:CID-2:RT:  vsd 1 is active
    Jun 13 22:10:03 22:10:02.577678:CID-2:RT:-jsf : Alloc sess plugin info for session 747324462575
    Jun 13 22:10:03 22:10:02.577678:CID-2:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0
    Jun 13 22:10:03 22:10:02.577678:CID-2:RT:ha_ifp: reth0.0
    Jun 13 22:10:03 22:10:02.577678:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 747324462575, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:-jsf : no plugin interested for session 747324462575, free sess plugin info
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  service lookup identified service 58.
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  flow_first_final_check: in <st0.0>, out <reth0.0>
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:In flow_first_complete_session
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:flow_first_complete_session, pak_ptr: 0x52048c50, nsp: 0x5a623ab8, in_tunnel: 0x55dbcda8
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:construct v4 vector for nsp2
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  existing vector list 0x10026-0x4b4378f8.
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  Session (id:153071) created for first pak 10026
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:first pak processing successful
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  flow_first_install_session======> 0x5a623ab8
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT: nsp 0x5a623ab8, nsp2 0x5a623b48
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  make_nsp_ready_no_resolve()
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x81, oifl 0x46
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route lookup: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 orig-zone 14 out-zone 17 vsd 0
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route to 1.1.1.254
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:ha_ifp: reth0.0
    Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8
    Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8
    Jun 13 22:10:03 22:10:02.578170:CID-2:RT:Installing s2c NP session wing
    Jun 13 22:10:03 22:10:02.578170:CID-2:RT:ha_ifp: reth0.0
    Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8
    Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8
    Jun 13 22:10:03 22:10:02.578170:CID-2:RT:get NULL sess plugin info 0x5a623ab8
    Jun 13 22:10:03 22:10:02.578342:CID-2:RT:first path session installation succeeded
    Jun 13 22:10:03 22:10:02.578342:CID-2:RT:  flow got session.
    Jun 13 22:10:03 22:10:02.578342:CID-2:RT:  flow session id 153071
    Jun 13 22:10:03 22:10:02.578342:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8
    Jun 13 22:10:03 22:10:02.578653:CID-2:RT:  vsd 1 is active
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT:tcp head size = 32, opt_size=12
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT:MSS found 0x 4b0
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT:flow_tcp_wsf_update: wsf 8
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT:  encap vector
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT:  no more encapping needed
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT:mbuf 0x439b0d00, exit nh 0x18063c2
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x52048c50 associated with mbuf 0x439b0d00
    Jun 13 22:10:03 22:10:02.578664:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Jun 13 22:10:03 22:10:02.579219:CID-2:RT:<10.0.0.2/443->5.5.5.5/53155;6> matched filter F2:
    Jun 13 22:10:03 22:10:02.579248:CID-2:RT:packet [52] ipid = 13717, @0x439d1e24
    Jun 13 22:10:03 22:10:02.579291:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x439d1c00, rtbl_idx = 0
    Jun 13 22:10:03 22:10:02.579291:CID-2:RT: flow process pak fast ifl 77 in_ifp reth0.0
    Jun 13 22:10:03 22:10:02.579291:CID-2:RT:  reth0.0:10.0.0.2/443->5.5.5.5/53155, tcp, flag 12 syn ack
    Jun 13 22:10:03 22:10:02.579364:CID-2:RT: find flow: table 0x52756b80, hash 6025(0xffff), sa 10.0.0.2, da 5.5.5.5, sp 443, dp 53155, proto 6, tok 7
    Jun 13 22:10:03 22:10:02.579380:CID-2:RT:Found: session id 0x255ef. sess tok 7
    Jun 13 22:10:03 22:10:02.579380:CID-2:RT:  flow got session.
    Jun 13 22:10:03 22:10:02.579380:CID-2:RT:  flow session id 153071
    Jun 13 22:10:03 22:10:02.579380:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x0, oifl 0x46
    Jun 13 22:10:03 22:10:02.579380:CID-2:RT:  route lookup failed: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 fto 0x4b40ac78 orig-zone 14 out-zone 17 vsd 0
    Jun 13 22:10:03 22:10:02.579513:CID-2:RT:  readjust timeout to 6 s
    Jun 13 22:10:03 22:10:02.579513:CID-2:RT:ha_ifp: reth0.0
    Jun 13 22:10:03 22:10:02.579513:CID-2:RT:  packet dropped,   pak dropped since re-route failed
    Jun 13 22:10:03 22:10:02.579513:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Jun 13 22:10:03 22:10:02.596433:CID-2:RT:ha_ifp: reth0.0
    Jun 13 22:10:03 22:10:02.596433:CID-2:RT:jsf sess close notify
    Jun 13 22:10:03 22:10:02.596433:CID-2:RT:flow_ipv4_del_flow: sess 235848, in hash 32
    Jun 13 22:10:03 22:10:02.596433:CID-2:RT:flow_ipv4_del_flow: sess 235848, in hash 32
    Jun 13 22:10:03 22:10:02.596433:CID-2:RT:ha_ifp: reth0.0
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:<5.5.5.5/53157->10.0.0.2/443;6> matched filter F1:
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:packet [52] ipid = 23709, @0x43b684d0
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 1, common flag 0x0, mbuf 0x43b68280, rtbl_idx = 0
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:flow process pak, mbuf 0x43b68280, ifl 129, ctxt_type 1 inq type 6
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT: in_ifp <vpn-Site-B:st0.0>
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:host inq check inq_type 0x6
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:tifp st0.0
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:pkt out of tunnel.Proceed normally
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT:  st0.0:5.5.5.5/53157->10.0.0.2/443, tcp, flag 2 syn
    Jun 13 22:10:03 22:10:02.871979:CID-2:RT: find flow: table 0x52756b80, hash 33016(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53157, dp 443, proto 6, tok 14
    Jun 13 22:10:03 22:10:02.872235:CID-2:RT:  no session found, start first path. in_tunnel - 0x55dbcda8, from_cp_flag - 0
    Jun 13 22:10:03 22:10:02.872235:CID-2:RT:  Not a traffic-selector enabled tunnel. returing EOK
    Jun 13 22:10:03 22:10:02.872286:CID-2:RT:search gate for vpn-Site-B:5.5.5.5/53157->10.0.0.2/443,6
    Jun 13 22:10:03 22:10:02.872286:CID-2:RT:gate_search_specific_bucket: no gate found
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:search gate for vpn-Site-B:5.5.5.5/53157->10.0.0.2/443,6
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:gate_search_specific_bucket: no gate found
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:search widecast gate for vpn-Site-B:5.5.5.5/53157->10.0.0.2/443,6
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:gate_search_widecast_bucket: no gate found
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:  flow_first_create_session
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:First path alloc and instl pending session, natp=0x572ddb68, id=44676
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:  flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 10.0.0.2, sp 53157, dp 443
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:  chose interface st0.0 as incoming nat if.
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.0.0.2(443)
    Jun 13 22:10:03 22:10:02.872328:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp st0.0, out ifp N/A sp 53157, dp 443, ip_proto 6, tos 0
    Jun 13 22:10:03 22:10:02.872555:CID-2:RT:Doing DESTINATION addr route-lookup
    Jun 13 22:10:03 22:10:02.872555:CID-2:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x81, oifl 0x4d
    Jun 13 22:10:03 22:10:02.872555:CID-2:RT:  routed (x_dst_ip 10.0.0.2) from vpn-Site-B (st0.0 in 0) to reth0.0, Next-hop: 10.0.0.2
    Jun 13 22:10:03 22:10:02.872555:CID-2:RT:flow_first_policy_search: policy search from zone vpn-Site-B-> zone trust (0x0,0xcfa501bb,0x1bb)
    Jun 13 22:10:03 22:10:02.872555:CID-2:RT:Policy lkup: vsys 0 zone(14:vpn-Site-B) -> zone(7:trust) scope:0
    Jun 13 22:10:03 22:10:02.872555:CID-2:RT:             5.5.5.5/53157 -> 10.0.0.2/443 proto 6
    Jun 13 22:10:03 22:10:02.872729:CID-2:RT:  policy has timeout 900
    Jun 13 22:10:03 22:10:02.872729:CID-2:RT:  app 58, timeout 1800s, curr ageout 20s
    Jun 13 22:10:03 22:10:02.872729:CID-2:RT:  permitted by policy allow-all(10)
    Jun 13 22:10:03 22:10:02.872729:CID-2:RT:  packet passed, Permitted by policy.
    Jun 13 22:10:03 22:10:02.872788:CID-2:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Jun 13 22:10:03 22:10:02.872803:CID-2:RT:flow_first_src_xlate:  incoming src port is : 53157.
    Jun 13 22:10:03 22:10:02.872803:CID-2:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Jun 13 22:10:03 22:10:02.872803:CID-2:RT:  dip id = 0/0, 5.5.5.5/53157->5.5.5.5/53157 protocol 0
    Jun 13 22:10:03 22:10:02.872861:CID-2:RT:  choose interface reth0.0(P2P) as outgoing phy if
    Jun 13 22:10:03 22:10:02.872861:CID-2:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.0.0.2, rtt_idx:0
    
    Jun 13 22:10:03 22:10:02.872908:CID-2:RT:  check nsrp pak fwd: in_tun=0x20020005, VSD 1 for out ifp reth0.0
    
    Jun 13 22:10:03 22:10:02.872908:CID-2:RT:  vsd 1 is active
    
    Jun 13 22:10:03 22:10:02.872908:CID-2:RT:-jsf : Alloc sess plugin info for session 691489779332
    
    Jun 13 22:10:03 22:10:02.872960:CID-2:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0
    
    Jun 13 22:10:03 22:10:02.872970:CID-2:RT:ha_ifp: reth0.0
    
    Jun 13 22:10:03 22:10:02.873013:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jun 13 22:10:03 22:10:02.873048:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 691489779332, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jun 13 22:10:03 22:10:02.873078:CID-2:RT:-jsf : no plugin interested for session 691489779332, free sess plugin info
    
    Jun 13 22:10:03 22:10:02.873078:CID-2:RT:  service lookup identified service 58.
    
    Jun 13 22:10:03 22:10:02.873078:CID-2:RT:  flow_first_final_check: in <st0.0>, out <reth0.0>
    
    Jun 13 22:10:03 22:10:02.873078:CID-2:RT:In flow_first_complete_session
    
    Jun 13 22:10:03 22:10:02.873078:CID-2:RT:flow_first_complete_session, pak_ptr: 0x52048c50, nsp: 0x572ddb68, in_tunnel: 0x55dbcda8
    
    Jun 13 22:10:03 22:10:02.873078:CID-2:RT:construct v4 vector for nsp2
    
    Jun 13 22:10:03 22:10:02.873078:CID-2:RT:  existing vector list 0x10026-0x4b4378f8.
    
    Jun 13 22:10:03 22:10:02.873221:CID-2:RT:  Session (id:44676) created for first pak 10026
    
    Jun 13 22:10:03 22:10:02.873221:CID-2:RT:first pak processing successful
    
    Jun 13 22:10:03 22:10:02.873221:CID-2:RT:  flow_first_install_session======> 0x572ddb68
    
    Jun 13 22:10:03 22:10:02.873221:CID-2:RT: nsp 0x572ddb68, nsp2 0x572ddbf8
    
    Jun 13 22:10:03 22:10:02.873221:CID-2:RT:  make_nsp_ready_no_resolve()
    
    Jun 13 22:10:03 22:10:02.873221:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x81, oifl 0x46
    
    Jun 13 22:10:03 22:10:02.873323:CID-2:RT:  route lookup: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 orig-zone 14 out-zone 17 vsd 0
    
    Jun 13 22:10:03 22:10:02.873323:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    
    Jun 13 22:10:03 22:10:02.873323:CID-2:RT:  route to 1.1.1.254
    
    Jun 13 22:10:03 22:10:02.873372:CID-2:RT:ha_ifp: reth0.0
    
    Jun 13 22:10:03 22:10:02.873372:CID-2:RT:get NULL sess plugin info 0x572ddb68
    
    Jun 13 22:10:03 22:10:02.873414:CID-2:RT:get NULL sess plugin info 0x572ddb68
    
    Jun 13 22:10:03 22:10:02.873436:CID-2:RT:Installing s2c NP session wing
    
    Jun 13 22:10:03 22:10:02.873436:CID-2:RT:ha_ifp: reth0.0
    
    Jun 13 22:10:03 22:10:02.873436:CID-2:RT:get NULL sess plugin info 0x572ddb68
    
    Jun 13 22:10:03 22:10:02.873481:CID-2:RT:get NULL sess plugin info 0x572ddb68
    
    Jun 13 22:10:03 22:10:02.873502:CID-2:RT:get NULL sess plugin info 0x572ddb68
    
    Jun 13 22:10:03 22:10:02.873715:CID-2:RT:first path session installation succeeded
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT:  flow got session.
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT:  flow session id 44676
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT:  vsd 1 is active
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT:tcp head size = 32, opt_size=12
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT:MSS found 0x 4b0
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jun 13 22:10:03 22:10:02.873819:CID-2:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    
    Jun 13 22:10:03 22:10:02.873930:CID-2:RT:  encap vector
    
    Jun 13 22:10:03 22:10:02.873930:CID-2:RT:  no more encapping needed
    
    Jun 13 22:10:03 22:10:02.873930:CID-2:RT:mbuf 0x43b68280, exit nh 0x18063c2
    
    Jun 13 22:10:03 22:10:02.873967:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x52048c50 associated with mbuf 0x43b68280
    
    Jun 13 22:10:03 22:10:02.873982:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Jun 13 22:10:03 22:10:02.874206:CID-2:RT:<10.0.0.2/443->5.5.5.5/53157;6> matched filter F2:
    
    Jun 13 22:10:03 22:10:02.874206:CID-2:RT:packet [52] ipid = 13719, @0x43c8d024
    
    Jun 13 22:10:03 22:10:02.874280:CID-2:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x43c8ce00, rtbl_idx = 0
    
    Jun 13 22:10:03 22:10:02.874289:CID-2:RT: flow process pak fast ifl 77 in_ifp reth0.0
    
    Jun 13 22:10:03 22:10:02.874289:CID-2:RT:  reth0.0:10.0.0.2/443->5.5.5.5/53157, tcp, flag 12 syn ack
    
    Jun 13 22:10:03 22:10:02.874352:CID-2:RT: find flow: table 0x52756b80, hash 6031(0xffff), sa 10.0.0.2, da 5.5.5.5, sp 443, dp 53157, proto 6, tok 7
    
    Jun 13 22:10:03 22:10:02.874352:CID-2:RT:Found: session id 0xae84. sess tok 7
    
    Jun 13 22:10:03 22:10:02.874352:CID-2:RT:  flow got session.
    
    Jun 13 22:10:03 22:10:02.874352:CID-2:RT:  flow session id 44676
    
    Jun 13 22:10:03 22:10:02.874436:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x0, oifl 0x46
    
    Jun 13 22:10:03 22:10:02.874436:CID-2:RT:  route lookup failed: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 fto 0x4b40ac78 orig-zone 14 out-zone 17 vsd 0
    Jun 13 22:10:03 22:10:02.874474:CID-2:RT:  readjust timeout to 6 s
    
    Jun 13 22:10:03 22:10:02.874503:CID-2:RT:ha_ifp: reth0.0
    
    Jun 13 22:10:03 22:10:02.874503:CID-2:RT:  packet dropped,   pak dropped since re-route failed
    
    Jun 13 22:10:03 22:10:02.874503:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
    
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT: find flow: table 0x52756be0, hash 64700(0xffff), sa ignorethisip, da 10.0.0.2, sp 33248, dp 443, proto 6, tok 7
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:-jsf : Alloc sess plugin info for session 932008041476
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:ha_ifp: reth0.0
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:[JSF]Plugins(0x0, count 0) enabled for session = 932008041476, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:-jsf : no plugin interested for session 932008041476, free sess plugin info
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:get NULL sess plugin info 0x59f1ffb8
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:get NULL sess plugin info 0x59f1ffb8
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  existing vector list 0x22-0x4b4275c0.
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  existing vector list 0x22-0x4b4275c0.
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:no need update ha
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:Installing c2s NP session wing
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:Installing s2c NP session wing
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  make_nsp_ready_no_resolve()
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:flow_ipv4_rt_lkup success ignorethisip, iifl 0x54, oifl 0x54
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  route lookup: dest-ip ignorethisip orig ifp reth0.5 output_ifp reth0.5 orig-zone 7 out-zone 7 vsd 1
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  route to ignorethisip
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  make_nsp_ready_no_resolve()
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x4d, oifl 0x4d
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  route lookup: dest-ip 10.0.0.2 orig ifp reth0.0 output_ifp reth0.0 orig-zone 7 out-zone 7 vsd 1
    
    Jun 13 22:10:06 22:10:05.823933:CID-1:RT:  route to 10.0.0.2
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:<5.5.5.5/53155->10.0.0.2/443;6> matched filter F1:
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:packet [52] ipid = 23712, @0x43e632d0
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x43e63080, rtbl_idx = 0
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:flow process pak, mbuf 0x43e63080, ifl 129, ctxt_type 1 inq type 6
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT: in_ifp <vpn-Site-B:st0.0>
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:host inq check inq_type 0x6
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:tifp st0.0
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:pkt out of tunnel.Proceed normally
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:  st0.0:5.5.5.5/53155->10.0.0.2/443, tcp, flag 2 syn
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT: find flow: table 0x52756b80, hash 17048(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53155, dp 443, proto 6, tok 14
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:Found: session id 0x255ef. sess tok 14
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:  flow got session.
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:  flow session id 153071
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:  vsd 1 is active
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:tcp head size = 32, opt_size=12
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:MSS found 0x 4b0
    
    Jun 13 22:10:06 22:10:05.571853:CID-2:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 22:10:06 22:10:05.572202:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jun 13 22:10:06 22:10:05.572202:CID-2:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    
    Jun 13 22:10:06 22:10:05.572202:CID-2:RT:  encap vector
    
    Jun 13 22:10:06 22:10:05.572202:CID-2:RT:  no more encapping needed
    
    Jun 13 22:10:06 22:10:05.572202:CID-2:RT:mbuf 0x43e63080, exit nh 0x18063c2
    
    Jun 13 22:10:06 22:10:05.572202:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x52028c50 associated with mbuf 0x43e63080
    
    Jun 13 22:10:06 22:10:05.572202:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Jun 13 22:10:06 22:10:05.573930:CID-2:RT:<5.5.5.5/53156->10.0.0.2/443;6> matched filter F1:
    
    Jun 13 22:10:06 22:10:05.573930:CID-2:RT:packet [52] ipid = 23711, @0x43db4ed0
    
    Jun 13 22:10:06 22:10:05.573930:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x43db4c80, rtbl_idx = 0
    
    Jun 13 22:10:06 22:10:05.573930:CID-2:RT:flow process pak, mbuf 0x43db4c80, ifl 129, ctxt_type 1 inq type 6
    
    Jun 13 22:10:06 22:10:05.574027:CID-2:RT: in_ifp <vpn-Site-B:st0.0>
    
    Jun 13 22:10:06 22:10:05.574027:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148
    
    Jun 13 22:10:06 22:10:05.574027:CID-2:RT:host inq check inq_type 0x6
    
    Jun 13 22:10:06 22:10:05.574027:CID-2:RT:tifp st0.0
    
    Jun 13 22:10:06 22:10:05.574027:CID-2:RT:pkt out of tunnel.Proceed normally
    
    Jun 13 22:10:06 22:10:05.574027:CID-2:RT:  st0.0:5.5.5.5/53156->10.0.0.2/443, tcp, flag 2 syn
    
    Jun 13 22:10:06 22:10:05.574126:CID-2:RT: find flow: table 0x52756b80, hash 41864(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53156, dp 443, proto 6, tok 14
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:Found: session id 0x2bfd7. sess tok 14
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  flow got session.
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  flow session id 180183
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  vsd 1 is active
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:tcp head size = 32, opt_size=12
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:MSS found 0x 4b0
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  encap vector
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:  no more encapping needed
    
    Jun 13 22:10:06 22:10:05.574174:CID-2:RT:mbuf 0x43db4c80, exit nh 0x18063c2
    
    Jun 13 22:10:06 22:10:05.574309:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x52028c50 associated with mbuf 0x43db4c80
    
    Jun 13 22:10:06 22:10:05.574309:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:<10.0.0.2/443->5.5.5.5/53156;6> matched filter F2:
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:packet [52] ipid = 13720, @0x43e632a4
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43e63080, rtbl_idx = 0
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT: flow process pak fast ifl 77 in_ifp reth0.0
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  reth0.0:10.0.0.2/443->5.5.5.5/53156, tcp, flag 12 syn ack
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT: find flow: table 0x52756b80, hash 6024(0xffff), sa 10.0.0.2, da 5.5.5.5, sp 443, dp 53156, proto 6, tok 7
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:Found: session id 0x2bfd7. sess tok 7
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  flow got session.
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  flow session id 180183
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x0, oifl 0x46
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  route lookup failed: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 fto 0x4b40ac78 orig-zone 14 out-zone 17 vsd 0
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT:  packet dropped,   pak dropped since re-route failed
    
    Jun 13 22:10:06 22:10:05.582148:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
    
    
    Jun 13 22:10:06 22:10:05.840896:CID-2:RT:<5.5.5.5/53157->10.0.0.2/443;6> matched filter F1:
    
    Jun 13 22:10:06 22:10:05.840896:CID-2:RT:packet [52] ipid = 23713, @0x438c8450
    
    Jun 13 22:10:06 22:10:05.840943:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x438c8200, rtbl_idx = 0
    
    Jun 13 22:10:06 22:10:05.840974:CID-2:RT:flow process pak, mbuf 0x438c8200, ifl 129, ctxt_type 1 inq type 6
    
    Jun 13 22:10:06 22:10:05.841007:CID-2:RT: in_ifp <vpn-Site-B:st0.0>
    
    Jun 13 22:10:06 22:10:05.841007:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x69da2148
    
    Jun 13 22:10:06 22:10:05.841037:CID-2:RT:host inq check inq_type 0x6
    
    Jun 13 22:10:06 22:10:05.841037:CID-2:RT:tifp st0.0
    
    Jun 13 22:10:06 22:10:05.841037:CID-2:RT:pkt out of tunnel.Proceed normally
    
    Jun 13 22:10:06 22:10:05.841037:CID-2:RT:  st0.0:5.5.5.5/53157->10.0.0.2/443, tcp, flag 2 syn
    
    Jun 13 22:10:06 22:10:05.841037:CID-2:RT: find flow: table 0x52756b80, hash 33016(0xffff), sa 5.5.5.5, da 10.0.0.2, sp 53157, dp 443, proto 6, tok 14
    
    Jun 13 22:10:06 22:10:05.841132:CID-2:RT:Found: session id 0xae84. sess tok 14
    
    Jun 13 22:10:06 22:10:05.841152:CID-2:RT:  flow got session.
    
    Jun 13 22:10:06 22:10:05.841152:CID-2:RT:  flow session id 44676
    
    Jun 13 22:10:06 22:10:05.841152:CID-2:RT: vector bits 0x10026 vector 0x4b4378f8
    
    Jun 13 22:10:06 22:10:05.841191:CID-2:RT:  vsd 1 is active
    
    Jun 13 22:10:06 22:10:05.841191:CID-2:RT:tcp head size = 32, opt_size=12
    
    Jun 13 22:10:06 22:10:05.841191:CID-2:RT:MSS found 0x 4b0
    
    Jun 13 22:10:06 22:10:05.841191:CID-2:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 22:10:06 22:10:05.841191:CID-2:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    root@juniper-srx-b# run show log SRXB
    Jun 13 21:57:58 juniper-segl-pan clear-log[89373]: logfile cleared
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:<5.5.5.5/52827->2.2.2.2/443;6> matched filter F1:
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:packet [52] ipid = 23496, @0x43e8daa2
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e8d880, rtbl_idx = 0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  reth0.1:5.5.5.5/52827->2.2.2.2/443, tcp, flag 2 syn
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: find flow: table 0x52ea02e8, hash 33757(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52827, dp 443, proto 6, tok 13
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:check self-traffic on reth0.1, in_tunnel 0x0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pak_for_self: No handler function found for proto:6, dst-port:443, drop pkt
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:retcode: 0x1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pak_for_self : proto 6, dst port 443, action 0x0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_create_session
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:First path alloc and instl pending session, natp=0x567229c8, id=29409
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_in_dst_nat: in <reth0.1>, out <N/A> dst_adr 2.2.2.2, sp 52827, dp 443
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  chose interface reth0.1 as incoming nat if.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 2.2.2.2(443) to 10.0.0.2(443), rule/pool id 13/32771.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp reth0.1, out ifp N/A sp 52827, dp 443, ip_proto 6, tos 0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Doing DESTINATION addr route-lookup
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x45, oifl 0x8e
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  routed (x_dst_ip 10.0.0.2) from untrust (reth0.1 in 1) to st0.0, Next-hop: 10.0.0.2
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn-Site-A (0x110,0xce5b01bb,0x1bb)
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Policy lkup: vsys 0 zone(13:untrust) -> zone(10:vpn-Site-A) scope:0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:             5.5.5.5/52827 -> 10.0.0.2/443 proto 6
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  policy has timeout 900
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  app 58, timeout 1800s, curr ageout 20s
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  permitted by policy allow-https-through-vpn(30)
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  packet passed, Permitted by policy.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate:  incoming src port is : 52827.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  dip id = 0/0, 5.5.5.5/52827->5.5.5.5/52827 protocol 0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  Doing IPSec traffic-selector match for  5.5.5.5 -> 10.0.0.2
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Found IPSec nsp_tunnel 0x55941078 for bind-ifp st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_get_tun_info: tunnel out 0x55941078, tun id 131073
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_get_out_ifp: tunnel out 0x55941078, tun id 131073, tun if reth0.1, tun bind if st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  choose interface reth0.1(P2P) as outgoing phy if
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.0.0.2, rtt_idx:0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  check nsrp pak fwd: in_tun=0x0, VSD 0 for out ifp st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_check_ha_fwd: tunnel out 0x55941078, tun id 131073, tun if reth0.1, ha_ifp reth0.1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:-jsf : Alloc sess plugin info for session 687194796769
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:[JSF]Plugins(0x0, count 0) enabled for session = 687194796769, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:-jsf : no plugin interested for session 687194796769, free sess plugin info
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  service lookup identified service 58.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_final_check: in <reth0.1>, out <reth0.1>
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_final_check: flow_set_xlate_vector.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:In flow_first_complete_session
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_complete_session: pak_ptr is xlated packet
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_complete_session, pak_ptr: 0x51f08ea8, nsp: 0x567229c8, in_tunnel: 0x0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:construct v4 vector for nsp2
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  existing vector list 0x11026-0x4b3ee7d0.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  Session (id:29409) created for first pak 11026
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:first pak processing successful
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_install_session======> 0x567229c8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: nsp 0x567229c8, nsp2 0x56722a58
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  make_nsp_ready_no_resolve()
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x45, oifl 0x45
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  route lookup: dest-ip 5.5.5.5 orig ifp reth0.1 output_ifp reth0.1 orig-zone 13 out-zone 13 vsd 1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  route to 80.150.68.233
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Installing c2s NP session wing
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x567229c8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:first path session installation succeeded
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow got session.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow session id 29409
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ttl vector, out_tunnel = 0x55941078
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:tcp head size = 32, opt_size=12
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:MSS found 0x 5b4
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_xlate_pak
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  encap vector
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:mbuf 0x43e8d880, exit nh 0x250010
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:<5.5.5.5/52826->2.2.2.2/443;6> matched filter F1:
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:packet [52] ipid = 23495, @0x43d642a2
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43d64080, rtbl_idx = 0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  reth0.1:5.5.5.5/52826->2.2.2.2/443, tcp, flag 2 syn
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: find flow: table 0x52ea02e8, hash 58061(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52826, dp 443, proto 6, tok 13
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:check self-traffic on reth0.1, in_tunnel 0x0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pak_for_self: No handler function found for proto:6, dst-port:443, drop pkt
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:retcode: 0x1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pak_for_self : proto 6, dst port 443, action 0x0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_create_session
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:First path alloc and instl pending session, natp=0x55b68558, id=4616
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_in_dst_nat: in <reth0.1>, out <N/A> dst_adr 2.2.2.2, sp 52826, dp 443
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  chose interface reth0.1 as incoming nat if.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 2.2.2.2(443) to 10.0.0.2(443), rule/pool id 13/32771.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp reth0.1, out ifp N/A sp 52826, dp 443, ip_proto 6, tos 0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Doing DESTINATION addr route-lookup
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x45, oifl 0x8e
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  routed (x_dst_ip 10.0.0.2) from untrust (reth0.1 in 1) to st0.0, Next-hop: 10.0.0.2
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn-Site-A (0x110,0xce5a01bb,0x1bb)
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Policy lkup: vsys 0 zone(13:untrust) -> zone(10:vpn-Site-A) scope:0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:             5.5.5.5/52826 -> 10.0.0.2/443 proto 6
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  policy has timeout 900
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  app 58, timeout 1800s, curr ageout 20s
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  permitted by policy allow-https-through-vpn(30)
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  packet passed, Permitted by policy.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate:  incoming src port is : 52826.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  dip id = 0/0, 5.5.5.5/52826->5.5.5.5/52826 protocol 0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  Doing IPSec traffic-selector match for  5.5.5.5 -> 10.0.0.2
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: Found IPSec nsp_tunnel 0x55941078 for bind-ifp st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_get_tun_info: tunnel out 0x55941078, tun id 131073
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_get_out_ifp: tunnel out 0x55941078, tun id 131073, tun if reth0.1, tun bind if st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  choose interface reth0.1(P2P) as outgoing phy if
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.0.0.2, rtt_idx:0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  check nsrp pak fwd: in_tun=0x0, VSD 0 for out ifp st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_check_ha_fwd: tunnel out 0x55941078, tun id 131073, tun if reth0.1, ha_ifp reth0.1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:-jsf : Alloc sess plugin info for session 416611832328
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: st0.0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:[JSF]Plugins(0x0, count 0) enabled for session = 416611832328, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:-jsf : no plugin interested for session 416611832328, free sess plugin info
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  service lookup identified service 58.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_final_check: in <reth0.1>, out <reth0.1>
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_final_check: flow_set_xlate_vector.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:In flow_first_complete_session
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_complete_session: pak_ptr is xlated packet
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_first_complete_session, pak_ptr: 0x51f08ea8, nsp: 0x55b68558, in_tunnel: 0x0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:construct v4 vector for nsp2
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  existing vector list 0x11026-0x4b3ee7d0.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  Session (id:4616) created for first pak 11026
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:first pak processing successful
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_first_install_session======> 0x55b68558
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: nsp 0x55b68558, nsp2 0x55b685e8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  make_nsp_ready_no_resolve()
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x45, oifl 0x45
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  route lookup: dest-ip 5.5.5.5 orig ifp reth0.1 output_ifp reth0.1 orig-zone 13 out-zone 13 vsd 1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  route to 80.150.68.233
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:Installing c2s NP session wing
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get NULL sess plugin info 0x55b68558
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:first path session installation succeeded
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow got session.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow session id 4616
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:ttl vector, out_tunnel = 0x55941078
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:tcp head size = 32, opt_size=12
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:MSS found 0x 5b4
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:flow_xlate_pak
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  encap vector
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT:mbuf 0x43d64080, exit nh 0x250010
    
    Jun 13 21:58:14 21:58:14.604671:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT: find flow: table 0x51e84018, hash 33757(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52827, dp 443, proto 6, tok 13
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:-jsf : Alloc sess plugin info for session 597000497788
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 597000497788, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:-jsf : no plugin interested for session 597000497788, free sess plugin info
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get NULL sess plugin info 0x56dddc88
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get NULL sess plugin info 0x56dddc88
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:no need update ha
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:Installing c2s NP session wing
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT: find flow: table 0x51e84018, hash 58061(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52826, dp 443, proto 6, tok 13
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:-jsf : Alloc sess plugin info for session 536870913450
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 536870913450, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:-jsf : no plugin interested for session 536870913450, free sess plugin info
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get NULL sess plugin info 0x559e85a8
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get NULL sess plugin info 0x559e85a8
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:no need update ha
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:Installing c2s NP session wing
    
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.613762:CID-2:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:<5.5.5.5/52828->2.2.2.2/443;6> matched filter F1:
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:packet [52] ipid = 23498, @0x43d5a122
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43d59f00, rtbl_idx = 0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  reth0.1:5.5.5.5/52828->2.2.2.2/443, tcp, flag 2 syn
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: find flow: table 0x52ea02e8, hash 41773(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52828, dp 443, proto 6, tok 13
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:check self-traffic on reth0.1, in_tunnel 0x0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:pak_for_self: No handler function found for proto:6, dst-port:443, drop pkt
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:retcode: 0x1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:pak_for_self : proto 6, dst port 443, action 0x0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_first_create_session
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:First path alloc and instl pending session, natp=0x570a4f58, id=49512
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_first_in_dst_nat: in <reth0.1>, out <N/A> dst_adr 2.2.2.2, sp 52828, dp 443
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  chose interface reth0.1 as incoming nat if.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 2.2.2.2(443) to 10.0.0.2(443), rule/pool id 13/32771.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.5, x_dst_ip 10.0.0.2, in ifp reth0.1, out ifp N/A sp 52828, dp 443, ip_proto 6, tos 0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:Doing DESTINATION addr route-lookup
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_ipv4_rt_lkup success 10.0.0.2, iifl 0x45, oifl 0x8e
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  routed (x_dst_ip 10.0.0.2) from untrust (reth0.1 in 1) to st0.0, Next-hop: 10.0.0.2
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn-Site-A (0x110,0xce5c01bb,0x1bb)
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:Policy lkup: vsys 0 zone(13:untrust) -> zone(10:vpn-Site-A) scope:0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:             5.5.5.5/52828 -> 10.0.0.2/443 proto 6
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  policy has timeout 900
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  app 58, timeout 1800s, curr ageout 20s
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  permitted by policy allow-https-through-vpn(30)
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  packet passed, Permitted by policy.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_src_xlate:  incoming src port is : 52828.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  dip id = 0/0, 5.5.5.5/52828->5.5.5.5/52828 protocol 0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  Doing IPSec traffic-selector match for  5.5.5.5 -> 10.0.0.2
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT: find flow: table 0x51e84018, hash 41773(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52828, dp 443, proto 6, tok 13
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:-jsf : Alloc sess plugin info for session 609885410854
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 609885410854, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:-jsf : no plugin interested for session 609885410854, free sess plugin info
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:get NULL sess plugin info 0x573275e8
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:get NULL sess plugin info 0x573275e8
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:  existing vector list 0x11026-0x4b3eec48.
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:no need update ha
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:Installing c2s NP session wing
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: Found IPSec nsp_tunnel 0x55941078 for bind-ifp st0.0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_get_tun_info: tunnel out 0x55941078, tun id 131073
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_get_out_ifp: tunnel out 0x55941078, tun id 131073, tun if reth0.1, tun bind if st0.0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  choose interface reth0.1(P2P) as outgoing phy if
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.0.0.2, rtt_idx:0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  check nsrp pak fwd: in_tun=0x0, VSD 0 for out ifp st0.0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_check_ha_fwd: tunnel out 0x55941078, tun id 131073, tun if reth0.1, ha_ifp reth0.1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:-jsf : Alloc sess plugin info for session 949187821928
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:ha_ifp: st0.0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:[JSF]Plugins(0x0, count 0) enabled for session = 949187821928, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:-jsf : no plugin interested for session 949187821928, free sess plugin info
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  service lookup identified service 58.
    
    Jun 13 21:58:14 21:58:14.879241:CID-2:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_first_final_check: in <reth0.1>, out <reth0.1>
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_final_check: flow_set_xlate_vector.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:In flow_first_complete_session
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_complete_session: pak_ptr is xlated packet
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_first_complete_session, pak_ptr: 0x51f08ea8, nsp: 0x570a4f58, in_tunnel: 0x0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:construct v4 vector for nsp2
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  existing vector list 0x11026-0x4b3ee7d0.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  Session (id:49512) created for first pak 11026
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:first pak processing successful
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_first_install_session======> 0x570a4f58
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: nsp 0x570a4f58, nsp2 0x570a4fe8
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  make_nsp_ready_no_resolve()
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x45, oifl 0x45
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  route lookup: dest-ip 5.5.5.5 orig ifp reth0.1 output_ifp reth0.1 orig-zone 13 out-zone 13 vsd 1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  route to 80.150.68.233
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:Installing c2s NP session wing
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:ha_ifp: reth0.1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get NULL sess plugin info 0x570a4f58
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:first path session installation succeeded
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow got session.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow session id 49512
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:ttl vector, out_tunnel = 0x55941078
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:tcp head size = 32, opt_size=12
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:MSS found 0x 5b4
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:flow_xlate_pak
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  encap vector
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT:mbuf 0x43d59f00, exit nh 0x250010
    
    Jun 13 21:58:14 21:58:14.872803:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:<5.5.5.5/52827->2.2.2.2/443;6> matched filter F1:
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:packet [52] ipid = 23502, @0x43e8daa2
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e8d880, rtbl_idx = 0
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  reth0.1:5.5.5.5/52827->2.2.2.2/443, tcp, flag 2 syn
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: find flow: table 0x52ea02e8, hash 33757(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52827, dp 443, proto 6, tok 13
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:Found: session id 0x72e1. sess tok 13
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow got session.
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow session id 29409
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:ttl vector, out_tunnel = 0x55941078
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:tcp head size = 32, opt_size=12
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:MSS found 0x 5b4
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:flow_xlate_pak
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  encap vector
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:mbuf 0x43e8d880, exit nh 0x250010
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:<5.5.5.5/52826->2.2.2.2/443;6> matched filter F1:
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:packet [52] ipid = 23503, @0x43cdfe22
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43cdfc00, rtbl_idx = 0
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  reth0.1:5.5.5.5/52826->2.2.2.2/443, tcp, flag 2 syn
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: find flow: table 0x52ea02e8, hash 58061(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52826, dp 443, proto 6, tok 13
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:Found: session id 0x1208. sess tok 13
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow got session.
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow session id 4616
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:ttl vector, out_tunnel = 0x55941078
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:tcp head size = 32, opt_size=12
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:MSS found 0x 5b4
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:flow_tcp_wsf_update: wsf 8
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:flow_xlate_pak
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  encap vector
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT:mbuf 0x43cdfc00, exit nh 0x250010
    
    Jun 13 21:58:17 21:58:17.638686:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:<5.5.5.5/52828->2.2.2.2/443;6> matched filter F1:
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:packet [52] ipid = 23504, @0x43c971a2
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43c96f80, rtbl_idx = 0
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  reth0.1:5.5.5.5/52828->2.2.2.2/443, tcp, flag 2 syn
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT: find flow: table 0x52ea02e8, hash 41773(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52828, dp 443, proto 6, tok 13
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:Found: session id 0xc168. sess tok 13
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  flow got session.
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  flow session id 49512
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  vsd 1 is active
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:ttl vector, out_tunnel = 0x55941078
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:tcp head size = 32, opt_size=12
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:MSS found 0x 5b4
    
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:flow_tcp_wsf_update: wsf 8
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:flow_xlate_pak
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  encap vector
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT:mbuf 0x43c96f80, exit nh 0x250010
    Jun 13 21:58:17 21:58:17.860804:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:<5.5.5.5/52827->2.2.2.2/443;6> matched filter F1:
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:packet [52] ipid = 23505, @0x43d3d622
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43d3d400, rtbl_idx = 0
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  reth0.1:5.5.5.5/52827->2.2.2.2/443, tcp, flag 2 syn
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT: find flow: table 0x52ea02e8, hash 33757(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52827, dp 443, proto 6, tok 13
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:Found: session id 0x72e1. sess tok 13
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  flow got session.
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  flow session id 29409
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  vsd 1 is active
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:ttl vector, out_tunnel = 0x55941078
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:tcp head size = 32, opt_size=12
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:MSS found 0x 5b4
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:flow_tcp_wsf_update: wsf 8
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:flow_xlate_pak
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  encap vector
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT:mbuf 0x43d3d400, exit nh 0x250010
    Jun 13 21:58:23 21:58:23.604988:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:<5.5.5.5/52826->2.2.2.2/443;6> matched filter F1:
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:packet [52] ipid = 23506, @0x43ca92a2
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43ca9080, rtbl_idx = 0
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT: flow process pak fast ifl 69 in_ifp reth0.1
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  reth0.1:5.5.5.5/52826->2.2.2.2/443, tcp, flag 2 syn
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT: find flow: table 0x52ea02e8, hash 58061(0xffff), sa 5.5.5.5, da 2.2.2.2, sp 52826, dp 443, proto 6, tok 13
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:Found: session id 0x1208. sess tok 13
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  flow got session.
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  flow session id 4616
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT: vector bits 0x11026 vector 0x4b3ee7d0
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  vsd 1 is active
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:ttl vector, out_tunnel = 0x55941078
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:tcp head size = 32, opt_size=12
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:MSS found 0x 5b4
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  rewrite TCP MSS, new MSS: 1200, old MSS: 1460
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:flow_tcp_wsf_update: wsf 8
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:flow_xlate_pak
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  post addr xlation: 5.5.5.5->10.0.0.2.
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:out_ifp reth0.1 not tunnel if
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:get_tunnel_out_ha_ifp: out_ifp reth0.1
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:pre-frag not needed: ipsize: 52, mtu: 1438, nsp2->pmtu: 1438
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  encap vector
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  going into tunnel 131073 (nsp_tunnel=0x55941078).
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:  flow_encrypt: tun 0x55941078, type 1
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT:mbuf 0x43ca9080, exit nh 0x250010
    Jun 13 21:58:23 21:58:23.609002:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    So from what I can tell (I could be wrong here), SRXA is trying to send it back through its reth0.1 (untrust) interface to 5.5.5.5, instead of through st0.0.

    At least, that is what this tiny snip from the SRXA flow trace shows:

    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:flow_ipv4_rt_lkup success 5.5.5.5, iifl 0x81, oifl 0x46
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route lookup: dest-ip 5.5.5.5 orig ifp st0.0 output_ifp reth0.1 orig-zone 14 out-zone 17 vsd 0
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    Jun 13 22:10:03 22:10:02.577833:CID-2:RT:  route to 1.1.1.254

    Thanks a lot!



  • 4.  RE: Incoming Destination NAT through VPN Tunnel
    Best Answer

    Posted 06-13-2019 14:04

    Datapex,

    That's exactly what we needed. The problem SRXA is having is that it has a route to reach 5.5.5.5 via reth1 (because it's a public address); however, it received the traffic via st0. From SRXA's perspective, a packet from 5.5.5.5 should have come via reth1 because that interface faces the internet.

    I think you could use Src NAT on SRXB before sending these packets to SRXA. This way we can use a fake subnet and hide the real 5.5.5.5 address from SRXA. Then SRXA will reply via the tunnel and SRXB will revert the changes and send the traffic to 5.5.5.5 accordingly.

    Does it make sense to you? Do you need help with the config?



  • 5.  RE: Incoming Destination NAT through VPN Tunnel

    Posted 06-13-2019 22:03

    Thanks! That was it :).

    I needed to mask using an IP from the SRXB site, so the SRXA knew to send it back that way. source-nat interface wasn't enough, so I added a nat source pool with 10.2.0.254/32 to forward the traffic to SRXA through the tunnel. Lo and behold, it works!

    Thank you all for taking the time!



  • 6.  RE: Incoming Destination NAT through VPN Tunnel

    Posted 06-13-2019 17:15

    Datapex,

    If asymmetry in routing doesn't matter, another way of dealing with the zone-mismatch situation on SRX-A is to ensure that reth.x and st0.x are in the same security zone.

    This would prevent a zone-mismatch packet drop.

    But do note that this packet will then be sent out via the untrust interface reth.x, instead of back through the tunnel.

    Cheers

    Pooja



  • 7.  RE: Incoming Destination NAT through VPN Tunnel

    Posted 06-13-2019 19:27

    Hi,

    This is an interesting but complex requirement. I believe you would need a combination of DNAT and SRC NAT on Site B for this to work. When traffic reaches Site A, the return would get sent back to the public IP over the internet and not back over the VPN tunnel.

    Here are some things you may need to consider while doing the NAT on Site B for a destination over the VPN:

    1. DNAT - from untrust - src any dst: 2.2.2.2 then dnat: 10.0.0.2

    2. SNAT - from untrust to zone vpn - src any dst: 10.0.0.2, then src nat interface. I suggest you use a numbered tunnel to NAT to the interface, or use another IP from the 10.2.0. pool for the SRC NAT

    3. Security policy (happens before SRC NAT) - from any to 10.0.0.2 - untrust to vpn zone

    I believe this should be it; verify sessions at both ends to ensure flow and translation are as expected.

    Regards,

    Vikas
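The three steps above, combined with the source pool datapex reported working in reply 5 (10.2.0.254/32), as a Site B (SRXB) configuration. This is an added example, not config posted by anyone in the thread: the zone names untrust and vpn, st0.0 as the tunnel interface, the 10.0.0.0/24 and 10.2.0.0/24 prefixes, and all pool, rule, policy and address-book names are assumptions; comment lines are explanatory and not part of the config.

```junos
# Site B (SRXB), added example. Assumed: zone "untrust" holds the 2.2.2.2
# interface, zone "vpn" holds st0.0, Site A LAN 10.0.0.0/24 is reachable over the tunnel.

# Route the post-DNAT destination over the tunnel, so the route lookup after
# destination NAT selects st0.0 (zone vpn) as the egress interface.
set routing-options static route 10.0.0.0/24 next-hop st0.0
set security zones security-zone vpn interfaces st0.0

# Step 1 (DNAT): 2.2.2.2:443 -> 10.0.0.2:443 for traffic arriving from the internet.
set security nat destination pool siteA-https address 10.0.0.2/32 port 443
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule https-to-siteA match destination-address 2.2.2.2/32
set security nat destination rule-set from-internet rule https-to-siteA match destination-port 443
set security nat destination rule-set from-internet rule https-to-siteA then destination-nat pool siteA-https

# Step 2 (SNAT) with the fix from reply 5: hide the internet client behind
# 10.2.0.254, a Site B address, so SRXA's reverse route lookup resolves to its
# st0.0 instead of its untrust interface (the "zone mismatch" drop in the SRXA trace).
# Assumed: 10.2.0.254 is a free address in Site B's 10.2.0.0/24 LAN.
set security nat source pool vpn-hide address 10.2.0.254/32
set security nat source rule-set internet-to-vpn from zone untrust
set security nat source rule-set internet-to-vpn to zone vpn
set security nat source rule-set internet-to-vpn rule hide-client match source-address 0.0.0.0/0
set security nat source rule-set internet-to-vpn rule hide-client match destination-address 10.0.0.2/32
set security nat source rule-set internet-to-vpn rule hide-client then source-nat pool vpn-hide

# Step 3 (policy): evaluated after destination NAT and before source NAT, so it
# matches the real server address (not 2.2.2.2) and opens only HTTPS through the tunnel.
set security address-book global address siteA-web 10.0.0.2/32
set security policies from-zone untrust to-zone vpn policy https-to-siteA match source-address any
set security policies from-zone untrust to-zone vpn policy https-to-siteA match destination-address siteA-web
set security policies from-zone untrust to-zone vpn policy https-to-siteA match application junos-https
set security policies from-zone untrust to-zone vpn policy https-to-siteA then permit
```

To verify on SRXB, `show security flow session destination-prefix 10.0.0.2` should list the session with its outbound wing sourced from 10.2.0.254 on st0.0, and the hit counters in `show security nat source rule all` and `show security nat destination rule all` should increment per connection. SRXA only needs its existing route for the 10.2.0.0/24 LAN via st0.0, which the tunnel tests in the original post already rely on.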