Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

SRX PBR (or FBF) for return static routing

  • 1.  SRX PBR (or FBF) for return static routing

    Posted 09-20-2023 11:07

    Hi All,

    I would like to configure FBF to specify a return-traffic next hop in order to avoid asymmetric routing.

    The return packet from the server, when it reaches the SRX, takes a different route (interface) instead of the interface that the packet came from, which results in asymmetric routing.

    Best Regards



    ------------------------------
    OUSMANE NATHA DIARRA
    ------------------------------


  • 2.  RE: SRX PBR (or FBF) for return static routing

    Posted 09-20-2023 14:48

    Hi,

    Can you please share a topology, IP addresses of the source and server and the output of "show route <server-ip>" and "show route <client-ip>" from the SRX in question?

    Regards



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 3.  RE: SRX PBR (or FBF) for return static routing

    Posted 09-21-2023 05:09

    Explanation:

    When the packet is initiated from IP 10.232.0.132/32, located on vsys internet, to the IP 10.172.19.15 behind the SRX via reth0.600, the return packet is going toward reth0.910 instead of reth0.600.

    I would like the return traffic to go back through reth0.600 to vsys internet.

    I have only one routing instance and no FBF configured.

    Best Regards



    ------------------------------
    OUSMANE NATHA DIARRA
    ------------------------------



  • 4.  RE: SRX PBR (or FBF) for return static routing

    Posted 09-20-2023 19:58

    If you just want to ensure return routing on the SRX, a simple method would be to enable source NAT translation to the interface for the inbound flow.  Then the traffic internal to the network will be routed back to the SRX interface address and match that existing session.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------




  • 6.  RE: SRX PBR (or FBF) for return static routing

    Posted 09-21-2023 09:34

    Thanks.

    Can you please share the output of "show route 10.232.0.132" from the SRX? It looks like the SRX has a better route to reach 10.232.0.132/32 via 10.172.98.6 as compared with 10.172.99.14.

    Regards



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------
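
The "better route" point in the reply above, as an added example that is not part of the original thread: a longest-prefix-match lookup over the inet.0 and PBF-Instance.inet.0 tables from the lab output posted further down, checked against the lab's zone bindings. The verdict rule (a reverse route that leaves through a different zone than the session's ingress is rejected) is a simplified model of the "zone mismatch" lines in the lab's flow trace, and the function and table names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the lab's "show route" output in this thread: active routes
# mapped to their egress interface (Local /32 host routes omitted).
INET0 = {
    "0.0.0.0/0": "ge-0/0/0.0",
    "10.10.10.0/24": "ge-0/0/2.0",
    "10.172.19.0/24": "ge-0/0/1.0",
    "10.172.98.0/29": "ge-0/0/2.0",
    "10.172.99.0/29": "ge-0/0/0.0",
    "10.239.10.11/32": "ge-0/0/2.0",
}
PBF_INSTANCE = {
    "10.172.19.0/24": "ge-0/0/1.0",
    "10.172.98.0/29": "ge-0/0/2.0",
    "10.172.99.0/29": "ge-0/0/0.0",
    "10.239.10.11/32": "ge-0/0/0.0",
}
# Zone bindings from the lab's "set security zones" lines.
ZONES = {"ge-0/0/0.0": "INTERNET", "ge-0/0/1.0": "NET19", "ge-0/0/2.0": "WAN"}


@dataclass
class FlowCheck:
    forward_egress: Optional[str]   # interface chosen for client -> server
    reverse_egress: Optional[str]   # interface chosen for server -> client
    ingress_zone: Optional[str]     # zone of the interface the flow arrived on
    reverse_zone: Optional[str]     # zone of the reverse-route interface
    verdict: str


def lookup(table, address):
    """Longest-prefix match. Returns (prefix, interface), or None if no route."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, ifname in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return None if best is None else (str(best[0]), best[1])


def check_flow(table, src, dst, ingress_if, zones=ZONES):
    """Compare the reverse route for `src` with the interface the flow came in on.

    Simplified model (an assumption of this example): the reverse route may use
    another interface in the same zone, but not an interface in another zone.
    """
    fwd = lookup(table, dst)
    rev = lookup(table, src)
    ingress_zone = zones.get(ingress_if)
    if fwd is None or rev is None:
        return FlowCheck(fwd and fwd[1], rev and rev[1], ingress_zone, None, "no-route")
    reverse_zone = zones.get(rev[1])
    if rev[1] == ingress_if:
        verdict = "symmetric"
    elif reverse_zone == ingress_zone:
        verdict = "asymmetric-same-zone"
    else:
        verdict = "zone-mismatch"
    return FlowCheck(fwd[1], rev[1], ingress_zone, reverse_zone, verdict)


if __name__ == "__main__":
    # The lab flow: ping from 10.239.10.11 to 10.172.19.90 arriving on ge-0/0/0.0.
    for name, table in (("inet.0", INET0), ("PBF-Instance.inet.0", PBF_INSTANCE)):
        result = check_flow(table, "10.239.10.11", "10.172.19.90", "ge-0/0/0.0")
        print(f"{name}: reverse route via {result.reverse_egress} "
              f"({result.reverse_zone}), ingress zone {result.ingress_zone} "
              f"-> {result.verdict}")
```

The reverse-route interface the flow trace reports (output_ifp ge-0/0/2.0) is the one this lookup returns for inet.0, not the one in PBF-Instance.inet.0.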



  • 7.  RE: SRX PBR (or FBF) for return static routing

    Posted 09-21-2023 10:45

    Hi,

    I put together a lab for the test.

    I want the traffic to take the green color.

    > Config

    root@vSRX> show configuration | display set    
    set version 21.3R1.9
    set system host-name vSRX
    set system root-authentication encrypted-password "$6$zJw2kymY$ghxn/3jlZGMFY6xCGcSQmMUeVZ9oyKh3Kddlod.TyTS3uufl9sa10TAT67a8YlNhp7cum2.1k.B9UDSC11FJQ1"
    set system services ssh
    set system services web-management http interface fxp0.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fxp0.0
    set system syslog file interactive-commands interactive-commands any
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set security flow traceoptions file test
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter p1 source-prefix 10.239.10.11/32
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone INTERNET to-zone NET19 policy INTERNET_To_NET19_00 description INTERNET_To_NET19
    set security policies from-zone INTERNET to-zone NET19 policy INTERNET_To_NET19_00 match source-address any
    set security policies from-zone INTERNET to-zone NET19 policy INTERNET_To_NET19_00 match destination-address any
    set security policies from-zone INTERNET to-zone NET19 policy INTERNET_To_NET19_00 match application any
    set security policies from-zone INTERNET to-zone NET19 policy INTERNET_To_NET19_00 then permit
    set security policies from-zone NET19 to-zone INTERNET policy NET19_To_INTERNET_00 description NET19_To_INTERNET
    set security policies from-zone NET19 to-zone INTERNET policy NET19_To_INTERNET_00 match source-address any
    set security policies from-zone NET19 to-zone INTERNET policy NET19_To_INTERNET_00 match destination-address any
    set security policies from-zone NET19 to-zone INTERNET policy NET19_To_INTERNET_00 match application any
    set security policies from-zone NET19 to-zone INTERNET policy NET19_To_INTERNET_00 then permit
    set security policies from-zone NET19 to-zone WAN policy NET19_To_WAN_00 description NET19_To_WAN
    set security policies from-zone NET19 to-zone WAN policy NET19_To_WAN_00 match source-address any
    set security policies from-zone NET19 to-zone WAN policy NET19_To_WAN_00 match destination-address any
    set security policies from-zone NET19 to-zone WAN policy NET19_To_WAN_00 match application any
    set security policies from-zone NET19 to-zone WAN policy NET19_To_WAN_00 then permit
    set security policies from-zone WAN to-zone NET19 policy WAN_To_NET19_00 description WAN_To_NET19
    set security policies from-zone WAN to-zone NET19 policy WAN_To_NET19_00 match source-address any
    set security policies from-zone WAN to-zone NET19 policy WAN_To_NET19_00 match destination-address any
    set security policies from-zone WAN to-zone NET19 policy WAN_To_NET19_00 match application any
    set security policies from-zone WAN to-zone NET19 policy WAN_To_NET19_00 then permit
    set security policies pre-id-default-policy then log session-close
    set security zones security-zone trust tcp-rst
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone INTERNET interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone NET19 host-inbound-traffic system-services ping
    set security zones security-zone NET19 host-inbound-traffic system-services http
    set security zones security-zone NET19 interfaces ge-0/0/1.0
    set security zones security-zone WAN host-inbound-traffic system-services ping
    set security zones security-zone WAN interfaces ge-0/0/2.0
    set interfaces ge-0/0/0 unit 0 family inet filter input PBF-Filter
    set interfaces ge-0/0/0 unit 0 family inet address 10.172.99.1/29
    set interfaces ge-0/0/1 unit 0 family inet address 10.172.19.1/24
    set interfaces ge-0/0/2 unit 0 family inet address 10.172.98.1/29
    set interfaces fxp0 unit 0
    set policy-options prefix-list 10.172.19.90/32 10.172.19.90/32
    set policy-options prefix-list 10.239.10.11/32 10.239.10.11/32
    set firewall family inet filter PBF-Filter term 2 from source-address 10.239.10.11/32
    set firewall family inet filter PBF-Filter term 2 from destination-address 10.172.19.90/32
    set firewall family inet filter PBF-Filter term 2 then routing-instance PBF-Instance
    set firewall family inet filter PBF-Filter term 3 then accept
    set routing-instances PBF-Instance instance-type forwarding
    set routing-instances PBF-Instance routing-options static route 10.239.10.11/32 next-hop 10.172.99.2
    set routing-options interface-routes rib-group inet fbf-group
    set routing-options static route 0.0.0.0/0 next-hop 10.172.99.2
    set routing-options static route 10.239.10.11/32 next-hop 10.172.98.6
    set routing-options static route 10.10.10.0/24 next-hop 10.172.98.6
    set routing-options rib-groups fbf-group import-rib inet.0
    set routing-options rib-groups fbf-group import-rib PBF-Instance.inet.0

    > Route

    root@vSRX> show route  

     

    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

     

    0.0.0.0/0          *[Static/5] 15:25:38
                        >  to 10.172.99.2 via ge-0/0/0.0
    10.10.10.0/24      *[Static/5] 14:57:29
                        >  to 10.172.98.6 via ge-0/0/2.0
    10.172.19.0/24     *[Direct/0] 17:10:44
                        >  via ge-0/0/1.0
    10.172.19.1/32     *[Local/0] 17:10:44
                           Local via ge-0/0/1.0
    10.172.98.0/29     *[Direct/0] 15:43:04
                        >  via ge-0/0/2.0
    10.172.98.1/32     *[Local/0] 15:43:04
                           Local via ge-0/0/2.0
    10.172.99.0/29     *[Direct/0] 16:07:50
                        >  via ge-0/0/0.0
    10.172.99.1/32     *[Local/0] 16:07:50
                           Local via ge-0/0/0.0
    10.239.10.11/32    *[Static/5] 15:09:25
                        >  to 10.172.98.6 via ge-0/0/2.0

    PBF-Instance.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

     

    10.172.19.0/24     *[Direct/0] 01:40:35
                        >  via ge-0/0/1.0
    10.172.19.1/32     *[Local/0] 01:40:35
                           Local via ge-0/0/1.0
    10.172.98.0/29     *[Direct/0] 01:40:35
                        >  via ge-0/0/2.0
    10.172.98.1/32     *[Local/0] 01:40:35
                           Local via ge-0/0/2.0
    10.172.99.0/29     *[Direct/0] 01:40:35
                        >  via ge-0/0/0.0
    10.172.99.1/32     *[Local/0] 01:40:35
                           Local via ge-0/0/0.0
    10.239.10.11/32    *[Static/5] 01:40:35
                        >  to 10.172.99.2 via ge-0/0/0.0

     

    inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

     

    ff02::2/128        *[INET6/0] 19:38:50
                           MultiRecv        

     

    PBF-Instance.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

     

    ff02::2/128        *[INET6/0] 14:51:18
                           MultiRecv

    root@vSRX> show route 10.239.10.11

     

    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

     

    10.239.10.11/32    *[Static/5] 15:10:25
                        >  to 10.172.98.6 via ge-0/0/2.0

     

    PBF-Instance.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

     

    10.239.10.11/32    *[Static/5] 01:41:35
                        >  to 10.172.99.2 via ge-0/0/0.0

     

    root@vSRX>

    > Log error

    root@vSRX# run show log test 
    Sep 21 13:41:00 13:41:00.616629:CID-0:THREAD_ID-01:LSYS_ID-00:RT:flow_ipv4_rt_lkup success 10.239.10.11, iifl 0x48, oifl 0x4a
    Sep 21 13:41:00 13:41:00.616631:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  route lookup failed: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/2.0 fto 0x7f5ff5a0 orig-zone 10 out-zone 12 vsd 0 orig vrf-id 0 out vrf-id 0 orig vrf-grp-id 0 out vrf-grp-id 0
    Sep 21 13:41:00 13:41:00.616633:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  readjust timeout to 30s
    Sep 21 13:41:00 13:41:00.616634:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  packet dropped,   pak dropped since re-route failed
    Sep 21 13:41:00 13:41:00.616639:CID-0:THREAD_ID-01:LSYS_ID-00:RT:flow_proc_rc: -1.
    Sep 21 13:41:00 13:41:00.616641:CID-0:THREAD_ID-01:LSYS_ID-00:RT: ---- flow_process_pkt rc 0x7 (fp rc -1)
    Sep 21 13:41:00 13:41:00.615490:CID-0:THREAD_ID-02:LSYS_ID-00:RT:
    Sep 21 13:41:00 13:41:00.615492:CID-0:THREAD_ID-02:LSYS_ID-00:RT:~~~FLOW <10.239.10.11/9->10.172.19.90/4;1,0x0> matched filter p1(0) of root-logical-system for iif ge-0/0/0.0:
    Sep 21 13:41:00 13:41:00.615497:CID-0:THREAD_ID-02:LSYS_ID-00:RT:   packet [84] ipid = 53000, @0x957539ce
    Sep 21 13:41:00 13:41:00.615499:CID-0:THREAD_ID-02:LSYS_ID-00:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x70dc7e00, rtbl_idx = 6
    Sep 21 13:41:00 13:41:00.615501:CID-0:THREAD_ID-02:LSYS_ID-00:RT: flow process pak fast ifl 72 in_ifp ge-0/0/0.0
    Sep 21 13:41:00 13:41:00.615505:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  ge-0/0/0.0:10.239.10.11->10.172.19.90, icmp, (8/0)
    Sep 21 13:41:00 13:41:00.615508:CID-0:THREAD_ID-02:LSYS_ID-00:RT: find flow: table 0x2a6625c0, hash 36145(0xffff), sa 10.239.10.11, da 10.172.19.90, sp 9, dp 4, proto 1, tok 10, conn-tag 0x00000000, vrf-grp-id 0
    Sep 21 13:41:00 13:41:00.615510:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Sep 21 13:41:00 13:41:00.615517:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_first_create_session
    Sep 21 13:41:00 13:41:00.615523:CID-0:THREAD_ID-02:LSYS_ID-00:RT:Save init hash spu id 0 to nsp and nsp2!
    Sep 21 13:41:00 13:41:00.615525:CID-0:THREAD_ID-02:LSYS_ID-00:RT:First path alloc and instl pending session, natp=0x2ba5a640, id=6623
    Sep 21 13:41:00 13:41:00.615528:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 10.172.19.90, sp 9, dp 4
    Sep 21 13:41:00 13:41:00.615530:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  chose interface ge-0/0/0.0 as incoming nat if.
    Sep 21 13:41:00 13:41:00.615535:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.172.19.90(4)
    Sep 21 13:41:00 13:41:00.615538:CID-0:THREAD_ID-02:LSYS_ID-00:RT:[JSF] Do ingress interest check. regd ingress plugins(2)
    Sep 21 13:41:00 13:41:00.615555:CID-0:THREAD_ID-02:LSYS_ID-00:RT:[JSF][0]plugins(0x0) enabled for session = 6623  implicit mask(0x0), service request(0x0)
    Sep 21 13:41:00 13:41:00.615556:CID-0:THREAD_ID-02:LSYS_ID-00:RT:-jsf : no plugin ingress interested for session 6623
    Sep 21 13:41:00 13:41:00.615557:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_routing: vr_id 6, call flow_route_lookup(): src_ip 10.239.10.11, x_dst_ip 10.172.19.90, in ifp ge-0/0/0.0, out ifp N/A sp 9, dp 4, ip_proto 1, tos 0
    Sep 21 13:41:00 13:41:00.615563:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_routing: Doing DESTINATION addr route-lookup
    Sep 21 13:41:00 13:41:00.615577:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_ipv4_rt_lkup success 10.172.19.90, iifl 0x48, oifl 0x49
    Sep 21 13:41:00 13:41:00.615581:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_routing: setting out_vrf_id in lpak to 0, grp 0
    Sep 21 13:41:00 13:41:00.615582:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  routed (x_dst_ip 10.172.19.90) from INTERNET (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.172.19.90
    Sep 21 13:41:00 13:41:00.615590:CID-0:THREAD_ID-02:LSYS_ID-00:RT:Policy lkup: vsys 0 zone(10:INTERNET) -> zone(11:NET19) scope:0
    src vrf (0) dsv vrf (0) scope:327024896
    Sep 21 13:41:00 13:41:00.615592:CID-0:THREAD_ID-02:LSYS_ID-00:RT:             10.239.10.11/2048 -> 10.172.19.90/2686 proto 1
    Sep 21 13:41:00 13:41:00.615608:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_policy_search: policy search from zone INTERNET-> zone NET19 (0x0,0x90004,0x4), result: 0x598af168, pending: 0?
    Sep 21 13:41:00 13:41:00.615609:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_policy_search: dynapp_none_policy: TRUE, uc_none_policy: TRUE, is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
    Sep 21 13:41:00 13:41:00.615612:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  app 0, timeout 60s, curr ageout 60s
    Sep 21 13:41:00 13:41:00.615614:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  permitted by policy INTERNET_To_NET19_00(6)
    Sep 21 13:41:00 13:41:00.615614:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  packet passed, Permitted by policy.
    Sep 21 13:41:00 13:41:00.615615:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_policy_search:policy explicit matched or jdpi final matched, set session with dynamic_appid 0
    Sep 21 13:41:00 13:41:00.615616:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_policy_search: Policy final match
    Sep 21 13:41:00 13:41:00.615617:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_conn_track_ent_lookup: zone connection track 0xb
    Sep 21 13:41:00 13:41:00.615620:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Sep 21 13:41:00 13:41:00.615621:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_src_xlate:  incoming src port is : 9.
    Sep 21 13:41:00 13:41:00.615622:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False, nat_eim: False.
    Sep 21 13:41:00 13:41:00.615623:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  dip id = 0/0, 10.239.10.11/9->10.239.10.11/9 protocol 0
    Sep 21 13:41:00 13:41:00.615626:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  choose interface ge-0/0/1.0(P2P) as outgoing phy if
    Sep 21 13:41:00 13:41:00.615629:CID-0:THREAD_ID-02:LSYS_ID-00:RT:is_loop_pak: No loop: on ifp: ge-0/0/1.0, addr: 10.172.19.90, rtt_idx:0
    Sep 21 13:41:00 13:41:00.615632:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_do_pre_interest_check_per_session JDPI packet capture global mode return TRUE
    Sep 21 13:41:00 13:41:00.615633:CID-0:THREAD_ID-02:LSYS_ID-00:RT:[JSF]Normal interest check. regd plugins 45, enabled impl mask 0x0
    Sep 21 13:41:00 13:41:00.615639:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615647:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615664:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615673:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615676:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615677:CID-0:THREAD_ID-02:LSYS_ID-00:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Sep 21 13:41:00 13:41:00.615680:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615683:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615688:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615698:CID-0:THREAD_ID-02:LSYS_ID-00:RT:[JSF]Plugins(0x0, count 0) enabled for session = 6623, impli mask(0x0), post_nat cnt 0 svc req(0x1d20e05)
    Sep 21 13:41:00 13:41:00.615699:CID-0:THREAD_ID-02:LSYS_ID-00:RT:-jsf : no plugin interested for session 6623, free sess plugin info
    Sep 21 13:41:00 13:41:00.615700:CID-0:THREAD_ID-02:LSYS_ID-00:RT:jsf pre int check result 0 0 0 0
    Sep 21 13:41:00 13:41:00.615701:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_service_lookup(): natp(0x2ba5a640): app_id, 0(0).
    Sep 21 13:41:00 13:41:00.615702:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  service lookup identified service 0.
    Sep 21 13:41:00 13:41:00.615702:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_first_final_check: in <ge-0/0/0.0>, out <ge-0/0/1.0>
    Sep 21 13:41:00 13:41:00.615703:CID-0:THREAD_ID-02:LSYS_ID-00:RT:In flow_first_complete_session
    Sep 21 13:41:00 13:41:00.615704:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_complete_session, pak_ptr: 0x137e0848, nsp: 0x2ba5a640, in_tunnel: 0x0
    Sep 21 13:41:00 13:41:00.615705:CID-0:THREAD_ID-02:LSYS_ID-00:RT:before copy: nsp vec_list 0x0, nsp2 vec_list 0x200
    Sep 21 13:41:00 13:41:00.615706:CID-0:THREAD_ID-02:LSYS_ID-00:RT:after copy: nsp vec_list 0x200, nsp2 vec_list 0x200
    Sep 21 13:41:00 13:41:00.615706:CID-0:THREAD_ID-02:LSYS_ID-00:RT:construct v4 vector for nsp2 and nsp
    Sep 21 13:41:00 13:41:00.615707:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  existing vector list 0x200-0x7f5fef50.
    Sep 21 13:41:00 13:41:00.615708:CID-0:THREAD_ID-02:LSYS_ID-00:RT:vector index for nsp2: 200
    Sep 21 13:41:00 13:41:00.615708:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  existing vector list 0x200-0x7f5fef50.
    Sep 21 13:41:00 13:41:00.615709:CID-0:THREAD_ID-02:LSYS_ID-00:RT:vector index for nsp: 200
    Sep 21 13:41:00 13:41:00.615710:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  Session (id:6623) created for first pak 200
    Sep 21 13:41:00 13:41:00.615710:CID-0:THREAD_ID-02:LSYS_ID-00:RT:first pak processing successful
    Sep 21 13:41:00 13:41:00.615711:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_first_install_session======> 0x2ba5a640
    Sep 21 13:41:00 13:41:00.615712:CID-0:THREAD_ID-02:LSYS_ID-00:RT: nsp 0x2ba5a640, nsp2 0x2ba5a700, local_pak 0x137e0848
    Sep 21 13:41:00 13:41:00.615713:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  make_nsp_ready_no_resolve()
    Sep 21 13:41:00 13:41:00.615715:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_ipv4_rt_lkup success 10.239.10.11, iifl 0x48, oifl 0x4a
    Sep 21 13:41:00 13:41:00.615717:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  route lookup: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/2.0  orig-zone 10 out-zone 12 need_clear_fto 0 vsd 0, route_flag: 0x8
    Sep 21 13:41:00 13:41:00.615719:CID-0:THREAD_ID-02:LSYS_ID-00:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    Sep 21 13:41:00 13:41:00.615720:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  route to 10.172.98.6
    Sep 21 13:41:00 13:41:00.615725:CID-0:THREAD_ID-02:LSYS_ID-00:RT:no need update ha
    Sep 21 13:41:00 13:41:00.615726:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_conn_track_ent_create: connection track on zone 10 not enabled
    Sep 21 13:41:00 13:41:00.615727:CID-0:THREAD_ID-02:LSYS_ID-00:RT:first path session installation succeeded
    Sep 21 13:41:00 13:41:00.615728:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow got session (id 6623).
    Sep 21 13:41:00 13:41:00.615728:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow session id 6623
    Sep 21 13:41:00 13:41:00.615730:CID-0:THREAD_ID-02:LSYS_ID-00:RT: vector bits 0x200 vector 0x7f5fef50 for session 6623
    Sep 21 13:41:00 13:41:00.615733:CID-0:THREAD_ID-02:LSYS_ID-00:RT:mbuf 0x70dc7e00, exit nh 0xd0010
    Sep 21 13:41:00 13:41:00.615734:CID-0:THREAD_ID-02:LSYS_ID-00:RT: ---- flow_process_pkt rc 0x0 (fp rc 0)
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:~~~FLOW <10.172.19.90/5->10.239.10.11/9;1,0x0> matched filter p1(0) of root-logical-system for iif ge-0/0/1.0:
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:   packet [84] ipid = 26670, @0x9673f9ce
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x70e47400, rtbl_idx = 0
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT: flow process pak fast ifl 73 in_ifp ge-0/0/1.0
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  ge-0/0/1.0:10.172.19.90->10.239.10.11, icmp, (0/0)
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT: find flow: table 0x2a6625c0, hash 6865(0xffff), sa 10.172.19.90, da 10.239.10.11, sp 5, dp 9, proto 1, tok 11, conn-tag 0x00000000, vrf-grp-id 0
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:Found: session id 6624. sess tok 11
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  flow got session (id 6624).
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  flow session id 6624
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:flow_ipv4_rt_lkup success 10.239.10.11, iifl 0x48, oifl 0x4a
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  route lookup failed: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/2.0 fto 0x7f5ff5a0 orig-zone 10 out-zone 12 vsd 0 orig vrf-id 0 out vrf-id 0 orig vrf-grp-id 0 out vrf-grp-id 0
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  readjust timeout to 30s
    Sep 21 13:41:01 13:41:01.640121:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  packet dropped,   pak dropped since re-route failed
    Sep 21 13:41:01 13:41:01.640163:CID-0:THREAD_ID-01:LSYS_ID-00:RT:flow_proc_rc: -1.
    Sep 21 13:41:01 13:41:01.640165:CID-0:THREAD_ID-01:LSYS_ID-00:RT: ---- flow_process_pkt rc 0x7 (fp rc -1)
    Sep 21 13:41:01 13:41:01.639341:CID-0:THREAD_ID-02:LSYS_ID-00:RT:
    Sep 21 13:41:01 13:41:01.639343:CID-0:THREAD_ID-02:LSYS_ID-00:RT:~~~FLOW <10.239.10.11/9->10.172.19.90/5;1,0x0> matched filter p1(0) of root-logical-system for iif ge-0/0/0.0:
    Sep 21 13:41:01 13:41:01.639348:CID-0:THREAD_ID-02:LSYS_ID-00:RT:   packet [84] ipid = 53217, @0x9574b9ce
    Sep 21 13:41:01 13:41:01.639350:CID-0:THREAD_ID-02:LSYS_ID-00:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x70dc7a00, rtbl_idx = 6
    Sep 21 13:41:01 13:41:01.639352:CID-0:THREAD_ID-02:LSYS_ID-00:RT: flow process pak fast ifl 72 in_ifp ge-0/0/0.0
    Sep 21 13:41:01 13:41:01.639356:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  ge-0/0/0.0:10.239.10.11->10.172.19.90, icmp, (8/0)
    Sep 21 13:41:01 13:41:01.639359:CID-0:THREAD_ID-02:LSYS_ID-00:RT: find flow: table 0x2a6625c0, hash 36432(0xffff), sa 10.239.10.11, da 10.172.19.90, sp 9, dp 5, proto 1, tok 10, conn-tag 0x00000000, vrf-grp-id 0
    Sep 21 13:41:01 13:41:01.639362:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Sep 21 13:41:01 13:41:01.639368:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_first_create_session
    Sep 21 13:41:01 13:41:01.639373:CID-0:THREAD_ID-02:LSYS_ID-00:RT:Save init hash spu id 0 to nsp and nsp2!
    Sep 21 13:41:01 13:41:01.639376:CID-0:THREAD_ID-02:LSYS_ID-00:RT:First path alloc and instl pending session, natp=0x2ba5a940, id=6624
    Sep 21 13:41:01 13:41:01.639378:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 10.172.19.90, sp 9, dp 5
    Sep 21 13:41:01 13:41:01.639381:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  chose interface ge-0/0/0.0 as incoming nat if.
    Sep 21 13:41:01 13:41:01.639387:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.172.19.90(5)
    Sep 21 13:41:01 13:41:01.639389:CID-0:THREAD_ID-02:LSYS_ID-00:RT:[JSF] Do ingress interest check. regd ingress plugins(2)
    Sep 21 13:41:01 13:41:01.639407:CID-0:THREAD_ID-02:LSYS_ID-00:RT:[JSF][0]plugins(0x0) enabled for session = 6624  implicit mask(0x0), service request(0x0)
    Sep 21 13:41:01 13:41:01.639408:CID-0:THREAD_ID-02:LSYS_ID-00:RT:-jsf : no plugin ingress interested for session 6624
    Sep 21 13:41:01 13:41:01.639409:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_routing: vr_id 6, call flow_route_lookup(): src_ip 10.239.10.11, x_dst_ip 10.172.19.90, in ifp ge-0/0/0.0, out ifp N/A sp 9, dp 5, ip_proto 1, tos 0
    Sep 21 13:41:01 13:41:01.639414:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_routing: Doing DESTINATION addr route-lookup
    Sep 21 13:41:01 13:41:01.639429:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_ipv4_rt_lkup success 10.172.19.90, iifl 0x48, oifl 0x49
    Sep 21 13:41:01 13:41:01.639432:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_routing: setting out_vrf_id in lpak to 0, grp 0
    Sep 21 13:41:01 13:41:01.639433:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  routed (x_dst_ip 10.172.19.90) from INTERNET (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.172.19.90
    Sep 21 13:41:01 13:41:01.639442:CID-0:THREAD_ID-02:LSYS_ID-00:RT:Policy lkup: vsys 0 zone(10:INTERNET) -> zone(11:NET19) scope:0
    src vrf (0) dsv vrf (0) scope:327024896
    Sep 21 13:41:01 13:41:01.639444:CID-0:THREAD_ID-02:LSYS_ID-00:RT:             10.239.10.11/2048 -> 10.172.19.90/18719 proto 1
    Sep 21 13:41:01 13:41:01.639459:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_policy_search: policy search from zone INTERNET-> zone NET19 (0x0,0x90005,0x5), result: 0x598af168, pending: 0?
    Sep 21 13:41:01 13:41:01.639461:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_policy_search: dynapp_none_policy: TRUE, uc_none_policy: TRUE, is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
    Sep 21 13:41:01 13:41:01.639463:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  app 0, timeout 60s, curr ageout 60s
    Sep 21 13:41:01 13:41:01.639465:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  permitted by policy INTERNET_To_NET19_00(6)
    Sep 21 13:41:01 13:41:01.639465:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  packet passed, Permitted by policy.
    Sep 21 13:41:01 13:41:01.639466:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_policy_search:policy explicit matched or jdpi final matched, set session with dynamic_appid 0
    Sep 21 13:41:01 13:41:01.639467:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_policy_search: Policy final match
    Sep 21 13:41:01 13:41:01.639468:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_conn_track_ent_lookup: zone connection track 0xb
    Sep 21 13:41:01 13:41:01.639471:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Sep 21 13:41:01 13:41:01.639473:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_src_xlate:  incoming src port is : 9.
    Sep 21 13:41:01 13:41:01.639474:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False, nat_eim: False.
    Sep 21 13:41:01 13:41:01.639475:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  dip id = 0/0, 10.239.10.11/9->10.239.10.11/9 protocol 0
    Sep 21 13:41:01 13:41:01.639477:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  choose interface ge-0/0/1.0(P2P) as outgoing phy if
    Sep 21 13:41:01 13:41:01.639481:CID-0:THREAD_ID-02:LSYS_ID-00:RT:is_loop_pak: No loop: on ifp: ge-0/0/1.0, addr: 10.172.19.90, rtt_idx:0
    Sep 21 13:41:01 13:41:01.639484:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_do_pre_interest_check_per_session JDPI packet capture global mode return TRUE
    Sep 21 13:41:01 13:41:01.639485:CID-0:THREAD_ID-02:LSYS_ID-00:RT:[JSF]Normal interest check. regd plugins 45, enabled impl mask 0x0
    Sep 21 13:41:01 13:41:01.639490:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639499:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639516:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639526:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639528:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639530:CID-0:THREAD_ID-02:LSYS_ID-00:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Sep 21 13:41:01 13:41:01.639533:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639535:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639541:CID-0:THREAD_ID-02:LSYS_ID-00:RT:get NULL sess plugin info 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639551:CID-0:THREAD_ID-02:LSYS_ID-00:RT:[JSF]Plugins(0x0, count 0) enabled for session = 6624, impli mask(0x0), post_nat cnt 0 svc req(0x1d20e05)
    Sep 21 13:41:01 13:41:01.639552:CID-0:THREAD_ID-02:LSYS_ID-00:RT:-jsf : no plugin interested for session 6624, free sess plugin info
    Sep 21 13:41:01 13:41:01.639553:CID-0:THREAD_ID-02:LSYS_ID-00:RT:jsf pre int check result 0 0 0 0
    Sep 21 13:41:01 13:41:01.639554:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_service_lookup(): natp(0x2ba5a940): app_id, 0(0).
    Sep 21 13:41:01 13:41:01.639555:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  service lookup identified service 0.
    Sep 21 13:41:01 13:41:01.639555:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_first_final_check: in <ge-0/0/0.0>, out <ge-0/0/1.0>
    Sep 21 13:41:01 13:41:01.639556:CID-0:THREAD_ID-02:LSYS_ID-00:RT:In flow_first_complete_session
    Sep 21 13:41:01 13:41:01.639557:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_first_complete_session, pak_ptr: 0x137e0848, nsp: 0x2ba5a940, in_tunnel: 0x0
    Sep 21 13:41:01 13:41:01.639559:CID-0:THREAD_ID-02:LSYS_ID-00:RT:before copy: nsp vec_list 0x0, nsp2 vec_list 0x200
    Sep 21 13:41:01 13:41:01.639559:CID-0:THREAD_ID-02:LSYS_ID-00:RT:after copy: nsp vec_list 0x200, nsp2 vec_list 0x200
    Sep 21 13:41:01 13:41:01.639560:CID-0:THREAD_ID-02:LSYS_ID-00:RT:construct v4 vector for nsp2 and nsp
    Sep 21 13:41:01 13:41:01.639560:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  existing vector list 0x200-0x7f5fef50.
    Sep 21 13:41:01 13:41:01.639561:CID-0:THREAD_ID-02:LSYS_ID-00:RT:vector index for nsp2: 200
    Sep 21 13:41:01 13:41:01.639561:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  existing vector list 0x200-0x7f5fef50.
    Sep 21 13:41:01 13:41:01.639562:CID-0:THREAD_ID-02:LSYS_ID-00:RT:vector index for nsp: 200
    Sep 21 13:41:01 13:41:01.639562:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  Session (id:6624) created for first pak 200
    Sep 21 13:41:01 13:41:01.639563:CID-0:THREAD_ID-02:LSYS_ID-00:RT:first pak processing successful
    Sep 21 13:41:01 13:41:01.639564:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_first_install_session======> 0x2ba5a940
    Sep 21 13:41:01 13:41:01.639565:CID-0:THREAD_ID-02:LSYS_ID-00:RT: nsp 0x2ba5a940, nsp2 0x2ba5aa00, local_pak 0x137e0848
    Sep 21 13:41:01 13:41:01.639566:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  make_nsp_ready_no_resolve()
    Sep 21 13:41:01 13:41:01.639568:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_ipv4_rt_lkup success 10.239.10.11, iifl 0x48, oifl 0x4a
    Sep 21 13:41:01 13:41:01.639570:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  route lookup: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/2.0  orig-zone 10 out-zone 12 need_clear_fto 0 vsd 0, route_flag: 0x8
    Sep 21 13:41:01 13:41:01.639572:CID-0:THREAD_ID-02:LSYS_ID-00:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    Sep 21 13:41:01 13:41:01.639572:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  route to 10.172.98.6
    Sep 21 13:41:01 13:41:01.639622:CID-0:THREAD_ID-02:LSYS_ID-00:RT:no need update ha
    Sep 21 13:41:01 13:41:01.639624:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow_conn_track_ent_create: connection track on zone 10 not enabled
    Sep 21 13:41:01 13:41:01.639625:CID-0:THREAD_ID-02:LSYS_ID-00:RT:first path session installation succeeded
    Sep 21 13:41:01 13:41:01.639626:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow got session (id 6624).
    Sep 21 13:41:01 13:41:01.639626:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  flow session id 6624
    Sep 21 13:41:01 13:41:01.639629:CID-0:THREAD_ID-02:LSYS_ID-00:RT: vector bits 0x200 vector 0x7f5fef50 for session 6624
    Sep 21 13:41:01 13:41:01.639632:CID-0:THREAD_ID-02:LSYS_ID-00:RT:mbuf 0x70dc7a00, exit nh 0xd0010



    ------------------------------
    OUSMANE NATHA DIARRA
    ------------------------------



  • 8.  RE: SRX PBR (or FBF) for return static routing

    Posted 09-21-2023 12:00

    In the below firewall filter, swap the source and the destination address. Also apply the firewall filter on the interface ge-0/0/1 rather than ge-0/0/0.

    set firewall family inet filter PBF-Filter term 2 from source-address 10.239.10.11/32
    set firewall family inet filter PBF-Filter term 2 from destination-address 10.172.19.90/32
    set firewall family inet filter PBF-Filter term 2 then routing-instance PBF-Instance
    set firewall family inet filter PBF-Filter term 3 then accept



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 9.  RE: SRX PBR (or FBF) for return static routing

    Posted 09-24-2023 10:03

    Hi,

    I made the change, but it is still not working.

    set firewall family inet filter PBF-Filter term 1 from source-address 10.239.10.11/32
    set firewall family inet filter PBF-Filter term 1 from destination-address 10.172.19.90/32
    set firewall family inet filter PBF-Filter term 1 then routing-instance PBF-Instance

    set firewall family inet filter PBF-Filter term 2 from source-address 10.172.19.90/32
    set firewall family inet filter PBF-Filter term 2 from destination-address 10.239.10.11/32
    set firewall family inet filter PBF-Filter term 2 then routing-instance PBF-Instance
    set firewall family inet filter PBF-Filter term 3 then accept

    set interfaces ge-0/0/1 unit 0 family inet filter input PBF-Filter

    Traceroute from client-int to 10.172.19.90 ---> NOK

    traceroute to client-int 10.239.10.11 (client-int) ---> OK

    In the log file, the return packet is still being dropped on the SRX. The packet is taking interface g0/0/2 (10.172.98.6) instead of g0/0/0 (10.172.99.2).

    Sep 24 12:54:22 12:54:21.494548:CID-0:THREAD_ID-02:LSYS_ID-00:RT:flow_ipv4_rt_lkup success 10.239.10.11, iifl 0x47, oifl 0x49
    Sep 24 12:54:22 12:54:21.494549:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  route lookup: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/2.0  orig-zone 9 out-zone 11 need_clear_fto 0 vsd 0, route_flag: 0x8
    Sep 24 12:54:22 12:54:21.494550:CID-0:THREAD_ID-02:LSYS_ID-00:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    Sep 24 12:54:22 12:54:21.494550:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  route to 10.172.98.6

    The log of the dropped packet:

    Sep 24 12:54:26 12:54:26.498560:CID-0:THREAD_ID-01:LSYS_ID-00:RT:~~~FLOW <10.172.19.90/1->10.239.10.11/1;1,0x0> matched filter p1(0) of root-logical-system for iif ge-0/0/1.0:
    Sep 24 12:54:26 12:54:26.498564:CID-0:THREAD_ID-01:LSYS_ID-00:RT:   packet [88] ipid = 41615, @0x9e78b9ce
    Sep 24 12:54:26 12:54:26.498566:CID-0:THREAD_ID-01:LSYS_ID-00:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x71249a00, rtbl_idx = 5
    Sep 24 12:54:26 12:54:26.498568:CID-0:THREAD_ID-01:LSYS_ID-00:RT: flow process pak fast ifl 72 in_ifp ge-0/0/1.0
    Sep 24 12:54:26 12:54:26.498570:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  ge-0/0/1.0:10.172.19.90->10.239.10.11, icmp, (3/3)
    Sep 24 12:54:26 12:54:26.498573:CID-0:THREAD_ID-01:LSYS_ID-00:RT: find flow: table 0x2a740100, hash 50144(0xffff), sa 10.172.19.90, da 10.239.10.11, sp 33453, dp 60583, proto 17, tok 10, conn-tag 0x00000000, vrf-grp-id 0
    Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:Found: session id 8420. sess tok 10
    Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:flow_find_session: This an Embedded ICMP pkt
    Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  flow got session (id 8420).
    Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  flow session id 8420
    Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:flow_ipv4_rt_lkup success 10.239.10.11, iifl 0x47, oifl 0x49
    Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  route lookup failed: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/2.0 fto 0x7f5ff640 orig-zone 9 out-zone 11 vsd 0 orig vrf-id 0 out vrf-id 0 orig vrf-grp-id 0 out vrf-grp-id 0
    Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  readjust timeout to 30s
    Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  packet dropped,   pak dropped since re-route failed

    Best Regards



    ------------------------------
    OUSMANE NATHA DIARRA
    ------------------------------
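
A small parser for the flow-trace lines quoted in this thread, as an added example that is not part of any post: it flags route lookups whose `out-zone` differs from `orig-zone` and attaches the reject or drop marker logged afterwards on the same thread. The function name and the reading of the `orig`/`output` fields are assumptions; the last sample line is constructed.

```python
import re

# Route-lookup line from the flow trace. Assumed reading of the fields: "orig" is the
# interface/zone the session arrived on, "output" is where the return route points.
LOOKUP = re.compile(
    r"THREAD_ID-(?P<thread>\d+):.*?route lookup(?: failed)?: dest-ip (?P<dest>\S+) "
    r"orig ifp (?P<orig_if>\S+) output_ifp (?P<out_if>\S+)"
    r".*?orig-zone (?P<orig_zone>\d+) out-zone (?P<out_zone>\d+)")
THREAD = re.compile(r"THREAD_ID-(\d+):")
OUTCOMES = ("zone mismatch", "re-route failed")  # markers copied from the trace

def find_asymmetric_returns(lines):
    """One finding per route lookup whose out-zone differs from orig-zone,
    with the reject/drop markers logged later on the same thread."""
    findings, open_by_thread = [], {}
    for line in lines:
        m = LOOKUP.search(line)
        if m:
            open_by_thread.pop(m["thread"], None)  # a new lookup closes the old one
            if m["orig_zone"] != m["out_zone"]:
                finding = {**m.groupdict(), "outcomes": []}
                findings.append(finding)
                open_by_thread[m["thread"]] = finding
            continue
        t = THREAD.search(line)
        if t and t[1] in open_by_thread:
            open_by_thread[t[1]]["outcomes"] += [o for o in OUTCOMES if o in line]
    return findings

# Lines 1-5 are copied from the trace in the post above; line 6 is constructed
# (return route leaves through the ingress zone) as a negative control.
SAMPLE = """\
Sep 24 12:54:22 12:54:21.494549:CID-0:THREAD_ID-02:LSYS_ID-00:RT:  route lookup: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/2.0  orig-zone 9 out-zone 11 need_clear_fto 0 vsd 0, route_flag: 0x8
Sep 24 12:54:22 12:54:21.494550:CID-0:THREAD_ID-02:LSYS_ID-00:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  route lookup failed: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/2.0 fto 0x7f5ff640 orig-zone 9 out-zone 11 vsd 0 orig vrf-id 0 out vrf-id 0 orig vrf-grp-id 0 out vrf-grp-id 0
Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  readjust timeout to 30s
Sep 24 12:54:26 12:54:26.498574:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  packet dropped,   pak dropped since re-route failed
Sep 24 12:54:30 12:54:30.000001:CID-0:THREAD_ID-01:LSYS_ID-00:RT:  route lookup: dest-ip 10.239.10.11 orig ifp ge-0/0/0.0 output_ifp ge-0/0/0.0  orig-zone 9 out-zone 9 need_clear_fto 0 vsd 0, route_flag: 0x8
""".splitlines()

if __name__ == "__main__":
    for f in find_asymmetric_returns(SAMPLE):
        print(f"{f['dest']}: in {f['orig_if']} (zone {f['orig_zone']}), return via "
              f"{f['out_if']} (zone {f['out_zone']}) -> {f['outcomes'] or 'no drop logged'}")
```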



  • 10.  RE: SRX PBR (or FBF) for return static routing
    Best Answer

    Posted 09-25-2023 13:50
    Edited by OUSMANE NATHA DIARRA 09-26-2023 18:42

    If the session is initiated by 10.172.19.90, this solution should work.

    This solution should also have worked had it been applied on an MX instead of SRX.

    If the session is initiated by 10.239.10.11, then please try applying the following filter on the input of ge-0/0/0.0:

    set firewall family inet filter <filter_name> term 1 from source-address 10.239.10.11/32
    set firewall family inet filter <filter_name> term 1 from destination-address 10.172.19.90/32
    set firewall family inet filter <filter_name> term 1 then packet-mode
    set firewall family inet filter <filter_name> term 2 then accept

    This will set the SRX selectively in the packet mode from its default flow mode.

    Regards



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 11.  RE: SRX PBR (or FBF) for return static routing

    Posted 09-26-2023 18:24

    Hello Sheetanshu,

    It works perfectly now!!! Thanks a lot.

    Below are the results:




    ------------------------------
    OUSMANE NATHA DIARRA
    ------------------------------