SRX

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about the SRX Series.
  • 1.  SRX340 - SecureConnect on non ingress interface

    Posted 10-18-2022 15:47
    Hello Community,
    Here's the scenario:

    SRX340 connected to the Internet via PPPoE over GPON.
    PPPoE obtains in IPv4 address from a pool of /29, which is routed towards the SRX.
    I can easily use all of the /29 IPv4 addresses for example for NAT, no problems.
    lo0 interface is currently used for management purposes + GRE tunnels termination.
    All works well since years.

    Now I'm trying to set up an RA VPN using SecureConnect.

    The thing is, the ISP is blocking ingress traffic from the Internet over 443/TCP to the IPv4 address SRX obtains from PPPoE.
    No filtering for other addresses.
    ISP is not eager to lift this filtering.

    Is it possible to configure SecureConnect to use other interface than pp0.0, for example a subinterface of a LACP L3 LAG, which will be up as long as the LAN is up?
    I'm asking because I've tried to configure a public IPv4 on such subinterface, it was in the same zone as pp0.0 and a security policy was permitting the traffic.
    On both interfaces i've enabled ike, tcp-encap and https.
    Unfortunately all I get is a timeout on a secureconnect client.
    Wireshark run on a client shows only TCP SYN packets being sent without any response.
    Policy logging shows only timeouts (RT_FLOW_SESSION_CLOSE: session closed idle Timeout)
    tranceoptions for tcp-encap and remote-access shows nothing.

    Any ideas how this can be approached?

    Best Regards,
    dknt


  • 2.  RE: SRX340 - SecureConnect on non ingress interface

    Posted 10-27-2022 16:31
    I did some more digging into this and did a flow traceoptions.
    Client IP is 2.2.2.2
    SRX IP in non ingress interface is 1.1.1.1
    pp0.0 is an ingress interface and ae0.1101 is a dummy interface in an Internet security zone with an ip of 1.1.1.1/32.

    What I can see is:

    1.  443/tcp destined packet arrives on pp0.0 and is permitted (session 1).
    2. SRX figures out the destination IP is on a local interface and creates a second session (session 2)
    3. Session 2 is also permitted
    4.  SRX wants to combine the two sessions (Internet -> Internet + Internet -> local) but throws out an error and drops the packet

    Oct 27 17:28:17 17:28:17.321469:CID-0:RT:~~~FLOW <1.1.1.1/46110->2.2.2.2/443;6,0x0> matched filter pf1(0) of root-logical-system for iif pp0.0:
    Oct 27 17:28:17 17:28:17.321469:CID-0:RT: packet [52] ipid = 6460, @0x5ecb0126
    Oct 27 17:28:17 17:28:17.321469:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x5ecaff00, rtbl_idx = 0
    Oct 27 17:28:17 17:28:17.321469:CID-0:RT: flow process pak fast ifl 91 in_ifp pp0.0
    Oct 27 17:28:17 17:28:17.321469:CID-0:RT: pp0.0:1.1.1.1/46110->2.2.2.2/443, tcp, flag 2 syn
    Oct 27 17:28:17 17:28:17.321469:CID-0:RT: find flow: table 0x61a4ca8, hash 35360(0xffff), sa 1.1.1.1, da 2.2.2.2, sp 46110, dp 443, proto 6, tok 7, conn-tag 0x00000000, vrf-grp-id 0
    Oct 27 17:28:17 17:28:17.321626:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Oct 27 17:28:17 17:28:17.321626:CID-0:RT: flow_first_create_session
    Oct 27 17:28:17 17:28:17.321626:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!
    Oct 27 17:28:17 17:28:17.321626:CID-0:RT:First path alloc and instl pending session, natp=0x159e05b8, id=115964429191
    Oct 27 17:28:17 17:28:17.321626:CID-0:RT: flow_first_in_dst_nat: in <pp0.0>, out <N/A> dst_adr 2.2.2.2, sp 46110, dp 443
    Oct 27 17:28:17 17:28:17.321626:CID-0:RT: chose interface pp0.0 as incoming nat if.
    Oct 27 17:28:17 17:28:17.321700:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 2.2.2.2(443)
    Oct 27 17:28:17 17:28:17.321700:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(2)
    Oct 27 17:28:17 17:28:17.321700:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 115964429191 implicit mask(0x0), service request(0x0)
    Oct 27 17:28:17 17:28:17.321700:CID-0:RT:-jsf : no plugin ingress interested for session 115964429191
    Oct 27 17:28:17 17:28:17.321700:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 1.1.1.1, x_dst_ip 2.2.2.2, in ifp pp0.0, out ifp N/A sp 46110, dp 443, ip_proto 6, tos 0
    Oct 27 17:28:17 17:28:17.321770:CID-0:RT:Doing DESTINATION addr route-lookup
    Oct 27 17:28:17 17:28:17.321770:CID-0:RT:flow_ipv4_rt_lkup success 2.2.2.2, iifl 0x5b, oifl 0x0
    Oct 27 17:28:17 17:28:17.321770:CID-0:RT:flow_first_routing: setting out_vrf_id in lpak to 0, grp 0
    Oct 27 17:28:17 17:28:17.321770:CID-0:RT:Changing out-ifp from .local..0 to ae0.1101 for dst: 2.2.2.2 in vr_id:0
    Oct 27 17:28:17 17:28:17.321770:CID-0:RT: routed (x_dst_ip 2.2.2.2) from Internet (pp0.0 in 0) to ae0.1101, Next-hop: 2.2.2.2
    Oct 27 17:28:17 17:28:17.321827:CID-0:RT:Policy lkup: vsys 0 zone(7:Internet) -> zone(7:Internet) scope:0
    src vrf (0) dsv vrf (0) scope:0
    Oct 27 17:28:17 17:28:17.321827:CID-0:RT: 1.1.1.1/46110 -> 2.2.2.2/443 proto 6
    Oct 27 17:28:17 17:28:17.321827:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone Internet (0x0,0xb41e01bb,0x1bb), result: 0x24949a20, pending: 0?
    Oct 27 17:28:17 17:28:17.321827:CID-0:RT:flow_first_policy_search: dynapp_none_policy: TRUE, uc_none_policy: TRUE, is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
    Oct 27 17:28:17 17:28:17.321827:CID-0:RT: app 58, timeout 1800s, curr ageout 20s
    Oct 27 17:28:17 17:28:17.321827:CID-0:RT: permitted by policy TEST_SecureConnect(142)
    Oct 27 17:28:17 17:28:17.321827:CID-0:RT: packet passed, Permitted by policy.
    Oct 27 17:28:17 17:28:17.321934:CID-0:RT:flow_first_policy_search:policy explicit matched or jdpi final matched, set session with dynamic_appid 0
    Oct 27 17:28:17 17:28:17.321934:CID-0:RT:flow_first_policy_search: Policy final match
    Oct 27 17:28:17 17:28:17.321934:CID-0:RT: flow_conn_track_ent_lookup: zone connection track 0x7
    Oct 27 17:28:17 17:28:17.321950:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
    Oct 27 17:28:17 17:28:17.321950:CID-0:RT:flow_first_src_xlate: incoming src port is : 46110.
    Oct 27 17:28:17 17:28:17.321950:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False, nat_eim: False.
    Oct 27 17:28:17 17:28:17.321950:CID-0:RT: dip id = 0/0, 1.1.1.1/46110->1.1.1.1/46110 protocol 0
    Oct 27 17:28:17 17:28:17.321950:CID-0:RT: choose interface ae0.1101(P2P) as outgoing phy if
    Oct 27 17:28:17 17:28:17.321950:CID-0:RT:is_loop_pak: Found loop on ifp ae0.1101, addr: 2.2.2.2, rtt_idx: 0 addr_type:0x2.
    Oct 27 17:28:17 17:28:17.322007:CID-0:RT:flow_first_loopback_check: Setting interface: ae0.1101 as loop ifp.
    Oct 27 17:28:17 17:28:17.322018:CID-0:RT:[JSF]Normal interest check. regd plugins 44, enabled impl mask 0x0
    Oct 27 17:28:17 17:28:17.322018:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322070:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322070:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 115964429191, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:-jsf : no plugin interested for session 115964429191, free sess plugin info
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:jsf pre int check result 0 0 0 0
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: service lookup identified service 58.
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: flow_first_final_check: in <pp0.0>, out <ae0.1101>
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:In flow_first_complete_session
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_first_complete_session, pak_ptr: 0x22c9110, nsp: 0x159e05b8, in_tunnel: 0x0
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:before copy: nsp vec_list 0x0, nsp2 vec_list 0x2
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:after copy: nsp vec_list 0x2, nsp2 vec_list 0x2
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:construct v4 vector for nsp2 and nsp
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: existing vector list 0x2-0x68614610.
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:vector index for nsp2: 2
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: existing vector list 0x2-0x68614610.
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:vector index for nsp: 2
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: Session (id:115964429191) created for first pak 2
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:first pak processing successful
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: flow_first_install_session======> 0x159e05b8
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: nsp 0x159e05b8, nsp2 0x159e0658, local_pak 0x22c9110
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_proc_loop_back:In loopback session processing
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:duplicate_local_pak: duplicated pak has zone: Unknown, ifp: none, vsys: root-logical-system, 1.1.1.1->2.2.2.2, lports b41e01bb, tlen 52
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_xlate_pak
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: post addr xlation: 1.1.1.1->2.2.2.2.
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:proc_loopback_common: Found loop if ae0.1101
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:check self-traffic on ae0.1101, in_tunnel 0x0 dp 443
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:retcode: 0x604
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:pak_for_self : proto 6, dst port 443, action 0x4
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: flow_first_create_session
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:Loopback first path alloc pending session, natp=0x15c27918, id=115964433120
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: flow_first_in_dst_nat: in <ae0.1101>, out <N/A> dst_adr 2.2.2.2, sp 46110, dp 443
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: chose interface ae0.1101 as incoming nat if.
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 2.2.2.2(443)
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(2)
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 115964433120 implicit mask(0x0), service request(0x0)
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:-jsf : no plugin ingress interested for session 115964433120
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 1.1.1.1, x_dst_ip 2.2.2.2, in ifp ae0.1101, out ifp N/A sp 46110, dp 443, ip_proto 6, tos 0
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:Doing DESTINATION addr route-lookup
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_ipv4_rt_lkup success 2.2.2.2, iifl 0x7e, oifl 0x0
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_first_routing: setting out_vrf_id in lpak to 0, grp 0
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: routed (x_dst_ip 2.2.2.2) from Internet (ae0.1101 in 0) to .local..0, Next-hop: 2.2.2.2
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:Policy lkup: vsys 0 zone(7:Internet) -> zone(2:junos-host) scope:0
    src vrf (0) dsv vrf (0) scope:0
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: 1.1.1.1/46110 -> 2.2.2.2/443 proto 6
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0
    src vrf (0) dsv vrf (0) scope:443
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: 1.1.1.1/46110 -> 2.2.2.2/443 proto 6
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone junos-host (0x0,0xb41e01bb,0x1bb), result: 0x59ce7a0, pending: 0?
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_first_policy_search: dynapp_none_policy: TRUE, uc_none_policy: TRUE, is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: app 58, timeout 1800s, curr ageout 20s
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: permitted by policy self-traffic-policy(1)
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT: packet passed, Permitted by policy.
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_first_policy_search:policy explicit matched or jdpi final matched, set session with dynamic_appid 0
    Oct 27 17:28:17 17:28:17.322123:CID-0:RT:flow_first_policy_search: Policy final match
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: flow_conn_track_ent_lookup: zone connection track 0x2
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:flow_first_src_xlate: incoming src port is : 46110.
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False, nat_eim: False.
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: dip id = 0/0, 1.1.1.1/46110->1.1.1.1/46110 protocol 0
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: choose interface .local..0(P2P) as outgoing phy if
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:is_loop_pak: No loop: ifp doesnt match .local..0 vs looked-up: ae0.1101, addr: 2.2.2.2, rtt_idx: 0, addr_type:0x2
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:[JSF]Normal interest check. regd plugins 44, enabled impl mask 0x0
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:get NULL sess plugin info 0x15c27918
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:-jsf : Alloc sess plugin info for session in cookie 115964433120
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: Allocating plugin info block for plugin(43)
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: Allocating plugin info block for plugin(23)
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: Allocating plugin info block for plugin(25)
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: Allocating plugin info block for plugin(44)
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: Allocating plugin info block for plugin(55)
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:[JSF]Plugins(0x80180002800000, count 5) enabled for session = 115964433120, impli mask(0xf), post_nat cnt 13 svc req(0x0)
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:[JSF]c2s order list:
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 23/junos-tcp-svr-emul
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 25/junos-ssl-term
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 43/junos-remote-access-gw
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 44/junos-ssl-init
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 55/junos-tcp-clt-emul
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:[JSF]s2c order list:
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 55/junos-tcp-clt-emul
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 44/junos-ssl-init
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 43/junos-remote-access-gw
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 25/junos-ssl-term
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: 23/junos-tcp-svr-emul
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: service lookup identified service 58.
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: flow_first_final_check: in <ae0.1101>, out <.local..0>
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:natp(0x15c27918): no tcp sequence check(0x00000000) as 0x00000000/0x00010000.
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:In flow_first_complete_session
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:flow_first_complete_session, pak_ptr: 0x2716080, nsp: 0x15c27918, in_tunnel: 0x0
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:before copy: nsp vec_list 0x8080, nsp2 vec_list 0x8802
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:after copy: nsp vec_list 0x8082, nsp2 vec_list 0x8802
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:construct v4 vector for nsp2 and nsp
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: existing vector list 0x8802-0x6881c600.
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:vector index for nsp2: 8802
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: existing vector list 0x8082-0x6881c660.
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:vector index for nsp: 8082
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT: Session (id:115964433120) created for first pak 8082
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:combine_loopback_session:Ready to merge loop sessions: 115964429191 & 115964433120
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:combine_loopback_session:First session:
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:nsp:0x159e05b8, 1.1.1.1/46110 -> 2.2.2.2/443:6, If: pp0.0, nsp-flag: 0x21 tok: 0x7, nh:0x0
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:nsp:0x159e0658, 2.2.2.2/443 -> 1.1.1.1/46110:6, If: ae0.1101, nsp-flag: 0x18 tok: 0x7, nh:0xfffb0006
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:combine_loopback_session:Second session:
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:nsp:0x15c27918, 1.1.1.1/46110 -> 2.2.2.2/443:6, If: ae0.1101, nsp-flag: 0x2601 tok: 0x7, nh:0x0
    Oct 27 17:28:17 17:28:17.322619:CID-0:RT:nsp:0x15c279b8, 2.2.2.2/443 -> 1.1.1.1/46110:6, If: .local..0, nsp-flag: 0x2610 tok: 0x2, nh:0xfffb0006
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT:combine_loopback_session: Error ! : the session jsf_plugin_info 0x0 in natp mismatch 0x187790c0 in new_natp
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT:flow_first_install_session: Loopback session processing aborted
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT:get NULL sess plugin info 0x159e05b8
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT: Error : parameter wrong natp 0x0, plugin_id 10
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT:first path session installation failed
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT: flow find session returns error.
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT:flow_proc_rc: -1.
    Oct 27 17:28:17 17:28:17.323115:CID-0:RT: ---- flow_process_pkt rc 0x7 (fp rc -1)