"debug flow basic" does not reference policy id responsible for dropped packets

Article ID: KB10481   KB Last Updated: 25 Jun 2010   Version: 4.0
Summary:
"debug flow basic" on firewalls may show "packet dropped, denied by policy", but there is no mention of the policy responsible for the dropped packet.
Symptoms:
It is difficult to troubleshoot issues without a reference to the policy responsible for the dropped packets, especially if the firewall has many policies configured.

In this example, no policy id is referenced for the dropped packet:

****** 804606.0: <Trust/bgroup0> packet received [60]******
  ipid = 1278(04fe), @036eb730
  packet passed sanity check.
  bgroup0:192.168.1.33/49154->5.5.5.5/1280,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  chose interface bgroup0 as incoming nat if.
  flow_first_routing: in <bgroup0>, out <N/A>
  search route to (bgroup0, 192.168.1.33->5.5.5.5) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 42.route 5.5.5.5->172.24.28.1, to ethernet0/0
  routed (x_dst_ip 5.5.5.5) from bgroup0 (bgroup0 in 0) to ethernet0/0
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 5.5.5.5, port 34905, proto 1)
  No SW RPC rule match, search HW rule
  packet dropped, denied by policy



Conversely, "debug flow basic" output for permitted packets does reference the appropriate policy id:

****** 804687.0: <Trust/bgroup0> packet received [60]******
  ipid = 1643(066b), @0376bf30
  packet passed sanity check.
  bgroup0:192.168.1.33/50178->5.5.5.5/1280,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  chose interface bgroup0 as incoming nat if.
  flow_first_routing: in <bgroup0>, out <N/A>
  search route to (bgroup0, 192.168.1.33->5.5.5.5) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 42.route 5.5.5.5->172.24.28.1, to ethernet0/0
  routed (x_dst_ip 5.5.5.5) from bgroup0 (bgroup0 in 0) to ethernet0/0
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 5.5.5.5, port 33881, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 2
  choose interface ethernet0/0 as outgoing phy if
  no loop on ifp ethernet0/0.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <bgroup0>, out <ethernet0/0>
  existing vector list 1-71e3154.
  Session (id:15910) created for first pak 1
  flow_first_install_session======>
  route to 172.24.28.1
  arp entry found for 172.24.28.1
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 10800800, tunnel ffffffff, rc 1
  outgoing wing prepared, ready
  handle cleartext reverse route
  search route to (ethernet0/0, 5.5.5.5->192.168.1.33) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
  [ Dest] 5.route 192.168.1.33->192.168.1.33, to bgroup0
  route to 192.168.1.33
  arp entry found for 192.168.1.33
  ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 15910
  post addr xlation: 172.24.28.177->5.5.5.5.
 flow_send_vector_, vid = 0, is_layer2_if=0

Solution:
ScreenOS 6.1 has been enhanced to reference the "policy id" when a packet is denied by policy, and will have the following format:
          policy id (xxx)
          packet dropped, denied by policy



With ScreenOS 6.0 and below, a workaround is to enable logging on the policy that you suspect the packet is hitting. Then rerun the test and review 'debug flow basic': the policy ID is reported in a "log this session (pid=N)" line if the packet matched the policy on which logging was enabled.

****** 1732254.0: <Trust/trust> packet received [48]******
ipid = 28292(6e84), @02847e70
packet passed sanity check.
trust:192.168.1.33/4778->5.5.5.5/23,6<Root>
no session found
flow_first_sanity_check: in <trust>, out <N/A>
chose interface trust as incoming nat if.
flow_first_routing: in <trust>, out <N/A>
search route to (trust, 192.168.1.33->5.5.5.5) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 47.route 5.5.5.5->172.24.28.1, to untrust
routed (x_dst_ip 5.5.5.5) from trust (trust in 0) to untrust
policy search from zone 2-> zone 1
policy_flow_search  policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 5.5.5.5, port 23, proto 6)
No SW RPC rule match, search HW rule
log this session (pid=2)
packet dropped, denied by policy
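The three record shapes shown in this article (a 6.0-style drop with no policy id, a permit with "Permitted by policy N", and a drop attributed via the logging workaround's "log this session (pid=N)" line, plus the 6.1 "policy id (xxx)" form) can be pulled out of a captured debug buffer with a small parser. The following is an added example, not Juniper code; the sample debug text is constructed from the records on this page and the regexes assume the line formats shown here.

```python
import re

# Constructed sample: a drop without policy id, a permit, and a drop with the
# logging workaround's pid line, trimmed to the lines the parser cares about.
SAMPLE_DEBUG = """\
****** 804606.0: <Trust/bgroup0> packet received [60]******
  bgroup0:192.168.1.33/49154->5.5.5.5/1280,1(8/0)<Root>
  policy search from zone 2-> zone 1
  packet dropped, denied by policy
****** 804687.0: <Trust/bgroup0> packet received [60]******
  bgroup0:192.168.1.33/50178->5.5.5.5/1280,1(8/0)<Root>
  Permitted by policy 2
  Session (id:15910) created for first pak 1
****** 1732254.0: <Trust/trust> packet received [48]******
trust:192.168.1.33/4778->5.5.5.5/23,6<Root>
log this session (pid=2)
packet dropped, denied by policy
"""

HEADER = re.compile(r"^\*{6} (?P<ts>[\d.]+): <(?P<zone>[^/]+)/(?P<ifp>[^>]+)> packet received")
FLOW = re.compile(r"^(?P<ifp>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
PERMIT = re.compile(r"^Permitted by policy (?P<pid>\d+)")
POLICY_ID = re.compile(r"^policy id \((?P<pid>\d+)\)")            # ScreenOS 6.1 drop format
LOGGED = re.compile(r"^log this session \(pid=(?P<pid>\d+)\)")   # 6.0 logging workaround
DROP = "packet dropped, denied by policy"

def parse_debug_flow(text):
    """Split 'debug flow basic' output into per-packet records with verdict and policy id."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a new packet starts; everything until the next header belongs to it
            records.append({"ts": m["ts"], "in_zone": m["zone"], "flow": None,
                            "verdict": None, "policy_id": None})
            continue
        if not records:
            continue
        rec = records[-1]
        m = FLOW.match(line)
        if m:
            rec["flow"] = f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']}/{m['proto']}"
            continue
        for pat in (PERMIT, POLICY_ID, LOGGED):  # any of the three forms names the policy
            m = pat.match(line)
            if m:
                rec["policy_id"] = int(m["pid"])
        if PERMIT.match(line):
            rec["verdict"] = "permit"
        elif line == DROP:
            rec["verdict"] = "drop"
    return records

def unattributed_drops(records):
    """Drops with no policy id: the 6.0-and-below blind spot this article describes."""
    return [r for r in records if r["verdict"] == "drop" and r["policy_id"] is None]
```

Records returned by `unattributed_drops` are the flows for which the logging workaround (or an upgrade to 6.1) is still needed before the responsible policy can be named.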