
In which scenarios will there be a MAC address 000000000000 and route id 0 in the session table?


Article ID: KB14328 | Last Updated: 10 Jun 2009 | Version: 1.0
Summary:
'Route id 0' means that the source IP address of the session does not match any route in the firewall's routing table.
The information below explains, with examples, in which cases the MAC address of a session is 000000000000 and the route id is 0 in the session table.
Symptoms:

Solution:

Topology

PC1 --------------------(NAT mode) Firewall -------------------- Router -------------------- Internet
.2        20.1.1.0/24  .1                                    .2   10.1.1.0/24   .1

Case 1 - Send packet to unknown host at 10.1.1.0/24 subnet

"hping 10.1.1.5 -S --rand-source" is sent to the unknown host 10.1.1.5 (it does not exist on the 10.1.1.0/24 subnet).

Firewall-> get route
--------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
* 7 10.1.1.2/32 eth2/1 0.0.0.0 H 0 0 Root
* 9 20.1.1.1/32 eth2/2 0.0.0.0 H 0 0 Root
* 30 30.1.1.0/24 eth2/1 10.1.1.1 S 20 1 Root
* 8 20.1.1.0/24 eth2/2 0.0.0.0 C 0 0 Root
* 6 10.1.1.0/24 eth2/1 0.0.0.0 C 0 0 Root

Firewall-> get session
id 500039/s0*,vsys 0,flag 08200400/0000/0003,policy 1,time 1, dip 2 module 0
if 22(nspflag 0801):32.254.13.203/2669->10.1.1.5/0,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 0,wsf 0
if 21(nspflag 10000800):10.1.1.2/1739<-10.1.1.5/0,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 6,wsf 0
  1. For session wing1, the source IP address (32.254.13.203) is random and there is no reverse route for it in the route table, so the route id is 0. If "set arp always-on-dest" is configured, the firewall does not cache the source MAC in the session table, so the source MAC shows 000000000000.
  2. For session wing2, the firewall is running in NAT mode and 10.1.1.2 is the destination IP address for traffic from 10.1.1.5 (the unknown host). From the firewall, the reverse route for 10.1.1.5 is 10.1.1.0/24 (route id 6), but the firewall does not know the MAC address of 10.1.1.5, so the source MAC of 10.1.1.5 is 000000000000.

Case 2 - send packet to unknown host at 30.1.1.0/24 subnet

"hping 30.1.1.5 -S --rand-source" is sent to the unknown host 30.1.1.5. The next hop for the 30.1.1.0/24 network is 10.1.1.1.

Firewall-> get route
--------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
* 7 10.1.1.2/32 eth2/1 0.0.0.0 H 0 0 Root
* 9 20.1.1.1/32 eth2/2 0.0.0.0 H 0 0 Root
* 30 30.1.1.0/24 eth2/1 10.1.1.1 S 20 1 Root
* 8 20.1.1.0/24 eth2/2 0.0.0.0 C 0 0 Root
* 6 10.1.1.0/24 eth2/1 0.0.0.0 C 0 0 Root

Firewall-> get session
id 500041/s0*,vsys 0,flag 08200400/0000/0003,policy 1,time 2, dip 2 module 0
if 22(nspflag 0801):163.160.143.148/1597->30.1.1.5/0,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 0,wsf 0
if 21(nspflag 10800800):10.1.1.2/1881<-30.1.1.5/0,6,001143eccf24,sess token 6,vlan 0,tun 0,vsd 0,route 30,wsf 0


  1. For session wing1, the source IP address (163.160.143.148) is random and there is no reverse route for it in the route table, so the route id is 0. If "set arp always-on-dest" is configured, the firewall does not cache the source MAC in the session table, so the source MAC shows 000000000000.
  2. For session wing2, the firewall is running in NAT mode and 10.1.1.2 is the destination IP address for traffic from 30.1.1.5 (the unknown host). From the firewall, the reverse route for 30.1.1.5 is 30.1.1.0/24 (route id 30), and the firewall knows the MAC address for 30.1.1.5 because it is learned from the Router, so the source MAC is the Router's MAC, 001143eccf24.
  3. If the route for 30.1.1.0/24 is deleted, session wing2 changes: there is no longer a reverse route for 30.1.1.5, so the firewall uses route id 0, and since the firewall did not get an ARP reply when session wing1 was created, the MAC is 000000000000.

    id 500039/s0*,vsys 0,flag 08200400/0000/0003,policy 1,time 2, dip 2 module 0
    if 22(nspflag 0801):2.142.231.48/1631->30.1.1.5/0,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 0,wsf 0
    if 21(nspflag 10004800):10.1.1.2/1912<-30.1.1.5/0,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 0,wsf 0

Case 3 - firewall has a default gateway

"hping 10.1.1.5 -S --rand-source" is sent to the unknown host 10.1.1.5 (it does not exist on the 10.1.1.0/24 subnet).

Firewall-> get route
--------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
* 31 0.0.0.0/0 eth2/2 20.1.1.2 S 20 1 Root
* 7 10.1.1.2/32 eth2/1 0.0.0.0 H 0 0 Root
* 9 20.1.1.1/32 eth2/2 0.0.0.0 H 0 0 Root
* 8 20.1.1.0/24 eth2/2 0.0.0.0 C 0 0 Root
* 6 10.1.1.0/24 eth2/1 0.0.0.0 C 0 0 Root

Firewall-> get session
id 500039/s0*,vsys 0,flag 08200400/0000/0003,policy 1,time 2, dip 2 module 0
if 22(nspflag 800801):79.181.84.42/2505->10.1.1.5/0,6,0015177ad236,sess token 4,vlan 0,tun 0,vsd 0,route 31,wsf 0
if 21(nspflag 10000800):10.1.1.2/1938<-10.1.1.5/0,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 6,wsf 0


  1. For session wing1, the source IP address (79.181.84.42) is random, but there is a reverse route for it in the route table (the default route, route id 31). If "set arp always-on-dest" is not configured, the firewall caches the source MAC in the session table, so the source MAC shows 0015177ad236, the MAC of PC1.
  2. For session wing2, the firewall is running in NAT mode and 10.1.1.2 is the destination IP address for traffic from 10.1.1.5 (the unknown host). From the firewall, the reverse route for 10.1.1.5 is 10.1.1.0/24 (route id 6), but the firewall does not know the MAC address of 10.1.1.5, so the source MAC is 000000000000.
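As an added example (not part of this KB article or of ScreenOS), the following Python script parses the "if ..." wing lines of a "get session" dump, as shown in the three cases above, and reports per wing the two conditions this article explains: route 0 (no route matches the host sending in that direction) and MAC 000000000000 (its source MAC was not cached). The sample lines are copied from Cases 1 and 3; the field layout is assumed from those lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: wing lines copied from the Case 1 and Case 3 "get session" output above.
SAMPLE = """\
id 500039/s0*,vsys 0,flag 08200400/0000/0003,policy 1,time 1, dip 2 module 0
if 22(nspflag 0801):32.254.13.203/2669->10.1.1.5/0,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 0,wsf 0
if 21(nspflag 10000800):10.1.1.2/1739<-10.1.1.5/0,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 6,wsf 0
if 22(nspflag 800801):79.181.84.42/2505->10.1.1.5/0,6,0015177ad236,sess token 4,vlan 0,tun 0,vsd 0,route 31,wsf 0
"""

# Assumed wing layout: "if <idx>(nspflag <hex>):<left>/<port><dir><right>/<port>,<proto>,<mac>,...,route <id>,..."
WING_RE = re.compile(
    r"^if (?P<ifidx>\d+)\(nspflag [0-9a-f]+\):"
    r"(?P<left>[\d.]+)/\d+(?P<dir>->|<-)(?P<right>[\d.]+)/\d+,"
    r"(?P<proto>\d+),(?P<mac>[0-9a-f]{12}),.*?route (?P<route>\d+)"
)

@dataclass
class Wing:
    ifidx: int
    origin: str   # host that sends packets in this wing's direction
    mac: str      # source MAC cached for that host
    route: int    # route id matched for that host (0 = no matching route)

    def findings(self) -> List[str]:
        notes = []
        if self.route == 0:
            notes.append("route 0: no route in the table matches %s" % self.origin)
        if self.mac == "000000000000":
            notes.append("MAC 000000000000: source MAC of %s was not cached" % self.origin)
        return notes

def parse_wings(text: str) -> List[Wing]:
    wings = []
    for line in text.splitlines():
        m = WING_RE.match(line.strip())
        if m:
            # For "->" the left host originates the wing; for "<-" the right host does.
            origin = m["left"] if m["dir"] == "->" else m["right"]
            wings.append(Wing(int(m["ifidx"]), origin, m["mac"], int(m["route"])))
    return wings

def audit(text: str) -> Dict[str, List[str]]:
    """Return {'<ifidx>:<origin>': [anomalies]} for every wing in a get session dump."""
    return {"%d:%s" % (w.ifidx, w.origin): w.findings() for w in parse_wings(text)}

if __name__ == "__main__":
    for key, notes in audit(SAMPLE).items():
        print(key, "; ".join(notes) or "ok")
```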
