Limitations when using mgt interface for pass-through traffic


Article ID: KB14752 KB Last Updated: 10 Jul 2009Version: 1.0
Summary:
Pass-through traffic between the mgt interface and other interfaces is dropped, and the output of debug flow basic shows either "flow_first_sanity_check: in <mgt>, out <N/A>" or "Warning - ifp is not sat port. carr_in_ifp=mgt".
Symptoms:
By default, the mgt interface is bound to the MGT zone on ASIC-based platforms, and ScreenOS does not allow pass-through traffic through it. There are, however, conditions under which pass-through traffic between the mgt interface and other interfaces is allowed (see Solution).

For example, PC1 sends a ping to PC2, but the packet is dropped at "flow_first_sanity_check".

PC1 ------------ mgt(MGT zone) ISG2000 (Untrust zone) e3/1 ------------ PC2
172.27.14.202    172.27.14.212                 172.1.1.1                172.1.1.110


nsisg2000-> get db st
****** 72450.0: <MGT/mgt> packet received [84]******
 ipid = 0(0000), @6de0f870
 packet passed sanity check.
 mgt:172.27.14.202/89->172.1.1.10/44290,1(8/0)<Root>
 no session found
 
flow_first_sanity_check: in <mgt>, out <N/A> <-- LOOK HERE
Solution:
To allow pass-through traffic between the mgt interface and other interfaces there are two methods. Neither is a recommended configuration: all pass-through traffic via the mgt interface is handled by the flow CPU rather than the ASIC, and if an IDP policy is attached to the permit policy, all packets are dropped, because IDP inspection is not supported between the mgt (or sub-mgt) interface and other interfaces (the mgt interface does not use the ASIC).


1. Bind the mgt interface to a non-MGT zone
This is supported as of 6.2.0r1, which introduced the Management VR feature and with it the ability to change the zone of the mgt interface. Once the mgt interface is moved out of the default MGT zone, ScreenOS treats it as a normal interface. On a release that does not include this feature, the zone keyword is not accepted:

nsisg2000-> set int mgt zone ?
                        ^-------unknown keyword zone

OR

2. Create a sub-mgt interface and bind it to a non-MGT zone

For example,

PC1 ---------- switch ------- mgt.1(Trust zone) ISG2000 (Untrust zone) e3/1 ------------ PC2
172.27.14.202                 172.27.14.212                            172.1.1.1         172.1.1.110

set int mgt.1 tag 14 zone Trust
set int mgt.1 ip 172.27.14.212/24

set policy from Trust to Untrust any any any permit

After that, the pass-through traffic is allowed at the flow level; see the examples below.

// After binding the mgt interface to a non-MGT zone

****** 19344.0: <Trust/mgt> packet received [84]******
ipid = 0(0000), @6de0a870
packet passed sanity check.
flow_decap_vector IPv4 process
mgt:172.27.14.202/36->172.1.1.10/560,1(8/0)<Root>
no session found
flow_first_inline_vector: in <mgt>, out <N/A>
chose interface mgt as incoming nat if.
flow_first_inline_vector: in <mgt>, out <N/A>
search route to (mgt, 172.27.14.202->172.1.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 5 for 172.1.1.10
[ Dest] 5.route 172.1.1.10->172.1.1.10, to ethernet3/1
routed (x_dst_ip 172.1.1.10) from mgt (mgt in 0) to ethernet3/1
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 172.1.1.10, port 13481, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/0/0x1
Permitted by policy 1
dip id = 2, 172.27.14.202/36->172.1.1.1/34858
choose interface ethernet3/1 as outgoing phy if
no loop on ifp ethernet3/1.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_inline_vector: in <mgt>, out <ethernet3/1>
SM_RULE:0
existing vector list 0-7e41bc4.
Session (id:500127) created for first pak 0
flow_first_install_session======>
route to 172.1.1.10
cached arp entry with MAC 00c12605b8cf for 172.1.1.10
arp entry found for 172.1.1.10
ifp2 ethernet3/1, out_ifp ethernet3/1, flag 10800000, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet3/1, 172.1.1.10->172.27.14.202) in vr trust-vr for vsd-0/flag-3000/ifp-mgt
cached route 7 for 172.27.14.202
[ Dest] 7.route 172.27.14.202->172.27.14.202, to mgt
route to 172.27.14.202
cached arp entry with MAC 001ec9b17f3c for 172.27.14.202
arp entry found for 172.27.14.202
ifp2 mgt, out_ifp mgt, flag 00800001, tunnel ffffffff, rc 1
flow got session.
flow session id 500127
flow_main_body_vector in ifp mgt out ifp ethernet3/1
flow vector index 0x0, vector addr 0x3400748, orig vector 0x3400748
post addr xlation: 172.1.1.1->172.1.1.10.
packet send out to 00c12605b8cf (cached) through ethernet3/1
**st: <Untrust|ethernet3/1|Root|0> 4f9c118: ff90:172.1.1.10/230->172.1.1.1/882a,1,84
****** 19344.0: <Untrust/ethernet3/1> packet received [84]******
ipid = 65424(ff90), @04f9c118
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet3/1:172.1.1.10/560->172.1.1.1/34858,1(0/0)<Root>
existing session found. sess token 4
flow got session.
flow session id 500127
flow_main_body_vector in ifp ethernet3/1 out ifp N/A
flow vector index 0x0, vector addr 0x3400748, orig vector 0x3400748
post addr xlation: 172.1.1.10->172.27.14.202.
packet send out to 001ec9b17f3c (cached) through mgt

// After creating a sub-mgt interface and binding it to a non-MGT zone


****** 00078.0: <Trust/mgt.1> packet received [84]******
ipid = 0(0000), @6de12874
packet passed sanity check.
mgt.1:172.27.14.202/0->172.1.1.10/48200,1(8/0)<Root>
no session found
flow_first_inline_vector: in <mgt.1>, out <N/A>
chose interface mgt.1 as incoming nat if.
flow_first_inline_vector: in <mgt.1>, out <N/A>
search route to (mgt.1, 172.27.14.202->172.1.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 4.route 172.1.1.10->172.1.1.10, to ethernet3/1
routed (x_dst_ip 172.1.1.10) from mgt.1 (mgt.1 in 0) to ethernet3/1
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 172.1.1.10, port 1021, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 1
dip id = 2, 172.27.14.202/0->172.1.1.1/61046
choose interface ethernet3/1 as outgoing phy if
no loop on ifp ethernet3/1.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_inline_vector: in <mgt.1>, out <ethernet3/1>
SM_RULE:0
existing vector list 1-2e2b0560.
Session (id:1000118) created for first pak 1
flow_first_install_session======>
route to 172.1.1.10
arp entry found for 172.1.1.10
nsp2 wing prepared, ready
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet3/1, 172.1.1.10->172.27.14.202) in vr trust-vr for vsd-0/flag-3000/ifp-mgt.1
[ Dest] 2.route 172.27.14.202->172.27.14.202, to mgt.1
route to 172.27.14.202
flow got session.
flow session id 1000118
post addr xlation: 172.1.1.1->172.1.1.10.
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00c12605b8cf through ethernet3/1
**st: <Untrust|ethernet3/1|Root|0> 80224118: 14db:172.1.1.10/bc48->172.1.1.1/ee76,1,84
****** 00078.0: <Untrust/ethernet3/1> packet received [84]******
ipid = 5339(14db), @80224118
packet passed sanity check.
ethernet3/1:172.1.1.10/48200->172.1.1.1/61046,1(0/0)<Root>
existing session found. sess token 6
flow got session.
flow session id 1000118
existing vector list 1-2e2b0560.
post addr xlation: 172.1.1.10->172.27.14.202.
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 001ec9b17f3c through mgt.1

// If an IDP policy is set (ISG-IDP platforms)

****** 00142.0: <Trust/mgt.1> packet received [84]******
ipid = 0(0000), @6de1a874
packet passed sanity check.
mgt.1:172.27.14.202/0->172.1.1.10/17993,1(8/0)<Root>
no session found
flow_first_inline_vector: in <mgt.1>, out <N/A>
chose interface mgt.1 as incoming nat if.
flow_first_inline_vector: in <mgt.1>, out <N/A>
search route to (mgt.1, 172.27.14.202->172.1.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 4.route 172.1.1.10->172.1.1.10, to ethernet3/1
routed (x_dst_ip 172.1.1.10) from mgt.1 (mgt.1 in 0) to ethernet3/1
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 172.1.1.10, port 30230, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 1
dip id = 2, 172.27.14.202/0->172.1.1.1/10239
choose interface ethernet3/1 as outgoing phy if
no loop on ifp ethernet3/1.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_inline_vector: in <mgt.1>, out <ethernet3/1>
flow_set_idp_vector
SM_RULE:1
install vector flow_ttl_vector
install vector flow_idp_client_vector
install vector flow_l2prepare_xlate_vector
install vector flow_idp_server_vector
install vector flow_frag_list_vector
install vector flow_fragging_vector
install vector flow_send_shape_vector
install vector NULL
create new vector list 801-2e2b1ac0.
Session (id:1000119) created for first pak 801
flow_first_install_session======>
route to 172.1.1.10
arp entry found for 172.1.1.10
nsp2 wing prepared, ready
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet3/1, 172.1.1.10->172.27.14.202) in vr trust-vr for vsd-0/flag-3000/ifp-mgt.1
[ Dest] 2.route 172.27.14.202->172.27.14.202, to mgt.1
route to 172.27.14.202
Success installing work and forward sessions
flow got session.
flow session id 1000119
flow_idp_client_vector: in <mgt.1>, out <ethernet3/1>
flow sm client vector: process (flag 0x00000000)
st_lpak_2_tag: Warning - ifp is not sat port. carr_in_ifp=mgt.1 <--- LOOK HERE
TR st_lpak_2_tag:null carr_in_ifp: 003a4fa8 00ac2df4 00ad5498 00ad4788 00ad4b18 00a72dd4 00349f6c 003a3ce8 000823e4 000823a0
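The three traces above differ only in a few lines, and on a busy box they are buried in hundreds of others. The script below is an added example (not part of this article and not Juniper code) that splits debug flow basic output into packets and classifies each one as forwarded or dropped, reporting which of the two mgt-specific failure modes applies: the first-packet refusal at flow_first_sanity_check (mgt still in the MGT zone) or the "ifp is not sat port" warning from the IDP vector (mgt/sub-mgt is not an ASIC port). The regexes are keyed on the exact strings shown in this article; SAMPLE_DEBUG is a condensed, constructed version of the article's traces.

```python
# Added example (not from the Juniper article): triage ScreenOS
# "debug flow basic" output for the two mgt pass-through failure modes.
# Regexes use the exact strings shown in the article; SAMPLE_DEBUG is a
# condensed, constructed version of the article's traces.
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = re.compile(r"^\*{6} (?P<ts>[\d.]+): <(?P<zone>[^/>]+)/(?P<ifp>[^>]+)> packet received \[\d+\]")
FLOW_TUPLE = re.compile(r"^(?P<ifp>[\w./]+):(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,(?P<proto>\d+)")
SANITY_STOP = re.compile(r"flow_first_sanity_check: in <[^>]+>, out <N/A>")
IDP_NOT_SAT = re.compile(r"Warning - ifp is not sat port\. carr_in_ifp=(?P<ifp>\S+)")
SESSION_ID = re.compile(r"Session \(id:(\d+)\) created|flow session id (\d+)")
SEND_OUT = re.compile(r"packet send out to [0-9a-f]+(?: \(cached\))? through (?P<ifp>\S+)")

@dataclass
class Packet:
    ts: str
    zone: str
    ifp: str
    lines: List[str] = field(default_factory=list)

@dataclass
class Verdict:
    ts: str
    in_zone: str
    in_ifp: str
    action: str  # "FORWARD" or "DROP"
    reason: str
    flow: Optional[str] = None
    out_ifp: Optional[str] = None
    session_id: Optional[str] = None

def split_packets(text: str) -> List[Packet]:
    """One Packet per '****** <ts>: <zone/ifp> packet received' header."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None
    for raw in text.splitlines():
        line = raw.strip()  # the article's output mixes leading spaces
        m = HEADER.match(line)
        if m:
            cur = Packet(m["ts"], m["zone"], m["ifp"])
            packets.append(cur)
        elif cur is not None and line:
            cur.lines.append(line)
    return packets

def classify(pkt: Packet) -> Verdict:
    """Decide whether the flow CPU forwarded or dropped this packet, and why."""
    v = Verdict(pkt.ts, pkt.zone, pkt.ifp, "DROP", "trace ends without a forwarding decision")
    sanity_stop = False
    for line in pkt.lines:
        m = FLOW_TUPLE.match(line)
        if m and v.flow is None:
            v.flow = f"{m['src']}->{m['dst']} proto {m['proto']}"
        m = SESSION_ID.search(line)
        if m:
            v.session_id = m.group(1) or m.group(2)
        if SANITY_STOP.search(line):
            sanity_stop = True  # first-packet path refused before route/policy lookup
        m = IDP_NOT_SAT.search(line)
        if m:  # a session was built, but the IDP vector cannot run on a non-ASIC port
            v.reason = (f"IDP vector on {m['ifp']}: interface is not an ASIC (sat) port, "
                        f"dropped despite permit policy (session {v.session_id})")
            return v
        m = SEND_OUT.search(line)
        if m:
            v.action, v.out_ifp = "FORWARD", m["ifp"]
            v.reason = f"permitted, session {v.session_id}, egress {m['ifp']}"
            return v
    if sanity_stop:
        v.reason = (f"flow_first_sanity_check refused pass-through from {pkt.ifp} in zone "
                    f"{pkt.zone}; bind mgt (6.2.0r1+) or a sub-mgt interface to a non-MGT zone")
    return v

def summarize(text: str) -> List[Verdict]:
    return [classify(p) for p in split_packets(text)]

# Constructed sample: condensed from the article's three traces.
SAMPLE_DEBUG = """\
****** 72450.0: <MGT/mgt> packet received [84]******
 mgt:172.27.14.202/89->172.1.1.10/44290,1(8/0)<Root>
 no session found
flow_first_sanity_check: in <mgt>, out <N/A>
****** 19344.0: <Trust/mgt> packet received [84]******
mgt:172.27.14.202/36->172.1.1.10/560,1(8/0)<Root>
flow_first_inline_vector: in <mgt>, out <N/A>
Permitted by policy 1
Session (id:500127) created for first pak 0
packet send out to 00c12605b8cf (cached) through ethernet3/1
****** 19344.0: <Untrust/ethernet3/1> packet received [84]******
ethernet3/1:172.1.1.10/560->172.1.1.1/34858,1(0/0)<Root>
existing session found. sess token 4
flow session id 500127
packet send out to 001ec9b17f3c (cached) through mgt
****** 00142.0: <Trust/mgt.1> packet received [84]******
mgt.1:172.27.14.202/0->172.1.1.10/17993,1(8/0)<Root>
flow_set_idp_vector
Session (id:1000119) created for first pak 801
flow_idp_client_vector: in <mgt.1>, out <ethernet3/1>
st_lpak_2_tag: Warning - ifp is not sat port. carr_in_ifp=mgt.1
"""
```

Feed a captured trace with summarize(open("trace.txt").read()) and print each Verdict; a packet whose trace ends at flow_first_sanity_check with the ingress zone MGT is the first case in this article, and a packet that reaches "Session (id:...) created" but then hits the sat-port warning is the IDP case, where the permit policy is matched yet the packet never leaves the box.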


