[ScreenOS] Behavior of 'set flow' commands in asymmetric routing scenario

[KB19924]


Summary:

This article explains the behavior of ScreenOS for 'reverse-route' look-up options in case of asymmetric routing.

Symptoms:

Topology:


 
Solution:

A number of tests were run in the above topology with different flow settings. The debugs and results are shown below.

Conclusions:

  1. Whenever 'set flow reverse-route clear-text always' is configured, there must be an active route for the reverse path through the interface on which the packet was received; otherwise the reply packet is dropped.

  2. 'unset flow reverse-route clear-text' caches the source MAC address of the incoming packet and uses it to send the reply out through the same interface. No reverse route lookup takes place.

  3. 'set flow reverse-route clear-text prefer' combines the two commands above. The firewall first attempts a reverse route lookup; if no usable reverse route exists (none in the routing table, or one pointing to a different interface), it caches the source MAC address instead.

  4. When 'route 0' is reported in the debug output or in the session, the firewall has cached the source MAC of the packet and could not find any valid route for the source IP pointing to the interface the packet arrived on. This is typically caused by asymmetric routing in the network, which makes the packet arrive on the wrong interface of the firewall.

  5. Asymmetric routing through the firewall cannot be achieved by any means. The reply must leave through the interface on which the packet was received; otherwise the firewall treats the packet as spoofed and drops it.
 

Test 1:  set flow reverse-route clear-text always

The packet hits fw1 on eth0/2, while the default route on fw1 is through eth0/1.
 
ssg20-wlan-> GET FF
Flow filter based on:
id:0 dst ip 5.5.5.5

ssg20-wlan-> PING 192.168.1.4 FROM LOOPBACK.1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 1 seconds from loopback.1
.....
Success Rate is 0 percent (0/5)
ssg20-wlan->
ssg20-wlan-> DEBUG FLOW BASIC
ssg20-wlan->
ssg20-wlan-> GET DB ST
****** 90408.0: <Untrust/ethernet0/2> packet received [128]****** (packet is received on eth0/2)
ipid = 27151(6a0f), @03d623f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:5.5.5.5/5300->192.168.1.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 5.5.5.5->10.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null (packet hits the mip and gets translated to 10.1.1.2)
[ Dest] 1.route 10.1.1.2->10.1.1.2, to ethernet0/0
routed (x_dst_ip 10.1.1.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.4, port 17278, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-9671f14.
Session (id:16051) created for first pak 1
flow_first_install_session======>
route to 10.1.1.2
arp entry found for 10.1.1.2
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2 (searching the reverse route to int e0/2 from which the packet received)
no route to (10.1.1.2->5.5.5.5) in vr trust-vr/0 (didn't find any route, since the default route is through eth0/1)
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00000801, tunnel ffffffff, rc 0
flow got session.
flow session id 16051
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 5.5.5.5->10.1.1.2.
90408.0: ethernet0/0(i) len=142:001f16f5be61->0014f6e8eac0/0800
10.1.1.2 -> 5.5.5.5/1
vhl=45, tos=00, id=8282, frag=0000, ttl=128 tlen=128
icmp:type=0, code=0

****** 90408.0: <Trust/ethernet0/0> packet received [128]******
ipid = 8282(205a), @03c22ef0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.1.1.2/1024->5.5.5.5/5300,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 16051
flow_main_body_vector in ifp ethernet0/0 out ifp N/A
flow vector index 0x1, vector addr 0x9671f14, orig vector 0x9671f14
prepare route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2 ( trying to send reverse packet through eth0/2 because set flow reverse-route is set to always)
no route to (10.1.1.2->5.5.5.5) in vr trust-vr/0 (didn't find the route through eth0/2, so the route lookup fails and the packet is dropped)
route to 0.0.0.0
route failed to 5.5.5.5, nspflag=0x801
ifp2 ethernet0/2, out_ifp N/A, flag 00000801, tunnel ffffffff, rc -1
 

Test 2:  set flow reverse-route clear-text prefer

This command makes the firewall first check whether a reverse route exists through the same interface. If the reverse route points elsewhere, it caches the MAC address from which the packet was received.
 
ssg20-wlan-> PING 192.168.1.4 FROM LOOPBACK.1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 1 seconds from loopback.1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=3/3/4 ms

ssg20-wlan->

ssg20-wlan-> GET DB ST
****** 90531.0: <Untrust/ethernet0/2> packet received [128]****** (packet received on eth0/2)
ipid = 63584(f860), @03d72bf0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:5.5.5.5/6500->192.168.1.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 5.5.5.5->10.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null (packet hits the mip and gets translated to 10.1.1.2)
[ Dest] 1.route 10.1.1.2->10.1.1.2, to ethernet0/0
routed (x_dst_ip 10.1.1.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.4, port 16078, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-9671f14.
Session (id:16057) created for first pak 1
flow_first_install_session======>
route to 10.1.1.2
arp entry found for 10.1.1.2
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2 (searching for a reverse route)
no route to (10.1.1.2->5.5.5.5) in vr trust-vr/0 (didn't find any reverse route)
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00000801, tunnel ffffffff, rc 0
cache src mac in session for reverse direction (since the reverse route is not through the same interface, it cached the source MAC of the packet received on ethernet0/2)
flow got session.
flow session id 16057
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 5.5.5.5->10.1.1.2.
90531.0: ethernet0/0(i) len=142:001f16f5be61->0014f6e8eac0/0800
10.1.1.2 -> 5.5.5.5/1
vhl=45, tos=00, id=8787, frag=0000, ttl=128 tlen=128
icmp:type=0, code=0

****** 90531.0: <Trust/ethernet0/0> packet received [128]******
ipid = 8787(2253), @03c1f6f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.1.1.2/1024->5.5.5.5/6500,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 16057
flow_main_body_vector in ifp ethernet0/0 out ifp N/A
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 192.168.1.4->5.5.5.5.
90531.0: ethernet0/2(o) len=142:0014f6e8eac6->0017cbeaeb06/0800 (packet sent out through eth0/2)
192.168.1.4 -> 5.5.5.5/1
vhl=45, tos=00, id=8787, frag=0000, ttl=127 tlen=128
icmp:type=0, code=0

Test 3:  unset flow reverse-route clear-text

This command makes the device cache the source MAC address from which the packet was received.
 
ssg20-wlan-> PING 192.168.1.4 FROM LOOPBACK.1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 1 seconds from loopback.1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=3/3/4 ms
ssg20-wlan->

ssg20-wlan-> CL DB
ssg20-wlan-> GET DB ST
****** 90598.0: <Untrust/ethernet0/2> packet received [128]****** (packet received on eth0/2)
ipid = 45947(b37b), @03d77bf0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:5.5.5.5/7000->192.168.1.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 5.5.5.5->10.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null (packet hits the mip and gets translated to 10.1.1.2)
[ Dest] 1.route 10.1.1.2->10.1.1.2, to ethernet0/0
routed (x_dst_ip 10.1.1.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.4, port 15578, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-9671f14.
Session (id:16051) created for first pak 1
flow_first_install_session======>
route to 10.1.1.2
arp entry found for 10.1.1.2
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
cache src mac in session for reverse direction (did not check for any reverse route; it cached the source MAC directly)
flow got session.
flow session id 16051
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 5.5.5.5->10.1.1.2.
90598.0: ethernet0/0(i) len=142:001f16f5be61->0014f6e8eac0/0800
10.1.1.2 -> 5.5.5.5/1
vhl=45, tos=00, id=9134, frag=0000, ttl=128 tlen=128
icmp:type=0, code=0

****** 90598.0: <Trust/ethernet0/0> packet received [128]******
ipid = 9134(23ae), @03cccef0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.1.1.2/1024->5.5.5.5/7000,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 16051
flow_main_body_vector in ifp ethernet0/0 out ifp N/A
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 192.168.1.4->5.5.5.5.
90598.0: ethernet0/2(o) len=142:0014f6e8eac6->0017cbeaeb06/0800 (packet sent out through eth0/2)
192.168.1.4 -> 5.5.5.5/1
vhl=45, tos=00, id=9134, frag=0000, ttl=127 tlen=128
icmp:type=0, code=0
 

Test 4: Set flow reverse-route always and add a second default route with the same preference through interface eth0/2.
This is a backup route, and it is active because its preference is the same.

ssg20-wlan-> set flow reverse-route clear-text always
ssg20-wlan-> CL DB
ssg20-wlan-> get route

IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (10 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 9 0.0.0.0/0 eth0/1 172.16.1.3 S 20 1 Root
* 16 0.0.0.0/0 eth0/2 192.168.1.3 S 20 1 Root (active backup route)
* 2 10.1.1.1/32 eth0/0 0.0.0.0 H 0 0 Root
* 3 172.16.1.0/24 eth0/1 0.0.0.0 C 0 0 Root
* 6 192.168.1.2/32 eth0/2 0.0.0.0 H 0 0 Root
8 192.168.2.1/32 wireless0/0 0.0.0.0 H 0 0 Root
7 192.168.2.0/24 wireless0/0 0.0.0.0 C 0 0 Root
* 5 192.168.1.0/24 eth0/2 0.0.0.0 C 0 0 Root
* 4 172.16.1.2/32 eth0/1 0.0.0.0 H 0 0 Root
* 1 10.1.1.0/24 eth0/0 0.0.0.0 C 0 0 Root



IPv6 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route


IPv6 Dest-Routes for <trust-vr> (0 entries)
--------------------------------------------------------------------------------------

ssg20-wlan-> PING 192.168.1.4 FROM LOOPBACK.1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 1 seconds from loopback.1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=3/3/4 ms

ssg20-wlan->
ssg20-wlan-> GET DB ST
****** 90748.0: <Untrust/ethernet0/2> packet received [128]****** (packet received on eth0/2)
ipid = 12676(3184), @03d83bf0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:5.5.5.5/8000->192.168.1.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 5.5.5.5->10.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null (packet hits the mip and gets translated to 10.1.1.2)
[ Dest] 1.route 10.1.1.2->10.1.1.2, to ethernet0/0
routed (x_dst_ip 10.1.1.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.4, port 14578, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-9671f14.
Session (id:16063) created for first pak 1
flow_first_install_session======>
route to 10.1.1.2
arp entry found for 10.1.1.2
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2 (it searches for a reverse route and, of the two default routes, finds the backup route with the same preference through eth0/2)
[ Dest] 15.route 5.5.5.5->192.168.1.3, to ethernet0/2
route to 192.168.1.3
arp entry found for 192.168.1.3
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 16063
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 5.5.5.5->10.1.1.2.
90748.0: ethernet0/0(i) len=142:001f16f5be61->0014f6e8eac0/0800
10.1.1.2 -> 5.5.5.5/1
vhl=45, tos=00, id=9841, frag=0000, ttl=128 tlen=128
icmp:type=0, code=0

****** 90748.0: <Trust/ethernet0/0> packet received [128]******
ipid = 9841(2671), @03c2e6f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.1.1.2/1024->5.5.5.5/8000,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 16063
flow_main_body_vector in ifp ethernet0/0 out ifp N/A
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 192.168.1.4->5.5.5.5.
90748.0: ethernet0/2(o) len=142:0014f6e8eac6->0017cbeaeb06/0800 (packet sent out through eth0/2)
192.168.1.4 -> 5.5.5.5/1
vhl=45, tos=00, id=9841, frag=0000, ttl=127 tlen=128
icmp:type=0, code=0


Test 5: Set flow reverse-route always and add another default route with preference 40 through interface eth0/2

ssg20-wlan-> unset flow route 0.0.0.0/0 int e0/2
total routes deleted = 1
ssg20-wlan->
ssg20-wlan-> set f route 0.0.0.0/0 int e0/2 gateway 192.168.1.3 pref 40
ssg20-wlan-> get route


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (10 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 9 0.0.0.0/0 eth0/1 172.16.1.3 S 20 1 Root
16 0.0.0.0/0 eth0/2 192.168.1.3 S 40 1 Root (the backup route is inactive)
* 2 10.1.1.1/32 eth0/0 0.0.0.0 H 0 0 Root
* 3 172.16.1.0/24 eth0/1 0.0.0.0 C 0 0 Root
* 6 192.168.1.2/32 eth0/2 0.0.0.0 H 0 0 Root
8 192.168.2.1/32 wireless0/0 0.0.0.0 H 0 0 Root
7 192.168.2.0/24 wireless0/0 0.0.0.0 C 0 0 Root
* 5 192.168.1.0/24 eth0/2 0.0.0.0 C 0 0 Root
* 4 172.16.1.2/32 eth0/1 0.0.0.0 H 0 0 Root
* 1 10.1.1.0/24 eth0/0 0.0.0.0 C 0 0 Root



IPv6 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route


IPv6 Dest-Routes for <trust-vr> (0 entries)
--------------------------------------------------------------------------------------
ssg20-wlan-> PING 192.168.1.4 FROM LOOPBACK.1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 1 seconds from loopback.1
.....
Success Rate is 0 percent (0/5)


ssg20-wlan-> GET DB ST
****** 90830.0: <Untrust/ethernet0/2> packet received [128]****** (packet received on eth0/2)
ipid = 17488(4450), @03d88bf0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:5.5.5.5/8500->192.168.1.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 5.5.5.5->10.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null (packet hits the mip and gets translated to 10.1.1.2)
[ Dest] 1.route 10.1.1.2->10.1.1.2, to ethernet0/0
routed (x_dst_ip 10.1.1.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.4, port 14078, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-9671f14.
Session (id:16061) created for first pak 1
flow_first_install_session======>
route to 10.1.1.2
arp entry found for 10.1.1.2
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
no route to (10.1.1.2->5.5.5.5) in vr trust-vr/0 (no route found through backup route)
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00000801, tunnel ffffffff, rc 0
flow got session.
flow session id 16061
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 5.5.5.5->10.1.1.2.
90830.0: ethernet0/0(i) len=142:001f16f5be61->0014f6e8eac0/0800
10.1.1.2 -> 5.5.5.5/1
vhl=45, tos=00, id=10169, frag=0000, ttl=128 tlen=128
icmp:type=0, code=0

****** 90830.0: <Trust/ethernet0/0> packet received [128]******
ipid = 10169(27b9), @03cd2ef0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.1.1.2/1024->5.5.5.5/8500,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 16061
flow_main_body_vector in ifp ethernet0/0 out ifp N/A
flow vector index 0x1, vector addr 0x9671f14, orig vector 0x9671f14
prepare route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
no route to (10.1.1.2->5.5.5.5) in vr trust-vr/0
route to 0.0.0.0
route failed to 5.5.5.5, nspflag=0x801
ifp2 ethernet0/2, out_ifp N/A, flag 00000801, tunnel ffffffff, rc -1 (Packet dropped)

Test 6: Set flow reverse route always, one default route through eth0/1, and a PBR from 10.1.1.2 to 5.5.5.5 through interface eth0/2

ssg20-wlan-> UNSET ROUTE 0.0.0.0/0 INT E0/2
total routes deleted = 1
ssg20-wlan-> GET CONFIG | I PBR
set pbr policy name a
set pbr policy a match-group a action-group 5.5.5.5 1
set interface ethernet0/0 pbr a
ssg20-wlan->
ssg20-wlan->
ssg20-wlan-> CL DB
ssg20-wlan-> PING 192.168.1.4 FROM LOOPBACK.1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 1 seconds from loopback.1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=3/3/4 ms

ssg20-wlan-> GET DB ST
****** 90971.0: <Untrust/ethernet0/2> packet received [128]****** (packet received on ethernet0/2)
ipid = 44244(acd4), @03d8fbf0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:5.5.5.5/9000->192.168.1.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 5.5.5.5->10.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null (packet hits the mip and gets translated to 10.1.1.2)
[ Dest] 1.route 10.1.1.2->10.1.1.2, to ethernet0/0
routed (x_dst_ip 10.1.1.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.4, port 13578, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-9671f14.
Session (id:16056) created for first pak 1
flow_first_install_session======>
route to 10.1.1.2
arp entry found for 10.1.1.2
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
PBR lookup params: dst-ip: 5.5.5.5, src-ip: 10.1.1.2, dst-port: 9000, src-port: 1024, protocol: 1, dscp: 0 (found a PBR entry for the reverse route through the same interface, so the packet is allowed even though the default route is through another interface)
[PBR route] 5.route 5.5.5.5->192.168.1.3, to ethernet0/2
route to 192.168.1.3
arp entry found for 192.168.1.3
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 16056
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 5.5.5.5->10.1.1.2.
90971.0: ethernet0/0(i) len=142:001f16f5be61->0014f6e8eac0/0800
10.1.1.2 -> 5.5.5.5/1
vhl=45, tos=00, id=10938, frag=0000, ttl=128 tlen=128
icmp:type=0, code=0

****** 90971.0: <Trust/ethernet0/0> packet received [128]******
ipid = 10938(2aba), @03bf86f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.1.1.2/1024->5.5.5.5/9000,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 16056
flow_main_body_vector in ifp ethernet0/0 out ifp N/A
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 192.168.1.4->5.5.5.5.
90971.0: ethernet0/2(o) len=142:0014f6e8eac6->0017cbeaeb06/0800 (packet sent out through eth0/2)
192.168.1.4 -> 5.5.5.5/1
vhl=45, tos=00, id=10938, frag=0000, ttl=127 tlen=128
icmp:type=0, code=0
 

Test 7: Set a default route through eth0/1, with the PBR also through the default interface, i.e. eth0/1.

ssg20-wlan->
ssg20-wlan->
ssg20-wlan-> CL DB
ssg20-wlan-> PING 192.168.1.4 FROM LOOPBACK.1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 1 seconds from loopback.1
.....
Success Rate is 0 percent (0/5)

ssg20-wlan-> GET DB ST
****** 91105.0: <Untrust/ethernet0/2> packet received [128]****** ( packet received on ethernet 0/2 )
ipid = 21754(54fa), @03d95bf0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:5.5.5.5/9500->192.168.1.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 5.5.5.5->10.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null (packet hits the mip and gets translated to 10.1.1.2)
[ Dest] 1.route 10.1.1.2->10.1.1.2, to ethernet0/0
routed (x_dst_ip 10.1.1.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.4, port 13078, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-9671f14.
Session (id:16061) created for first pak 1
flow_first_install_session======>
route to 10.1.1.2
arp entry found for 10.1.1.2
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
PBR lookup params: dst-ip: 5.5.5.5, src-ip: 10.1.1.2, dst-port: 9500, src-port: 1024, protocol: 1, dscp: 0 (the route lookup triggers the PBR lookup)
PBR: no route to (5.5.5.5) in vr trust-vr
no route to (10.1.1.2->5.5.5.5) in vr trust-vr/0
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00000801, tunnel ffffffff, rc 0
flow got session.
flow session id 16061
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 5.5.5.5->10.1.1.2.
91105.0: ethernet0/0(i) len=142:001f16f5be61->0014f6e8eac0/0800
10.1.1.2 -> 5.5.5.5/1
vhl=45, tos=00, id=12101, frag=0000, ttl=128 tlen=128
icmp:type=0, code=0

****** 91105.0: <Trust/ethernet0/0> packet received [128]******
ipid = 12101(2f45), @03c4d6f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.1.1.2/1024->5.5.5.5/9500,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 16061
flow_main_body_vector in ifp ethernet0/0 out ifp N/A
flow vector index 0x1, vector addr 0x9671f14, orig vector 0x9671f14
prepare route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
PBR lookup params: dst-ip: 5.5.5.5, src-ip: 10.1.1.2, dst-port: 9500, src-port: 1024, protocol: 1, dscp: 0
PBR: no route to (5.5.5.5) in vr trust-vr
no route to (10.1.1.2->5.5.5.5) in vr trust-vr/0
route to 0.0.0.0
route failed to 5.5.5.5, nspflag=0x801 (since the PBR is through another interface, the packet is dropped)
ifp2 ethernet0/2, out_ifp N/A, flag 00000801, tunnel ffffffff, rc -1


Test 8: PBR through eth0/1 from 10.1.1.2 to 5.5.5.5, a default route through eth0/2 and no default route through eth0/1

****** 100272.0: <Untrust/ethernet0/2> packet received [128]****** (packet received on ethernet0/2)
ipid = 38175(951f), @03d44bf0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:5.5.5.5/17900->192.168.1.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 5.5.5.5->10.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null (packet hits the mip and gets translated to 10.1.1.2)
[ Dest] 1.route 10.1.1.2->10.1.1.2, to ethernet0/0
routed (x_dst_ip 10.1.1.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.4, port 4678, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-9671f14.
Session (id:16047) created for first pak 1
flow_first_install_session======>
route to 10.1.1.2
arp entry found for 10.1.1.2
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 10.1.1.2->5.5.5.5) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2 (the packet is allowed via the default route)
PBR lookup params: dst-ip: 5.5.5.5, src-ip: 10.1.1.2, dst-port: 17900, src-port: 1024, protocol: 1, dscp: 0
PBR: no route to (5.5.5.5) in vr trust-vr
[ Dest] 17.route 5.5.5.5->192.168.1.3, to ethernet0/2 (even though a PBR exists, it is not through the same interface, so the firewall ignores it and takes the default route)
route to 192.168.1.3
arp entry found for 192.168.1.3
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 16047
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 5.5.5.5->10.1.1.2.
100272.0: ethernet0/0 len=142:001f16f5be61->0014f6e8eac0/0800
10.1.1.2 -> 5.5.5.5/1
vhl=45, tos=00, id=34200, frag=0000, ttl=128 tlen=128
icmp:type=0, code=0


****** 100272.0: <Trust/ethernet0/0> packet received [128]******
ipid = 34200(8598), @03c586f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.1.1.2/1024->5.5.5.5/17900,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 16047
flow_main_body_vector in ifp ethernet0/0 out ifp N/A
flow vector index 0x1, vector addr 0x1ff2a10, orig vector 0x1ff2a10
post addr xlation: 192.168.1.4->5.5.5.5.
100272.0: ethernet0/2 len=142:0014f6e8eac6->0017cbeaeb06/0800
192.168.1.4 -> 5.5.5.5/1
vhl=45, tos=00, id=34200, frag=0000, ttl=127 tlen=128
icmp:type=0, code=0
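To make the decision logic behind the conclusions and the eight tests explicit, here is an added Python model (not ScreenOS code and not part of the article) of the clear-text reverse-route lookup: the three modes, the rule that only routes with the best preference are active, the restriction of the lookup to the receiving interface, and PBR being honoured only when its exit interface is that same interface. The routing table, PBR entries and the function and interface names are constructed to mirror the article's topology and are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    prefix: str    # destination prefix, e.g. "0.0.0.0/0"
    ifp: str       # egress interface
    gateway: str
    pref: int      # lower is better; routes sharing the best pref are all active

@dataclass(frozen=True)
class PbrEntry:
    src: str       # source IP matched by the PBR policy
    dst: str       # destination IP matched by the PBR policy
    ifp: str       # interface the action-group sends the packet out of
    gateway: str

def active_routes(routes):
    """Only routes holding the best (lowest) pref for their prefix are active,
    i.e. the '*' rows in 'get route' (Test 4: pref 20 active; Test 5: pref 40 not)."""
    best = {}
    for r in routes:
        best[r.prefix] = min(best.get(r.prefix, r.pref), r.pref)
    return [r for r in routes if r.pref == best[r.prefix]]

def dest_route_via(routes, dst_ip, ifp):
    """Longest-prefix match for dst_ip restricted to routes leaving via ifp; this
    models the 'ifp-ethernet0/2' constraint in the 'search route to (...)' line."""
    dst = ip_address(dst_ip)
    cands = [r for r in active_routes(routes)
             if r.ifp == ifp and dst in ip_network(r.prefix)]
    return max(cands, key=lambda r: ip_network(r.prefix).prefixlen, default=None)

def pbr_route_via(pbr, src_ip, dst_ip, ifp):
    """PBR is consulted first, but only an entry leaving via ifp counts (Tests 6-8)."""
    for e in pbr:
        if e.src == src_ip and e.dst == dst_ip and e.ifp == ifp:
            return e
    return None

def reverse_route_decision(mode, in_ifp, orig_src, reply_src, routes, pbr=()):
    """Outcome for the reply of a session whose first packet arrived on in_ifp from
    orig_src and is answered by reply_src.  mode is the 'flow reverse-route
    clear-text' setting: 'always', 'prefer' or 'unset'.  Returns
      ('route', ifp)      reverse route found through the receiving interface
      ('cache-mac', ifp)  source MAC cached; reply goes back out in_ifp
      ('drop', ifp)       'route to 0.0.0.0 ... route failed': reply dropped
    """
    if mode == "unset":
        return ("cache-mac", in_ifp)          # Test 3: no lookup at all
    hit = (pbr_route_via(pbr, reply_src, orig_src, in_ifp)
           or dest_route_via(routes, orig_src, in_ifp))
    if hit is not None:
        return ("route", hit.ifp)
    if mode == "prefer":
        return ("cache-mac", in_ifp)          # Test 2: fall back to the cached MAC
    return ("drop", in_ifp)                   # Tests 1, 5, 7: 'always' with no route

# Constructed routing table mirroring the 'get route' output in the article
# (eth0/0 trust side, eth0/1 carries the default route, eth0/2 untrust side).
BASE_ROUTES = (
    Route("0.0.0.0/0", "eth0/1", "172.16.1.3", 20),
    Route("10.1.1.0/24", "eth0/0", "0.0.0.0", 0),
    Route("172.16.1.0/24", "eth0/1", "0.0.0.0", 0),
    Route("192.168.1.0/24", "eth0/2", "0.0.0.0", 0),
)
DEFAULT_VIA_ETH02_PREF20 = Route("0.0.0.0/0", "eth0/2", "192.168.1.3", 20)
DEFAULT_VIA_ETH02_PREF40 = Route("0.0.0.0/0", "eth0/2", "192.168.1.3", 40)
PBR_VIA_ETH02 = PbrEntry("10.1.1.2", "5.5.5.5", "eth0/2", "192.168.1.3")
PBR_VIA_ETH01 = PbrEntry("10.1.1.2", "5.5.5.5", "eth0/1", "172.16.1.3")

def run_tests():
    """Reproduce the outcome of each of the eight tests in the article."""
    ifp, src, reply = "eth0/2", "5.5.5.5", "10.1.1.2"
    no_eth01_default = tuple(r for r in BASE_ROUTES if r.prefix != "0.0.0.0/0")
    return {
        1: reverse_route_decision("always", ifp, src, reply, BASE_ROUTES),
        2: reverse_route_decision("prefer", ifp, src, reply, BASE_ROUTES),
        3: reverse_route_decision("unset", ifp, src, reply, BASE_ROUTES),
        4: reverse_route_decision("always", ifp, src, reply,
                                  BASE_ROUTES + (DEFAULT_VIA_ETH02_PREF20,)),
        5: reverse_route_decision("always", ifp, src, reply,
                                  BASE_ROUTES + (DEFAULT_VIA_ETH02_PREF40,)),
        6: reverse_route_decision("always", ifp, src, reply, BASE_ROUTES, (PBR_VIA_ETH02,)),
        7: reverse_route_decision("always", ifp, src, reply, BASE_ROUTES, (PBR_VIA_ETH01,)),
        8: reverse_route_decision("always", ifp, src, reply,
                                  no_eth01_default + (DEFAULT_VIA_ETH02_PREF20,), (PBR_VIA_ETH01,)),
    }

if __name__ == "__main__":
    for n, outcome in run_tests().items():
        print(f"Test {n}: {outcome}")
```

Running it prints the same outcome per test as the ping results above: drops for Tests 1, 5 and 7, a cached MAC for Tests 2 and 3, and a reverse route through eth0/2 for Tests 4, 6 and 8.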

 
Modification History:

2018-06-26: Corrected the information in Conclusion number 2, 3 and 4.

2017-12-07: Article reviewed for accuracy. Minor changes made. Article is correct and complete.
