Understanding Logical Tunnel Interface (lt-0/0/0) on SRX branch series platforms

Article ID: KB21260   Last Updated: 24 Feb 2020   Version: 3.0
Summary:
This article provides information on the purpose and behavior of logical tunnel interfaces (lt-0/0/0), as well as how to configure and troubleshoot these interfaces on the SRX Branch Series platforms.
Symptoms:
Host 1 --> ge-0/0/1.0   ---SRX---  ge-0/0/2.0 <-- Host 2

Host 1 Network - 192.168.1.0/24, in routing-instance R1
Host 2 Network - 192.168.2.0/24, in routing-instance R2
  • The requirement is to form a logical connection between routing instances on the same Junos device and to route between the connected instances.
  • Establish connectivity, by using a dynamic routing protocol, between the two hosts, which sit in two different routing instances, over that logical connection.
Solution:
Overview

In addition to sharing routes between instances, you can also form logical or physical connections between instances on the same Junos device and route between the connected instances.

To connect two routing instances with a logical connection, configure a logical tunnel interface for each instance. Then, configure a peer relationship between the logical tunnel interfaces, thus creating a point-to-point connection. To configure a point-to-point connection between two routing instances, configure the logical tunnel interface using the lt-fpc/pic/port format.

When configuring logical tunnel interfaces, note the following:
  • Configure each logical tunnel interface with one of the following encapsulation types: Ethernet, Ethernet circuit cross-connect (CCC), Ethernet Virtual Private LAN Service (VPLS), Frame Relay, Frame Relay CCC, Virtual LAN (VLAN), VLAN CCC, or VLAN VPLS.

  • Configure the IP, IPv6, International Organization for Standardization (ISO), or MPLS protocol family.

  • Configure only one peer unit for each logical interface. For example, unit 0 cannot peer with both unit 1 and unit 2.

  • To enable the logical tunnel interface, you must configure at least one physical interface statement.

In addition to logical tunnel interfaces, you can also use physical interfaces to connect and route between routing instances. This method typically requires two physical ports, one for each instance. Define the physical interfaces as you normally would and associate each interface with its respective routing instance under the [edit routing-instances instance-name] hierarchy.

If physical cables are used to connect the instances, expect the session table to show two sessions, one in each instance. The same happens with logical tunnels: the packet is still processed separately in each instance, so it also produces two sessions.
Setup
Host 1 --> ge-0/0/1.0 ---SRX--- ge-0/0/2.0 <-- Host 2
Where:
  • Host 1 Network - 192.168.1.0/24, in routing-instance R1

  • Host 2 Network - 192.168.2.0/24, in routing-instance R2

Add a logical unit in each of the routing-instances and configure peering between them to run the dynamic routing protocol on this point-to-point connection. This results in:

lt-0/0/0.1 in routing-instance R1
lt-0/0/0.2 in routing-instance R2

ge-0/0/1.0 and lt-0/0/0.1 are associated with security-zone Z1
ge-0/0/2.0 and lt-0/0/0.2 are associated with security-zone Z2
CLI Configuration

root@jtac# run show configuration | no-more 
## Last commit: 2011-06-17 05:03:28 UTC by root
version 10.2R3.10;
system {
    host-name jtac;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
interfaces {
    lt-0/0/0 {
        unit 1 {
            encapsulation ethernet;
            peer-unit 2;
            family inet {
                address 10.20.30.1/30;
            }
        }
        unit 2 {
            encapsulation ethernet;
            peer-unit 1;
            family inet {
                address 10.20.30.2/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
}
policy-options {
    policy-statement p1 {
        from {
            instance R1;
            protocol direct;
        }
        then accept;
    }
    policy-statement p2 {
        from {
            instance R2;
            protocol direct;
        }
        then accept;
    }
}
security {
    zones {
        security-zone Z1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                lt-0/0/0.1;
            }
        }
        security-zone Z2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
                lt-0/0/0.2;
            }
        }
    }
    policies {
        from-zone Z1 to-zone Z1 {
            policy Z1-Z1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Z2 to-zone Z2 {
            policy Z2-Z2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        traceoptions {
            file lt-testing;
            flag basic-datapath;
            packet-filter 1 {
                source-prefix 192.168.1.2/32;
                destination-prefix 192.168.2.2/32;
            }
        }
    }
}
routing-instances {
    R1 {
        instance-type virtual-router;
        interface lt-0/0/0.1;
        interface ge-0/0/1.0;
        protocols {
            ospf {
                traceoptions {
                    file R1;
                    flag all;
                }
                export p1;
                area 0.0.0.0 {
                    interface lt-0/0/0.1;
                }
            }
        }
    }
    R2 {
        instance-type virtual-router;
        interface lt-0/0/0.2;
        interface ge-0/0/2.0;
        protocols {
            ospf {
                export p2;
                area 0.0.0.0 {
                    interface lt-0/0/0.2;
                }
            }
        }
    }
}
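The peering rules listed under Overview (exactly one peer-unit per unit, matching encapsulation, a usable point-to-point address pair) can be checked mechanically before commit. The following Python script is an added example, not part of this article and not Junos code; it parses a constructed "| display set" rendering of the lt-0/0/0 configuration above, together with a made-up lt-0/0/1 that deliberately breaks the rules, and reports every unit whose peer does not point back, whose encapsulation differs from its peer's, or whose inet address shares no subnet with its peer.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the article's lt-0/0/0 configuration rendered in
# "show configuration | display set" form, plus an lt-0/0/1 that is made up for this
# example and deliberately violates the peering rules.
SAMPLE_SET_CONFIG = """\
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 10.20.30.1/30
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 10.20.30.2/30
set interfaces lt-0/0/1 unit 1 encapsulation ethernet
set interfaces lt-0/0/1 unit 1 peer-unit 2
set interfaces lt-0/0/1 unit 1 family inet address 10.20.31.1/30
set interfaces lt-0/0/1 unit 2 encapsulation frame-relay
set interfaces lt-0/0/1 unit 2 peer-unit 3
set interfaces lt-0/0/1 unit 2 family inet address 10.20.32.2/30
"""

LINE_RE = re.compile(r"^set interfaces (?P<ifd>lt-\d+/\d+/\d+) unit (?P<unit>\d+) (?P<rest>.+)$")


def parse_lt_units(config_text):
    """Collect per-unit peer-unit, encapsulation and inet addresses for every lt interface."""
    units = defaultdict(lambda: defaultdict(lambda: {"peer": [], "encap": None, "inet": []}))
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an lt unit statement (other interfaces, zones, ...)
        u = units[m["ifd"]][int(m["unit"])]
        rest = m["rest"].split()
        if rest[0] == "peer-unit":
            u["peer"].append(int(rest[1]))  # every occurrence is kept so duplicates are visible
        elif rest[0] == "encapsulation":
            u["encap"] = rest[1]
        elif rest[:3] == ["family", "inet", "address"]:
            u["inet"].append(ipaddress.ip_interface(rest[3]))
    return units


def check_lt_peering(config_text):
    """Return human-readable findings; an empty list means every lt unit is consistently peered."""
    findings = []
    for ifd, by_unit in parse_lt_units(config_text).items():
        for unit, u in sorted(by_unit.items()):
            name = f"{ifd}.{unit}"
            if len(u["peer"]) != 1:
                findings.append(f"{name}: expected exactly one peer-unit, found {u['peer']}")
                continue
            peer = u["peer"][0]
            if peer == unit:
                findings.append(f"{name}: peers with itself")
                continue
            p = by_unit.get(peer)
            if p is None:
                findings.append(f"{name}: peer-unit {peer} is not configured")
                continue
            if p["peer"] != [unit]:
                findings.append(f"{name}: peer-unit {peer} does not point back (it has {p['peer']})")
            if u["encap"] is None:
                findings.append(f"{name}: no encapsulation configured")
            elif p["encap"] is not None and u["encap"] != p["encap"]:
                findings.append(f"{name}: encapsulation {u['encap']} differs from peer's {p['encap']}")
            # A point-to-point link only carries routing-protocol traffic when both ends share a subnet.
            if u["inet"] and p["inet"] and not any(
                a.network == b.network for a in u["inet"] for b in p["inet"]
            ):
                findings.append(f"{name}: no inet address shares a subnet with peer unit {peer}")
    return findings


if __name__ == "__main__":
    for finding in check_lt_peering(SAMPLE_SET_CONFIG) or ["all lt units consistently peered"]:
        print(finding)
```

Run against the sample, lt-0/0/0 produces no findings, while lt-0/0/1 produces four: unit 1's peer does not point back, the encapsulations differ, the two /30 addresses are in different subnets, and unit 2 names a peer-unit 3 that does not exist. Feed it the real output of show configuration interfaces | display set to check a live device.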
Verification
  1. Verify the OSPF adjacency between the two instances using the show ospf neighbor command:
    [edit]
    root@jtac# run show ospf neighbor instance R1 
    Address          Interface              State     ID               Pri  Dead
    10.20.30.2       lt-0/0/0.1             Full      10.20.30.2       128    34
    
    [edit]
    root@jtac# run show ospf neighbor instance R2    
    Address          Interface              State     ID               Pri  Dead
    10.20.30.1       lt-0/0/0.2             Full      10.20.30.1       128    36
  2. Verify the routing table in both instances.
    [edit]
    root@jtac# run show route 
    
    R1.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.20.30.0/30      *[Direct/0] 00:50:18
                        > via lt-0/0/0.1
    10.20.30.1/32      *[Local/0] 00:50:18
                          Local via lt-0/0/0.1
    192.168.1.0/24     *[Direct/0] 00:20:24
                        > via ge-0/0/1.0
    192.168.1.1/32     *[Local/0] 00:20:24
                          Local via ge-0/0/1.0
    192.168.2.0/24     *[OSPF/150] 00:43:29, metric 0, tag 0
                        > to 10.20.30.2 via lt-0/0/0.1
    224.0.0.5/32       *[OSPF/10] 00:56:36, metric 1
                          MultiRecv
    
    R2.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.20.30.0/30      *[Direct/0] 00:50:18
                        > via lt-0/0/0.2
    10.20.30.2/32      *[Local/0] 00:50:18
                          Local via lt-0/0/0.2
    192.168.1.0/24     *[OSPF/150] 00:20:24, metric 0, tag 0
                        > to 10.20.30.1 via lt-0/0/0.2
    192.168.2.0/24     *[Direct/0] 00:43:29
                        > via ge-0/0/2.0
    192.168.2.1/32     *[Local/0] 00:56:35
                          Local via ge-0/0/2.0
    224.0.0.5/32       *[OSPF/10] 00:56:36, metric 1
                          MultiRecv
    
  3. Check the session table.
    [edit]
    root@jtac# run show security flow session | no-more    
    Session ID: 793, Policy name: self-traffic-policy/1, Timeout: 52, Valid
      In: 10.20.30.1/1 --> 224.0.0.5/1;ospf, If: lt-0/0/0.2, Pkts: 375, Bytes: 25680
      Out: 224.0.0.5/1 --> 10.20.30.1/1;ospf, If: .local..4, Pkts: 0, Bytes: 0
    
    Session ID: 794, Policy name: self-traffic-policy/1, Timeout: 58, Valid
      In: 10.20.30.2/1 --> 224.0.0.5/1;ospf, If: lt-0/0/0.1, Pkts: 384, Bytes: 26280
      Out: 224.0.0.5/1 --> 10.20.30.2/1;ospf, If: .local..5, Pkts: 0, Bytes: 0
    
    Session ID: 2122, Policy name: Z1-Z1/5, Timeout: 2, Valid
      In: 192.168.1.2/17 --> 192.168.2.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 192.168.2.2/1 --> 192.168.1.2/17;icmp, If: lt-0/0/0.1, Pkts: 1, Bytes: 60
    
    Session ID: 2123, Policy name: Z2-Z2/6, Timeout: 2, Valid
      In: 192.168.1.2/17 --> 192.168.2.2/1;icmp, If: lt-0/0/0.2, Pkts: 1, Bytes: 60
      Out: 192.168.2.2/1 --> 192.168.1.2/17;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
    Total sessions: 4
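In this small lab the two entries per transit packet are easy to spot by eye; on a busy device it helps to pair them programmatically. The Python script below is an added example, not from this article and not Juniper code. It parses a constructed subset of the show security flow session output above (sessions 794, 2122 and 2123), groups sessions by the 5-tuple of their In wing, and reports pairs where the Out interface of one session is the configured lt peer of the In interface of the other. The LT_PEERS map is an assumption made for the example; in practice it is derived from the interfaces configuration.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the article's "show security flow session"
# output (sessions 794, 2122 and 2123), reproduced here only as test data.
SAMPLE_SESSIONS = """\
Session ID: 794, Policy name: self-traffic-policy/1, Timeout: 58, Valid
  In: 10.20.30.2/1 --> 224.0.0.5/1;ospf, If: lt-0/0/0.1, Pkts: 384, Bytes: 26280
  Out: 224.0.0.5/1 --> 10.20.30.2/1;ospf, If: .local..5, Pkts: 0, Bytes: 0

Session ID: 2122, Policy name: Z1-Z1/5, Timeout: 2, Valid
  In: 192.168.1.2/17 --> 192.168.2.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 192.168.2.2/1 --> 192.168.1.2/17;icmp, If: lt-0/0/0.1, Pkts: 1, Bytes: 60

Session ID: 2123, Policy name: Z2-Z2/6, Timeout: 2, Valid
  In: 192.168.1.2/17 --> 192.168.2.2/1;icmp, If: lt-0/0/0.2, Pkts: 1, Bytes: 60
  Out: 192.168.2.2/1 --> 192.168.1.2/17;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
Total sessions: 3
"""

# Assumed for this example: which lt unit peers with which. In the article it is
# unit 1 <-> unit 2; in practice derive this from the interfaces configuration.
LT_PEERS = {"lt-0/0/0.1": "lt-0/0/0.2", "lt-0/0/0.2": "lt-0/0/0.1"}

HEADER_RE = re.compile(r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>\S+), Timeout: (?P<timeout>\d+)")
WING_RE = re.compile(
    r"^(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), "
    r"If: (?P<ifl>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


def parse_sessions(text):
    """Turn the CLI output into dicts carrying an 'In' and an 'Out' wing each."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            cur = {"id": int(h["id"]), "policy": h["policy"], "timeout": int(h["timeout"])}
            sessions.append(cur)
            continue
        w = WING_RE.match(line)
        if w and cur is not None:
            cur[w["dir"]] = {k: w[k] for k in ("src", "sport", "dst", "dport", "proto", "ifl")}
    return sessions


def flow_key(session):
    """Client-to-server 5-tuple of the In wing; both halves of a transit flow share it."""
    w = session["In"]
    return (w["src"], w["sport"], w["dst"], w["dport"], w["proto"])


def pair_lt_sessions(sessions, lt_peers=LT_PEERS):
    """Return (first_id, second_id) for flows handed from an lt unit to its peer unit."""
    by_key = defaultdict(list)
    for s in sessions:
        if "In" in s and "Out" in s:
            by_key[flow_key(s)].append(s)
    pairs = []
    for group in by_key.values():
        for a in group:
            for b in group:
                # a leaves via an lt unit and b arrives on that unit's peer: same packet, second pass
                if a is not b and lt_peers.get(a["Out"]["ifl"]) == b["In"]["ifl"]:
                    pairs.append((a["id"], b["id"]))
    return pairs


def describe_transit(sessions, lt_peers=LT_PEERS):
    """End-to-end view of each paired flow: real ingress/egress interfaces and the policies hit."""
    by_id = {s["id"]: s for s in sessions}
    out = []
    for first, second in pair_lt_sessions(sessions, lt_peers):
        a, b = by_id[first], by_id[second]
        out.append({
            "flow": flow_key(a),
            "ingress": a["In"]["ifl"],
            "egress": b["Out"]["ifl"],
            "policies": [a["policy"], b["policy"]],
            "session_ids": [first, second],
        })
    return out


if __name__ == "__main__":
    for t in describe_transit(parse_sessions(SAMPLE_SESSIONS)):
        print(t)
```

On the sample this pairs sessions 2122 and 2123 into one transit flow from ge-0/0/1.0 to ge-0/0/2.0 that matched Z1-Z1/5 and then Z2-Z2/6, while the OSPF self-traffic session 794 stays unpaired because its Out wing terminates locally rather than on an lt unit. A flow that shows only one half of such a pair is the first thing to look for when traffic across the tunnel fails: it usually means the packet was dropped on the second pass, for example by the second zone's policy.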
    
    
In the following flow trace, captured with the traceoptions packet-filter configured above, a single ICMP packet is sent between the two hosts in different routing instances and transits the SRX Branch device through the logical tunnel. As expected, the session table shows two entries (IDs 2122 and 2123) for this one packet (ipid 60):
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT:<192.168.1.2/17->192.168.2.2/1;1> matched filter 1:
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT:packet [60] ipid = 297, @43ea261c
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT:---- flow_process_pkt: (thd 6): flow_ctxt type 13, common flag 0x0, mbuf 0x43ea2480, rtbl_idx = 0
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/1.0
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT:  ge-0/0/1.0:192.168.1.2->192.168.2.2, icmp, (8/0)
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT: find flow: table 0x5cec9ba8, hash 22784(0xffff), sa 192.168.1.2, da 192.168.2.2, sp 17, dp 1, proto 1, tok 394
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:self ip check: not for self (address=c0a80202)
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  flow_first_create_session
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 192.168.2.2, sp 17, dp 1
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.2.2(1)
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 192.168.1.2, x_dst_ip 192.168.2.2, in ifp ge-0/0/1.0, out ifp N/A sp 17, dp 1, ip_proto 1, tos 0
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:Doing DESTINATION addr route-lookup
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  routed (x_dst_ip 192.168.2.2) from Z1 (ge-0/0/1.0 in 0) to lt-0/0/0.1, Next-hop: 10.20.30.2
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  policy search from zone Z1-> zone Z1 (0x0,0x110001,0x1)
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:flow_first_src_xlate: 192.168.1.2/17 -> 192.168.2.2/1 | 192.168.2.2/1 -> 0.0.0.0/17: nat_src_xlated: False, nat_src_xlate_failed: False
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(17) to 192.168.2.2(1) returns status: 0, rule/pool id: 0/0, pst_nat: False.
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  dip id = 0/0, 192.168.1.2/17->192.168.1.2/17
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  choose interface lt-0/0/0.1 as outgoing phy if
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:is_loop_pak: No loop: on ifp: lt-0/0/0.1, addr: 192.168.2.2, rtt_idx:5
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:jsf sess interest check. regd plugins 10
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT: Allocating plugin info block for 12 plugin(s) from OL
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:-jsf int check: plugin id  1, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x2. rc 4
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:-jsf int check: plugin id  9, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:-jsf int check: plugin id 10, svc_req 0x0. rc 2
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT: No JSF plugins enabled for session
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT: Releasing plugin info block for 12 plugin(s) to OL
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:flow_first_service_lookup(): natp(0x5e8ad9b8): app_id, 0(0).
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  service lookup identified service 0.
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <lt-0/0/0.1>
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  existing vector list 200-51ab6360.
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  Session (id:2122) created for first pak 200
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  flow_first_install_session======> 0x5e8ad9b8
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT: nsp 0x5e8ad9b8, nsp2 0x5e8ada1c
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  make_nsp_ready_no_resolve()
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  route lookup: dest-ip 192.168.1.2 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 orig-zone 6 out-zone 6 vsd 0
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  route to 192.168.1.2
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:Doing jsf sess create notify
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:Installing c2s NP session wing
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:Installing s2c NP session wing
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  flow got session.
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  flow session id 2122
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:mbuf 0x43ea2480, exit nh 0x60010
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:<192.168.1.2/17->192.168.2.2/1;1> matched filter 1:
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:packet [60] ipid = 297, @43ea261c
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:---- flow_process_pkt: (thd 6): flow_ctxt type 0, common flag 0x0, mbuf 0x43ea2480, rtbl_idx = 0
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT: flow_process_pkt_exception mbuf 43ea2480, ifd=75, ctxt_type=0, in_ifp <Z2:lt-0/0/0.2>
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  lt-0/0/0.2:192.168.1.2->192.168.2.2, icmp, (8/0)
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT: find flow: table 0x5cec9ba8, hash 22784(0xffff), sa 192.168.1.2, da 192.168.2.2, sp 17, dp 1, proto 1, tok 520
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:self ip check: not for self (address=c0a80202)
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  flow_first_create_session
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  flow_first_in_dst_nat: in <lt-0/0/0.2>, out <N/A> dst_adr 192.168.2.2, sp 17, dp 1
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  chose interface lt-0/0/0.2 as incoming nat if.
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.2.2(1)
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 192.168.1.2, x_dst_ip 192.168.2.2, in ifp lt-0/0/0.2, out ifp N/A sp 17, dp 1, ip_proto 1, tos 0
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:Doing DESTINATION addr route-lookup
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  routed (x_dst_ip 192.168.2.2) from Z2 (lt-0/0/0.2 in 0) to ge-0/0/2.0, Next-hop: 192.168.2.2
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  policy search from zone Z2-> zone Z2 (0x0,0x110001,0x1)
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:flow_first_src_xlate: 192.168.1.2/17 -> 192.168.2.2/1 | 192.168.2.2/1 -> 0.0.0.0/17: nat_src_xlated: False, nat_src_xlate_failed: False
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(17) to 192.168.2.2(1) returns status: 0, rule/pool id: 0/0, pst_nat: False.
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  dip id = 0/0, 192.168.1.2/17->192.168.1.2/17
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  choose interface ge-0/0/2.0 as outgoing phy if
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/2.0, addr: 192.168.2.2, rtt_idx:4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:jsf sess interest check. regd plugins 10
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT: Allocating plugin info block for 12 plugin(s) from OL
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:-jsf int check: plugin id  1, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x2. rc 4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:-jsf int check: plugin id  9, svc_req 0x0. rc 4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:-jsf int check: plugin id 10, svc_req 0x0. rc 2
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT: No JSF plugins enabled for session
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT: Releasing plugin info block for 12 plugin(s) to OL
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:flow_first_service_lookup(): natp(0x5e8adb50): app_id, 0(0).
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  service lookup identified service 0.
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  flow_first_final_check: in <lt-0/0/0.2>, out <ge-0/0/2.0>
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  existing vector list 200-51ab6360.
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  Session (id:2123) created for first pak 200
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  flow_first_install_session======> 0x5e8adb50
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT: nsp 0x5e8adb50, nsp2 0x5e8adbb4
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  make_nsp_ready_no_resolve()
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  route lookup: dest-ip 192.168.1.2 orig ifp lt-0/0/0.2 output_ifp lt-0/0/0.2 orig-zone 8 out-zone 8 vsd 0
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  route to 10.20.30.1
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:Doing jsf sess create notify
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:Installing c2s NP session wing
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:Installing s2c NP session wing
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  flow got session.
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  flow session id 2123
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:mbuf 0x43ea2480, exit nh 0x70010
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT: flow_exit: SZ 0 cached_session 0
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:flow_process_pkt_exception: Freeing lpak 59f7edc8 associated with mbuf 0x43ea2480
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
 
Note: To establish bidirectional communication between two hosts that are in separate security zones and routing instances connected through a logical tunnel interface, the SRX Branch Series does not require any inter-zone security policy; an intra-zone policy in each zone is all that is needed.

The logical tunnel interface acts as the termination point in the first instance and as the originating point in the second instance. That is why the same packet produces two entries in the session table.
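A full basic-datapath trace is long, and the two passes of one packet are easy to lose among the NAT and plugin lines. The Python summariser below is an added example, not part of this article and not Junos code; it runs over a constructed, trimmed copy of the trace above (both passes of the same ICMP packet, long lines joined) and extracts for each flow_process_pkt pass the ingress interface, the route-lookup result, the zone pair searched for policy and the session created, which lays out the hand-off from lt-0/0/0.1 in Z1 to lt-0/0/0.2 in Z2 that the Note describes.

```python
import re

# Constructed sample input: a trimmed copy of the article's basic-datapath trace,
# keeping only the lines this summariser reads, for both passes of the same packet.
SAMPLE_TRACE = """\
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT:<192.168.1.2/17->192.168.2.2/1;1> matched filter 1:
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT:---- flow_process_pkt: (thd 6): flow_ctxt type 13, common flag 0x0, mbuf 0x43ea2480, rtbl_idx = 0
Jun 17 05:17:49 05:17:47.1931423:CID-0:RT:  ge-0/0/1.0:192.168.1.2->192.168.2.2, icmp, (8/0)
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  routed (x_dst_ip 192.168.2.2) from Z1 (ge-0/0/1.0 in 0) to lt-0/0/0.1, Next-hop: 10.20.30.2
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  policy search from zone Z1-> zone Z1 (0x0,0x110001,0x1)
Jun 17 05:17:49 05:17:47.1931925:CID-0:RT:  Session (id:2122) created for first pak 200
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:---- flow_process_pkt: (thd 6): flow_ctxt type 0, common flag 0x0, mbuf 0x43ea2480, rtbl_idx = 0
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  lt-0/0/0.2:192.168.1.2->192.168.2.2, icmp, (8/0)
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  routed (x_dst_ip 192.168.2.2) from Z2 (lt-0/0/0.2 in 0) to ge-0/0/2.0, Next-hop: 192.168.2.2
Jun 17 05:17:49 05:17:47.1932426:CID-0:RT:  policy search from zone Z2-> zone Z2 (0x0,0x110001,0x1)
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT:  Session (id:2123) created for first pak 200
Jun 17 05:17:49 05:17:47.1932928:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""

# Strip the "Jun 17 ... :CID-0:RT:" prefix so the rest of the line can be matched directly.
PREFIX_RE = re.compile(r"^.*?:CID-\d+:RT:\s*")
PKT_RE = re.compile(r"^(?P<ifl>\S+):(?P<src>[\d.]+)->(?P<dst>[\d.]+), (?P<proto>\w+)")
ROUTED_RE = re.compile(
    r"^routed \(x_dst_ip (?P<dst>[\d.]+)\) from (?P<zone>\S+) \((?P<in_ifl>\S+) in \d+\) "
    r"to (?P<out_ifl>[^,]+), Next-hop: (?P<nh>[\d.]+)"
)
POLICY_RE = re.compile(r"^policy search from zone (?P<from>\S+)-> zone (?P<to>\S+)")
SESSION_RE = re.compile(r"^Session \(id:(?P<id>\d+)\) created")
RC_RE = re.compile(r"^----- flow_process_pkt rc (?P<rc>0x[0-9a-fA-F]+)")


def summarize_passes(trace_text):
    """One dict per flow_process_pkt pass with the fields a triage usually needs."""
    passes, cur = [], None
    for raw in trace_text.splitlines():
        line = PREFIX_RE.sub("", raw, count=1).strip()
        if line.startswith("---- flow_process_pkt:"):
            cur = {"first_path": False}  # a new pass begins
            passes.append(cur)
            continue
        if cur is None:
            continue  # lines outside a pass (e.g. the "matched filter" banner)
        m = RC_RE.match(line)
        if m:
            cur["rc"] = m["rc"]  # pass finished
            cur = None
            continue
        m = PKT_RE.match(line)
        if m and "in_ifl" not in cur:
            cur.update(in_ifl=m["ifl"], src=m["src"], dst=m["dst"], proto=m["proto"])
            continue
        if line.startswith("no session found, start first path"):
            cur["first_path"] = True
            continue
        m = ROUTED_RE.match(line)
        if m:
            cur.update(from_zone=m["zone"], out_ifl=m["out_ifl"], next_hop=m["nh"])
            continue
        m = POLICY_RE.match(line)
        if m:
            cur["policy_zones"] = (m["from"], m["to"])
            continue
        m = SESSION_RE.match(line)
        if m:
            cur["session_id"] = int(m["id"])
    return passes


def transit_path(passes):
    """(ingress ifl, zone, egress ifl, session id) for each first-path pass, in order."""
    return [(p["in_ifl"], p["from_zone"], p["out_ifl"], p["session_id"])
            for p in passes if p.get("first_path")]


if __name__ == "__main__":
    for hop in transit_path(summarize_passes(SAMPLE_TRACE)):
        print(hop)
```

For the sample this yields two first-path passes: ge-0/0/1.0 in Z1 routed to lt-0/0/0.1 (session 2122), then lt-0/0/0.2 in Z2 routed to ge-0/0/2.0 (session 2123), each with an intra-zone policy search and rc 0x0. When a packet is dropped in the second instance, the second pass is where the missing session or a non-zero rc shows up, so the summary points directly at the instance and zone to inspect.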