
[Archive][SRX] Traffic is dropped in intra zone policy based VPN with 'VPN firstpath permit check failed' message in flow trace options



Article ID: KB23082 | KB Last Updated: 25 Jun 2020 | Version: 2.0

This article describes the 'VPN firstpath permit check failed' message seen in flow traceoptions when a policy based VPN is configured between two interfaces in the same zone.

When a policy based VPN is configured within the same zone, the tunnel comes up, but traffic is dropped. With flow traceoptions enabled, the packets are dropped with the following message:

Flow traceoptions:
Feb 22 01:37:29 01:37:29.170010:CID-0:RT:<>;1> matched filter pfe:
Feb 22 01:37:29 01:37:29.170010:CID-0:RT:packet [84] ipid = 29526, @423ea81c
Feb 22 01:37:29 01:37:29.170010:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 14, common flag 0x0, mbuf 0x423ea600, rtbl_idx = 0
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: flow process pak fast ifl 83 in_ifp ge-0/0/13.0
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: ge-0/0/13.0:>, icmp, (8/0)
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: find flow: table 0x4f535218, hash 61661(0xffff), sa, da, sp 0, dp 7184, proto 1, tok 6
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: flow_first_create_session
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/13.0>, out <N/A> dst_adr, sp 0, dp 7184
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: chose interface ge-0/0/13.0 as incoming nat if.
Feb 22 01:37:29 01:37:29.170290:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: to
Feb 22 01:37:29 01:37:29.170290:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip, x_dst_ip, in ifp ge-0/0/13.0, out ifp N/A sp 0, dp 7184, ip_proto 1, tos 0
Feb 22 01:37:29 01:37:29.170290:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: routed (x_dst_ip from 220 (ge-0/0/13.0 in 0) to ge-0/0/14.0, Next-hop:
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: policy search from zone 220-> zone 220 (0x0,0x1c10,0x1c10)
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Feb 22 01:37:29 01:37:29.170290:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: flow find session returns error.
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

root@TCN-79370-XT2R# show security policies from-zone 220 to-zone 220 policy 220_220
match {
    source-address [ ];
    destination-address [ ];
    application any;
}
then {
    permit {
        tunnel {
            ipsec-vpn ipsec_vpn;
        }
    }
}

Neither Junos nor ScreenOS supports a policy based VPN between interfaces in the same zone; the flow module rejects the tunnel policy at first-path lookup, which is what the 'VPN firstpath permit check failed' message reports. The workaround is to configure a route based VPN instead. An intra-zone policy based VPN has never been supported on either ScreenOS or Junos.
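A route based replacement for the intra-zone tunnel policy above, as an added example that is not from the original article. Assumed (not on the page): the zone name "vpn", the st0 unit and its address, the remote network 192.168.2.0/24, the "any" address match, and that the existing ipsec_vpn VPN already has its IKE gateway and IPsec policy configured; lines beginning with "#" are explanatory comments.

```junos
# Remove the unsupported intra-zone tunnel policy (zone 220 -> zone 220).
delete security policies from-zone 220 to-zone 220 policy 220_220

# Create a secure tunnel interface and put it in its own zone, so VPN traffic
# crosses a zone boundary (220 -> vpn) instead of staying inside zone 220.
# 10.10.10.1/30 is an assumed tunnel address.
set interfaces st0 unit 0 family inet address 10.10.10.1/30
set security zones security-zone vpn interfaces st0.0

# Bind the existing VPN to st0.0; the IKE gateway and IPsec policy under
# ipsec_vpn are assumed to be already present from the policy based setup.
set security ipsec vpn ipsec_vpn bind-interface st0.0
set security ipsec vpn ipsec_vpn establish-tunnels immediately

# Route the remote network into the tunnel. The route lookup, not the policy,
# now selects the VPN, so the packet is no longer routed out ge-0/0/14.0 inside
# zone 220 and the 'VPN firstpath permit check' is not involved.
# 192.168.2.0/24 is an assumed remote prefix.
set routing-options static route 192.168.2.0/24 next-hop st0.0

# Ordinary inter-zone permit policies in both directions, with no "tunnel"
# action. Narrow the "any" matches to the real address books before commit.
set security policies from-zone 220 to-zone vpn policy 220_to_vpn match source-address any
set security policies from-zone 220 to-zone vpn policy 220_to_vpn match destination-address any
set security policies from-zone 220 to-zone vpn policy 220_to_vpn match application any
set security policies from-zone 220 to-zone vpn policy 220_to_vpn then permit
set security policies from-zone vpn to-zone 220 policy vpn_to_220 match source-address any
set security policies from-zone vpn to-zone 220 policy vpn_to_220 match destination-address any
set security policies from-zone vpn to-zone 220 policy vpn_to_220 match application any
set security policies from-zone vpn to-zone 220 policy vpn_to_220 then permit
```

After commit, `show security ipsec security-associations` should list the SA as up and `show route 192.168.2.0/24` should resolve the remote prefix via st0.0; a new flow trace for the same packet should then show a policy search from zone 220 to zone vpn rather than 220 to 220.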

Modification History:
This feature is very rarely used, so the article has been moved to '[Archive]'.