[SRX] Traffic is dropped in intra zone policy based VPN with 'VPN firstpath permit check failed' message in flow trace options

[KB23082]


Summary:
This article describes the 'VPN firstpath permit check failed' message that appears in the flow traceoptions when a policy-based VPN is configured between interfaces of the same security zone.
Symptoms:
When a policy-based VPN is configured within a single zone, the tunnel comes up, but traffic is dropped. With flow traceoptions enabled, the packets are dropped with the following message:

Flow traceoptions:

Feb 22 01:37:29 01:37:29.170010:CID-0:RT:<1.1.1.1/0->4.4.4.1/7184;1> matched filter pfe:
Feb 22 01:37:29 01:37:29.170010:CID-0:RT:packet [84] ipid = 29526, @423ea81c
Feb 22 01:37:29 01:37:29.170010:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 14, common flag 0x0, mbuf 0x423ea600, rtbl_idx = 0
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: flow process pak fast ifl 83 in_ifp ge-0/0/13.0
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: ge-0/0/13.0:1.1.1.1->4.4.4.1, icmp, (8/0)
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: find flow: table 0x4f535218, hash 61661(0xffff), sa 1.1.1.1, da 4.4.4.1, sp 0, dp 7184, proto 1, tok 6
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Feb 22 01:37:29 01:37:29.170010:CID-0:RT: flow_first_create_session
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/13.0>, out <N/A> dst_adr 4.4.4.1, sp 0, dp 7184
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: chose interface ge-0/0/13.0 as incoming nat if.
Feb 22 01:37:29 01:37:29.170290:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 4.4.4.1(7184)
Feb 22 01:37:29 01:37:29.170290:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 1.1.1.1, x_dst_ip 4.4.4.1, in ifp ge-0/0/13.0, out ifp N/A sp 0, dp 7184, ip_proto 1, tos 0
Feb 22 01:37:29 01:37:29.170290:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: routed (x_dst_ip 4.4.4.1) from 220 (ge-0/0/13.0 in 0) to ge-0/0/14.0, Next-hop: 2.2.2.2
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: policy search from zone 220-> zone 220 (0x0,0x1c10,0x1c10)
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Feb 22 01:37:29 01:37:29.170290:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: flow find session returns error.
Feb 22 01:37:29 01:37:29.170290:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

Configuration:

root@TCN-79370-XT2R# show security policies from-zone 220 to-zone 220 policy 220_220
match {
    source-address [ 4.4.4.1/32 1.1.1.1/32 ];
    destination-address [ 1.1.1.1/32 4.4.4.1/32 ];
    application any;
}
then {
    permit {
        tunnel {
            ipsec-vpn ipsec_vpn;
        }
    }
}


Cause:
 
Solution:
Neither Junos nor ScreenOS supports a policy-based VPN whose source and destination lie in the same zone. The workaround is to configure a route-based VPN. Intra-zone policy-based VPN has never been supported in either ScreenOS or Junos.
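As an added example that is not part of the original article, the following snippet shows the same tunnel reworked as a route-based VPN: the policy loses its tunnel action, ipsec_vpn is bound to an st0 interface that is placed in zone 220, and a static route steers traffic for 4.4.4.1 into the tunnel instead of out ge-0/0/14.0. The st0.0 address is an assumption; the existing IKE gateway and IPsec policy already configured under ipsec_vpn are kept unchanged and are not repeated here.

```junos
interfaces {
    /* Secure tunnel interface; the VPN is bound to it rather than to a policy (address is an assumption) */
    st0 {
        unit 0 {
            family inet {
                address 10.255.0.1/30;
            }
        }
    }
}
routing-options {
    static {
        /* The route, not the policy, now sends traffic for the remote host into the tunnel */
        route 4.4.4.1/32 next-hop st0.0;
    }
}
security {
    ipsec {
        vpn ipsec_vpn {
            /* bind-interface turns ipsec_vpn into a route-based VPN; the ike stanza already present is kept */
            bind-interface st0.0;
            /* optional: negotiate the SA at commit instead of waiting for the first packet */
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone 220 {
            interfaces {
                /* st0.0 joins the interfaces already in zone 220, so the policy stays intra-zone */
                st0.0;
            }
        }
    }
    policies {
        from-zone 220 to-zone 220 {
            policy 220_220 {
                match {
                    source-address [ 4.4.4.1/32 1.1.1.1/32 ];
                    destination-address [ 1.1.1.1/32 4.4.4.1/32 ];
                    application any;
                }
                /* plain permit: the former 'tunnel { ipsec-vpn ipsec_vpn; }' action is removed */
                then {
                    permit;
                }
            }
        }
    }
}
```

Because `load merge` is additive, first remove the old tunnel action with `delete security policies from-zone 220 to-zone 220 policy 220_220 then permit tunnel`, then merge the snippet and commit. Afterwards `show route 4.4.4.1` should resolve to st0.0, `show security ipsec security-associations` should list the SA, and a fresh flow trace for the same packet shows the route lookup choosing st0.0 rather than ge-0/0/14.0 before the intra-zone policy permits it. If the remote peer stays policy-based, the 0.0.0.0/0 proxy identities that a route-based SRX proposes by default will not match the peer's policy-derived proxy IDs, and the vpn then needs a matching `ike proxy-identity` stanza.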

