Traffic from Subnet A of Vsys-1 to Subnet B of Vsys-2 fails. The output of debug flow basic contains the packet dropped, Cross vsys deny:Null ifp error message.
Sample output:
Here, you can see that the ethernet1/2 ingress interface is bound to vsys-1. The 9.9.9.9 destination IP is bound to another custom vsys.
****** 18302.0: <Trust-vsys1/ethernet1/2> packet received [128]******
ipid = 8254(203e), @0c9a0094
self:8.8.8.8/46628->9.9.9.9/1024,1(8/0)<vsys1>
flow_decap_vector IPv4 process
ethernet1/2:8.8.8.8/46628->9.9.9.9/1024,1(8/0)<vsys1>
no session found
flow_first_sanity_check: in <ethernet1/2>, out <ethernet1/3>
chose interface ethernet1/2 as incoming nat if.
IP classification from non-shared src if : vsys vsys1
flow_first_routing: in <ethernet1/2>, out <ethernet1/3>
search route to (ethernet1/2, 8.8.8.8->9.9.9.9) in vr vsys1-vr for vsd-0/flag-0/ifp-null
[ Dest] 5.route 9.9.9.9->9.9.9.9, to ethernet1/3
routed (x_dst_ip 9.9.9.9) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/3
packet dropped, Cross vsys deny:Null ifp
This error message is generated in the output of debug flow basic when:
- No interface (physical or loopback) is bound to the default shared untrust zone in the root vsys.
- No interface (physical or loopback) is bound to a custom shared zone in the root vsys.
For inter-vsys traffic to work, one of the following conditions has to be met:
- At least one physical interface should be bound to the default shared untrust zone.
- At least one loopback interface should be bound to the default shared untrust zone.
- At least one loopback interface should be bound to the shared-dmz zone, and the shared-dmz zone should be bound to both the ingress vsys (vsys1) and the egress vsys (vsys2).
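As an added example (not part of this KB article), the following Python script reduces a debug flow basic trace like the one above to the fields that matter for this problem (ingress interface, vsys, route-search flags, drop reason) and points at the shared-zone check described here; the sample trace is the page's own output embedded inline, and the field names are this script's own.

```python
import re

# Constructed sample: the debug flow basic excerpt shown in this article.
SAMPLE_TRACE = """\
****** 18302.0: <Trust-vsys1/ethernet1/2> packet received [128]******
ipid = 8254(203e), @0c9a0094
self:8.8.8.8/46628->9.9.9.9/1024,1(8/0)<vsys1>
flow_decap_vector IPv4 process
ethernet1/2:8.8.8.8/46628->9.9.9.9/1024,1(8/0)<vsys1>
no session found
flow_first_sanity_check: in <ethernet1/2>, out <ethernet1/3>
IP classification from non-shared src if : vsys vsys1
flow_first_routing: in <ethernet1/2>, out <ethernet1/3>
search route to (ethernet1/2, 8.8.8.8->9.9.9.9) in vr vsys1-vr for vsd-0/flag-0/ifp-null
[ Dest] 5.route 9.9.9.9->9.9.9.9, to ethernet1/3
routed (x_dst_ip 9.9.9.9) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/3
packet dropped, Cross vsys deny:Null ifp
"""

RECEIVED = re.compile(r"<(?P<zone>[^/>]+)/(?P<ifp>[^>]+)> packet received")
FLOW = re.compile(r"^(?P<ifp>[^:\s]+):(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,\d+\([^)]*\)<(?P<vsys>[^>]+)>")
ROUTE = re.compile(r"^search route to .* in vr (?P<vr>\S+) for (?P<flags>\S+)$")
ROUTED = re.compile(r"^routed .* to (?P<egress>\S+)$")
DROP = re.compile(r"^packet dropped, (?P<reason>.+)$")

def parse_flow_trace(text):
    """Summarise one 'debug flow basic' packet trace as a dict of key fields."""
    info = dict.fromkeys(["zone", "ingress", "src", "dst", "vsys", "vr",
                          "route_flags", "egress", "drop_reason"])
    for line in text.splitlines():
        line = line.strip()
        if m := RECEIVED.search(line):      # first line: ingress zone/interface
            info["zone"], info["ingress"] = m["zone"], m["ifp"]
        elif m := FLOW.match(line):         # 5-tuple line, tagged with the ingress vsys
            info["src"], info["dst"], info["vsys"] = m["src"], m["dst"], m["vsys"]
        elif m := ROUTE.match(line):        # route lookup; ifp-null means no shared ifp
            info["vr"], info["route_flags"] = m["vr"], m["flags"]
        elif m := ROUTED.match(line):
            info["egress"] = m["egress"]
        elif m := DROP.match(line):
            info["drop_reason"] = m["reason"]
    info["null_ifp"] = bool(info["route_flags"] and "ifp-null" in info["route_flags"])
    return info

def diagnose(info):
    """Map the drop reason to the configuration check this article recommends."""
    if info["drop_reason"] == "Cross vsys deny:Null ifp":
        return ("inter-vsys drop from {ingress} ({vsys}) to {dst}: verify that an interface is "
                "bound to a shared zone (shared untrust or shared-dmz) in the root vsys").format(**info)
    return "no cross-vsys drop in this trace"
```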
For more information, refer to KB25220 - [ScreenOS] How to setup inter-vsys routing by using the default shared untrust zone.