
[ScreenOS] Inter-vsys routing fails and debug flow basic generates the 'packet dropped, Cross vsys deny:Null ifp' error message


Article ID: KB25505 | KB Last Updated: 10 Aug 2012 | Version: 1.0
Summary:
This article describes an inter-vsys routing failure in which the output of debug flow basic reports the 'packet dropped, Cross vsys deny:Null ifp' error message.
Symptoms:
Traffic from Subnet A of Vsys-1 to Subnet B of Vsys-2 fails. The output of debug flow basic reports the 'packet dropped, Cross vsys deny:Null ifp' error message.

Sample output:

Here, you can see that the ethernet1/2 ingress interface is bound to vsys-1, while the 9.9.9.9 destination IP belongs to another custom vsys. The route lookup in vsys1-vr is performed with ifp-null, and the packet is dropped immediately after being routed towards ethernet1/3.
****** 18302.0: <Trust-vsys1/ethernet1/2> packet received [128]******
ipid = 8254(203e), @0c9a0094
self:8.8.8.8/46628->9.9.9.9/1024,1(8/0)<vsys1>
flow_decap_vector IPv4 process
ethernet1/2:8.8.8.8/46628->9.9.9.9/1024,1(8/0)<vsys1>
no session found
flow_first_sanity_check: in <ethernet1/2>, out <ethernet1/3>
chose interface ethernet1/2 as incoming nat if.
IP classification from non-shared src if : vsys vsys1
flow_first_routing: in <ethernet1/2>, out <ethernet1/3>
search route to (ethernet1/2, 8.8.8.8->9.9.9.9) in vr vsys1-vr for vsd-0/flag-0/ifp-null
[ Dest] 5.route 9.9.9.9->9.9.9.9, to ethernet1/3
routed (x_dst_ip 9.9.9.9) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/3
packet dropped, Cross vsys deny:Null ifp

Cause:
This error message is generated in the output of debug flow basic when both of the following are true:

  • No interface (physical or loopback) is bound to the default shared untrust zone in root-vsys.

  • No interface (physical or loopback) is bound to a custom shared zone in root-vsys.
Solution:
For inter-vsys traffic to work, at least one of the following conditions has to be met:

  • At least one physical interface is bound to the default shared untrust zone.

  • At least one loopback interface is bound to the default shared untrust zone.

  • At least one loopback interface is bound to the shared-dmz zone, and the shared-dmz zone is bound to both the ingress vsys (vsys1) and the egress vsys (vsys2).

For more information, refer to KB25220 - [ScreenOS] How to setup inter-vsys routing by using the default shared untrust zone.
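The following Python script is an added example and is not Juniper code or part of the original article. It does two things a practitioner would want when triaging this symptom: it parses a debug flow basic capture to pull out the ingress interface, the flow tuple, the vsys and the drop reason, and it evaluates a simple model of the interface-to-zone bindings against the three conditions listed above to report which prerequisite for inter-vsys routing is (or is not) satisfied. The data model (Interface/Zone classes), the zone name "Untrust" standing for the default shared untrust zone, and the sample configurations are assumptions constructed for this example; the debug text is an excerpt of the output shown above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the 'debug flow basic' output shown in the article.
SAMPLE_DEBUG = """\
****** 18302.0: <Trust-vsys1/ethernet1/2> packet received [128]******
ipid = 8254(203e), @0c9a0094
self:8.8.8.8/46628->9.9.9.9/1024,1(8/0)<vsys1>
no session found
search route to (ethernet1/2, 8.8.8.8->9.9.9.9) in vr vsys1-vr for vsd-0/flag-0/ifp-null
routed (x_dst_ip 9.9.9.9) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/3
packet dropped, Cross vsys deny:Null ifp
"""

RECV_RE = re.compile(r"<(?P<zone>[^/>]+)/(?P<ifp>[^>]+)> packet received")
FLOW_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})/\d+->(?P<dst>\d+(?:\.\d+){3})/\d+,\d+\(\d+/\d+\)<(?P<vsys>[^>]+)>"
)
DROP_RE = re.compile(r"packet dropped, (?P<reason>.+)$")


def parse_debug_flow(text: str) -> dict:
    """Extract ingress zone/interface, first flow tuple, vsys and drop reason."""
    info = {}
    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:
            info["ingress_zone"], info["ingress_if"] = m.group("zone"), m.group("ifp")
            continue
        m = FLOW_RE.search(line)
        if m and "src" not in info:  # keep the first (pre-NAT) tuple only
            info.update(src=m.group("src"), dst=m.group("dst"), vsys=m.group("vsys"))
            continue
        m = DROP_RE.search(line)
        if m:
            info["drop_reason"] = m.group("reason").strip()
    return info


# Assumed, simplified model of zone/interface bindings (not the ScreenOS config format).
@dataclass
class Interface:
    name: str
    zone: str
    loopback: bool = False


@dataclass
class Zone:
    name: str
    shared: bool = False
    bound_vsys: frozenset = frozenset()  # vsys in which this shared zone is bound


DEFAULT_SHARED_UNTRUST = "Untrust"  # assumption: name of the root-vsys default shared untrust zone


def inter_vsys_prereq(interfaces, zones, ingress_vsys, egress_vsys):
    """Return (ok, reason) according to the article's three solution conditions."""
    zmap = {z.name: z for z in zones}
    for ifp in interfaces:
        z = zmap.get(ifp.zone)
        if z is None or not z.shared:
            continue
        # Conditions 1 and 2: any physical or loopback interface in the shared untrust zone.
        if z.name == DEFAULT_SHARED_UNTRUST:
            kind = "loopback" if ifp.loopback else "physical"
            return True, f"{kind} interface {ifp.name} is bound to shared zone {z.name}"
        # Condition 3: a loopback in a custom shared zone bound to both ingress and egress vsys.
        if ifp.loopback and {ingress_vsys, egress_vsys} <= set(z.bound_vsys):
            return True, f"loopback {ifp.name} in shared zone {z.name} bound to {ingress_vsys} and {egress_vsys}"
    return False, "no shared-zone interface usable by both vsys; expect 'Cross vsys deny:Null ifp'"


# Constructed configurations: the failing one from the article and the two fixes.
ZONES_BAD = [Zone("Untrust", shared=True), Zone("Trust-vsys1"), Zone("Trust-vsys2")]
IFS_BAD = [Interface("ethernet1/2", "Trust-vsys1"), Interface("ethernet1/3", "Trust-vsys2")]
IFS_FIX_UNTRUST = IFS_BAD + [Interface("loopback.1", "Untrust", loopback=True)]
ZONES_FIX_DMZ = ZONES_BAD + [Zone("shared-dmz", shared=True, bound_vsys=frozenset({"vsys1", "vsys2"}))]
IFS_FIX_DMZ = IFS_BAD + [Interface("loopback.2", "shared-dmz", loopback=True)]


def diagnose(debug_text, interfaces, zones, egress_vsys):
    """Tie the debug output to the config check: returns (parsed info, ok, reason)."""
    info = parse_debug_flow(debug_text)
    ok, reason = inter_vsys_prereq(interfaces, zones, info.get("vsys", "vsys1"), egress_vsys)
    return info, ok, reason


if __name__ == "__main__":
    for label, ifs, zs in (("as captured", IFS_BAD, ZONES_BAD),
                           ("loopback in Untrust", IFS_FIX_UNTRUST, ZONES_BAD),
                           ("loopback in shared-dmz", IFS_FIX_DMZ, ZONES_FIX_DMZ)):
        info, ok, reason = diagnose(SAMPLE_DEBUG, ifs, zs, "vsys2")
        print(f"{label}: {info.get('drop_reason')} -> ok={ok}: {reason}")
```

Run as-is, the script prints the parsed drop reason from the capture and then shows the first configuration failing the check while both fixes pass it; a half-configured shared-dmz zone (bound to only one of the two vsys) still fails, which mirrors the third condition's requirement that the zone be bound to both the ingress and the egress vsys.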