Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Inter-vsys routing fails and the output of debug flow basic displays the 'packet dropped, illegal src IP' error message

0

0
Article ID: KB25507 KB Last Updated: 13 Aug 2012Version: 1.0 Summary:
This article describes the issue of Inter-vsys routing failure and the packet dropped, illegal src IP error message being generated in the output of debug flow basic.
Symptoms:
Traffic from Subnet A of Vsys-1 to Subnet B of Vsys-2 fails. The output of debug flow basic displays the packet dropped, illegal src IP error message:

Sample output:

Here, you can see that the ethernet1/2 ingress interface is bound to vsys-1. The 9.9.9.9 destination IP is bound to another custom vsys.

****** 18523.0: <Trust-vsys1/ethernet1/2> packet received [128]******
ipid = 61705(f109), @0c99ed34
self:8.8.8.8/48028->9.9.9.9/1024,1(8/0)<vsys1>
flow_decap_vector IPv4 process
ethernet1/2:8.8.8.8/48028->9.9.9.9/1024,1(8/0)<vsys1>
no session found
flow_first_sanity_check: in <ethernet1/2>, out <ethernet1/3>
chose interface ethernet1/2 as incoming nat if.
IP classification from non-shared src if : vsys vsys1
flow_first_routing: in <ethernet1/2>, out <ethernet1/3>
search route to (ethernet1/2, 8.8.8.8->9.9.9.9) in vr vsys1-vr for vsd-0/flag-0/ifp-null
[ Dest] 5.route 9.9.9.9->9.9.9.9, to ethernet1/3
routed (x_dst_ip 9.9.9.9) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/3
Cross vsys (vsys1->vsys2) at ethernet1/3: need loopback push to Untrust
policy search from zone 19-> zone 1
policy_flow_search policy search nat_crt from zone 19-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys vsys1, ip 9.9.9.9, port 40085, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/0/0x1
Permitted by policy 1
dip id = 2, 8.8.8.8/48028->0.0.0.0/29576
choose interface ethernet1/3 as outgoing phy if
skip loopback check for cross vsys (vsys1->vsys2)
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/2>, out <ethernet1/3>
existing vector list 1-1bb3cc54.
Session (id:9058) created for first pak 1
loopback session processing
post addr xlation: 0.0.0.0->9.9.9.9.
flow_first_sanity_check: in <ethernet1/4>, out <N/A>
packet dropped, illegal src IP
loopback session failed
Cause:
This error message is generated, when:

  • The physical interface, which is bound to the default shared untrust zone in root-vsys for the purpose of inter-vsys routing, has no IP address assigned to it and the ingress interface is in NAT mode

  • The loopback interface, which is bound to the default shared untrust zone or shared dmz zone in root-vsys for the purpose of inter-vsys routing, has no IP address assigned to it and the ingress interface is in NAT mode.
Solution:
If an IP address is not assigned to the physical or loopback interface, then:

  • The interface based source Natting translates the source-ip as 0.0.0.0.

  • The traffic fails and the packet dropped, illegal src IP error message is found in the output of debug flow basic.

For more information, refer to KB25220 - [ScreenOS] How to setup inter-vsys routing by using the default shared untrust zone.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search