Traffic from Subnet A of Vsys-1 to Subnet B of Vsys-2 fails. The output of debug flow basic displays the "packet dropped, illegal src IP" error message.

Sample output:
In the output below, the ethernet1/2 ingress interface is bound to vsys1, while the 9.9.9.9 destination IP belongs to another custom vsys (vsys2), so the flow must be pushed across vsys through the shared Untrust zone:
****** 18523.0: <Trust-vsys1/ethernet1/2> packet received [128]******
ipid = 61705(f109), @0c99ed34
self:8.8.8.8/48028->9.9.9.9/1024,1(8/0)<vsys1>
flow_decap_vector IPv4 process
ethernet1/2:8.8.8.8/48028->9.9.9.9/1024,1(8/0)<vsys1>
no session found
flow_first_sanity_check: in <ethernet1/2>, out <ethernet1/3>
chose interface ethernet1/2 as incoming nat if.
IP classification from non-shared src if : vsys vsys1
flow_first_routing: in <ethernet1/2>, out <ethernet1/3>
search route to (ethernet1/2, 8.8.8.8->9.9.9.9) in vr vsys1-vr for vsd-0/flag-0/ifp-null
[ Dest] 5.route 9.9.9.9->9.9.9.9, to ethernet1/3
routed (x_dst_ip 9.9.9.9) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/3
Cross vsys (vsys1->vsys2) at ethernet1/3: need loopback push to Untrust
policy search from zone 19-> zone 1
policy_flow_search policy search nat_crt from zone 19-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys vsys1, ip 9.9.9.9, port 40085, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/0/0x1
Permitted by policy 1
dip id = 2, 8.8.8.8/48028->0.0.0.0/29576
choose interface ethernet1/3 as outgoing phy if
skip loopback check for cross vsys (vsys1->vsys2)
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/2>, out <ethernet1/3>
existing vector list 1-1bb3cc54.
Session (id:9058) created for first pak 1
loopback session processing
post addr xlation: 0.0.0.0->9.9.9.9.
flow_first_sanity_check: in <ethernet1/4>, out <N/A>
packet dropped, illegal src IP
loopback session failed
This error message is generated when:
- The physical interface that is bound to the default shared untrust zone in root-vsys for the purpose of inter-vsys routing has no IP address assigned to it, and the ingress interface is in NAT mode.
- The loopback interface that is bound to the default shared untrust zone or shared dmz zone in root-vsys for the purpose of inter-vsys routing has no IP address assigned to it, and the ingress interface is in NAT mode.
If no IP address is assigned to the physical or loopback interface, then:
- Interface-based source NAT translates the source IP to 0.0.0.0 (visible above as "post addr xlation: 0.0.0.0->9.9.9.9").
- The traffic fails, and the "packet dropped, illegal src IP" error message is found in the output of debug flow basic.
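The following added example (not part of the original KB article) shows how to recognise this specific failure signature when reading debug flow basic output: a cross-vsys loopback push, a translated source of 0.0.0.0, and the resulting "illegal src IP" drop. The sample trace is constructed from the relevant lines quoted above; the diagnosis text is the author's wording, not a ScreenOS message.

```python
import re

# Constructed sample: the lines of the debug flow basic trace quoted in the
# article that matter for this check (the remaining lines are not needed).
FAILING_TRACE = """\
ethernet1/2:8.8.8.8/48028->9.9.9.9/1024,1(8/0)<vsys1>
Cross vsys (vsys1->vsys2) at ethernet1/3: need loopback push to Untrust
post addr xlation: 0.0.0.0->9.9.9.9.
flow_first_sanity_check: in <ethernet1/4>, out <N/A>
packet dropped, illegal src IP
loopback session failed
"""

IPV4 = r"(\d+(?:\.\d+){3})"
CROSS_VSYS = re.compile(r"Cross vsys \(([^-)]+)->([^)]+)\) at (\S+): need loopback push to (\S+)")
XLATION = re.compile(r"post addr xlation: " + IPV4 + "->" + IPV4 + r"\.?$")
DROP = re.compile(r"packet dropped, (.+)$")


def analyze_trace(text):
    """Walk a debug flow basic trace and explain a cross-vsys drop, if any."""
    info = {"cross_vsys": None, "translated_src": None, "drop_reason": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = CROSS_VSYS.search(line)
        if m:
            info["cross_vsys"] = {"from": m.group(1), "to": m.group(2),
                                  "via": m.group(3), "zone": m.group(4)}
        m = XLATION.search(line)
        if m:
            info["translated_src"] = m.group(1)   # source IP after NAT
        m = DROP.search(line)
        if m:
            info["drop_reason"] = m.group(1)
    # Signature described in the article: loopback push across vsys, interface-
    # based source NAT yielding 0.0.0.0, then the sanity check rejecting it.
    if (info["cross_vsys"] and info["translated_src"] == "0.0.0.0"
            and info["drop_reason"] == "illegal src IP"):
        info["diagnosis"] = ("shared %s zone interface used for the loopback push "
                             "has no IP address (ingress interface in NAT mode)"
                             % info["cross_vsys"]["zone"])
    elif info["drop_reason"]:
        info["diagnosis"] = "dropped for another reason: " + info["drop_reason"]
    else:
        info["diagnosis"] = "no drop seen"
    return info


if __name__ == "__main__":
    for key, value in analyze_trace(FAILING_TRACE).items():
        print(f"{key}: {value}")
```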
For more information, refer to KB25220 - [ScreenOS] How to setup inter-vsys routing by using the default shared untrust zone.