[ScreenOS] Traffic flow between two shared interfaces in a VSYS

Article ID: KB25556 | KB Last Updated: 19 Sep 2012 | Version: 2.0
Summary:
When traffic is passed between two shared interfaces in the same VSYS, it is dropped unless IP classification is configured on the shared zones for the networks that take part in the communication; once that is in place, the traffic passes. This article describes the issue and how to resolve it.
Symptoms:
IP classification has to be configured in the following scenarios:

  • When there are two interfaces in two different shared zones and communication is required between the two interfaces.

  • When there are two interfaces in the same shared zone and communication is required between the two interfaces.

If IP classification is not configured, the packet will be dropped, which generates the following error message:
Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:-2
packet dropped, IP classification failed
The issue can be reproduced in the following scenario:

Loopback.1 and Loopback.5 are in the root_test1 zone and Loopback.2 is in the Root_test2 zone. Both zones are shared zones that belong to the Root VSYS:
1002 root_test1 Sec(L3) Shared trust-vr null Root
1003 Root_test2 Sec(L3) Shared trust-vr null Root

When traffic is initiated from Loopback.1 to Loopback.5 or to Loopback.2, it fails, and the output of debug flow basic is as follows:
****** 10124.0: <root_test1/loopback.1> packet received [128]******
ipid = 37662(931e), @0cb47c94
self:3.3.3.3/16900->4.4.4.4/1024,1(8/0)<Root>
flow_decap_vector IPv4 process
loopback.1:3.3.3.3/16900->4.4.4.4/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <loopback.1>, out <loopback.2>
chose interface loopback.1 as incoming nat if.
flow_first_routing: in <loopback.1>, out <loopback.2>
search route to (loopback.1, 3.3.3.3->4.4.4.4) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 9.route 4.4.4.4->4.4.4.4, to loopback.2
routed (x_dst_ip 4.4.4.4) from loopback.1 (loopback.1 in 0) to loopback.2
Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:-2
packet dropped, IP classification failed
Cause:

Solution:
To resolve this, configure IP classification on both root_test1 and Root_test2 and map each participating address to the Root VSYS. The configuration is as follows:
set zone "root_test1" ip-classification
set zone "Root_test2" ip-classification
set zone "root_test1" ip-classification net 3.3.3.3/32 vsys "Root"
set zone "root_test1" ip-classification net 7.7.7.7/32 vsys "Root"
set zone "Root_test2" ip-classification net 4.4.4.4/32 vsys "Root"
set zone "Root_test2" ip-classification net 7.7.7.7/32 vsys "Root"

After the above configuration is in place, any of the three IP addresses (3.3.3.3, 4.4.4.4 and 7.7.7.7) can communicate with either of the others. The output of debug flow basic after the configuration change is as follows; note that both IP classification lookups now succeed (rc:1) and the packet is permitted by policy:
****** 13135.0: <Root_test2/loopback.2> packet received [128]******
ipid = 57213(df7d), @0cb47c94
self:4.4.4.4/21700->7.7.7.7/1024,1(8/0)<Root>
flow_decap_vector IPv4 process
loopback.2:4.4.4.4/21700->7.7.7.7/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <loopback.2>, out <loopback.5>
chose interface loopback.2 as incoming nat if.
IP classification from src IP : vsys Root,rc:1
flow_first_routing: in <loopback.2>, out <loopback.5>
search route to (loopback.2, 4.4.4.4->7.7.7.7) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 14.route 7.7.7.7->7.7.7.7, to loopback.5
routed (x_dst_ip 7.7.7.7) from loopback.2 (loopback.2 in 0) to loopback.5
IP classification from dst IP : vsys Root,rc:1
Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:0

policy search from zone 1003-> zone 1002
policy_flow_search policy search nat_crt from zone 1003-> zone 1002
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 7.7.7.7, port 878, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 15/1/0x9
Permitted by policy 15
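The following script is an added troubleshooting aid, not part of the original article or of ScreenOS. It parses the `set zone ... ip-classification net` lines of a configuration and the key lines of a failing debug flow basic excerpt, then reports which (zone, address) pair lacks a classification entry, assuming (as the order of the lookups in the trace above suggests) that the source address is classified in the ingress zone and the destination address in the egress zone. The interface-to-zone map and the inputs are constructed from the article's topology.

```python
import ipaddress
import re
# Constructed inputs modelled on the article's topology: loopback.1 and loopback.5 sit in
# root_test1, loopback.2 in Root_test2. The config deliberately omits 4.4.4.4 in Root_test2.
IFACE_ZONE = {"loopback.1": "root_test1", "loopback.5": "root_test1", "loopback.2": "Root_test2"}
CONFIG = '''
set zone "root_test1" ip-classification net 3.3.3.3/32 vsys "Root"
set zone "root_test1" ip-classification net 7.7.7.7/32 vsys "Root"
set zone "Root_test2" ip-classification net 7.7.7.7/32 vsys "Root"
'''
TRACE = '''
loopback.2:4.4.4.4/21700->7.7.7.7/1024,1(8/0)<Root>
flow_first_sanity_check: in <loopback.2>, out <loopback.5>
packet dropped, IP classification failed
'''
NET_RE = re.compile(r'^set zone "([^"]+)" ip-classification net (\S+) vsys "([^"]+)"')
PKT_RE = re.compile(r'^\S+:(\d+(?:\.\d+){3})/\d+->(\d+(?:\.\d+){3})/\d+')
IFACE_RE = re.compile(r'^flow_first_sanity_check: in <([^>]+)>, out <([^>]+)>')

def parse_classification(config):
    """Map zone -> [(network, vsys)] from 'set zone ... ip-classification net' lines."""
    nets = {}
    for line in config.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            nets.setdefault(m.group(1), []).append((ipaddress.ip_network(m.group(2)), m.group(3)))
    return nets

def parse_flow(trace):
    """Pull src/dst addresses and in/out interfaces out of a debug flow basic excerpt."""
    flow = {}
    for line in trace.splitlines():
        if m := PKT_RE.match(line):
            flow["src"], flow["dst"] = m.group(1), m.group(2)
        elif m := IFACE_RE.match(line):
            flow["in"], flow["out"] = m.group(1), m.group(2)
    return flow

def classify(nets, zone, ip):
    """Return the vsys an address classifies to in a zone, or None if no net matches."""
    addr = ipaddress.ip_address(ip)
    return next((vsys for net, vsys in nets.get(zone, []) if addr in net), None)

def missing_classification(config, trace, iface_zone):
    """(zone, ip) pairs the flow needs classified but the config does not cover:
    source checked against the ingress zone, destination against the egress zone."""
    nets, flow = parse_classification(config), parse_flow(trace)
    checks = [(iface_zone[flow["in"]], flow["src"]), (iface_zone[flow["out"]], flow["dst"])]
    return [(zone, ip) for zone, ip in checks if classify(nets, zone, ip) is None]
```

Each pair returned corresponds to one `set zone "<zone>" ip-classification net <ip>/32 vsys "Root"` line that is still needed; an empty list means both lookups in the trace should succeed.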