[SRX] What is local..0 interface?

Article ID: KB27211 KB Last Updated: 12 Jul 2019 Version: 2.0
Summary:

When a packet is sent to the SRX's Routing Engine (RE), it must arrive at the SRX's local.0 interface, which is in the junos-host zone.

Symptoms:

Testing topology:

       PC--------------------untrust(ge-0/0/1)-------SRX--(ge-0/0/0)trust
172.27.103.227               172.27.103.42              192.168.100.254


When the PC pings the SRX's ge-0/0/0 interface, the ICMP packet crosses two zone pairs: untrust to trust, then trust to junos-host.
The ICMP reply packet is sent from the local.0 interface.

Sample session output:

root@local# run show security flow session protocol icmp
Session ID: 714, Policy name: p10/12, Timeout: 4, Valid
In: 172.27.103.227/172 --> 192.168.100.254/35848;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
Out: 192.168.100.254/35848 --> 172.27.103.227/172;icmp, If: .local..0, Pkts: 1, Bytes: 84
Cause:

When traffic is destined to one of the SRX's own interface addresses, it is handled by the SRX RE.

The ICMP reply packet is sent by the RE from the local.0 interface, which is in the junos-host zone.

The ICMP packet path is from untrust to trust and then from trust to junos-host. (In the scenario discussed here, a policy from untrust to trust is required. No policy from trust to junos-host is required.)

Solution:

Flow trace:

root@local# run show log flow-debug

Mar 22 02:53:14 02:53:13.975195:CID-0:RT:<172.27.103.227/1->192.168.100.254/23928;1> matched filter a:
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:packet [84] ipid = 0, @4228031e
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 14, common flag 0x0, mbuf 0x42280100, rtbl_idx = 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/1.0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: ge-0/0/1.0:172.27.103.227->192.168.100.254, icmp, (8/0)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: find flow: table 0x4dd0d5c0, hash 25028(0xffff), sa 172.27.103.227, da 192.168.100.254, sp 1, dp 23928, proto 1, tok 7
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_create_session
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 192.168.100.254, sp 1, dp 23928
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: chose interface ge-0/0/1.0 as incoming nat if.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.100.254(23928)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.27.103.227, x_dst_ip 192.168.100.254, in ifp ge-0/0/1.0, out ifp N/A sp 1, dp 23928, ip_proto 1, tos 0


Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Doing DESTINATION addr route-lookup  <-- first routing lookup
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Changing out-ifp from .local..0 to ge-0/0/0.0 for dst: 192.168.100.254 in vr_id:0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: routed (x_dst_ip 192.168.100.254) from untrust (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.100.254
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone trust (0x0,0x15d78,0x5d78)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: permitted by policy p10(12)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: dip id = 0/0, 172.27.103.227/1->172.27.103.227/1 protocol 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_get_out_ifp: IN!
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: choose interface ge-0/0/0.0 as outgoing phy if
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:is_loop_pak: Found loop on ifp ge-0/0/0.0, addr: 192.168.100.254, rtt_idx: 0 addr_type:0x3.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_loopback_check: Setting interface: ge-0/0/0.0 as loop ifp.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:jsf sess interest check. regd plugins 19
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Allocating plugin info block for 20 plugin(s) from OL
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 13, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 18, svc_req 0x0. rc 2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 19, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: No JSF plugins enabled for session
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Releasing plugin info block for 20 plugin(s) to OL
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_service_lookup(): natp(0x516efd58): app_id, 0(0).
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: service lookup identified service 0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_complete_session, pak_ptr: 0x3fdedcb0, nsp: 0x516efd58, in_tunnel: 0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:construct v4 vector for nsp2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: existing vector list 200-4a607cf0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Session (id:20350) created for first pak 200
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_install_session======> 0x516efd58
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: nsp 0x516efd58, nsp2 0x516efdd8
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_xlate_pak
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_handle_icmp_xlate
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:xlate_icmp_pak
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: post addr xlation: 172.27.103.227->192.168.100.254.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:retcode: 0x204
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:pak_for_self : proto 1, dst port 23928, action 0x4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_create_session
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 192.168.100.254, sp 1, dp 23928
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: chose interface ge-0/0/0.0 as incoming nat if. <-- packet has been sent to ge-0/0/0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.100.254(23928)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.27.103.227, x_dst_ip 192.168.100.254, in ifp ge-0/0/0.0, out ifp N/A sp 1, dp 23928, ip_proto 1, tos 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Doing DESTINATION addr route-lookup  <-- second routing lookup
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: routed (x_dst_ip 192.168.100.254) from trust (ge-0/0/0.0 in 0) to .local..0, Next-hop: 192.168.100.254
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone junos-host (0x0,0x15d78,0x5d78)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: permitted by policy self-traffic-policy(1) <-- self-traffic-policy permits this packet
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: dip id = 0/0, 172.27.103.227/1->172.27.103.227/1 protocol 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_get_out_ifp: IN!
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: choose interface .local..0 as outgoing phy if
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:is_loop_pak: No loop: ifp doesnt match .local..0 vs looked-up: ge-0/0/0.0, addr: 192.168.100.254, rtt_idx: 0, addr_type:0x3
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:jsf sess interest check. regd plugins 19
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Allocating plugin info block for 20 plugin(s) from OL
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 13, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 18, svc_req 0x0. rc 2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 19, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: No JSF plugins enabled for session
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Releasing plugin info block for 20 plugin(s) to OL
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_service_lookup(): natp(0x51a87bd0): app_id, 0(0).
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: service lookup identified service 0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_final_check: in <ge-0/0/0.0>, out <.local..0>
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_complete_session, pak_ptr: 0x4dfd8660, nsp: 0x51a87bd0, in_tunnel: 0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:construct v4 vector for nsp2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: existing vector list 200-4a607cf0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Session (id:28613) created for first pak 200
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x516efd58, 172.27.103.227/1 -> 192.168.100.254/23928:1,
If: ge-0/0/1.0, nsp-flag: 0x21 tok: 0x7, nh:0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x516efdd8, 192.168.100.254/23928 -> 172.27.103.227/1:1,
If: ge-0/0/0.0, nsp-flag: 0x8 tok: 0x6, nh:0x40d722
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x51a87bd0, 172.27.103.227/1 -> 192.168.100.254/23928:1,
If: ge-0/0/0.0, nsp-flag: 0x1 tok: 0x6, nh:0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x51a87c50, 192.168.100.254/23928 -> 172.27.103.227/1:1,
If: .local..0, nsp-flag: 0x10 tok: 0x2, nh:0x40d722
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: existing vector list 200-4a607cf0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x516efd58, 172.27.103.227/1 -> 192.168.100.254/23928:1,
If: ge-0/0/1.0, nsp-flag: 0x21 tok: 0x7, nh:0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x516efdd8, 192.168.100.254/23928 -> 172.27.103.227/1:1,
If: .local..0, nsp-flag: 0x10 tok: 0x2, nh:0x40d722
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: make_nsp_ready_no_resolve()
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: route lookup: dest-ip 172.27.103.227 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 orig-zone 7 out-zone 7 vsd 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: route to 172.27.103.227
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:no need update ha
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Installing c2s NP session wing
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Installing s2c NP session wing
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow got session.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow session id 20350
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: vector bits 0x200 vector 0x4a607cf0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:mbuf 0x42280100, exit nh 0x40d722
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Mar 22 02:53:14 02:53:13.975195:CID-0:RT:<192.168.100.254/23928->172.27.103.227/1;1> matched filter a: <-- icmp reply
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:packet [84] ipid = 0, @4228031e
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x42280100, rtbl_idx = 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: in_ifp <junos-host:.local..0>
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 54cc3ed0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: .local..0:192.168.100.254->172.27.103.227, icmp, (0/0) <-- ICMP reply is from the RE's local.0 interface
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: find flow: table 0x4dd0d5c0, hash 1212(0xffff), sa 192.168.100.254, da 172.27.103.227, sp 23928, dp 1, proto 1, tok 2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow got session.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow session id 20350
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: vector bits 0x200 vector 0x4a607cf0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:mbuf 0x42280100, exit nh 0x100010
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_process_pkt_exception: Freeing lpak 3fded988 associated with mbuf 0x42280100
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
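
Added example (not part of the Juniper article): a small Python parser that pulls the route and policy-search decisions out of a flow trace like the one above, so the two first-path passes (untrust to trust, then trust to junos-host via .local..0) can be read directly. The function names are assumptions of this example; the sample input reuses lines from the trace above.

```python
import re

# Sample input: lines reused from the article's flow trace (syslog prefix kept).
P = "Mar 22 02:53:14 02:53:13.975195:CID-0:RT:"
SAMPLE_TRACE = "\n".join([
    P + " routed (x_dst_ip 192.168.100.254) from untrust (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.100.254",
    P + "flow_first_policy_search: policy search from zone untrust-> zone trust (0x0,0x15d78,0x5d78)",
    P + " permitted by policy p10(12)",
    P + "pak_for_self : proto 1, dst port 23928, action 0x4",
    P + " routed (x_dst_ip 192.168.100.254) from trust (ge-0/0/0.0 in 0) to .local..0, Next-hop: 192.168.100.254",
    P + "flow_first_policy_search: policy search from zone trust-> zone junos-host (0x0,0x15d78,0x5d78)",
    P + " permitted by policy self-traffic-policy(1)",
])

ROUTED = re.compile(r"routed \(x_dst_ip (\S+)\) from (\S+) \((\S+) in \d+\) to (\S+),")
SEARCH = re.compile(r"policy search from zone (\S+?)\s*->\s*zone (\S+)")
PERMIT = re.compile(r"permitted by policy (\S+)\((\d+)\)")

def policy_passes(trace):
    """Return one record per first-path pass: route, zone pair, permitting policy."""
    passes, current = [], None
    for line in trace.splitlines():
        if m := ROUTED.search(line):
            # A new route decision starts a new pass through the flow module.
            current = {"dst": m[1], "from_zone": m[2], "in_if": m[3],
                       "out_if": m[4], "to_zone": None, "policy": None}
            passes.append(current)
        elif current and (m := SEARCH.search(line)):
            current["to_zone"] = m[2]
        elif current and (m := PERMIT.search(line)):
            current["policy"] = m[1]   # stays None if no permit line was logged
    return passes

def delivered_to_re(passes):
    """True when the last pass was permitted into junos-host via .local..0."""
    return (bool(passes)
            and passes[-1]["to_zone"] == "junos-host"
            and passes[-1]["out_if"] == ".local..0"
            and passes[-1]["policy"] is not None)

if __name__ == "__main__":
    for i, p in enumerate(policy_passes(SAMPLE_TRACE), 1):
        print(f"pass {i}: {p['from_zone']} ({p['in_if']}) -> {p['to_zone']} "
              f"({p['out_if']}), policy={p['policy']}")
    print("delivered to RE:", delivered_to_re(policy_passes(SAMPLE_TRACE)))
```

A pass whose `policy` is `None` means the trace contained a policy search with no matching permit line, which is the place to look when self-traffic never reaches the RE.
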
Modification History:

2019-07-11: Minor, non-technical edits.
