[SRX] What is local..0 interface?

[KB27211]


Summary:

When a packet is destined for the SRX's Routing Engine (RE), it must arrive at the SRX's local.0 interface, which belongs to the junos-host zone.

Symptoms:

Testing topology:

       PC--------------------untrust(ge-0/0/1)-------SRX--(ge-0/0/0)trust
172.27.103.227               172.27.103.42              192.168.100.254


When the PC pings the SRX's ge-0/0/0 interface address, the ICMP request traverses two zone pairs: untrust to trust, and then trust to junos-host.
The ICMP reply is sent from the local.0 interface.

Sample session output:

root@local# run show security flow session protocol icmp
Session ID: 714, Policy name: p10/12, Timeout: 4, Valid
In: 172.27.103.227/172 --> 192.168.100.254/35848;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
Out: 192.168.100.254/35848 --> 172.27.103.227/172;icmp, If: .local..0, Pkts: 1, Bytes: 84

Cause:

When traffic is destined for one of the SRX's own interface addresses (self traffic), it is handled by the SRX RE.

The ICMP reply is sent by the RE from the local.0 interface, which is in the junos-host zone.

The ICMP packet path is from untrust to trust and then from trust to junos-host. (In the scenario discussed here, a policy from untrust to trust is required. No policy from trust to junos-host needs to be configured; in the flow trace below that hop is permitted by self-traffic-policy.)

Solution:

Flow trace:

root@local# run show log flow-debug

Mar 22 02:53:14 02:53:13.975195:CID-0:RT:<172.27.103.227/1->192.168.100.254/23928;1> matched filter a:
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:packet [84] ipid = 0, @4228031e
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 14, common flag 0x0, mbuf 0x42280100, rtbl_idx = 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/1.0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: ge-0/0/1.0:172.27.103.227->192.168.100.254, icmp, (8/0)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: find flow: table 0x4dd0d5c0, hash 25028(0xffff), sa 172.27.103.227, da 192.168.100.254, sp 1, dp 23928, proto 1, tok 7
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_create_session
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 192.168.100.254, sp 1, dp 23928
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: chose interface ge-0/0/1.0 as incoming nat if.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.100.254(23928)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.27.103.227, x_dst_ip 192.168.100.254, in ifp ge-0/0/1.0, out ifp N/A sp 1, dp 23928, ip_proto 1, tos 0


Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Doing DESTINATION addr route-lookup  <-- first routing lookup
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Changing out-ifp from .local..0 to ge-0/0/0.0 for dst: 192.168.100.254 in vr_id:0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: routed (x_dst_ip 192.168.100.254) from untrust (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.100.254
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone trust (0x0,0x15d78,0x5d78)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: permitted by policy p10(12)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: dip id = 0/0, 172.27.103.227/1->172.27.103.227/1 protocol 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_get_out_ifp: IN!
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: choose interface ge-0/0/0.0 as outgoing phy if
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:is_loop_pak: Found loop on ifp ge-0/0/0.0, addr: 192.168.100.254, rtt_idx: 0 addr_type:0x3.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_loopback_check: Setting interface: ge-0/0/0.0 as loop ifp.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:jsf sess interest check. regd plugins 19
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Allocating plugin info block for 20 plugin(s) from OL
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 13, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 18, svc_req 0x0. rc 2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 19, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: No JSF plugins enabled for session
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Releasing plugin info block for 20 plugin(s) to OL
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_service_lookup(): natp(0x516efd58): app_id, 0(0).
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: service lookup identified service 0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_complete_session, pak_ptr: 0x3fdedcb0, nsp: 0x516efd58, in_tunnel: 0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:construct v4 vector for nsp2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: existing vector list 200-4a607cf0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Session (id:20350) created for first pak 200
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_install_session======> 0x516efd58
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: nsp 0x516efd58, nsp2 0x516efdd8
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_xlate_pak
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_handle_icmp_xlate
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:xlate_icmp_pak
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: post addr xlation: 172.27.103.227->192.168.100.254.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:retcode: 0x204
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:pak_for_self : proto 1, dst port 23928, action 0x4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_create_session
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 192.168.100.254, sp 1, dp 23928
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: chose interface ge-0/0/0.0 as incoming nat if. <-- packet has been sent to ge-0/0/0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.100.254(23928)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.27.103.227, x_dst_ip 192.168.100.254, in ifp ge-0/0/0.0, out ifp N/A sp 1, dp 23928, ip_proto 1, tos 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Doing DESTINATION addr route-lookup  <-- second routing lookup
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: routed (x_dst_ip 192.168.100.254) from trust (ge-0/0/0.0 in 0) to .local..0, Next-hop: 192.168.100.254
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone junos-host (0x0,0x15d78,0x5d78)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: permitted by policy self-traffic-policy(1) <-- self-traffic-policy permit this packet
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: dip id = 0/0, 172.27.103.227/1->172.27.103.227/1 protocol 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_get_out_ifp: IN!
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: choose interface .local..0 as outgoing phy if
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:is_loop_pak: No loop: ifp doesnt match .local..0 vs looked-up: ge-0/0/0.0, addr: 192.168.100.254, rtt_idx: 0, addr_type:0x3
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:jsf sess interest check. regd plugins 19
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Allocating plugin info block for 20 plugin(s) from OL
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 13, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 18, svc_req 0x0. rc 2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:-jsf int check: plugin id 19, svc_req 0x0. rc 4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: No JSF plugins enabled for session
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Releasing plugin info block for 20 plugin(s) to OL
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_service_lookup(): natp(0x51a87bd0): app_id, 0(0).
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: service lookup identified service 0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_final_check: in <ge-0/0/0.0>, out <.local..0>
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_complete_session, pak_ptr: 0x4dfd8660, nsp: 0x51a87bd0, in_tunnel: 0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:construct v4 vector for nsp2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: existing vector list 200-4a607cf0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: Session (id:28613) created for first pak 200
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x516efd58, 172.27.103.227/1 -> 192.168.100.254/23928:1,
If: ge-0/0/1.0, nsp-flag: 0x21 tok: 0x7, nh:0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x516efdd8, 192.168.100.254/23928 -> 172.27.103.227/1:1,
If: ge-0/0/0.0, nsp-flag: 0x8 tok: 0x6, nh:0x40d722
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x51a87bd0, 172.27.103.227/1 -> 192.168.100.254/23928:1,
If: ge-0/0/0.0, nsp-flag: 0x1 tok: 0x6, nh:0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x51a87c50, 192.168.100.254/23928 -> 172.27.103.227/1:1,
If: .local..0, nsp-flag: 0x10 tok: 0x2, nh:0x40d722
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: existing vector list 200-4a607cf0.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x516efd58, 172.27.103.227/1 -> 192.168.100.254/23928:1,
If: ge-0/0/1.0, nsp-flag: 0x21 tok: 0x7, nh:0x0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:nsp:0x516efdd8, 192.168.100.254/23928 -> 172.27.103.227/1:1,
If: .local..0, nsp-flag: 0x10 tok: 0x2, nh:0x40d722
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: make_nsp_ready_no_resolve()
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: route lookup: dest-ip 172.27.103.227 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 orig-zone 7 out-zone 7 vsd 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: route to 172.27.103.227
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:no need update ha
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Installing c2s NP session wing
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:Installing s2c NP session wing
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow got session.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow session id 20350
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: vector bits 0x200 vector 0x4a607cf0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:mbuf 0x42280100, exit nh 0x40d722
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Mar 22 02:53:14 02:53:13.975195:CID-0:RT:<192.168.100.254/23928->172.27.103.227/1;1> matched filter a: <-- icmp reply
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:packet [84] ipid = 0, @4228031e
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x42280100, rtbl_idx = 0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: in_ifp <junos-host:.local..0>
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 54cc3ed0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: .local..0:192.168.100.254->172.27.103.227, icmp, (0/0) <-- icmp reply is from RE'local.0 interface
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: find flow: table 0x4dd0d5c0, hash 1212(0xffff), sa 192.168.100.254, da 172.27.103.227, sp 23928, dp 1, proto 1, tok 2
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow got session.
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow session id 20350
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: vector bits 0x200 vector 0x4a607cf0
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:mbuf 0x42280100, exit nh 0x100010
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_process_pkt_exception: Freeing lpak 3fded988 associated with mbuf 0x42280100
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
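
The two zone-pair hops in the trace above can be pulled out mechanically. The following is an added example, not part of the KB article or Junos itself: it parses the `policy search`, `permitted by policy` and `flow_first_final_check` lines of `show log flow-debug` output into hops, marks the hop that terminates on the RE (`.local..0` / junos-host), and lists which permitting policies an administrator actually had to configure. The sample trace is constructed from lines of this article; the `Hop`, `parse_hops` and `configured_policies` names are assumptions of the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the KB's 'show log flow-debug' trace,
# timestamp prefix included so the regexes match real output.
SAMPLE_TRACE = """\
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone trust (0x0,0x15d78,0x5d78)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: permitted by policy p10(12)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:pak_for_self : proto 1, dst port 23928, action 0x4
Mar 22 02:53:14 02:53:13.975195:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone junos-host (0x0,0x15d78,0x5d78)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: permitted by policy self-traffic-policy(1)
Mar 22 02:53:14 02:53:13.975195:CID-0:RT: flow_first_final_check: in <ge-0/0/0.0>, out <.local..0>
"""

POLICY_SEARCH = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
PERMITTED = re.compile(r"permitted by policy (\S+)\(\d+\)")
FINAL_CHECK = re.compile(r"flow_first_final_check: in <([^>]+)>, out <([^>]+)>")
RE_IFL = ".local..0"  # the Routing Engine's interface, a member of zone junos-host


@dataclass
class Hop:
    """One zone-pair policy evaluation during first-path processing (hypothetical name)."""
    from_zone: str
    to_zone: str
    policy: str | None = None
    in_ifp: str | None = None
    out_ifp: str | None = None

    @property
    def to_re(self) -> bool:
        # The hop that hands the packet to the RE ends on .local..0 in junos-host.
        return self.to_zone == "junos-host" or self.out_ifp == RE_IFL


def parse_hops(trace: str) -> list[Hop]:
    """Rebuild the hops a first packet took: each 'policy search' line opens a hop,
    and the following 'permitted by policy' and 'final_check' lines fill it in."""
    hops: list[Hop] = []
    for line in trace.splitlines():
        if m := POLICY_SEARCH.search(line):
            hops.append(Hop(m.group(1), m.group(2)))
        elif hops and (m := PERMITTED.search(line)):
            hops[-1].policy = m.group(1)
        elif hops and (m := FINAL_CHECK.search(line)):
            hops[-1].in_ifp, hops[-1].out_ifp = m.group(1), m.group(2)
    return hops


def configured_policies(hops: list[Hop]) -> list[str]:
    """Permitting policies other than self-traffic-policy, which the trace shows
    covering the trust -> junos-host hop without any explicit configuration."""
    return [h.policy for h in hops if h.policy and h.policy != "self-traffic-policy"]
```

Running `parse_hops(SAMPLE_TRACE)` yields the untrust->trust hop permitted by p10 and the trust->junos-host hop out of .local..0 permitted by self-traffic-policy, so `configured_policies` returns only `["p10"]`, matching the Cause section.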

Modification History:

2019-07-11: Minor, non-technical edits.
