[ScreenOS] "do not support multiple DIP in loopback session. pak dropped" seen in debug logs

Article ID: KB29303   KB Last Updated: 24 Sep 2014   Version: 1.0
Summary:

An internal host needs to be reached from the private LAN using its Mapped IP (MIP) address. However, the setup fails, and the firewall's flow debug shows the following error message:

“do not support multiple DIP in loopback session. pak dropped”.

This article explains the error message and provides a workaround.

Symptoms:

Requirement: Reach the internal host from a host on the internal LAN (192.168.1.15) using the Mapped IP (MIP) address (1.1.1.10).

Customer's Setup:

192.168.1.10/32----Trust---(192.168.1.1/24) eth0/0 [SSG] eth0/2 (1.1.1.1)----Untrust-----
  • MIP 1.1.1.10 is configured on the egress interface ethernet0/2 for the internal host 192.168.1.10.
  • Policy id 1, from Trust to Untrust, Source: Any, Destination: Any, with interface-based source NAT (DIP id 2). This policy carries the general internet traffic.
  • Policy id 2, from Untrust to Trust, Source: Any, Destination: MIP (1.1.1.10), also with interface-based source NAT (Dynamic IP, DIP id 2). This policy carries MIP traffic initiated from the internet.
  • The customer applied interface-based NAT in policy id 2 deliberately, so that MIP traffic initiated from the internet is source-translated to the firewall's internal interface IP (192.168.1.1).

Issue:

  • From the internet, the customer can reach the internal host via the MIP (the traffic hits policy id 2).
  • However, the internal server cannot be reached from the private LAN using the MIP.
  • The flow debug shows the error "do not support multiple DIP in loopback session. pak dropped" followed by "loopback session failed":
****** 71868.0: <Trust/ethernet0/0> packet received [128]******
ipid = 24674(6062), @05eb7134
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:192.168.1.15/2400->1.1.1.10/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
chose interface ethernet0/0 as incoming nat if.
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 192.168.1.15->1.1.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 15 for 1.1.1.10
[ Dest] 15.route 1.1.1.10->1.1.1.10, to ethernet0/2
routed (x_dst_ip 1.1.1.10) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/2
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.1.10, port 20178, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 1/0/0x1
Permitted by policy 1
src-nat dip id = 2, 192.168.1.15/2400->1.1.1.1/10670

choose interface ethernet0/2 as outgoing phy if
set interface ethernet0/2 as loop ifp.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/0>, out <ethernet0/2>
existing vector list 1-e00ccc4.
Session (id:64061) created for first pak 1
loopback session processing
post addr xlation: 1.1.1.1->1.1.1.10.

flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 1.1.1.1->192.168.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 13 for 192.168.1.10
[ Dest] 13.route 192.168.1.10->192.168.1.10, to ethernet0/0
routed (x_dst_ip 192.168.1.10) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.1.10, port 11908, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 2/1/0x9
Permitted by policy 2
src-nat dip id = 2, 1.1.1.1/10670->192.168.1.1/23646

choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-e00ccc4.
Session (id:64058) created for first pak 1
do not support multiple DIP in loopback session. pak dropped
loopback session failed


Cause:

This error occurs because two DIPs are applied within a single loopback session. A packet from the LAN to the MIP is routed out of ethernet0/2 and looped back in, so it passes through two policies: policy id 1 (Trust to Untrust) and then policy id 2 (Untrust to Trust). Both policies apply interface-based source NAT with DIP id 2, which is why "src-nat dip id = 2" appears once per policy in the debug output above. ScreenOS does not support more than one DIP translation in a loopback session, so the packet is dropped.
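The condition described above can be checked mechanically by walking a "debug flow" capture and counting the source-NAT translations that occur inside one loopback session. The following parser is an added example, not part of the article or of ScreenOS; its input is a constructed excerpt (key lines only) of the two traces shown in this article, and the regular expressions assume the line formats seen in those traces.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt (key lines only) of the two "debug flow" traces in the article:
# the first packet is dropped, the second is the same flow after the workaround.
DEBUG_FLOW = """\
****** 71868.0: <Trust/ethernet0/0> packet received [128]******
Permitted by policy 1
src-nat dip id = 2, 192.168.1.15/2400->1.1.1.1/10670
loopback session processing
Permitted by policy 2
src-nat dip id = 2, 1.1.1.1/10670->192.168.1.1/23646
do not support multiple DIP in loopback session. pak dropped
****** 73267.0: <Trust/ethernet0/0> packet received [128]******
Permitted by policy 3
src-nat dip id = 4, 192.168.1.15/2700->192.168.1.1/1025
loopback session processing
Permitted by policy 2
No src xlate choose interface ethernet0/0 as outgoing phy if
"""

PACKET_RE = re.compile(r"^\*+ [\d.]+: <[^>]+> packet received")
POLICY_RE = re.compile(r"^Permitted by policy (\d+)")
DIP_RE = re.compile(r"^src-nat dip id = (\d+)")

@dataclass
class Trace:
    loopback: bool = False                        # saw "loopback session processing"
    nat_hops: list = field(default_factory=list)  # (policy id, dip id) per source NAT

    def multiple_dip(self) -> bool:
        # The unsupported case: more than one DIP translation inside one loopback session.
        return self.loopback and len(self.nat_hops) > 1

def parse_flow_debug(text: str) -> list:
    traces, cur, policy = [], None, None
    for line in text.splitlines():
        if PACKET_RE.match(line):                 # a new first-packet trace begins
            cur, policy = Trace(), None
            traces.append(cur)
        elif cur is None:
            continue
        elif (m := POLICY_RE.match(line)):
            policy = int(m[1])                    # policy that permitted this hop
        elif (m := DIP_RE.match(line)):
            cur.nat_hops.append((policy, int(m[1])))
        elif "loopback session processing" in line:
            cur.loopback = True
    return traces
```

Running `parse_flow_debug(DEBUG_FLOW)` flags the first trace with translations (1, 2) and (2, 2), while the post-workaround trace carries only (3, 4) and passes.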

Solution:

Workaround:

  • Configure an extended DIP on ethernet0/2 whose DIP address is 192.168.1.1 (the firewall's internal interface IP). In the debug output below this pool appears as DIP id 4.
  • Configure a specific policy for the MIP from Trust to Untrust, Source: Any, Destination: 1.1.1.10, using this DIP (policy id 3 in the debug output below).
  • Remove source translation from policy id 2 (the MIP policy).
  • Source translation is then applied in only one policy (policy id 3) on the loopback path, so the second hop through policy id 2 is no longer translated and the check is not triggered.

Note: Place the specific MIP policy above the Any-to-Any policy (policy id 1); policies are matched top-down, so otherwise the LAN-to-MIP traffic keeps matching policy id 1.

The flow debug after applying the workaround shows the loopback session being created successfully:

****** 73267.0: <Trust/ethernet0/0> packet received [128]******
ipid = 26248(6688), @05e0e134
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:192.168.1.15/2700->1.1.1.10/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
chose interface ethernet0/0 as incoming nat if.
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 192.168.1.15->1.1.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 15 for 1.1.1.10
[ Dest] 15.route 1.1.1.10->1.1.1.10, to ethernet0/2
routed (x_dst_ip 1.1.1.10) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/2
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.1.10, port 19878, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/0/0x9
Permitted by policy 3
src-nat dip id = 4, 192.168.1.15/2700->192.168.1.1/1025

choose interface ethernet0/2 as outgoing phy if
set interface ethernet0/2 as loop ifp.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/0>, out <ethernet0/2>
existing vector list 1-e00ccc4.
Session (id:64057) created for first pak 1
loopback session processing
post addr xlation: 192.168.1.1->1.1.1.10.
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 192.168.1.1->192.168.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 13 for 192.168.1.10
[ Dest] 13.route 192.168.1.10->192.168.1.10, to ethernet0/0
routed (x_dst_ip 192.168.1.10) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.1.10, port 21553, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 2/2/0x9
Permitted by policy 2
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-e00ccc4.
Session (id:64055) created for first pak 1
vector index1 1, vector index2 1
existing vector list 1-e00ccc4.
existing v6 vector list 1-dedbf9c.
new vector index 1.
loopback session created
flow_first_install_session======>
route to 192.168.1.10
cached arp entry with MAC 002688ea390f for 192.168.1.10
arp entry found for 192.168.1.10
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 10800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 192.168.1.10->192.168.1.15) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
cached route 13 for 192.168.1.15
[ Dest] 13.route 192.168.1.15->192.168.1.15, to ethernet0/0
route to 192.168.1.15
cached arp entry with MAC 002688ea3900 for 192.168.1.15
arp entry found for 192.168.1.15
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 64057
flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/2
flow vector index 0x1, vector addr 0x1a7a8f0, orig vector 0x1a7a8f0
post addr xlation: 192.168.1.1->192.168.1.10.
packet send out to 002688e8c300 (cached) through ethernet0/0