
[ScreenOS] Packet was not being transmitted out the VPN. Debug Flow reported 'packet dropped, no way(tunnel) out'

Article ID: KB7253 | Last Updated: 31 Dec 2018 | Version: 7.0
Summary:

This article describes a situation in which packets from the trust side of a route-based VPN are not forwarded through the VPN.

This can happen if two VPNs are bound to the same tunnel interface without the correct gateway hop specified, or if the traffic does not match the Proxy IDs negotiated while "Proxy-id check" is enabled.

Symptoms:

On a route-based VPN, packets are not forwarded through the VPN. In the debug flow basic output, the packet is dropped and the following error is reported:

packet dropped, no way(tunnel) out.

Cause:

This error can be seen in two scenarios:

1. Two VPNs are bound to the same tunnel interface without the correct gateway hop specified.

2. The traffic does not match the Proxy IDs negotiated, and the Proxy ID check feature is enabled. This occurs, for example, when a newly added subnet tries to reach the remote network through the VPN but the Proxy IDs were never configured for the new subnet, or when the Proxy ID negotiated is for the NAT'd IP address and the packet leaves with a different IP address.

Solution:

Scenario 1

When two VPNs are bound to the same tunnel interface without the correct gateway hop specified, the error can be corrected by:

  • Removing the extra VPN that is not needed
  • Adding the correct gateway in the route for the VPN (see example below)
  • Creating another tunnel interface for the other VPN

For example, assume you are trying to route network 10.1.1.0/24 through a VPN tunnel via interface tunnel.3. If there are multiple VPNs bound to interface tunnel.3, your static route needs to look like the following:

set route 10.1.1.0/24 interface tunnel.3 gateway 172.16.10.1

where 172.16.10.1 is the IP address of the interface on which the tunnel is terminated on the peer. This is the same address as the next-hop in the NHTB table. The corresponding NHTB entry looks like the following:

ssg5-> get i tunnel.3
Interface tunnel.3:
description tunnel.3
number 20, if_info 1784, if_index 3, mode route
link ready
vsys Root, zone Untrust, vr trust-vr
admin mtu 1500, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 unnumbered, source interface adsl1
*manage ip 0.0.0.0
bound vpn:
SRX210-VPN
SSG5-VPN

Next-Hop Tunnel Binding table
Flag Status Next-Hop(IP) tunnel-id VPN
U 80.10.10.99 0x00000006 SRX210-VPN
U 172.16.10.1 0x00000005 SSG5-VPN <--- This is the VPN in question

Refer to the 'Multiple Tunnels Per Tunnel Interface' section in the ScreenOS C&E VPN volume.

Scenario 2

When the traffic does not match the Proxy IDs negotiated, and the Proxy ID check feature is enabled, the error can be corrected by:

  • If it is a newly added subnet, adding a new Proxy ID for the new subnet or modifying the existing Proxy IDs to include the new subnet (on both VPN peers)
  • In the debug flow basic output, verifying that NAT is applied as expected by the Proxy IDs negotiated (the source address after NAT must fall within the negotiated local Proxy ID)

For example, if the VPN was initially configured to allow traffic from 10.1.2.1/24 to 192.168.1.1/24, the proxy ID would look like:

get sa id 0x002
proxy id: local 10.1.2.1/255.255.255.0, remote 192.168.1.1/255.255.255.0, proto 0, port 0/0

If you add a new subnet 10.1.10.1/24 to your network and try to reach the remote network from it, either add a new Proxy ID for 10.1.10.1/24 to the VPN, or widen the subnet mask of the existing Proxy ID (10.1.2.1/255.255.240.0) so that it includes the new subnet.

Note: The traffic passing over the VPN should exactly match the Proxy-id when "Proxy-id check" is enabled.
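To make the Proxy ID check concrete, here is an added Python example (not ScreenOS code and not part of this article) that parses the proxy id line from the `get sa` output shown above, checks whether a given flow would pass the check, and shows why widening the local mask to 255.255.240.0 lets the new 10.1.10.0/24 subnet through. The regular expression and the function names are assumptions for this example; the sample `get sa` text is constructed from the article.

```python
import ipaddress
import re

# Constructed sample, mirroring the 'get sa id 0x002' output in the article (not a live capture).
SA_OUTPUT = """get sa id 0x002
proxy id: local 10.1.2.1/255.255.255.0, remote 192.168.1.1/255.255.255.0, proto 0, port 0/0
"""

# Assumed line format, taken from the output above.
PROXY_RE = re.compile(
    r"proxy id: local (?P<local>\S+), remote (?P<remote>\S+), "
    r"proto (?P<proto>\d+), port (?P<lport>\d+)/(?P<rport>\d+)"
)


def parse_proxy_ids(text):
    """Return (local_net, remote_net, proto, local_port, remote_port) tuples from 'get sa' output."""
    ids = []
    for m in PROXY_RE.finditer(text):
        # strict=False masks off host bits, so 10.1.2.1/255.255.255.0 becomes 10.1.2.0/24.
        local = ipaddress.ip_network(m["local"], strict=False)
        remote = ipaddress.ip_network(m["remote"], strict=False)
        ids.append((local, remote, int(m["proto"]), int(m["lport"]), int(m["rport"])))
    return ids


def proxy_id_match(proxy_ids, src, dst, proto=0, sport=0, dport=0):
    """Emulate the Proxy ID check: the flow passes if any negotiated Proxy ID covers it.
    'src' must be the address the packet actually leaves with (i.e. after source NAT).
    proto 0 and port 0 in a Proxy ID mean 'any', as in the article's example."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, p, lp, rp in proxy_ids:
        if (src_ip in local and dst_ip in remote
                and p in (0, proto) and lp in (0, sport) and rp in (0, dport)):
            return True
    return False


def widen_local(proxy_ids, new_mask):
    """Scenario 2 fix: the same Proxy IDs with a wider local mask (e.g. 255.255.240.0)."""
    return [
        (ipaddress.ip_network(f"{local.network_address}/{new_mask}", strict=False), remote, p, lp, rp)
        for local, remote, p, lp, rp in proxy_ids
    ]
```

A flow from the original 10.1.2.0/24 passes, a flow from the new 10.1.10.0/24 is rejected (this is the "no way(tunnel) out" case), and after widening the local mask to 255.255.240.0 the new subnet passes as well.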
