
Terminating VPN on Loopback interface failing

Article ID: KB8181   Last Updated: 21 Jun 2010   Version: 4.0
Summary:
When a loopback interface is used as the source (outgoing) interface for a route-based VPN tunnel, traffic through the tunnel fails if the loopback interface is not bound to the same zone as the physical outbound interface and grouped with it. The IKE tunnel itself may still come up; only the traffic over it is dropped.
Symptoms:

Environment:

  • Route based tunnel configured using a loopback interface as the source interface.

Symptoms & Errors:

  • The loopback interface is bound to a custom 'VPN' zone, while the default route (the physical outbound path) is through an interface in a different zone.
  • The tunnel establishes; however, all traffic over the VPN fails. In the debug flow output below, the packet is routed to loopback.1 (zone 1000), is permitted by policy, enters loopback session processing, and is then dropped with "for self but not interested" and "loopback session failed":
    ****** 00090.0: <Untrust/redundant2:1> packet received [112]******
      ipid = 11(000b), @d7834910
      packet passed sanity check.
      redundant2:1:192.168.1.132/61381->1.1.1.1/15021,50<Root>
      lookup tunnel sess with port 0x00000000
      lookup passthrough tunnel sess on redundant2:1 with port 0xefc53aad
      flow_first_sanity_check: in <redundant2:1>, out <N/A>
      chose interface redundant2:1 as incoming nat if.
      flow_first_routing: in <redundant2:1>, out <N/A>
      search route to (redundant2:1, 192.168.1.132->1.1.1.1) in vr trust-vr for vsd-1/flag-0/ifp-null
      [ Dest] 5.route 1.1.1.1->0.0.0.0, to loopback.1:1
      routed (x_dst_ip 1.1.1.1) from redundant2:1 (redundant2:1 in 1) to loopback.1:1
      policy search from zone 1-> zone 1000
      No SW RPC rule match, search HW rule
      Permitted by policy 11
      No src xlate
      choose interface loopback.1:1 as outgoing phy if
      check nsrp pak fwd: in_tun=0xffffffff, VSD 1 for out ifp loopback.1:1
      vsd 1 is active
      no loop on ifp loopback.1.
      set interface loopback.1:1 as loop ifp.
      session application type 0, name None, nas_id 0, timeout 1800sec
      service lookup identified service 0.
      flow_first_final_check: in <redundant2:1>, out <loopback.1:1>
      existing vector list 221-ab795f0.
      Session (id:250057) created for first pak 221
      loopback session processing
      post addr xlation: 192.168.1.132->1.1.1.1.
      flow_first_sanity_check: in <loopback.1:1>, out <N/A>
      self check, not for us
      chose interface loopback.1:1 as incoming nat if.
      packet dropped: for self but not interested
      loopback session failed
      existing vector list 221-ab795f0.
Solution:

The loopback interface must reside in the same zone as the physical outbound interface, and the two interfaces must be grouped together: the physical outbound interface is made a member of the loopback interface's loopback group.

In the above example, the loopback interface should reside in zone 1 (Untrust), the zone of the interface the packet is routed through, rather than in the custom tunnel zone (zone id 1000). With the loopback in a different zone and no physical member in its group, the flow that is routed to loopback.1 has no physical interface to leave on; the second pass of the flow ("flow_first_sanity_check: in <loopback.1:1>") treats the packet as addressed to the device itself, finds no service listening for it, and drops it.

To place the loopback and outgoing interfaces in the same group, through the WebUI:

  1. Click on Network -> Interfaces (on some models, you may also need to click on List).
  2. Edit the outgoing interface.
  3. In the "As member of loopback group" field, use the pull-down menu and select the loopback interface you wish to group with this interface.
  4. Click OK

The loopback interface and the outgoing interface are now grouped together.
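The same change from the ScreenOS CLI, as an added illustration that is not part of the original article. The failing layout is shown first, then the corrected one. Interface names (ethernet0/2), zone names, addresses, the pre-shared key and the gateway and VPN names are assumptions for illustration; lines beginning with `#` are annotations, not CLI input. Verify the exact command syntax against the CLI reference for your ScreenOS release, and note that the loopback's IP address normally has to be unset before its zone can be changed.

```text
# --- Failing layout (matches the debug above): loopback in a custom zone,
#     no physical interface in its loopback group ---
#   set zone name VPN
#   set interface loopback.1 zone VPN           <- zone id 1000 in the debug
#   set interface loopback.1 ip 1.1.1.1/32

# --- Corrected layout ---
# Move the loopback into the zone of the physical outbound interface
# (the address is unset first so the zone can be changed).
unset interface loopback.1 ip 1.1.1.1/32
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.1.1/32

# Make the physical outbound interface a member of the loopback group.
# This is the CLI counterpart of the WebUI field "As member of loopback group".
set interface ethernet0/2 loopback-group loopback.1

# Route-based tunnel sourced from the loopback address.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface loopback.1
set ike gateway remote-gw address 2.2.2.2 outgoing-interface loopback.1 preshare s3cret sec-level standard
set vpn lo-vpn gateway remote-gw sec-level standard
set vpn lo-vpn bind interface tunnel.1
set route 10.0.0.0/24 interface tunnel.1
save
```

After the change, the same `debug flow basic` trace should show the flow leaving on the physical member interface rather than ending in "loopback session failed".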
