Netscreen (SSG550) "odd policy behavior" help needed!



  • Hello,

    SITUATION:

    My Allow HTTP policy appears to fail (no received data via policy-level logging) and the webpage fails to load. Then, oddly, if I ping the IP of the webserver first and then open the HTTP connection, it works. However, if I wait long enough the problem reappears.
    More info on the setup below.

    Tried Juniper Support directly, but this is a proof-of-concept lab on some devices not currently under support, so they would not even talk to me. If anyone at Juniper is reading and can help, please do! If the concept is "proven" we will be getting the support subscription. Unfortunately, I cannot get the funds unless the layout works...

    DEVICES:  two SSG550s

    SETUP:

    Basically I have traffic from eth0/3 on the COREFW trying to HTTP to eth0/3 on the EDGEFW. eth0/0 of the COREFW connects to eth0/1 of the EDGEFW. The COREFW is in Layer 3 mode, with the EDGEFW in Layer 2 mode (vlan1 as arp-trace).
    No NAT is in play; eventually I will have to use policy-based NAT for all traffic behind the COREFW destined for the internet (eth0/0 of EDGEFW). Actually, I have the exact same result accessing another system on the EDGEFW eth0/2 zone, so it does not seem to be a server-specific issue. However, I have NO issues accessing other webpages on systems attached to other zones on the COREFW.

    POLICIES CREATED:

    allowing HTTP from the COREFW eth0/3 zone to the COREFW eth0/0 zone
    allowing HTTP from the EDGEFW eth0/1 zone to the EDGEFW eth0/3 zone

    PS - This might happen with other protocols, but HTTP is all I have really tested in depth.

    THANK YOU ALL SO MUCH IN ADVANCE!!!



  • Aweck,

    I am still concerned that the arp trace-route functionality is not finding the systems behind the coreFW.

    Besides that–

    Saw your post at : http://forums.juniper.net/t5/SRX-Services-Gateway/reverse-route/td-p/25566;jsessionid=A095F255934E9D6727BC9A3E85B1A35B

    Think the set flow reverse-route might help? Well, unset arp always-on-dest for the older version I have. Just came across that option, so I will be looking into it further.


    NOTE: This command is a replacement of the command, unset arp always-on-dest, used in previous ScreenOS versions.

    Now after enabling this command the firewall will not do a reverse route lookup. Rather it uses the mac-cache entry (entry is made with the first packet of the session) to forward the reverse packet i.e syn-ack to the same gateway from where the SYN packet had arrived initially.


    Also, if I had to leave tcp-syn-check disabled, I came across a suggestion to enable SYN SYN ACK protection to help shore up the weakened security. Have you heard about doing so?



  • Aweck,

    Confirmed no duplicate MACs. Ran the command:

    set interface vlan1 broadcast arp trace-route

    And received no errors on the console. Did find this odd bit:

    unknown mac address resolve method: ARP + Trace Route Packet

    See more below

    EDGE-FW-> get interface vlan1
    Interface vlan1:
      number 15, if_info 36120, if_index 0, VLAN tag 1, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone VLAN, vr trust-vr
      *ip 64.63.62.240/24  mac 0012.1eac.f90f
      *manage ip 64.63.62.240, mac 0012.1eac.f90f
      ping enabled, telnet enabled, SSH enabled, SNMP enabled
      web enabled, ident-reset disabled, SSL enabled
      DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
      bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
                total configured gbw 0kbps, total allocated gbw 0kbps
      DHCP-Relay disabled
      DHCP-server disabled
      unknown mac address resolve method: ARP + Trace Route Packet
      vlan trunk: Off
      bypass others IPSEC: Off
      bypass non IP: multicast
      In backup mode, only traffic from V1-Trust can manage the box



  • That is strange.  For some reason the Edge FW is seeing the MAC address correlated to 192.168.1.100 on both eth0/0 and eth0/1.



  • Might have just found the problem... the trace bit did not seem to stick, based on looking at my backup config.

    found:

    set interface vlan1 broadcast arp

    expected:

    set interface vlan1 broadcast arp trace-route

    I will fire up the lab and see what happens. Logic sound? How about the routing?



  • This is the exact layout. No switches in place, just the two firewalls, the router, and some PCs directly connected. Each interface is also its own security zone. Transparent mode is in play on the edgeFW. Each system node off the edgeFW is on the same segment (since the device is in layer-2 mode). My layout seems sound to me; I am thinking the arp-trace setup on the edgeFW should allow it to "route... pass traffic" to the internal segments without the need to go to the edge-router, which is their DGW. Maybe something is preventing the arp-trace from passing to learn the MACs where a hop is required on the coreFW, thus forcing it to try the default DGW? Seems the reason for the traffic returning over eth0/0 on the edgeFW is the edge-router.

                           internet
                               |
                               |
                          edge-router  (static routes pointing to 64.63.62.250 for all private segments behind corefw)
                          64.63.62.254
                               |
                               |
                        eth0/0 of edgeFW

    eth0/1 of edgeFW ------------------------------------------------ 64.63.62.250 eth0/0 of coreFW

    eth0/2 of edgeFW - directly connected to pc 64.63.62.200           eth0/1 of coreFW - private segment

    eth0/3 of edgeFW - directly connected to pc 64.63.62.100           eth0/2 of coreFW - private segment

                                                                       eth0/3 of coreFW - test pc at 192.168.1.100



  • Do eth0/0 and eth0/1 connect to the same layer-2 network? How does eth0/1 factor into the layout?



  • Aweck,

    The MAC mentioned below, before the "host moved" bit, is the MAC of the edge-ROUTER's internal interface. So do I have something wrong in my basic setup (routing)? I have zero other devices on the network, so it cannot be a duplicate issue. Thinking that it has to be a routing issue, but I seem to be overlooking something. Below is the snippet with the edge-ROUTER's MAC, and then I added the basic layout info again.

    more layout info -
      edge-router
        - connects to eth0/0 on edgeFW
        - static routes to all segments behind corefw (routes point to eth0/0 of coreFW)
      edge-fw
        - layer two mode ARP-TRACERT (all segments on same segment, to include edge-router IP off eth0/0)
        - static route to allow mgt from behind corefw over vlan1
      core-fw
        - layer 3
        - all zones in one TRUST-VR

    ****** 03034.0: <l2-hsv 3="" ethernet0="">packet received [48]******
      ipid = 573(023d), @1d71f910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1905,6 <root>found mac 001f33bf739c on ethernet0/0
    xpt: host move from L2-core to ethernet0/0
      no session found
      policy search from zone 103-> zone 100
    policy_flow_search  policy search nat_crt from zone 103-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 7
      packet dropped, first pak not sync



  • Looks like the Netscreen does not like something regarding the surrounding network architecture. The FW is seeing the first SYN packet coming in on L2-core (eth0/1). However, when the first return packet attempts to go back, the FW sees the resolved MAC address of 1.100 off some other zone - zone id 100 (eth0/0). That is why 'unset flow tcp-syn-check' works to resolve the issue.

    Pinging across the FW first makes the FW think that it sees the resolved MAC address of 1.100 off of L2-core (eth0/1), so the session can successfully establish for a brief period of time (until presumably some other traffic is causing the FW to think the resolved MAC address of 1.100 is off of eth0/0 again).

    Could it be that there is a MAC conflict? The more likely cause, I think, would be that traffic with that MAC address is showing up off eth0/0 as well as eth0/1, confusing the FW as to which interface/zone pair it actually lies off.
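    As an added diagnostic (not from this thread, the poster, or Juniper), the following Python script reads ScreenOS `debug flow basic` output of the kind quoted above and reports every destination IP whose MAC was resolved on more than one interface, together with any `host move` events and `first pak not sync` drops, so the flapping described in this reply can be confirmed from a dump rather than by eye. The sample dump inside it is constructed to mirror the poster's lines, not copied from them.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ScreenOS "debug flow basic" lines quoted
# in this thread (not the poster's actual dump). The first exchange shows the
# failure mode: the SYN arrives via L2-core (ethernet0/1), but the reverse
# lookup for 192.168.1.100 hits a MAC learned on ethernet0/0, the host
# "moves", and tcp-syn-check drops the SYN-ACK as "first pak not sync".
# The second exchange shows a healthy handshake after the MAC is re-learned
# on ethernet0/1.
SAMPLE = """\
****** 03034.0: <L2-core/ethernet0/1> packet received [48]******
  L2-core:192.168.1.100/1905->64.63.62.100/80,6 <Root>found mac 001d0fcecb8f on ethernet0/3
  no session found
  Got syn, 192.168.1.100(1905)->64.63.62.100(80), nspflag 0x3801, 0x2800
****** 03034.0: <L2-hsv/ethernet0/3> packet received [48]******
  L2-hsv:64.63.62.100/80->192.168.1.100/1905,6 <Root>found mac 001f33bf739c on ethernet0/0
xpt: host move from L2-core to ethernet0/0
  no session found
  packet dropped, first pak not sync
****** 03064.0: <L2-core/ethernet0/1> packet received [48]******
  L2-core:192.168.1.100/1907->64.63.62.100/80,6 <Root>found mac 001d0fcecb8f on ethernet0/3
  Got syn, 192.168.1.100(1907)->64.63.62.100(80), nspflag 0x3801, 0x2800
****** 03064.0: <L2-hsv/ethernet0/3> packet received [48]******
  L2-hsv:64.63.62.100/80->192.168.1.100/1907,6 <Root>found mac 00121eadee80 on ethernet0/1
  Got syn_ack, 64.63.62.100(80)->192.168.1.100(1907), nspflag 0x3800, 0x3801
"""

# "<zone>:<src>/<sport>-><dst>/<dport>,<proto> ... found mac <mac> on <iface>"
# The lazy ".*?" skips the "<Root>" marker and any ", 5011(fin)" flag text.
FLOW_RE = re.compile(
    r"^\s*(?P<zone>[\w-]+):(?P<src>\d+\.\d+\.\d+\.\d+)/\d+->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/\d+,(?P<proto>\d+).*?"
    r"found mac (?P<mac>[0-9a-f]{12}) on (?P<iface>\S+)"
)
MOVE_RE = re.compile(r"host move from (?P<frm>\S+) to (?P<to>\S+)")
DROP_RE = re.compile(r"packet dropped, first pak not sync")


def analyze(debug_text):
    """Walk the dump line by line, remembering the most recent flow line so
    that host-move and drop messages can be attributed to a packet."""
    resolved = defaultdict(set)  # dst ip -> {(mac, iface)} seen for that dst
    moves = []                   # (dst ip, from, to)
    drops = []                   # (src ip, dst ip) of packets dropped by syn-check
    current = None
    for line in debug_text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            current = m.groupdict()
            resolved[current["dst"]].add((current["mac"], current["iface"]))
            continue
        m = MOVE_RE.search(line)
        if m and current:
            moves.append((current["dst"], m["frm"], m["to"]))
            continue
        if DROP_RE.search(line) and current:
            drops.append((current["src"], current["dst"]))
    # A destination is "flapping" when its MAC was resolved on >1 interface.
    flapping = {
        ip: sorted(pairs)
        for ip, pairs in resolved.items()
        if len({iface for _, iface in pairs}) > 1
    }
    return {"resolved": resolved, "flapping": flapping,
            "moves": moves, "drops": drops}


def report(result):
    """Render the analysis as plain text suitable for pasting into a ticket."""
    lines = []
    for ip, pairs in sorted(result["flapping"].items()):
        where = ", ".join(f"{mac} on {iface}" for mac, iface in pairs)
        lines.append(f"FLAPPING {ip}: resolved via {where}")
    for dst, frm, to in result["moves"]:
        lines.append(f"HOST MOVE {dst}: {frm} -> {to}")
    for src, dst in result["drops"]:
        lines.append(f"SYN-CHECK DROP {src} -> {dst} (first pak not sync)")
    return "\n".join(lines) if lines else "no MAC flapping or syn-check drops found"


if __name__ == "__main__":
    print(report(analyze(SAMPLE)))
```

    If a destination shows up as FLAPPING, the fix belongs in the layer-2 topology (which interface the host is really behind), not in disabling tcp-syn-check.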



  • EDGEFW POST 1c

    Got syn_ack, 64.63.62.100(80)->192.168.1.100(1910), nspflag 0x3800, 0x3801
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34924(886c), @1d47b910
      packet passed sanity check.
      L2-core:192.168.1.100/1910->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 217
      skip ttl adjust for packet from self.
      tcp seq check.
      Got ack, 192.168.1.100(1910)->64.63.62.100(80), natpflag 0x80, nspflag 0x3801, 0x3800, timeout=150
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-hsv 3="" ethernet0="">packet received [1500]******
      ipid = 599(0257), @1d7c8110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1908,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-hsv 3="" ethernet0="">packet received [59]******
      ipid = 600(0258), @1d7c8910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1908,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34925(886d), @1d47c110
      packet passed sanity check.
      L2-core:192.168.1.100/1908->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34926(886e), @1d47c910
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34927(886f), @1d4fa110
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-hsv 3="" ethernet0="">packet received [1500]******
      ipid = 601(0259), @1d7c9110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1909,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-hsv 3="" ethernet0="">packet received [315]******
      ipid = 602(025a), @1d7c9910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1909,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34928(8870), @1d4fa910
      packet passed sanity check.
      L2-core:192.168.1.100/1909->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03065.0: <l2-core 1="" ethernet0="">packet received [428]******
      ipid = 34931(8873), @1d498910
      packet passed sanity check.
      L2-core:192.168.1.100/1910->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 217
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03065.0: <l2-hsv 3="" ethernet0="">packet received [1057]******
      ipid = 603(025b), @1d7ca110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1910,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 217
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03065.0: <l2-core 1="" ethernet0="">packet received [471]******
      ipid = 34940(887c), @1d4fb110
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03065.0: <l2-core 1="" ethernet0="">packet received [466]******
      ipid = 34941(887d), @1d4fb910
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03065.0: <l2-hsv 3="" ethernet0="">packet received [462]******
      ipid = 604(025c), @1d7ca910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1907,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03065.0: <l2-hsv 3="" ethernet0="">packet received [1382]******
      ipid = 605(025d), @1d7cb110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03065.0: <l2-core 1="" ethernet0="">packet received [67]******
      ipid = 34946(8882), @1d4fc110
      packet passed sanity check.
      L2-core:192.168.1.100/59131->64.63.62.254/53,17 <root>found mac 001f33bf739c on ethernet0/0
      no session found
      policy search from zone 101-> zone 100
    policy_flow_search  policy search nat_crt from zone 101-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 5
      choose interface L2-internet as outgoing phy if
      session application type 16, name DNS, nas_id 0, timeout 60sec
      service lookup identified service 16.
      Session (id:218) created for first pak
      flow got session.
      flow session id 218
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03065.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34947(8883), @1d4fc910
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03065.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34948(8884), @1d4fd110
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03065.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34949(8885), @1d4fd910
      packet passed sanity check.
      L2-core:192.168.1.100/1910->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 217
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03065.0: <l2-core 1="" ethernet0="">packet received [65]******
      ipid = 34950(8886), @1d4fe110
      packet passed sanity check.
      L2-core:192.168.1.100/59514->64.63.62.254/53,17 <root>found mac 001f33bf739c on ethernet0/0
      flow packet already have session.
      flow session id 204
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03066.0: <l2-core 1="" ethernet0="">packet received [67]******
      ipid = 34951(8887), @1d4fe910
      packet passed sanity check.
      L2-core:192.168.1.100/59131->64.63.62.254/53,17 <root>found mac 001f33bf739c on ethernet0/0
      flow packet already have session.
      flow session id 218
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03067.0: <l2-core 1="" ethernet0="">packet received [67]******
      ipid = 34952(8888), @1d4d7110
      packet passed sanity check.
      L2-core:192.168.1.100/59131->64.63.62.254/53,17 <root>found mac 001f33bf739c on ethernet0/0
      flow packet already have session.
      flow session id 218
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03069.0: <l2-core 1="" ethernet0="">packet received [67]******
      ipid = 34955(888b), @1d4ff910
      packet passed sanity check.
      L2-core:192.168.1.100/59131->64.63.62.254/53,17 <root>found mac 001f33bf739c on ethernet0/0
      flow packet already have session.
      flow session id 218
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03070.0: <l2-hsv 3="" ethernet0="">packet received [40]******
      ipid = 606(025e), @1d7cb910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1908,6, 5011(fin) <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03070.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34965(8895), @1d504910
      packet passed sanity check.
      L2-core:192.168.1.100/1908->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03070.0: <l2-hsv 3="" ethernet0="">packet received [40]******
      ipid = 607(025f), @1d7cc110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1909,6, 5011(fin) <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03070.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34966(8896), @1d505110
      packet passed sanity check.
      L2-core:192.168.1.100/1909->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03070.0: <l2-hsv 3="" ethernet0="">packet received [40]******
      ipid = 608(0260), @1d7cc910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1907,6, 5011(fin) <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03070.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34968(8898), @1d506110
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03070.0: <l2-hsv 3="" ethernet0="">packet received [40]******
      ipid = 609(0261), @1d7cd110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6, 5011(fin) <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03070.0: <l2-hsv 3="" ethernet0="">packet received [40]******
      ipid = 610(0262), @1d7cd910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1910,6, 5011(fin) <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 217
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03070.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34970(889a), @1d507110
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03070.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34971(889b), @1d507910
      packet passed sanity check.
      L2-core:192.168.1.100/1910->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 217
      skip ttl adjust for packet from self.
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.

    THANKS!!!



  • EDGEFW POST PART 1b

    tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-hsv 3="" ethernet0="">packet received [1292]******
      ipid = 584(0248), @1d725910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [480]******
      ipid = 34875(883b), @1d474110
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [48]******
      ipid = 34882(8842), @1d474910
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:214) created for first pak
      flow got session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn, 192.168.1.100(1907)->64.63.62.100(80), nspflag 0x3801, 0x2800
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-hsv 3="" ethernet0="">packet received [48]******
      ipid = 585(0249), @1d726110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1907,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn_ack, 64.63.62.100(80)->192.168.1.100(1907), nspflag 0x3800, 0x3801
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [48]******
      ipid = 34883(8843), @1d475110
      packet passed sanity check.
      L2-core:192.168.1.100/1908->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:215) created for first pak
      flow got session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn, 192.168.1.100(1908)->64.63.62.100(80), nspflag 0x3801, 0x2800
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-hsv 3="" ethernet0="">packet received [48]******
      ipid = 586(024a), @1d726910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1908,6 <root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn_ack, 64.63.62.100(80)->192.168.1.100(1908), nspflag 0x3800, 0x3801
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34885(8845), @1d475910
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      Got ack, 192.168.1.100(1907)->64.63.62.100(80), natpflag 0x80, nspflag 0x3801, 0x3800, timeout=150
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [40]******
      ipid = 34886(8846), @1d476110
      packet passed sanity check.
      L2-core:192.168.1.100/1908->64.63.62.100/80,6 <root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      Got ack, 192.168.1.100(1908)->64.63.62.100(80), natpflag 0x80, nspflag 0x3801, 0x3800, timeout=150
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [480]******
      ipid = 34887(8847), @1d476910
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [481]******
      ipid = 34888(8848), @1d477110
      packet passed sanity check.
      L2-core:192.168.1.100/1908->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 215
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1500]******
      ipid = 587(024b), @1d727110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1002]******
      ipid = 588(024c), @1d727910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [40]******
      ipid = 34889(8849), @1d477910
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1500]******
      ipid = 589(024d), @1d7c3110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1907,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1500]******
      ipid = 590(024e), @1d7c3910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1907,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [40]******
      ipid = 34892(884c), @1d478110
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1110]******
      ipid = 591(024f), @1d7c4110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1907,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [472]******
      ipid = 34897(8851), @1d478910
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [466]******
      ipid = 34900(8854), @1d479110
      packet passed sanity check.
      L2-core:192.168.1.100/1907->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [48]******
      ipid = 34906(885a), @1d479910
      packet passed sanity check.
      L2-core:192.168.1.100/1909->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:216) created for first pak
      flow got session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn, 192.168.1.100(1909)->64.63.62.100(80), nspflag 0x3801, 0x2800
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [48]******
      ipid = 592(0250), @1d7c4910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1909,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn_ack, 64.63.62.100(80)->192.168.1.100(1909), nspflag 0x3800, 0x3801
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [40]******
      ipid = 34907(885b), @1d498110
      packet passed sanity check.
      L2-core:192.168.1.100/1909->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      Got ack, 192.168.1.100(1909)->64.63.62.100(80), natpflag 0x80, nspflag 0x3801, 0x3800, timeout=150
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1500]******
      ipid = 593(0251), @1d7c5110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1500]******
      ipid = 594(0252), @1d7c5910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1216]******
      ipid = 595(0253), @1d7c6110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [40]******
      ipid = 34909(885d), @1d47a110
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1194]******
      ipid = 596(0254), @1d7c6910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1907,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 214
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [1187]******
      ipid = 597(0255), @1d7c7110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [470]******
      ipid = 34920(8868), @1d47a910
      packet passed sanity check.
      L2-core:192.168.1.100/1909->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 216
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [48]******
      ipid = 34923(886b), @1d47b110
      packet passed sanity check.
      L2-core:192.168.1.100/1910->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:217) created for first pak
      flow got session.
      flow session id 217
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn, 192.168.1.100(1910)->64.63.62.100(80), nspflag 0x3801, 0x2800
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [48]******
      ipid = 598(0256), @1d7c7910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1910,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 217
      skip ttl adjust for packet from self.
      tcp seq check.



  • EDGEFW POST 1a -------- tcp sync issue found

    Below is the debugging of the EdgeFW.   The problem looks to be a tcp sync issue:

    “packet dropped, first pak not sync”

    So I ran:     unset flow tcp-syn-check      and everything works fine.

    Unfortunately, it seems like the best practice is to leave it enabled… correct?  Maybe my general layout is causing routing issues?

    more layout info -
      edge-router
        - connects to eth0/0 on edgeFW
        - static routes to all segments behind corefw (routes point to eth0/0 of coreFW)
      edge-fw
        - layer two mode ARP-TRACERT (all segments on same segment to include edge-router ip off eth0/0)
        - static route to allow mgt from behind corefw over vlan1
      core-fw
        - layer 3
        - all zones in one TRUST-VR

    I did capture packets to the default gateway (.254, which also acts as the DNS server for this lab) in the output below.  That might help with diagnosis.

    -----------DEBUG OUTPUT----------

    EDGE-FW-> debug flow basic
    EDGE-FW-> undebug all
    EDGE-FW-> get db str
    ****** 03034.0: <L2-core/ethernet0/1> packet received [48]******
      ipid = 34836(8814), @1d46a910
      packet passed sanity check.
      L2-core:192.168.1.100/1905->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:200) created for first pak
      flow got session.
      flow session id 200
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn, 192.168.1.100(1905)->64.63.62.100(80), nspflag 0x3801, 0x2800
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03034.0: <L2-hsv/ethernet0/3> packet received [48]******
      ipid = 573(023d), @1d71f910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1905,6<Root>found mac 001f33bf739c on ethernet0/0
    xpt: host move from L2-core to ethernet0/0
      no session found
      policy search from zone 103-> zone 100
    policy_flow_search  policy search nat_crt from zone 103-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 7
      packet dropped, first pak not sync
    ****** 03037.0: <L2-hsv/ethernet0/3> packet received [48]******
      ipid = 574(023e), @1d720110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1905,6<Root>found mac 001f33bf739c on ethernet0/0
      no session found
      policy search from zone 103-> zone 100
    policy_flow_search  policy search nat_crt from zone 103-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 7
      packet dropped, first pak not sync
    ****** 03037.0: <L2-core/ethernet0/1> packet received [48]******
      ipid = 34840(8818), @1d46b910
      packet passed sanity check.
      L2-core:192.168.1.100/1905->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:201) created for first pak
      flow got session.
      flow session id 201
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn, 192.168.1.100(1905)->64.63.62.100(80), nspflag 0x3801, 0x2800
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03037.0: <L2-hsv/ethernet0/3> packet received [40]******
      ipid = 575(023f), @1d720910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1905,6<Root>found mac 001f33bf739c on ethernet0/0
    xpt: host move from L2-core to ethernet0/0
      no session found
      policy search from zone 103-> zone 100
    policy_flow_search  policy search nat_crt from zone 103-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 7
      packet dropped, first pak not sync
    ****** 03043.0: <L2-hsv/ethernet0/3> packet received [48]******
      ipid = 576(0240), @1d721110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1905,6<Root>found mac 001f33bf739c on ethernet0/0
      no session found
      policy search from zone 103-> zone 100
    policy_flow_search  policy search nat_crt from zone 103-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 7
      packet dropped, first pak not sync
    ****** 03043.0: <L2-core/ethernet0/1> packet received [48]******
      ipid = 34841(8819), @1d46c910
      packet passed sanity check.
      L2-core:192.168.1.100/1905->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:203) created for first pak
      flow got session.
      flow session id 203
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn, 192.168.1.100(1905)->64.63.62.100(80), nspflag 0x3801, 0x2800
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03043.0: <L2-hsv/ethernet0/3> packet received [40]******
      ipid = 577(0241), @1d721910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1905,6<Root>found mac 001f33bf739c on ethernet0/0
    xpt: host move from L2-core to ethernet0/0
      no session found
      policy search from zone 103-> zone 100
    policy_flow_search  policy search nat_crt from zone 103-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 7
      packet dropped, first pak not sync
    ****** 03057.0: <L2-core/ethernet0/1> packet received [65]******
      ipid = 34846(881e), @1d46d910
      packet passed sanity check.
      L2-core:192.168.1.100/59514->64.63.62.254/53,17<Root>found mac 001f33bf739c on ethernet0/0
      no session found
      policy search from zone 101-> zone 100
    policy_flow_search  policy search nat_crt from zone 101-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 5
      choose interface L2-internet as outgoing phy if
      session application type 16, name DNS, nas_id 0, timeout 60sec
      service lookup identified service 16.
      Session (id:204) created for first pak
      flow got session.
      flow session id 204
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03058.0: <L2-core/ethernet0/1> packet received [65]******
      ipid = 34848(8820), @1d46e110
      packet passed sanity check.
      L2-core:192.168.1.100/59514->64.63.62.254/53,17<Root>found mac 001f33bf739c on ethernet0/0
      flow packet already have session.
      flow session id 204
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03059.0: <L2-core/ethernet0/1> packet received [60]******
      ipid = 34849(8821), @1d46f110
      packet passed sanity check.
      L2-core:192.168.1.100/50688->64.63.62.100/512,1(8/0)<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      Session (id:206) created for first pak
      flow got session.
      flow session id 206
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03059.0: <L2-hsv/ethernet0/3> packet received [60]******
      ipid = 578(0242), @1d722110
      packet passed sanity check.
      L2-hsv:64.63.62.100/512->192.168.1.100/50688,1(0/0)<Root>found mac 001f33bf739c on ethernet0/0
    xpt: host move from L2-core to ethernet0/0
      no session found
      policy search from zone 103-> zone 100
    policy_flow_search  policy search nat_crt from zone 103-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 7
      choose interface L2-internet as outgoing phy if
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      Session (id:207) created for first pak
      flow got session.
      flow session id 207
      skip ttl adjust for packet from self.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03059.0: <L2-internet/ethernet0/0> packet received [60]******
      ipid = 578(0242), @1d408910
      packet passed sanity check.
      L2-internet:64.63.62.100/512->192.168.1.100/50688,1(0/0)<Root>found mac 00121eadee80 on ethernet0/1
      no session found
      policy search from zone 100-> zone 101
    policy_flow_search  policy search nat_crt from zone 100-> zone 101
      No SW RPC rule match, search HW rule
      Permitted by policy 12
      choose interface L2-core as outgoing phy if
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      Session (id:208) created for first pak
      flow got session.
      flow session id 208
      skip ttl adjust for packet from self.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03059.0: <L2-core/ethernet0/1> packet received [65]******
      ipid = 34850(8822), @1d46f910
      packet passed sanity check.
      L2-core:192.168.1.100/59514->64.63.62.254/53,17<Root>found mac 001f33bf739c on ethernet0/0
      flow packet already have session.
      flow session id 204
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03060.0: <L2-core/ethernet0/1> packet received [60]******
      ipid = 34851(8823), @1d470110
      packet passed sanity check.
      L2-core:192.168.1.100/50944->64.63.62.100/512,1(8/0)<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      Session (id:210) created for first pak
      flow got session.
      flow session id 210
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03060.0: <L2-hsv/ethernet0/3> packet received [60]******
      ipid = 579(0243), @1d723110
      packet passed sanity check.
      L2-hsv:64.63.62.100/512->192.168.1.100/50944,1(0/0)<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 210
      skip ttl adjust for packet from self.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03061.0: <L2-core/ethernet0/1> packet received [60]******
      ipid = 34852(8824), @1d471110
      packet passed sanity check.
      L2-core:192.168.1.100/51200->64.63.62.100/512,1(8/0)<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      Session (id:211) created for first pak
      flow got session.
      flow session id 211
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03061.0: <L2-hsv/ethernet0/3> packet received [60]******
      ipid = 580(0244), @1d723910
      packet passed sanity check.
      L2-hsv:64.63.62.100/512->192.168.1.100/51200,1(0/0)<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 211
      skip ttl adjust for packet from self.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03061.0: <L2-core/ethernet0/1> packet received [65]******
      ipid = 34853(8825), @1d471910
      packet passed sanity check.
      L2-core:192.168.1.100/59514->64.63.62.254/53,17<Root>found mac 001f33bf739c on ethernet0/0
      flow packet already have session.
      flow session id 204
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.254.
      packet already has mac 001f33bf739c send out to L2-internet directly.
    ****** 03062.0: <L2-core/ethernet0/1> packet received [60]******
      ipid = 34854(8826), @1d472110
      packet passed sanity check.
      L2-core:192.168.1.100/51456->64.63.62.100/512,1(8/0)<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      Session (id:212) created for first pak
      flow got session.
      flow session id 212
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03062.0: <L2-hsv/ethernet0/3> packet received [60]******
      ipid = 581(0245), @1d724110
      packet passed sanity check.
      L2-hsv:64.63.62.100/512->192.168.1.100/51456,1(0/0)<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 212
      skip ttl adjust for packet from self.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [48]******
      ipid = 34860(882c), @1d4d6910
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      no session found
      policy search from zone 101-> zone 103
    policy_flow_search  policy search nat_crt from zone 101-> zone 103
      No SW RPC rule match, search HW rule
      Permitted by policy 3
      choose interface L2-hsv as outgoing phy if
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:213) created for first pak
      flow got session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn, 192.168.1.100(1906)->64.63.62.100(80), nspflag 0x3801, 0x2800
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [48]******
      ipid = 582(0246), @1d724910
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      Got syn_ack, 64.63.62.100(80)->192.168.1.100(1906), nspflag 0x3800, 0x3801
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [40]******
      ipid = 34861(882d), @1d472910
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      Got ack, 192.168.1.100(1906)->64.63.62.100(80), natpflag 0x80, nspflag 0x3801, 0x3800, timeout=150
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-core/ethernet0/1> packet received [428]******
      ipid = 34863(882f), @1d473110
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6<Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
      packet already has mac 001d0fcecb8f send out to L2-hsv directly.
    ****** 03064.0: <L2-hsv/ethernet0/3> packet received [360]******
      ipid = 583(0247), @1d725110
      packet passed sanity check.
      L2-hsv:64.63.62.100/80->192.168.1.100/1906,6<Root>found mac 00121eadee80 on ethernet0/1
      flow packet already have session.
      flow session id 213
      skip ttl adjust for packet from self.
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
      packet already has mac 00121eadee80 send out to L2-core directly.
    ****** 03064.0: <l2-core 1="" ethernet0="">packet received [434]******
      ipid = 34868(8834), @1d473910
      packet passed sanity check.
      L2-core:192.168.1.100/1906->64.63.62.100/80,6 <Root>found mac 001d0fcecb8f on ethernet0/3
      flow packet already have session.
      flow session id 213
      skip ttl adjust for p



  • My fault - thought I had come back and posted the Edge output. Nonetheless, please check back in a day or two. Hoping to get the guys upgraded before I or you spend any more time debugging.

    Best Regards



  • The debugs on the Core looked good.  In both cases the behavior looked similar - the only difference being that the Edge does not respond in the first case.  It would be interesting to see if the packets are making it to the Edge FW in the first case and if so what it is doing with the incoming packets.
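    To make that comparison mechanical, here is an added example (not from the thread or from Juniper) that parses the `debug flow basic` output quoted in this thread and reports, per session id, which TCP handshake steps the firewall saw, on which interfaces, and how many times the SYN was seen; the sample trace is constructed in the same format and is not a real capture.

```python
import re

# Line shapes taken from the debug output quoted in this thread.
PKT_RE = re.compile(r'^\*{6}\s*(?P<ts>[\d.]+):\s*<(?P<zone>[^/>]+)/(?P<ifc>[^>]+)>\s*packet received')
FLOW_RE = re.compile(r'^(?P<ifc>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)')
NEW_RE = re.compile(r'^Session \(id:(?P<sid>\d+)\) created')
SID_RE = re.compile(r'^flow session id (?P<sid>\d+)')
TCP_RE = re.compile(r'^Got (?P<flag>syn_ack|syn|ack)\b')
POLICY_RE = re.compile(r'^Permitted by policy (?P<pid>\d+)')


def parse_packets(text):
    """One dict per '****** ... packet received' block; unrelated lines are skipped."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PKT_RE.match(line):
            cur = {'ts': float(m['ts']), 'zone': m['zone'], 'ifc': m['ifc'],
                   'flow': None, 'sid': None, 'tcp': None, 'policy': None}
            packets.append(cur)
        elif cur is None:
            continue                                  # CLI echo before the first packet
        elif m := FLOW_RE.match(line):
            cur['flow'] = (m['src'], int(m['sport']), m['dst'], int(m['dport']), int(m['proto']))
        elif m := (NEW_RE.match(line) or SID_RE.match(line)):
            cur['sid'] = int(m['sid'])
        elif m := TCP_RE.match(line):
            cur['tcp'] = m['flag']
        elif m := POLICY_RE.match(line):
            cur['policy'] = int(m['pid'])
    return packets


def handshake_state(flow, flags):
    """'complete' when syn, syn_ack and ack were all seen; ICMP has no handshake."""
    if flow[4] != 6:
        return 'n/a (not TCP)'
    for step in ('syn', 'syn_ack', 'ack'):
        if step not in flags:
            return 'stalled: no ' + step              # e.g. SYN sent, peer never answered
    return 'complete'


def report(text):
    """Per session id: flow 5-tuple, permitting policy, interfaces seen, verdict, SYN count."""
    sessions = {}
    for p in parse_packets(text):
        if p['sid'] is None or p['flow'] is None:
            continue
        s = sessions.setdefault(p['sid'], {'flow': p['flow'], 'policy': None,
                                           'ifcs': set(), 'flags': []})
        s['ifcs'].add(p['ifc'])
        if p['policy'] is not None:
            s['policy'] = p['policy']
        if p['tcp']:
            s['flags'].append(p['tcp'])
    for s in sessions.values():
        s['state'] = handshake_state(s['flow'], s['flags'])
        s['syn_count'] = s['flags'].count('syn')      # >1 means the SYN was retransmitted
        s['ifcs'] = sorted(s['ifcs'])
    return sessions


# Constructed sample in the thread's format (not a real capture): session 189 is
# an ICMP echo, 199 a TCP handshake that completes, 201 a SYN that is
# retransmitted and never answered, the symptom the original post describes.
SAMPLE = """\
****** 02170.0: <internal/ethernet0/3> packet received [60]******
  ethernet0/3:192.168.1.100/42496->64.63.62.100/512,1(8/0) <Root>no session found
  Permitted by policy 17
  Session (id:189) created for first pak 1
****** 02193.0: <internal/ethernet0/3> packet received [48]******
  ethernet0/3:192.168.1.100/1837->64.63.62.100/80,6 <Root>no session found
  Permitted by policy 17
  Session (id:199) created for first pak 103
  Got syn, 192.168.1.100(1837)->64.63.62.100(80), nspflag 0x9801, 0x800
****** 02193.0: <core/ethernet0/0> packet received [48]******
  ethernet0/0:64.63.62.100/80->192.168.1.100/1837,6 <Root>existing session found. sess token 14
  flow session id 199
  Got syn_ack, 64.63.62.100(80)->192.168.1.100(1837), nspflag 0x1800, 0x9801
****** 02193.0: <internal/ethernet0/3> packet received [40]******
  ethernet0/3:192.168.1.100/1837->64.63.62.100/80,6 <Root>existing session found. sess token 18
  flow session id 199
  Got ack, 192.168.1.100(1837)->64.63.62.100(80), natpflag 0x40, nspflag 0x9801, 0x1800, timeout=150
****** 02250.0: <internal/ethernet0/3> packet received [48]******
  ethernet0/3:192.168.1.100/1840->64.63.62.100/80,6 <Root>no session found
  Permitted by policy 17
  Session (id:201) created for first pak 103
  Got syn, 192.168.1.100(1840)->64.63.62.100(80), nspflag 0x9801, 0x800
****** 02253.0: <internal/ethernet0/3> packet received [48]******
  ethernet0/3:192.168.1.100/1840->64.63.62.100/80,6 <Root>existing session found. sess token 18
  flow session id 201
  Got syn, 192.168.1.100(1840)->64.63.62.100(80), nspflag 0x9801, 0x800
"""

if __name__ == '__main__':
    for sid, s in report(SAMPLE).items():
        print(sid, s['flow'][:4], s['state'], 'syn_count=%d' % s['syn_count'])
```

    Run it over the `get db str` output from each firewall: a session that is `complete` on the Core but stalled on the Edge localises the drop to the Edge, and a session never created on the Edge means the packets did not arrive there at all.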



  • UPDATE-

    Just found the $70 J-Care package (Juniper Networks Customer Services J-Care Core - technical support - 1 year) that looks to get me the software updates! Thought I was going to need the $700 package, which would require an approval signature… Will get them updated to 6.3 and report back. Thanks again.



  • Part 2b

    ****** 02175.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9825(2661), @3d54b110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9826(2662), @3d54b910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51055(c76f), @3d4e0910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9827(2663), @3d54c110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9828(2664), @3d54c910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51056(c770), @3d4e1110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9829(2665), @3d54d110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9830(2666), @3d54d910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9831(2667), @3d54e110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51057(c771), @3d4e1910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9832(2668), @3d54e910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0> packet received [174]******
      ipid = 9833(2669), @3d54f110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51058(c772), @3d486910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51059(c773), @3d4e2110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02190.0: <internal/ethernet0/3> packet received [517]******
      ipid = 51119(c7af), @3d42d110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02190.0: <core/ethernet0/0> packet received [124]******
      ipid = 9879(2697), @3d550110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02190.0: <internal/ethernet0/3> packet received [470]******
      ipid = 51150(c7ce), @3d42e110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02190.0: <core/ethernet0/0> packet received [208]******
      ipid = 9898(26aa), @3d550910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02190.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9899(26ab), @3d551110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02190.0: <core/ethernet0/0> packet received [213]******
      ipid = 9900(26ac), @3d551910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02190.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51152(c7d0), @3d4e6910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02190.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51155(c7d3), @3d4e7110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6, 5011(fin) <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02190.0: <core/ethernet0/0> packet received [40]******
      ipid = 9911(26b7), @3d552110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02190.0: <core/ethernet0/0> packet received [40]******
      ipid = 9912(26b8), @3d552910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6, 5011(fin) <Root>existing session found. sess token 14
      flow got session.
      flow session id 193
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02190.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51156(c7d4), @3d4e7910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 193
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [48]******
      ipid = 51173(c7e5), @3d42f910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1837->64.63.62.100/80,6 <Root>no session found
      chose interface ethernet0/3 as incoming nat if.
      search route to (ethernet0/3, 192.168.1.100->64.63.62.100) in vr trust-vr for vsd-0/flag-0/ifp-null
      [Dest] 1.route 64.63.62.100->0.0.0.0, to ethernet0/0
      routed (64.63.62.100, 0.0.0.0) from ethernet0/3 (ethernet0/3 in 0) to ethernet0/0
      policy search from zone 104-> zone 100
    policy_flow_search  policy search nat_crt from zone 104-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 17
      No src xlate  choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:199) created for first pak 103
      route to 64.63.62.100
      arp entry found for 64.63.62.100
      nsp2 wing prepared, ready
      cache mac in the session
      flow got session.
      flow session id 199
      tcp seq check.
      Got syn, 192.168.1.100(1837)->64.63.62.100(80), nspflag 0x9801, 0x800
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <core/ethernet0/0> packet received [48]******
      ipid = 9935(26cf), @3d553110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1837,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 199
      tcp seq check.
      Got syn_ack, 64.63.62.100(80)->192.168.1.100(1837), nspflag 0x1800, 0x9801
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51174(c7e6), @3d4ea910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1837->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 199
      tcp seq check.
      Got ack, 192.168.1.100(1837)->64.63.62.100(80), natpflag 0x40, nspflag 0x9801, 0x1800, timeout=150
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [454]******
      ipid = 51175(c7e7), @3d430110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1837->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 199
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <core/ethernet0/0> packet received [208]******
      ipid = 9952(26e0), @3d553910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1837,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 199
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <core/ethernet0/0> packet received [1500]******
      ipid = 9953(26e1), @3d554110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1837,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 199
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <core/ethernet0/0> packet received [238]******
      ipid = 9954(26e2), @3d554910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1837,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 199
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51176(c7e8), @3d4eb110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1837->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 199
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51179(c7eb), @3d430910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1837->64.63.62.100/80,6, 5011(fin) <Root>existing session found. sess token 18
      flow got session.
      flow session id 199
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <core/ethernet0/0> packet received [40]******
      ipid = 9959(26e7), @3d555110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1837,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 199
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [48]******
      ipid = 51188(c7f4), @3d4eb910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1838->64.63.62.100/80,6 <Root>no session found
      chose interface ethernet0/3 as incoming nat if.
      search route to (ethernet0/3, 192.168.1.100->64.63.62.100) in vr trust-vr for vsd-0/flag-0/ifp-null
      [Dest] 1.route 64.63.62.100->0.0.0.0, to ethernet0/0
      routed (64.63.62.100, 0.0.0.0) from ethernet0/3 (ethernet0/3 in 0) to ethernet0/0
      policy search from zone 104-> zone 100
    policy_flow_search  policy search nat_crt from zone 104-> zone 100
      No SW RPC rule match, search HW rule
      Permitted by policy 17
      No src xlate  choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      Session (id:200) created for first pak 103
      route to 64.63.62.100
      arp entry found for 64.63.62.100
      nsp2 wing prepared, ready
      cache mac in the session
      flow got session.
      flow session id 200
      tcp seq check.
      Got syn, 192.168.1.100(1838)->64.63.62.100(80), nspflag 0x9801, 0x800
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <core/ethernet0/0> packet received [40]******
      ipid = 9966(26ee), @3d555910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1837,6, 5011(fin) <Root>existing session found. sess token 14
      flow got session.
      flow session id 199
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51189(c7f5), @3d431110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1837->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 199
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <core/ethernet0/0> packet received [48]******
      ipid = 9969(26f1), @3d556110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1838,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 200
      tcp seq check.
      Got syn_ack, 64.63.62.100(80)->192.168.1.100(1838), nspflag 0x1800, 0x9801
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51190(c7f6), @3d4ec110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1838->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 200
      tcp seq check.
      Got ack, 192.168.1.100(1838)->64.63.62.100(80), natpflag 0x40, nspflag 0x9801, 0x1800, timeout=150
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [454]******
      ipid = 51191(c7f7), @3d4ec910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1838->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 200
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <core/ethernet0/0> packet received [208]******
      ipid = 10004(2714), @3d556910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1838,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 200
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <core/ethernet0/0> packet received [1500]******
      ipid = 10005(2715), @3d785110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1838,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 200
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <core/ethernet0/0> packet received [238]******
      ipid = 10006(2716), @3d785910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1838,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 200
      tcp seq check.
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51192(c7f8), @3d431910
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1838->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 200
      tcp seq check.
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51195(c7fb), @3d432110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1838->64.63.62.100/80,6, 5011(fin) <Root>existing session found. sess token 18
      flow got session.
      flow session id 200
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02193.0: <core/ethernet0/0> packet received [40]******
      ipid = 10011(271b), @3d786110
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1838,6 <Root>existing session found. sess token 14
      flow got session.
      flow session id 200
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <core/ethernet0/0> packet received [40]******
      ipid = 10018(2722), @3d786910
      packet passed sanity check.
      ethernet0/0:64.63.62.100/80->192.168.1.100/1838,6, 5011(fin) <Root>existing session found. sess token 14
      flow got session.
      flow session id 200
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02193.0: <internal/ethernet0/3> packet received [40]******
      ipid = 51196(c7fc), @3d4ed110
      packet passed sanity check.
      ethernet0/3:192.168.1.100/1838->64.63.62.100/80,6 <Root>existing session found. sess token 18
      flow got session.
      flow session id 200
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 192.168.1.100->64.63.62.100.



  • PART 2a

    2222222222222222222222222222222222222222
    DOING THE EXACT SAME THING but will ping the dst-ip first (successfully, 4 times), then
    attempt HTTP (works with one load of the webpage, accessing the webpage via the dst-ip).
    22222222222222222222222222222222222222222

    CORE-FW-> set ff src-ip 192.168.1.100 dst-ip 64.63.62.100
    filter added
    CORE-FW-> clear db
    CORE-FW-> debug flow basic
    CORE-FW-> clear db
    CORE-FW-> undebug all
    CORE-FW-> get db str
    ****** 02170.0: <internal/ethernet0/3> packet received [60]******
     ipid = 51033(c759), @3d4dc910
     packet passed sanity check.
     ethernet0/3:192.168.1.100/42496->64.63.62.100/512,1(8/0) <Root>no session found
     chose interface ethernet0/3 as incoming nat if.
     search route to (ethernet0/3, 192.168.1.100->64.63.62.100) in vr trust-vr for vsd-0/flag-0/ifp-null
     [Dest] 1.route 64.63.62.100->0.0.0.0, to ethernet0/0
     routed (64.63.62.100, 0.0.0.0) from ethernet0/3 (ethernet0/3 in 0) to ethernet0/0
     policy search from zone 104-> zone 100
    policy_flow_search  policy search nat_crt from zone 104-> zone 100
     No SW RPC rule match, search HW rule
     Permitted by policy 17
     No src xlate   choose interface ethernet0/0 as outgoing phy if
     no loop on ifp ethernet0/0.
     session application type 0, name None, nas_id 0, timeout 60sec
     service lookup identified service 0.
     Session (id:189) created for first pak 1
     route to 64.63.62.100
     arp entry found for 64.63.62.100
     nsp2 wing prepared, ready
     cache mac in the session
     flow got session.
     flow session id 189
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02170.0: <core/ethernet0/0> packet received [60]******
     ipid = 9766(2626), @3d540110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/512->192.168.1.100/42496,1(0/0) <Root>existing session found. sess token 14
     flow got session.
     flow session id 189
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02171.0: <internal/ethernet0/3> packet received [60]******
     ipid = 51034(c75a), @3d42a910
     packet passed sanity check.
     ethernet0/3:192.168.1.100/42752->64.63.62.100/512,1(8/0) <Root>no session found
     chose interface ethernet0/3 as incoming nat if.
     search route to (ethernet0/3, 192.168.1.100->64.63.62.100) in vr trust-vr for vsd-0/flag-0/ifp-null
     [Dest] 1.route 64.63.62.100->0.0.0.0, to ethernet0/0
     routed (64.63.62.100, 0.0.0.0) from ethernet0/3 (ethernet0/3 in 0) to ethernet0/0
     policy search from zone 104-> zone 100
    policy_flow_search  policy search nat_crt from zone 104-> zone 100
     No SW RPC rule match, search HW rule
     Permitted by policy 17
     No src xlate   choose interface ethernet0/0 as outgoing phy if
     no loop on ifp ethernet0/0.
     session application type 0, name None, nas_id 0, timeout 60sec
     service lookup identified service 0.
     Session (id:190) created for first pak 1
     route to 64.63.62.100
     arp entry found for 64.63.62.100
     nsp2 wing prepared, ready
     cache mac in the session
     flow got session.
     flow session id 190
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02171.0: <core/ethernet0/0> packet received [60]******
     ipid = 9769(2629), @3d541110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/512->192.168.1.100/42752,1(0/0) <Root>existing session found. sess token 14
     flow got session.
     flow session id 190
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02172.0: <internal/ethernet0/3> packet received [60]******
     ipid = 51035(c75b), @3d4dd110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/43008->64.63.62.100/512,1(8/0) <Root>no session found
     chose interface ethernet0/3 as incoming nat if.
     search route to (ethernet0/3, 192.168.1.100->64.63.62.100) in vr trust-vr for vsd-0/flag-0/ifp-null
     [Dest] 1.route 64.63.62.100->0.0.0.0, to ethernet0/0
     routed (64.63.62.100, 0.0.0.0) from ethernet0/3 (ethernet0/3 in 0) to ethernet0/0
     policy search from zone 104-> zone 100
    policy_flow_search  policy search nat_crt from zone 104-> zone 100
     No SW RPC rule match, search HW rule
     Permitted by policy 17
     No src xlate   choose interface ethernet0/0 as outgoing phy if
     no loop on ifp ethernet0/0.
     session application type 0, name None, nas_id 0, timeout 60sec
     service lookup identified service 0.
     Session (id:191) created for first pak 1
     route to 64.63.62.100
     arp entry found for 64.63.62.100
     nsp2 wing prepared, ready
     cache mac in the session
     flow got session.
     flow session id 191
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02172.0: <core/ethernet0/0> packet received [60]******
     ipid = 9774(262e), @3d541910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/512->192.168.1.100/43008,1(0/0) <Root>existing session found. sess token 14
     flow got session.
     flow session id 191
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02173.0: <internal/ethernet0/3> packet received [60]******
     ipid = 51036(c75c), @3d4dd910
     packet passed sanity check.
     ethernet0/3:192.168.1.100/43264->64.63.62.100/512,1(8/0) <Root>no session found
     chose interface ethernet0/3 as incoming nat if.
     search route to (ethernet0/3, 192.168.1.100->64.63.62.100) in vr trust-vr for vsd-0/flag-0/ifp-null
     [Dest] 1.route 64.63.62.100->0.0.0.0, to ethernet0/0
     routed (64.63.62.100, 0.0.0.0) from ethernet0/3 (ethernet0/3 in 0) to ethernet0/0
     policy search from zone 104-> zone 100
    policy_flow_search  policy search nat_crt from zone 104-> zone 100
     No SW RPC rule match, search HW rule
     Permitted by policy 17
     No src xlate   choose interface ethernet0/0 as outgoing phy if
     no loop on ifp ethernet0/0.
     session application type 0, name None, nas_id 0, timeout 60sec
     service lookup identified service 0.
     Session (id:192) created for first pak 1
     route to 64.63.62.100
     arp entry found for 64.63.62.100
     nsp2 wing prepared, ready
     cache mac in the session
     flow got session.
     flow session id 192
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02173.0: <core/ethernet0/0> packet received [60]******
     ipid = 9777(2631), @3d542110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/512->192.168.1.100/43264,1(0/0) <Root>existing session found. sess token 14
     flow got session.
     flow session id 192
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3> packet received [48]******
     ipid = 51045(c765), @3d4de110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>no session found
     chose interface ethernet0/3 as incoming nat if.
     search route to (ethernet0/3, 192.168.1.100->64.63.62.100) in vr trust-vr for vsd-0/flag-0/ifp-null
     [Dest] 1.route 64.63.62.100->0.0.0.0, to ethernet0/0
     routed (64.63.62.100, 0.0.0.0) from ethernet0/3 (ethernet0/3 in 0) to ethernet0/0
     policy search from zone 104-> zone 100
    policy_flow_search  policy search nat_crt from zone 104-> zone 100
     No SW RPC rule match, search HW rule
     Permitted by policy 17
     No src xlate   choose interface ethernet0/0 as outgoing phy if
     no loop on ifp ethernet0/0.
     session application type 6, name HTTP, nas_id 0, timeout 300sec
     service lookup identified service 0.
     Session (id:193) created for first pak 103
     route to 64.63.62.100
     arp entry found for 64.63.62.100
     nsp2 wing prepared, ready
     cache mac in the session
     flow got session.
     flow session id 193
     tcp seq check.
     Got syn, 192.168.1.100(1836)->64.63.62.100(80), nspflag 0x9801, 0x800
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0> packet received [48]******
     ipid = 9782(2636), @3d542910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <Root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     Got syn_ack, 64.63.62.100(80)->192.168.1.100(1836), nspflag 0x1800, 0x9801
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3> packet received [40]******
     ipid = 51046(c766), @3d485110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     Got ack, 192.168.1.100(1836)->64.63.62.100(80), natpflag 0x40, nspflag 0x9801, 0x1800, timeout=150
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <internal/ethernet0/3> packet received [517]******
     ipid = 51047(c767), @3d4de910
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <Root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0>packet received [266]******
     ipid = 9799(2647), @3d543110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9800(2648), @3d543910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3>packet received [40]******
     ipid = 51048(c768), @3d4df110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9805(264d), @3d544110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9806(264e), @3d544910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9807(264f), @3d545110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3>packet received [40]******
     ipid = 51049(c769), @3d42b110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9812(2654), @3d545910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9813(2655), @3d546110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9814(2656), @3d546910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3>packet received [40]******
     ipid = 51050(c76a), @3d485910
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <internal/ethernet0/3>packet received [40]******
     ipid = 51051(c76b), @3d459110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9817(2659), @3d547110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9818(265a), @3d547910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9819(265b), @3d548110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9820(265c), @3d548910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3>packet received [40]******
     ipid = 51052(c76c), @3d486110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9821(265d), @3d549110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9822(265e), @3d549910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3>packet received [40]******
     ipid = 51053(c76d), @3d4df910
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9823(265f), @3d54a110
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.
    ****** 02175.0: <internal/ethernet0/3>packet received [40]******
     ipid = 51054(c76e), @3d4e0110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1836->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 02175.0: <core/ethernet0/0>packet received [1500]******
     ipid = 9824(2660), @3d54a910
     packet passed sanity check.
     ethernet0/0:64.63.62.100/80->192.168.1.100/1836,6 <root>existing session found. sess token 14
     flow got session.
     flow session id 193
     tcp seq check.
     post addr xlation: 64.63.62.100->192.168.1.100.



  • Below are two debug dumps run on the core firewall (all interfaces in route mode); I will post the output from the edge firewall soon.  The first debug shows the HTTP session fail; the second one is successful, but only after first pinging the dst-ip.  Not sure this helps gather enough info, but any help is most appreciated.  I have to cut and paste the debug outputs separately in three posts in total, as I hit a character count limit per post.

    There is a post PART1 - failed attempt
          &
    post PART 2a & 2b - successful attempt

    **PART 1
    111111111111111111111111111111111111111111111111111111111111111111111111

    THIS IS A TEST THAT FAILS (webpage never opens or even finds a page to try).  
    NO previous communication to the dst-ip has been attempted, NOT even ping.

    111111111111111111111111111111111111111111111111111111111111111111111111**

    CORE-FW-> set ff src-ip 192.168.1.100 dst-ip 64.63.62.100 dst-port 80
    filter added
    CORE-FW-> debug flow basic
    CORE-FW-> clear db
    CORE-FW-> undebug all
    CORE-FW-> get db str
    ****** 01365.0: <internal/ethernet0/3>packet received [48]******
     ipid = 50572(c58c), @3d75f910
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1835->64.63.62.100/80,6 <root>no session found
     chose interface ethernet0/3 as incoming nat if.
     search route to (ethernet0/3, 192.168.1.100->64.63.62.100) in vr trust-vr for vsd-0/flag-0/ifp-null
     [Dest] 1.route 64.63.62.100->0.0.0.0, to ethernet0/0
     routed (64.63.62.100, 0.0.0.0) from ethernet0/3 (ethernet0/3 in 0) to ethernet0/0
     policy search from zone 104-> zone 100
    policy_flow_search  policy search nat_crt from zone 104-> zone 100
     No SW RPC rule match, search HW rule
     Permitted by policy 17
     No src xlate   choose interface ethernet0/0 as outgoing phy if
     no loop on ifp ethernet0/0.
     session application type 6, name HTTP, nas_id 0, timeout 300sec
     service lookup identified service 0.
     Session (id:139) created for first pak 103
     route to 64.63.62.100
     arp entry found for 64.63.62.100
     nsp2 wing prepared, ready
     cache mac in the session
     flow got session.
     flow session id 139
     tcp seq check.
     Got syn, 192.168.1.100(1835)->64.63.62.100(80), nspflag 0x9801, 0x800
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 01368.0: <internal/ethernet0/3>packet received [48]******
     ipid = 50577(c591), @3d762110
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1835->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 139
     tcp seq check.
     Got syn, 192.168.1.100(1835)->64.63.62.100(80), nspflag 0x9801, 0x800
     post addr xlation: 192.168.1.100->64.63.62.100.
    ****** 01374.0: <internal/ethernet0/3>packet received [48]******
     ipid = 50582(c596), @3d763910
     packet passed sanity check.
     ethernet0/3:192.168.1.100/1835->64.63.62.100/80,6 <root>existing session found. sess token 18
     flow got session.
     flow session id 139
     tcp seq check.
     Got syn, 192.168.1.100(1835)->64.63.62.100(80), nspflag 0x9801, 0x800
     post addr xlation: 192.168.1.100->64.63.62.100.
    CORE-FW->
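As an added example (not from this thread and not Juniper's code), a small Python parser for the `debug flow basic` format in the dumps above: it groups packets by `flow session id` and reports, per session, whether a SYN-ACK ever came back. The embedded SAMPLE is constructed in the format of the failed PART 1 attempt, and the regexes assume the `<zone/interface>` header, the 5-tuple line, and the `Got syn/syn_ack/ack` lines exactly as the dumps show them.

```python
import re
from collections import defaultdict

PKT_RE = re.compile(r"\*{6} [\d.]+: <([^>]+)>packet received")      # <zone/interface> header
FLOW_RE = re.compile(r"^\s*(\S+?):\S+/\d+->\S+/\d+,\d+")             # ingress ifp of the 5-tuple
SESS_RE = re.compile(r"flow session id (\d+)")
TCP_RE = re.compile(r"Got (syn_ack|syn|ack),")
FIELDS = {"ifp": FLOW_RE, "session": SESS_RE, "tcp": TCP_RE}

# Constructed sample in the dump's format: client SYN permitted, then retransmitted, no reply.
SAMPLE = """\
****** 01365.0: <internal/ethernet0/3>packet received [48]******
 ethernet0/3:192.168.1.100/1835->64.63.62.100/80,6<Root>no session found
 Permitted by policy 17
 flow session id 139
 Got syn, 192.168.1.100(1835)->64.63.62.100(80), nspflag 0x9801, 0x800
****** 01368.0: <internal/ethernet0/3>packet received [48]******
 ethernet0/3:192.168.1.100/1835->64.63.62.100/80,6<Root>existing session found. sess token 18
 flow session id 139
 Got syn, 192.168.1.100(1835)->64.63.62.100(80), nspflag 0x9801, 0x800
"""

def parse_debug_flow(text):
    """One dict per 'packet received' block: ingress ifp, session id, TCP flag seen."""
    packets, cur = [], None
    for line in text.splitlines():
        if PKT_RE.search(line):
            cur = dict.fromkeys(FIELDS)
            packets.append(cur)
        elif cur is not None:
            for key, rx in FIELDS.items():
                if m := rx.search(line):
                    cur[key] = m.group(1)
    return packets

def diagnose(packets):
    """Per session: count client SYNs and note whether a SYN-ACK ever came back."""
    by_sess = defaultdict(list)
    for p in packets:
        if p["session"]:
            by_sess[p["session"]].append(p)
    report = {}
    for sid, pkts in by_sess.items():
        syns = sum(p["tcp"] == "syn" for p in pkts)
        syn_ack = any(p["tcp"] == "syn_ack" for p in pkts)
        # Repeated SYNs with no SYN-ACK on the far interface point at the return path, not policy.
        verdict = ("handshake completed" if syn_ack else "SYN retransmitted, no SYN-ACK returned"
                   if syns > 1 else "inconclusive")
        report[sid] = {"syns": syns, "syn_ack": syn_ack, "verdict": verdict}
    return report
```

Run over the PART 1 dump it reports repeated SYNs on ethernet0/3 with no SYN-ACK on ethernet0/0, which matches what the dump itself shows: policy 17 permitted the flow and a session was created, so the missing piece is the reply, not the core policy.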



  • For anyone else reading this post here is a decent link on debugging:

    http://forums.juniper.net/t5/Firewalls/Troubleshooting-Tips-Debug-commands/td-p/6203

    Will post my result later tonight or over the weekend.  Hopefully, the former.



  • I will give the debugging a shot.  Any way to get the newer version without active support?

    Thanks Again!

