ypascalin
Newbie
Posts: 1

« on: February 12, 2010, 08:12:33 AM »
Hello,
Some other topics have quite the same subject, but even with those I wasn't able to solve my issue.
We have two ISPs, eb-qual (192.168.26.0/24) and gaga (10.0.2.0/24), and the users are coming from the zone gogol (10.0.1.0/24). The goal is the following:
- Everyone from the zone gogol must use the path through the zone gaga.
- Except the server (10.0.1.2), which must use the path through the zone eb-qual.
Also the external server IP is 192.168.26.209.
The traffic is able to reach the server but the reply does not select the correct path. Here is the current configuration:

## Last changed: 2010-02-12 14:16:30 UTC
version 10.0R2.10;
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output eb-qual;
                }
                address 192.168.26.208/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input gogol-server;
                }
                address 10.0.1.1/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    output gaga;
                }
                address 10.0.2.1/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet common;
    }
    rib-groups {
        common {
            import-rib [ inet.0 eb-qual.inet.0 gaga.inet.0 ];
        }
    }
}
security {
    nat {
        source {
            rule-set interface-nat-out {
                from interface ge-0/0/1.0;
                to interface [ ge-0/0/0.0 fe-0/0/2.0 ];
                rule interface-nat-out {
                    match {
                        source-address 10.0.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            rule-set server-nat {
                from zone eb-qual;
                rule server-nat {
                    match {
                        destination-address 192.168.26.209/32;
                    }
                    then {
                        static-nat prefix 10.0.1.2/32;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    192.168.26.209/32;
                }
            }
        }
    }
    zones {
        security-zone eb-qual {
            tcp-rst;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone gogol {
            tcp-rst;
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone gaga {
            tcp-rst;
            interfaces {
                fe-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    filter gogol-server {
        term 1 {
            from {
                source-address {
                    10.0.1.2/32;
                }
            }
            then {
                routing-instance eb-qual;
            }
        }
        term 2 {
            from {
                source-address {
                    10.0.1.0/24;
                }
            }
            then {
                routing-instance gaga;
            }
        }
        term 3 {
            then accept;
        }
    }
    filter eb-qual {
        term 1 {
            then {
                count eb-qual;
                log;
                accept;
            }
        }
    }
    filter gaga {
        term 1 {
            then {
                count gaga;
                log;
                accept;
            }
        }
    }
}
routing-instances {
    eb-qual {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.26.1;
            }
        }
    }
    gaga {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.2.254;
            }
        }
    }
}
Have you any idea what may create this issue?
Here is the debugging output for a ping from IP 192.168.40.30, coming from the zone eb-qual, to the address 192.168.26.206 (NAT to 10.0.1.2):

Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:<192.168.40.30/2048->192.168.26.209/11100;1> matched filter f0:
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:packet [60] ipid = 11485, @42380c9e
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x42380b00
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow process pak fast ifl 70 in_ifp ge-0/0/0.0
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: ge-0/0/0.0:192.168.40.30->192.168.26.209, icmp, (8/0)
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: find flow: table 0x4d5c8238, hash 46214(0xffff), sa 192.168.40.30, da 192.168.26.209, sp 7936, dp 768, proto 1, tok 384
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow_first_create_session
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 192.168.26.209, sp 7936, dp 768
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: chose interface ge-0/0/0.0 as incoming nat if.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.40.30->192.168.26.209 nsp2 0.0.0.0->10.0.1.2.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 192.168.40.30, x_dst_ip 10.0.1.2, in ifp ge-0/0/0.0, out ifp N/A sp 7936, dp 768, ip_proto 1, tos 0
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: routed (x_dst_ip 10.0.1.2) from eb-qual (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.0.1.2
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: policy search from zone eb-qual-> zone gogol
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_src_xlate: 192.168.40.30/7936 -> 192.168.26.209/768 | 10.0.1.2/768 -> 0.0.0.0/7936: nat_src_xlated: False, nat_src_xlate_failed: False
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(7936) to 10.0.1.2(768) returns status: 0, rule/pool id: 0/0, pst_nat: False.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: dip id = 0/0, 192.168.40.30/7936->192.168.40.30/7936
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_get_out_ifp: 1000 -> cone nat test
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: choose interface ge-0/0/1.0 as outgoing phy if
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/1.0, addr: 10.0.1.2, rtt_idx:0
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:policy is NULL (wx/pim scenario)
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:sm_flow_interest_check: app_id 0, policy 5, app_svc_en 0, flags 0x2. not interested
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:sm_flow_interest_check: app_id 1, policy 5, app_svc_en 0, flags 0x2. not interested
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_service_lookup(): natp(0x4b5d5628): app_id, 0(0).
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: service lookup identified service 0.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow_first_final_check: in <ge-0/0/0.0>, out <ge-0/0/1.0>
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: existing vector list 1200-45771548.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: Session (id:136) created for first pak 1200
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow_first_install_session======> 0x4b5d5628
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: nsp 0x4b5d5628, nsp2 0x4b5d5694
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: make_nsp_ready_no_resolve()
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: route lookup: dest-ip 192.168.40.30 orig ifp ge-0/0/0.0 output_ifp N/A orig-zone 6 out-zone 65535 vsd 0
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:Installing c2s NP session wing
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:Installing s2c NP session wing
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow got session.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow session id 136
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: post addr xlation: 192.168.40.30->10.0.1.2.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:mbuf 0x42380b00, exit nh 0x80010
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:<10.0.1.2/0->192.168.40.30/13148;1> matched filter f1:
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:packet [60] ipid = 489, @4238509e
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x42384f00
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/1.0
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: ge-0/0/1.0:10.0.1.2->192.168.40.30, icmp, (0/0)
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: find flow: table 0x4d5c8238, hash 28983(0xffff), sa 10.0.1.2, da 192.168.40.30, sp 768, dp 7936, proto 1, tok 448
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: flow got session.
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: flow session id 136
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: route lookup failed: dest-ip 192.168.40.30 orig ifp ge-0/0/0.0 output_ifp N/A fto 0x0 orig-zone 6 out-zone 65535 vsd 0
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: packet dropped, pak dropped since re-route failed
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
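Reading a flow trace like the one above by eye is error-prone, because the useful facts (which interface the first packet entered, what the destination was translated to, which interface the route lookup picked, which session id was assigned, and whether the reply wing was dropped and why) are scattered across dozens of lines. The following Python script is an added example, not the poster's code and not a Juniper tool: it condenses an SRX `flow traceoptions` basic-datapath trace into one record per packet and flags the packets the flow module dropped at re-route. The sample trace embedded in it is a constructed, condensed subset of the lines quoted in the post; the regular expressions are written against the message formats visible there and would need adjusting for other Junos releases.

```python
"""Condense SRX 'flow traceoptions' basic-datapath output into per-packet records."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a condensed subset of the trace lines quoted in the post
# (the first packet of the ping and the reply wing of the same session).
SAMPLE_TRACE = """\
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:<192.168.40.30/2048->192.168.26.209/11100;1> matched filter f0:
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow process pak fast ifl 70 in_ifp ge-0/0/0.0
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.40.30->192.168.26.209 nsp2 0.0.0.0->10.0.1.2.
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: routed (x_dst_ip 10.0.1.2) from eb-qual (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.0.1.2
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: policy search from zone eb-qual-> zone gogol
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: Session (id:136) created for first pak 1200
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: route lookup: dest-ip 192.168.40.30 orig ifp ge-0/0/0.0 output_ifp N/A orig-zone 6 out-zone 65535 vsd 0
Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:<10.0.1.2/0->192.168.40.30/13148;1> matched filter f1:
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/1.0
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: flow session id 136
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: route lookup failed: dest-ip 192.168.40.30 orig ifp ge-0/0/0.0 output_ifp N/A fto 0x0 orig-zone 6 out-zone 65535 vsd 0
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: packet dropped, pak dropped since re-route failed
Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

# "Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:<message>" -> keep only <message>.
PREFIX_RE = re.compile(r"^\w{3} +\d+ +[\d:]+ +[\d:.]+:CID-\d+:RT:\s*(.*)$")
# A "matched filter" line marks the start of a new packet in the trace.
PKT_RE = re.compile(r"^<([\d.]+)/\d+->([\d.]+)/\d+;\d+> matched filter (\w+):")
# One regex per field we want to pull out of the lines that follow.
FIELD_RES = {
    "in_ifp": re.compile(r"in_ifp (\S+)"),
    "xlated_dst": re.compile(r"nsp2 [\d.]+->(\d+\.\d+\.\d+\.\d+)"),
    "out_ifp": re.compile(r"routed \(x_dst_ip [\d.]+\) from \S+ \(.*?\) to (\S+),"),
    "session_id": re.compile(r"(?:Session \(id:|flow session id )(\d+)"),
    "route_fail_dst": re.compile(r"route lookup failed: dest-ip ([\d.]+)"),
    "drop_reason": re.compile(r"packet dropped, (.*)$"),
    "rc": re.compile(r"flow_process_pkt rc (0x[0-9a-fA-F]+)"),
}
ZONES_RE = re.compile(r"policy search from zone (\S+?)-> zone (\S+)")


@dataclass
class PacketTrace:
    src: str
    dst: str
    filter_name: str
    in_ifp: Optional[str] = None
    xlated_dst: Optional[str] = None
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    out_ifp: Optional[str] = None
    session_id: Optional[int] = None
    route_fail_dst: Optional[str] = None
    drop_reason: Optional[str] = None
    rc: Optional[str] = None


def parse_trace(text: str) -> List[PacketTrace]:
    """Group trace lines by packet and extract the fields above from each group."""
    packets: List[PacketTrace] = []
    cur: Optional[PacketTrace] = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # not a flow trace line (or a different format)
        body = m.group(1)
        pm = PKT_RE.match(body)
        if pm:
            cur = PacketTrace(src=pm.group(1), dst=pm.group(2), filter_name=pm.group(3))
            packets.append(cur)
            continue
        if cur is None:
            continue  # lines before the first "matched filter" belong to no packet
        for name, rx in FIELD_RES.items():
            fm = rx.search(body)
            if fm and getattr(cur, name) is None:  # first occurrence wins
                setattr(cur, name, int(fm.group(1)) if name == "session_id" else fm.group(1))
        zm = ZONES_RE.search(body)
        if zm:
            cur.from_zone, cur.to_zone = zm.groups()
    return packets


def reroute_failures(packets: List[PacketTrace]) -> List[PacketTrace]:
    """Packets the flow module dropped because the re-route lookup failed."""
    return [p for p in packets if p.drop_reason and "re-route failed" in p.drop_reason]


def describe(p: PacketTrace) -> str:
    """One-line human-readable summary of a packet record."""
    path = f"{p.in_ifp} -> {p.out_ifp or 'N/A'}"
    nat = f" (dst NAT to {p.xlated_dst})" if p.xlated_dst else ""
    outcome = f"DROP: {p.drop_reason}" if p.drop_reason else f"rc {p.rc}"
    return f"session {p.session_id}: {p.src}->{p.dst}{nat} via {path}; {outcome}"


if __name__ == "__main__":
    for pkt in parse_trace(SAMPLE_TRACE):
        print(describe(pkt))
```

Run against the sample, the script reduces the trace to two lines: the inbound ping (session 136, entered on ge-0/0/0.0, destination translated to 10.0.1.2, routed out ge-0/0/1.0) and the reply from 10.0.1.2 on the same session, whose route lookup toward 192.168.40.30 failed and which was dropped with "pak dropped since re-route failed". Paste a full trace into `parse_trace` instead of the sample to get the same summary for every packet it contains.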