Juniper SSG 550 (NetScreen): traffic is not pushed into the VPN tunnel but sent out of the Untrust interface

The following was observed:

After setting up a new VPN tunnel we had forgotten to add a static route sending traffic for the destination network into the tunnel. The route was added afterwards, but the traffic still did not arrive.

A look at the debug flow showed that the firewall uses a route cache, which was new to us: the first packet of the flow is still matched against the previously cached route (to the Untrust next hop on ethernet0/2), not against the freshly added static route, so the session is installed with ethernet0/2 as its outgoing interface and the packet is source-NATed and sent in cleartext instead of into the tunnel.

The route cache exists since version 6.3. It can be disabled with:

unset flow route-cache

A quick check is to compare the route the route table would pick (get route ip 192.168.60.12) with the "cached route" line in the debug flow; if they differ, the cache is stale. Note also that a session already installed with the old outgoing interface (session 255759 on ethernet0/2 in the excerpt below) keeps using it, so clear that session (clear session) after the route change so that the next first packet goes through routing again.

Here is the excerpt from the debug flow:

***** 3879435.0: <Trust/ethernet1/0> packet received [60]******
ipid = 1787(06fb), @2d5c9110
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/0:10.136.172.201/5419->192.168.60.12/1,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1/0>, out <N/A>
chose interface ethernet1/0 as incoming nat if.
flow_first_routing: in <ethernet1/0>, out <N/A>
search route to (ethernet1/0, 10.136.172.201->192.168.60.12) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 7 for 192.168.60.12
[ Dest] 7.route 192.168.60.12->171.33.185.177, to ethernet0/2
routed (x_dst_ip 192.168.60.12) from ethernet1/0 (ethernet1/0 in 0) to ethernet0/2
policy search from zone 2-> zone 1
policy_flow_search  policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.60.12, port 14384, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 8/4/0x9
Permitted by policy 8
dip id = 2, 10.136.172.201/5419->171.33.185.178/26936
choose interface ethernet0/2 as outgoing phy if
no loop on ifp ethernet0/2.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/0>, out <ethernet0/2>
existing vector list 1-b26c6e4.
Session (id:255759) created for first pak 1
flow_first_install_session======>
route to 171.33.185.177
cached arp entry with MAC 000000000000 for 171.33.185.177
arp entry found for 171.33.185.177
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 10800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/2, 192.168.60.12->10.136.172.201) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1/0
cached route 5 for 10.136.172.201
[ Dest] 5.route 10.136.172.201->10.136.61.1, to ethernet1/0
route to 10.136.61.1
cached arp entry with MAC 0204963596c5 for 10.136.61.1
arp entry found for 10.136.61.1
ifp2 ethernet1/0, out_ifp ethernet1/0, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 255759
flow_main_body_vector in ifp ethernet1/0 out ifp ethernet0/2
flow vector index 0x1, vector addr 0x195b8f0, orig vector 0x195b8f0
post addr xlation: 171.33.185.178->192.168.60.12.
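As an added example (not code from the original post or from Juniper), the following Python script pulls the route decisions out of a debug flow dump of this kind and flags a first packet that was routed via a cached route to an interface other than the one the new static route points at. The log lines embedded in it are the route-related lines of the excerpt above; the expected tunnel interface name tunnel.1 is an assumption, the page does not name the tunnel interface.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Route-related lines of the "debug flow" excerpt quoted on this page:
# the first-packet lookup (cached route 7 -> ethernet0/2) and the reverse
# route lookup (cached route 5 -> ethernet1/0).
DEBUG_FLOW = """\
flow_first_routing: in <ethernet1/0>, out <N/A>
search route to (ethernet1/0, 10.136.172.201->192.168.60.12) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 7 for 192.168.60.12
[ Dest] 7.route 192.168.60.12->171.33.185.177, to ethernet0/2
routed (x_dst_ip 192.168.60.12) from ethernet1/0 (ethernet1/0 in 0) to ethernet0/2
handle cleartext reverse route
search route to (ethernet0/2, 192.168.60.12->10.136.172.201) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1/0
cached route 5 for 10.136.172.201
[ Dest] 5.route 10.136.172.201->10.136.61.1, to ethernet1/0
"""

SEARCH_RE = re.compile(
    r"search route to \((?P<in_if>[^,]+), (?P<src>[\d.]+)->(?P<dst>[\d.]+)\) in vr (?P<vr>\S+)"
)
CACHED_RE = re.compile(r"cached route (?P<rid>\d+) for (?P<dst>[\d.]+)")
DEST_RE = re.compile(
    r"\[ Dest\] (?P<rid>\d+)\.route (?P<dst>[\d.]+)->(?P<gw>[\d.]+), to (?P<out_if>\S+)"
)


@dataclass
class RouteLookup:
    """One 'search route to' block and the route ScreenOS picked for it."""
    vr: str
    in_if: str
    src: str
    dst: str
    route_id: Optional[int] = None
    from_cache: bool = False      # True when a "cached route N" line preceded the decision
    gateway: Optional[str] = None
    out_if: Optional[str] = None


def parse_route_lookups(text: str) -> List[RouteLookup]:
    """Collect every route lookup in a debug flow dump, in order of appearance."""
    lookups: List[RouteLookup] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.search(line)
        if m:
            lookups.append(RouteLookup(m["vr"], m["in_if"], m["src"], m["dst"]))
            continue
        if not lookups:
            continue  # route lines before any lookup header: nothing to attach them to
        cur = lookups[-1]
        m = CACHED_RE.search(line)
        if m:
            cur.route_id, cur.from_cache = int(m["rid"]), True
            continue
        m = DEST_RE.search(line)
        if m:
            cur.route_id = int(m["rid"])
            cur.gateway, cur.out_if = m["gw"], m["out_if"]
    return lookups


def find_cache_bypass(text: str, dst_net: str, expected_if: str) -> List[str]:
    """Report lookups for destinations in dst_net whose chosen egress interface
    is not expected_if (the interface the new static route should select)."""
    net = ipaddress.ip_network(dst_net)
    findings: List[str] = []
    for lk in parse_route_lookups(text):
        if ipaddress.ip_address(lk.dst) not in net:
            continue
        if lk.out_if != expected_if:
            how = "cached route" if lk.from_cache else "route"
            findings.append(
                f"{lk.src}->{lk.dst}: {how} {lk.route_id} sends traffic to "
                f"{lk.out_if} via {lk.gateway}, expected {expected_if}"
            )
    return findings


if __name__ == "__main__":
    # "tunnel.1" is an assumed name for the VPN tunnel interface (hypothetical).
    for finding in find_cache_bypass(DEBUG_FLOW, "192.168.60.0/24", "tunnel.1"):
        print(finding)
```

Feed it the full output of a debug flow capture and the destination network you just added the route for; an empty result means every lookup for that network already lands on the tunnel interface, otherwise the finding names the stale cached route and the interface the packet actually left through.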