Hi -

I am currently having a very strange issue. I have a setup that is basically a core switch, with OSPF enabled and connected to a NetScreen ISG2000 running ScreenOS 6.0.0r4. So, I am on a host in the cluster, connected to the core switch. I can SSH to the core switch's IP'ed interface that is connected to the NetScreen without a problem, but if I try to SSH to the loopback, it connects for about 15-20 seconds and then disconnects. I set a flow filter, and got some messages like the ones I have pasted below. It appears that the issue is the NetScreen dropping packets because of "not sync". Does anyone have any experience with an issue like this? A quick search just found that the way to "solve" this issue is to disable SYN flood protection, but I'd prefer to not use that hack.

Thanks in advance!
Leslie


***** 9491008.0: <Trust/ethernet1/3> packet received [92]******
  ipid = 17509(4465), @03b9c118
  packet passed sanity check.
  ethernet1/3:10.128.1.11/54737->10.131.255.1/22,6<Root>
  no session found
  flow_first_inline_vector: in <ethernet1/3>, out <N/A>
  chose interface ethernet1/3 as incoming nat if.
  flow_first_inline_vector: in <ethernet1/3>, out <N/A>
search route to (ethernet1/3, 10.128.1.11->10.131.255.1) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 6033.route 10.131.255.1->10.128.127.2, to ethernet1/3
routed (x_dst_ip 10.131.255.1) from ethernet1/3 (ethernet1/3 in 0) to ethernet1/3
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.131.255.1, port 22, proto 6)
  No SW RPC rule match, search HW rule
  Searching global policy.
  Permitted by policy 320002
  No src xlate   choose interface ethernet1/3 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet1/3
  vsd 0 is active
  no loop on ifp ethernet1/3.
  session application type 22, name None, nas_id 0, timeout 28800sec
ALG vector is not attached
  service lookup identified service 0.
  flow_first_inline_vector: in <ethernet1/3>, out <ethernet1/3>

**** jump to packet:10.131.255.1->10.128.1.11
  no more encapping needed
  send out through normal path.
flow_ip_send: 4493:10.131.255.1->10.128.1.11,6 => ethernet1/3(40) flag 0x0, vlan 0
  no l2info for packet.
  no route for packet
search route to (null, 0.0.0.0->10.128.1.11) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet1/3
  [ Dest] 6.route 10.128.1.11->10.128.1.11, to ethernet1/3
  route to 10.128.1.11
  arp entry found for 10.128.1.11 mac 001d6086f98a
  **** pak processing end.
  packet dropped, first pak not sync
**st: <Trust|ethernet1/3|Root|0> 3a14f40: 0:10.128.1.11/d394->10.131.255.1/16,6,40
****** 9491063.0: <Trust/ethernet1/3> packet received [40]******
  ipid = 0(0000), @03a14f40
  packet passed sanity check.
  ethernet1/3:10.128.1.11/54164->10.131.255.1/22,6, 5004(rst)<Root>
  no session found
  flow_first_inline_vector: in <ethernet1/3>, out <N/A>
  chose interface ethernet1/3 as incoming nat if.
  flow_first_inline_vector: in <ethernet1/3>, out <N/A>
search route to (ethernet1/3, 10.128.1.11->10.131.255.1) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 6033.route 10.131.255.1->10.128.127.2, to ethernet1/3
routed (x_dst_ip 10.131.255.1) from ethernet1/3 (ethernet1/3 in 0) to ethernet1/3
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.131.255.1, port 22, proto 6)
  No SW RPC rule match, search HW rule
  Searching global policy.
  Permitted by policy 320002
  No src xlate   choose interface ethernet1/3 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet1/3
  vsd 0 is active
  no loop on ifp ethernet1/3.
  session application type 22, name None, nas_id 0, timeout 28800sec
ALG vector is not attached
  service lookup identified service 0.
  flow_first_inline_vector: in <ethernet1/3>, out <ethernet1/3>
  packet dropped, first pak not sync
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp