This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the SRX doing the NATing see and experience through working examples.
Next, we'll setup a scenario where we allow an IPv4 only host to connect to an IPv6 only host by using NAT-PT to go the other way, substituting an IPv6 address in for an IPv4 address. In many ways, it is very similar to 6to4 NAT, just in reverse.
For this example we'll move though one step at at time. First we map a /30 subnet of IPv4 space to a /126 of IPv6 space; enough room for 4 addresses on each network. We need to setup a static NAT rule, as well as a proxy-arp entry to support this.
IPv4 to IPv6 NAT configuration on SRX-11
[edit security nat]
juniper@SRX-11# show
static {
rule-set 4-to-6 {
from zone UNTRUST;
rule 4-to-6 {
match {
destination-address 172.18.1.80/30;
}
then {
static-nat {
prefix {
fd00:dead:babe::80/126;
}
}
}
}
}
}
proxy-arp {
interface ge-0/0/5.0 {
address {
172.18.1.80/30;
}
}
}
[edit security nat]
juniper@SRX-11#
After a quick test, a trace on the SRX shows that once again we need to configure source NAT as nobody likes a packet with an IPv6 destination and an IPv4 source.
trace on SRX-11 with only static NAT configured for IPv4 to IPv6 translation
Jan 25 13:29:32 13:29:31.1337951:CID-0:RT:<10.80.80.80/33248->172.18.1.81/5555;6> matched filter v4: Jan 25 13:29:32 13:29:31.1337967:CID-0:RT:packet [60] ipid = 40897, @0x4a3cd8da Jan 25 13:29:32 13:29:31.1337972:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4a3cd680, rtbl_idx = 0 Jan 25 13:29:32 13:29:31.1337980:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/5.0 Jan 25 13:29:32 13:29:31.1337987:CID-0:RT: ge-0/0/5.0:10.80.80.80/33248->172.18.1.81/5555, tcp, flag 2 syn Jan 25 13:29:32 13:29:31.1337996:CID-0:RT: find flow: table 0x5cb394d8, hash 32437(0xffff), sa 10.80.80.80, da 172.18.1.81, sp 33248, dp 5555, proto 6, tok 6 Jan 25 13:29:32 13:29:31.1338010:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0 Jan 25 13:29:32 13:29:31.1338020:CID-0:RT: flow_first_create_session Jan 25 13:29:32 13:29:31.1338034:CID-0:RT:First path alloc and instl pending session, natp=0x5fc09558, id=7438 Jan 25 13:29:32 13:29:31.1338039:CID-0:RT: flow_first_in_dst_nat: in, out dst_adr 172.18.1.81, sp 33248, dp 5555 Jan 25 13:29:32 13:29:31.1338047:CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if. Jan 25 13:29:32 13:29:31.1338057:CID-0:RT: link IPv6 extension session wing to normal session wing Jan 25 13:29:32 13:29:31.1338064:CID-0:RT:flow_first_rule_dst_xlate: packet 10.80.80.80->172.18.1.81 nsp2 change to fd00:dead:babe:0:0:0:0:81. Jan 25 13:29:32 13:29:31.1338078:CID-0:RT:flow_first_routing_nat4to6: src_ip NULL, x_dst_ip fd00:dead:babe:0:0:0:0:81, in ifp ge-0/0/5.0, out ifp N/A sp 33248, dp 5555, ip_proto 6, tos 0 Jan 25 13:29:32 13:29:31.1338088:CID-0:RT:Doing DESTINATION addr route-lookup Jan 25 13:29:32 13:29:31.1338103:CID-0:RT:flow_rt_lkup success fd00:dead:babe:0:0:0:0:81, iifl 0x48, oifl 0x47 Jan 25 13:29:32 13:29:31.1338113:CID-0:RT: routed (x_dst_ip fd00:dead:babe:0:0:0:0:81) from UNTRUST (ge-0/0/5.0 in 0) to ge-0/0/4.0, Next-hop: fd00:dead:babe:0:0:0:0:81 Jan 25 13:29:32 13:29:31.1338126:CID-0:RT:flow_first_policy_search: policy search from zone UNTRUST-> zone TRUST (0x114,0x81e015b3,0x15b3) Jan 25 13:29:32 13:29:31.1338136:CID-0:RT:Policy lkup: vsys 0 zone(6:UNTRUST) -> zone(7:TRUST) scope:0 Jan 25 13:29:32 13:29:31.1338140:CID-0:RT: 10.80.80.80/33248 -> fd00:dead:babe:0:0:0:0:81/5555 proto 6 Jan 25 13:29:32 13:29:31.1338153:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0 Jan 25 13:29:32 13:29:31.1338157:CID-0:RT: 10.80.80.80/33248 -> fd00:dead:babe:0:0:0:0:81/5555 proto 6 Jan 25 13:29:32 13:29:31.1338168:CID-0:RT: app 0, timeout 1800s, curr ageout 20s Jan 25 13:29:32 13:29:31.1338172:CID-0:RT: permitted by policy default-policy-00(2) Jan 25 13:29:32 13:29:31.1338175:CID-0:RT: packet passed, Permitted by policy. Jan 25 13:29:32 13:29:31.1338184:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False Jan 25 13:29:32 13:29:31.1338189:CID-0:RT:flow_first_src_xlate: incoming src port is : 57473. Jan 25 13:29:32 13:29:31.1338192:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False. Jan 25 13:29:32 13:29:31.1338196:CID-0:RT:no source nat found. Jan 25 13:29:32 13:29:31.1338198:CID-0:RT:destination ip is xlated to v6, with source ip is not xlated, drop it Jan 25 13:29:32 13:29:31.1338205:CID-0:RT:flow_initiate_first_path: first pak no session Jan 25 13:29:32 13:29:31.1338208:CID-0:RT: flow find session returns error. Jan 25 13:29:32 13:29:31.1338211:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1) Jan 25 13:29:33 13:29:32.1334410:CID-0:RT:<10.80.80.80/33248->172.18.1.81/5555;6> matched filter v4: Jan 25 13:29:33 13:29:32.1334425:CID-0:RT:packet [60] ipid = 40898, @0x4b4b33da Jan 25 13:29:33 13:29:32.1334431:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4b4b3180, rtbl_idx = 0 Jan 25 13:29:33 13:29:32.1334440:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/5.0 Jan 25 13:29:33 13:29:32.1334447:CID-0:RT: ge-0/0/5.0:10.80.80.80/33248->172.18.1.81/5555, tcp, flag 2 syn Jan 25 13:29:33 13:29:32.1334456:CID-0:RT: find flow: table 0x5cb394d8, hash 32437(0xffff), sa 10.80.80.80, da 172.18.1.81, sp 33248, dp 5555, proto 6, tok 6 Jan 25 13:29:33 13:29:32.1334470:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0 Jan 25 13:29:33 13:29:32.1334481:CID-0:RT: flow_first_create_session Jan 25 13:29:33 13:29:32.1334485:CID-0:RT:flow_first_create_session: Found invalid sess. Start first path Jan 25 13:29:33 13:29:32.1334496:CID-0:RT:First path alloc and instl pending session, natp=0x5fc09728, id=7439 Jan 25 13:29:33 13:29:32.1334501:CID-0:RT: flow_first_in_dst_nat: in , out dst_adr 172.18.1.81, sp 33248, dp 5555 Jan 25 13:29:33 13:29:32.1334509:CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if. Jan 25 13:29:33 13:29:32.1334520:CID-0:RT: link IPv6 extension session wing to normal session wing Jan 25 13:29:33 13:29:32.1334528:CID-0:RT:flow_first_rule_dst_xlate: packet 10.80.80.80->172.18.1.81 nsp2 change to fd00:dead:babe:0:0:0:0:81. Jan 25 13:29:33 13:29:32.1334542:CID-0:RT:flow_first_routing_nat4to6: src_ip NULL, x_dst_ip fd00:dead:babe:0:0:0:0:81, in ifp ge-0/0/5.0, out ifp N/A sp 33248, dp 5555, ip_proto 6, tos 0 Jan 25 13:29:33 13:29:32.1334552:CID-0:RT:Doing DESTINATION addr route-lookup Jan 25 13:29:33 13:29:32.1334568:CID-0:RT:flow_rt_lkup success fd00:dead:babe:0:0:0:0:81, iifl 0x48, oifl 0x47 Jan 25 13:29:33 13:29:32.1334577:CID-0:RT: routed (x_dst_ip fd00:dead:babe:0:0:0:0:81) from UNTRUST (ge-0/0/5.0 in 0) to ge-0/0/4.0, Next-hop: fd00:dead:babe:0:0:0:0:81 Jan 25 13:29:33 13:29:32.1334590:CID-0:RT:flow_first_policy_search: policy search from zone UNTRUST-> zone TRUST (0x114,0x81e015b3,0x15b3) Jan 25 13:29:33 13:29:32.1334600:CID-0:RT:Policy lkup: vsys 0 zone(6:UNTRUST) -> zone(7:TRUST) scope:0 Jan 25 13:29:33 13:29:32.1334604:CID-0:RT: 10.80.80.80/33248 -> fd00:dead:babe:0:0:0:0:81/5555 proto 6 Jan 25 13:29:33 13:29:32.1334617:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0 Jan 25 13:29:33 13:29:32.1334621:CID-0:RT: 10.80.80.80/33248 -> fd00:dead:babe:0:0:0:0:81/5555 proto 6 Jan 25 13:29:33 13:29:32.1334630:CID-0:RT: app 0, timeout 1800s, curr ageout 20s Jan 25 13:29:33 13:29:32.1334635:CID-0:RT: permitted by policy default-policy-00(2) Jan 25 13:29:33 13:29:32.1334638:CID-0:RT: packet passed, Permitted by policy. Jan 25 13:29:33 13:29:32.1334647:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False Jan 25 13:29:33 13:29:32.1334651:CID-0:RT:flow_first_src_xlate: incoming src port is : 57473. Jan 25 13:29:33 13:29:32.1334655:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False. Jan 25 13:29:33 13:29:32.1334659:CID-0:RT:no source nat found. Jan 25 13:29:33 13:29:32.1334661:CID-0:RT:destination ip is xlated to v6, with source ip is not xlated, drop it Jan 25 13:29:33 13:29:32.1334667:CID-0:RT:flow_initiate_first_path: first pak no session Jan 25 13:29:33 13:29:32.1334671:CID-0:RT: flow find session returns error. Jan 25 13:29:33 13:29:32.1334674:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
We remedy this situation by adding a source NAT rule
source NAT configuration for IPv4 to IPv6 translation on SRX-11
[edit security nat source]
juniper@SRX-11# show
pool IPv6 {
address {
fd00:dead:babe:1::50/126;
}
}
rule-set 4-to-6 {
from zone UNTRUST;
to zone TRUST;
rule 4-to-6 {
match {
source-address 10.80.80.80/30;
destination-address fd00:dead:babe::80/126;
}
then {
source-nat {
pool {
IPv6;
}
}
}
}
}
[edit security nat source]
juniper@SRX-11#
To test if this works or not, we start a netcat listener on the client on port 6666
IPv6 listener on client
juniper@client:~$ echo "This is an IPv4 to IPv6 server to client NAT-PT test" > testfile juniper@client:~$ nc6 -vn6l -p 6666 < testfile nc6: listening on :: 6666 ... nc6: connect to fd00:dead:babe::81 6666 from fd00:dead:babe:1::50 38411 juniper@client:~$
We connect to the client from the server using it's mapped IPv4 address, and recievie our message successfully.
connectivity test from server to client
juniper@server:~$ nc 172.18.1.81 6666 This is an IPv4 to IPv6 server to client NAT-PT test ^C juniper@server:~$
The session on the NAT device looks as follows:
IPv4 to IPv6 NAT session
juniper@SRX-11# run show security flow session nat
Session ID: 7703, Policy name: default-policy-00/2, Timeout: 1794, Valid
In: 10.80.80.80/38413 --> 172.18.1.81/6666;tcp, If: ge-0/0/5.0, Pkts: 3, Bytes: 164
Out: fd00:dead:babe::81/6666 --> fd00:dead:babe:1::50/38413;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 205
Total sessions: 1
[edit security nat]
juniper@SRX-11# run show security flow session nat extensive
Session ID: 7703, Status: Normal
Flag: 0x4000000
Policy name: default-policy-00/2
Source NAT pool: IPv6
Maximum timeout: 1800, Current timeout: 1792
Session State: Valid
Start time: 20647, Duration: 8
In: 10.80.80.80/38413 --> 172.18.1.81/6666;tcp,
Interface: ge-0/0/5.0,
Session token: 0x6, Flag: 0x621
Route: 0xa0010, Gateway: 172.18.1.12, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 3, Bytes: 164
Out: fd00:dead:babe::81/6666 --> fd00:dead:babe:1::50/38413;tcp,
Interface: ge-0/0/4.0,
Session token: 0x7, Flag: 0x622
Route: 0xc0010, Gateway: fd00:dead:babe::81, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 2, Bytes: 205
Total sessions: 1
[edit security nat]
juniper@SRX-11#
The accompanying NAT rules from the operational perspective.
NAT rules for IPv4 to IPv6
juniper@SRX-11# run show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1
Static NAT rule: 4-to-6 Rule-set: 4-to-6
Rule-Id : 1
Rule position : 1
From zone : UNTRUST
Destination addresses : 172.18.1.80
Host addresses : fd00:dead:babe::80
Netmask : 30
Host routing-instance : N/A
Translation hits : 718
Successful sessions : 73
Failed sessions : 645
Number of sessions : 1
[edit security nat]
juniper@SRX-11# run show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1
source NAT rule: 4-to-6 Rule-set: 4-to-6
Rule-Id : 1
Rule position : 1
From zone : UNTRUST
To zone : TRUST
Match
Source addresses : 10.80.80.80 - 10.80.80.83
Destination addresses : fd00:dead:babe::80 - fd00:dead:babe::83
Destination port : 0 - 0
Action : IPv6
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 10
Successful sessions : 10
Failed sessions : 0
Number of sessions : 1
[edit security nat]
juniper@SRX-11#
The packet trace for an IPv4 to IPv6 NAT session.
packet trace on SRX-11
Jan 25 13:45:36 13:45:35.1582696:CID-0:RT:<10.80.80.80/38413->172.18.1.81/6666;6> matched filter v4: Jan 25 13:45:36 13:45:35.1582712:CID-0:RT:packet [60] ipid = 21959, @0x496960da Jan 25 13:45:36 13:45:35.1582717:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x49695e80, rtbl_idx = 0 Jan 25 13:45:36 13:45:35.1582726:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/5.0 Jan 25 13:45:36 13:45:35.1582733:CID-0:RT: ge-0/0/5.0:10.80.80.80/38413->172.18.1.81/6666, tcp, flag 2 syn Jan 25 13:45:36 13:45:35.1582743:CID-0:RT: find flow: table 0x5cb394d8, hash 26340(0xffff), sa 10.80.80.80, da 172.18.1.81, sp 38413, dp 6666, proto 6, tok 6 Jan 25 13:45:36 13:45:35.1582756:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0 Jan 25 13:45:36 13:45:35.1582767:CID-0:RT: flow_first_create_session Jan 25 13:45:36 13:45:35.1582780:CID-0:RT:First path alloc and instl pending session, natp=0x5fc275a8, id=7703 Jan 25 13:45:36 13:45:35.1582785:CID-0:RT: flow_first_in_dst_nat: in, out dst_adr 172.18.1.81, sp 38413, dp 6666 Jan 25 13:45:36 13:45:35.1582793:CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if. Jan 25 13:45:36 13:45:35.1582805:CID-0:RT: link IPv6 extension session wing to normal session wing Jan 25 13:45:36 13:45:35.1582812:CID-0:RT:flow_first_rule_dst_xlate: packet 10.80.80.80->172.18.1.81 nsp2 change to fd00:dead:babe:0:0:0:0:81. Jan 25 13:45:36 13:45:35.1582826:CID-0:RT:flow_first_routing_nat4to6: src_ip NULL, x_dst_ip fd00:dead:babe:0:0:0:0:81, in ifp ge-0/0/5.0, out ifp N/A sp 38413, dp 6666, ip_proto 6, tos 0 Jan 25 13:45:36 13:45:35.1582837:CID-0:RT:Doing DESTINATION addr route-lookup Jan 25 13:45:36 13:45:35.1582853:CID-0:RT:flow_rt_lkup success fd00:dead:babe:0:0:0:0:81, iifl 0x48, oifl 0x47 Jan 25 13:45:36 13:45:35.1582862:CID-0:RT: routed (x_dst_ip fd00:dead:babe:0:0:0:0:81) from UNTRUST (ge-0/0/5.0 in 0) to ge-0/0/4.0, Next-hop: fd00:dead:babe:0:0:0:0:81 Jan 25 13:45:36 13:45:35.1582875:CID-0:RT:flow_first_policy_search: policy search from zone UNTRUST-> zone TRUST (0x114,0x960d1a0a,0x1a0a) Jan 25 13:45:36 13:45:35.1582885:CID-0:RT:Policy lkup: vsys 0 zone(6:UNTRUST) -> zone(7:TRUST) scope:0 Jan 25 13:45:36 13:45:35.1582889:CID-0:RT: 10.80.80.80/38413 -> fd00:dead:babe:0:0:0:0:81/6666 proto 6 Jan 25 13:45:36 13:45:35.1582902:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0 Jan 25 13:45:36 13:45:35.1582907:CID-0:RT: 10.80.80.80/38413 -> fd00:dead:babe:0:0:0:0:81/6666 proto 6 Jan 25 13:45:36 13:45:35.1582917:CID-0:RT: app 0, timeout 1800s, curr ageout 20s Jan 25 13:45:36 13:45:35.1582922:CID-0:RT: permitted by policy default-policy-00(2) Jan 25 13:45:36 13:45:35.1582925:CID-0:RT: packet passed, Permitted by policy. Jan 25 13:45:36 13:45:35.1582934:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False Jan 25 13:45:36 13:45:35.1582939:CID-0:RT:flow_first_src_xlate: incoming src port is : 3478. Jan 25 13:45:36 13:45:35.1582953:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 1/4, pst_nat: False. Jan 25 13:45:36 13:45:35.1582966:CID-0:RT: dip id = 4/0, 10.80.80.80/38413->fd00:dead:babe:1:0:0:0:50/38413 Jan 25 13:45:36 13:45:35.1582978:CID-0:RT: choose interface ge-0/0/4.0(P2P) as outgoing phy if Jan 25 13:45:36 13:45:35.1582981:CID-0:RT:flow_first_loopback_check_nat4to6 pak_ptr iphdr 0x496960da ,lp_iphdr_info 0xbf97da1c Jan 25 13:45:36 13:45:35.1582991:CID-0:RT:is_loop_pak_v6: No loop: on ifp: ge-0/0/4.0, addr: fd00:dead:babe:0:0:0:0:81, rtt_idx:0 Jan 25 13:45:36 13:45:35.1583002:CID-0:RT:-jsf : Alloc sess plugin info for session 7703 Jan 25 13:45:36 13:45:35.1583006:CID-0:RT:[JSF]Normal interest check. regd plugins 12, enabled impl mask 0x0 Jan 25 13:45:36 13:45:35.1583014:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4 Jan 25 13:45:36 13:45:35.1583022:CID-0:RT: Error : parameter wrong natp 0x5fc275a8, plugin_id 0 Jan 25 13:45:36 13:45:35.1583026:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4 Jan 25 13:45:36 13:45:35.1583031:CID-0:RT:-jsf int check: plugin id 13, svc_req 0x0, impl mask 0x0. rc 4 Jan 25 13:45:36 13:45:35.1583039:CID-0:RT: Error : parameter wrong natp 0x5fc275a8, plugin_id 0 Jan 25 13:45:36 13:45:35.1583042:CID-0:RT:-jsf int check: plugin id 17, svc_req 0x0, impl mask 0x0. rc 4 Jan 25 13:45:36 13:45:35.1583046:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3 Jan 25 13:45:36 13:45:35.1583049:CID-0:RT:-jsf int check: plugin id 18, svc_req 0x0, impl mask 0x0. rc 4 Jan 25 13:45:36 13:45:35.1583057:CID-0:RT:-jsf int check: plugin id 24, svc_req 0x0, impl mask 0x0. rc 4 Jan 25 13:45:36 13:45:35.1583061:CID-0:RT:-jsf int check: plugin id 29, svc_req 0x0, impl mask 0x0. rc 2 Jan 25 13:45:36 13:45:35.1583065:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 33084133081088, impli mask(0x0), post_nat cnt 0 svc req(0x0) Jan 25 13:45:36 13:45:35.1583071:CID-0:RT:-jsf : no plugin interested for session 7703, free sess plugin info Jan 25 13:45:36 13:45:35.1583076:CID-0:RT:flow_first_service_lookup(): natp(0x5fc275a8): app_id, 0(0). Jan 25 13:45:36 13:45:35.1583080:CID-0:RT: service lookup identified service 0. Jan 25 13:45:36 13:45:35.1583083:CID-0:RT: flow_first_final_check: in , out Jan 25 13:45:36 13:45:35.1583087:CID-0:RT:flow_first_final_check: flow_set_xlate_vector. Jan 25 13:45:36 13:45:35.1583090:CID-0:RT:In flow_first_complete_session Jan 25 13:45:36 13:45:35.1583092:CID-0:RT:flow_first_complete_session: pak_ptr is xlated packet Jan 25 13:45:36 13:45:35.1583097:CID-0:RT:flow_first_complete_session, pak_ptr: 0xbf97d9d8, nsp: 0x5fc275a8, in_tunnel: 0x0 Jan 25 13:45:36 13:45:35.1583102:CID-0:RT:construct v4 vector for nsp2 Jan 25 13:45:36 13:45:35.1583105:CID-0:RT: existing ipv6 vector list 0x1002-0x589f8be0. Jan 25 13:45:36 13:45:35.1583109:CID-0:RT:construct v6 vector for nsp2 Jan 25 13:45:36 13:45:35.1583111:CID-0:RT: existing vector list 0x1002-0x589f3000. Jan 25 13:45:36 13:45:35.1583115:CID-0:RT: Session (id:7703) created for first pak 1002 Jan 25 13:45:36 13:45:35.1583118:CID-0:RT:first pak processing successful Jan 25 13:45:36 13:45:35.1583121:CID-0:RT: flow_first_install_session======> 0x5fc275a8 Jan 25 13:45:36 13:45:35.1583124:CID-0:RT: nsp 0x5fc275a8, nsp2 0x5fc2762c Jan 25 13:45:36 13:45:35.1583129:CID-0:RT: make_nsp_ready_no_resolve() Jan 25 13:45:36 13:45:35.1583137:CID-0:RT:flow_ipv4_rt_lkup success 10.80.80.80, iifl 0x48, oifl 0x48 Jan 25 13:45:36 13:45:35.1583144:CID-0:RT: route lookup: dest-ip 10.80.80.80 orig ifp ge-0/0/5.0 output_ifp ge-0/0/5.0 orig-zone 6 out-zone 6 vsd 0 Jan 25 13:45:36 13:45:35.1583169:CID-0:RT: route to 172.18.1.12 Jan 25 13:45:36 13:45:35.1583185:CID-0:RT:avt_get_config_by_lsys_id: Not supported on low memory platforms. Jan 25 13:45:36 13:45:35.1583189:CID-0:RT:no need update ha Jan 25 13:45:36 13:45:35.1583191:CID-0:RT:Installing c2s NP session wing Jan 25 13:45:36 13:45:35.1583193:CID-0:RT:Installing s2c NP session wing Jan 25 13:45:36 13:45:35.1583205:CID-0:RT:first path session installation succeeded Jan 25 13:45:36 13:45:35.1583208:CID-0:RT: flow got session. Jan 25 13:45:36 13:45:35.1583210:CID-0:RT: flow session id 7703 Jan 25 13:45:36 13:45:35.1583215:CID-0:RT: vector bits 0x1002 vector 0x589f3000 Jan 25 13:45:36 13:45:35.1583221:CID-0:RT:flow_tcp_wsf_update: wsf 4 Jan 25 13:45:36 13:45:35.1583227:CID-0:RT:flow_xlate_pak Jan 25 13:45:36 13:45:35.1583231:CID-0:RT:natpt_composeIPv6Hdr, ipfrag is 0, clear is 0, df is 64, flag 0 Jan 25 13:45:36 13:45:35.1583236:CID-0:RT: v6_natpt_xlate, packet length change -20 Jan 25 13:45:36 13:45:35.1583240:CID-0:RT: post addr xlation: fd00:dead:babe:1:0:0:0:50->fd00:dead:babe:0:0:0:0:81. Jan 25 13:45:36 13:45:35.1583251:CID-0:RT:**** jump to packet after xlate:fd00:dead:babe:1:0:0:0:50->fd00:dead:babe:0:0:0:0:81 Jan 25 13:45:36 13:45:35.1583261:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x49695e80): ret(0x00000000): vector(0x842e270). Jan 25 13:45:36 13:45:35.1583269:CID-0:RT: flow_fragging_vector1_v6: in ifp out ifp Jan 25 13:45:36 13:45:35.1583274:CID-0:RT:flow_fragging_vector1_v6: pmtu is recalculated 1500 Jan 25 13:45:36 13:45:35.1583277:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x49695e80): ret(0x00000000): vector(0x842e860). Jan 25 13:45:36 13:45:35.1583286:CID-0:RT:mbuf 0x49695e80, exit nh 0xc0010 Jan 25 13:45:36 13:45:35.1583289:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x49695e80): ret(0x00000000): vector(0x842db10). Jan 25 13:45:36 13:45:35.1583296:CID-0:RT: **** pak processing end. Jan 25 13:45:36 13:45:35.1583298:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0) Jan 25 13:45:36 13:45:35.1589437:CID-0:RT:<10.80.80.80/38413->172.18.1.81/6666;6> matched filter v4: Jan 25 13:45:36 13:45:35.1589454:CID-0:RT:packet [52] ipid = 21960, @0x4a950bda Jan 25 13:45:36 13:45:35.1589460:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4a950980, rtbl_idx = 0 Jan 25 13:45:36 13:45:35.1589471:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/5.0 Jan 25 13:45:36 13:45:35.1589479:CID-0:RT: ge-0/0/5.0:10.80.80.80/38413->172.18.1.81/6666, tcp, flag 10 Jan 25 13:45:36 13:45:35.1589494:CID-0:RT: find flow: table 0x5cb394d8, hash 26340(0xffff), sa 10.80.80.80, da 172.18.1.81, sp 38413, dp 6666, proto 6, tok 6 Jan 25 13:45:36 13:45:35.1589512:CID-0:RT:Found: session id 0x1e17. sess tok 6 Jan 25 13:45:36 13:45:35.1589516:CID-0:RT: flow got session. Jan 25 13:45:36 13:45:35.1589519:CID-0:RT: flow session id 7703 Jan 25 13:45:36 13:45:35.1589525:CID-0:RT: vector bits 0x1002 vector 0x589f3000 Jan 25 13:45:36 13:45:35.1589533:CID-0:RT: tcp seq check. Jan 25 13:45:36 13:45:35.1589536:CID-0:RT: refreshing session Jan 25 13:45:36 13:45:35.1589541:CID-0:RT:flow_xlate_pak Jan 25 13:45:36 13:45:35.1589547:CID-0:RT:natpt_composeIPv6Hdr, ipfrag is 0, clear is 0, df is 64, flag 0 Jan 25 13:45:36 13:45:35.1589553:CID-0:RT: v6_natpt_xlate, packet length change -20 Jan 25 13:45:36 13:45:35.1589559:CID-0:RT: post addr xlation: fd00:dead:babe:1:0:0:0:50->fd00:dead:babe:0:0:0:0:81. Jan 25 13:45:36 13:45:35.1589575:CID-0:RT:**** jump to packet after xlate:fd00:dead:babe:1:0:0:0:50->fd00:dead:babe:0:0:0:0:81 Jan 25 13:45:36 13:45:35.1589588:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x4a950980): ret(0x00000000): vector(0x842e270). Jan 25 13:45:36 13:45:35.1589599:CID-0:RT: flow_fragging_vector1_v6: in ifp out ifp Jan 25 13:45:36 13:45:35.1589605:CID-0:RT:flow_fragging_vector1_v6: pmtu is recalculated 1500 Jan 25 13:45:36 13:45:35.1589609:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x4a950980): ret(0x00000000): vector(0x842e860). Jan 25 13:45:36 13:45:35.1589621:CID-0:RT:mbuf 0x4a950980, exit nh 0xc0010 Jan 25 13:45:36 13:45:35.1589626:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x4a950980): ret(0x00000000): vector(0x842db10). Jan 25 13:45:36 13:45:35.1589636:CID-0:RT: **** pak processing end. Jan 25 13:45:36 13:45:35.1589640:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0) Jan 25 13:45:36 13:45:35.1598836:CID-0:RT:<10.80.80.80/38413->172.18.1.81/6666;6> matched filter v4: Jan 25 13:45:36 13:45:35.1598852:CID-0:RT:packet [52] ipid = 21961, @0x4a22acda Jan 25 13:45:36 13:45:35.1598857:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x4a22aa80, rtbl_idx = 0 Jan 25 13:45:36 13:45:35.1598865:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/5.0 Jan 25 13:45:36 13:45:35.1598871:CID-0:RT: ge-0/0/5.0:10.80.80.80/38413->172.18.1.81/6666, tcp, flag 10 Jan 25 13:45:36 13:45:35.1598881:CID-0:RT: find flow: table 0x5cb394d8, hash 26340(0xffff), sa 10.80.80.80, da 172.18.1.81, sp 38413, dp 6666, proto 6, tok 6 Jan 25 13:45:36 13:45:35.1598894:CID-0:RT:Found: session id 0x1e17. sess tok 6 Jan 25 13:45:36 13:45:35.1598897:CID-0:RT: flow got session. Jan 25 13:45:36 13:45:35.1598899:CID-0:RT: flow session id 7703 Jan 25 13:45:36 13:45:35.1598903:CID-0:RT: vector bits 0x1002 vector 0x589f3000 Jan 25 13:45:36 13:45:35.1598908:CID-0:RT: tcp seq check. Jan 25 13:45:36 13:45:35.1598911:CID-0:RT:flow_xlate_pak Jan 25 13:45:36 13:45:35.1598915:CID-0:RT:natpt_composeIPv6Hdr, ipfrag is 0, clear is 0, df is 64, flag 0 Jan 25 13:45:36 13:45:35.1598920:CID-0:RT: v6_natpt_xlate, packet length change -20 Jan 25 13:45:36 13:45:35.1598924:CID-0:RT: post addr xlation: fd00:dead:babe:1:0:0:0:50->fd00:dead:babe:0:0:0:0:81. Jan 25 13:45:36 13:45:35.1598936:CID-0:RT:**** jump to packet after xlate:fd00:dead:babe:1:0:0:0:50->fd00:dead:babe:0:0:0:0:81 Jan 25 13:45:36 13:45:35.1598945:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x4a22aa80): ret(0x00000000): vector(0x842e270). Jan 25 13:45:36 13:45:35.1598953:CID-0:RT: flow_fragging_vector1_v6: in ifp out ifp Jan 25 13:45:36 13:45:35.1598958:CID-0:RT:flow_fragging_vector1_v6: pmtu is recalculated 1500 Jan 25 13:45:36 13:45:35.1598961:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x4a22aa80): ret(0x00000000): vector(0x842e860). Jan 25 13:45:36 13:45:35.1598969:CID-0:RT:mbuf 0x4a22aa80, exit nh 0xc0010 Jan 25 13:45:36 13:45:35.1598973:CID-0:RT:flow_walk_vector_list_v6_afer_xlate(): pak_ptr(0xbf97d9d8.0x4a22aa80): ret(0x00000000): vector(0x842db10). Jan 25 13:45:36 13:45:35.1598980:CID-0:RT: **** pak processing end. Jan 25 13:45:36 13:45:35.1598982:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)