[j-nsp] " packet dropped, first pak not sync" error message ?

Leslie leslie at craigslist.org
Mon Dec 1 13:49:43 EST 2008


Hi -

I am currently having a very strange issue.  I have a setup that is 
basically a core switch, with OSPF enabled and connected to a 
netscreen-isg2000 running ScreenOS 6.0.0r4. So, I am on a host in the 
cluster, connected to the core switch.  I can ssh to the core switch's 
ip'ed interface that is connected to the netscreen without a problem, 
but if I try to ssh to the loopback, it connects for about 15-20 seconds 
and then disconnects.  I set a flow filter, and got some messages like 
the ones I have pasted below.  It appears that the issue is the 
netscreen dropping packets because of "not sync".  Does anyone have any 
experience with issues like this? A quick search just found that the way 
to "solve" this issue is to disable syn flood protection, but I'd prefer 
to not use that hack.

Thanks in advance!
Leslie


***** 9491008.0: <Trust/ethernet1/3> packet received [92]******
   ipid = 17509(4465), @03b9c118
   packet passed sanity check.
   ethernet1/3:10.128.1.11/54737->10.131.255.1/22,6<Root>
   no session found
   flow_first_inline_vector: in <ethernet1/3>, out <N/A>
   chose interface ethernet1/3 as incoming nat if.
   flow_first_inline_vector: in <ethernet1/3>, out <N/A>
   search route to (ethernet1/3, 10.128.1.11->10.131.255.1) in vr 
trust-vr for vsd-0/flag-0/ifp-null
   [ Dest] 6033.route 10.131.255.1->10.128.127.2, to ethernet1/3
   routed (x_dst_ip 10.131.255.1) from ethernet1/3 (ethernet1/3 in 0) to 
ethernet1/3
   policy search from zone 2-> zone 2
  policy_flow_search  policy search nat_crt from zone 2-> zone 2
   RPC Mapping Table search returned 0 matched service(s) for (vsys 
Root, ip 10.131.255.1, port 22, proto 6)
   No SW RPC rule match, search HW rule
   Searching global policy.
   Permitted by policy 320002
   No src xlate   choose interface ethernet1/3 as outgoing phy if
   check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet1/3
   vsd 0 is active
   no loop on ifp ethernet1/3.
   session application type 22, name None, nas_id 0, timeout 28800sec
ALG vector is not attached
   service lookup identified service 0.
   flow_first_inline_vector: in <ethernet1/3>, out <ethernet1/3>

**** jump to packet:10.131.255.1->10.128.1.11
   no more encapping needed
   send out through normal path.
   flow_ip_send: 4493:10.131.255.1->10.128.1.11,6 => ethernet1/3(40) 
flag 0x0, vlan 0
   no l2info for packet.
   no route for packet
   search route to (null, 0.0.0.0->10.128.1.11) in vr trust-vr for 
vsd-0/flag-2000/ifp-ethernet1/3
   [ Dest] 6.route 10.128.1.11->10.128.1.11, to ethernet1/3
   route to 10.128.1.11
   arp entry found for 10.128.1.11 mac 001d6086f98a
   **** pak processing end.
   packet dropped, first pak not sync
**st: <Trust|ethernet1/3|Root|0> 3a14f40: 
0:10.128.1.11/d394->10.131.255.1/16,6,40
****** 9491063.0: <Trust/ethernet1/3> packet received [40]******
   ipid = 0(0000), @03a14f40
   packet passed sanity check.
   ethernet1/3:10.128.1.11/54164->10.131.255.1/22,6, 5004(rst)<Root>
   no session found
   flow_first_inline_vector: in <ethernet1/3>, out <N/A>
   chose interface ethernet1/3 as incoming nat if.
   flow_first_inline_vector: in <ethernet1/3>, out <N/A>
   search route to (ethernet1/3, 10.128.1.11->10.131.255.1) in vr 
trust-vr for vsd-0/flag-0/ifp-null
   [ Dest] 6033.route 10.131.255.1->10.128.127.2, to ethernet1/3
   routed (x_dst_ip 10.131.255.1) from ethernet1/3 (ethernet1/3 in 0) to 
ethernet1/3
   policy search from zone 2-> zone 2
  policy_flow_search  policy search nat_crt from zone 2-> zone 2
   RPC Mapping Table search returned 0 matched service(s) for (vsys 
Root, ip 10.131.255.1, port 22, proto 6)
   No SW RPC rule match, search HW rule
   Searching global policy.
   Permitted by policy 320002
   No src xlate   choose interface ethernet1/3 as outgoing phy if
   check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet1/3
   vsd 0 is active
   no loop on ifp ethernet1/3.
   session application type 22, name None, nas_id 0, timeout 28800sec
ALG vector is not attached
   service lookup identified service 0.
   flow_first_inline_vector: in <ethernet1/3>, out <ethernet1/3>
   packet dropped, first pak not sync
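
Added example, not part of the original post: a small Python parser for flow debug output like the trace above. It splits the text into one record per "packet received" block and lists the packets that matched no session and were dropped, noting whether the outgoing interface equals the incoming one. The sample input is constructed by abridging the post's trace; the function and field names are this example's own.

```python
import re

# Constructed sample: lines abridged from the flow debug output in the post.
SAMPLE = """\
***** 9491008.0: <Trust/ethernet1/3> packet received [92]******
   ethernet1/3:10.128.1.11/54737->10.131.255.1/22,6<Root>
   no session found
   flow_first_inline_vector: in <ethernet1/3>, out <N/A>
   flow_first_inline_vector: in <ethernet1/3>, out <ethernet1/3>
   packet dropped, first pak not sync
****** 9491063.0: <Trust/ethernet1/3> packet received [40]******
   ethernet1/3:10.128.1.11/54164->10.131.255.1/22,6, 5004(rst)<Root>
   no session found
   flow_first_inline_vector: in <ethernet1/3>, out <ethernet1/3>
   packet dropped, first pak not sync
"""

HEADER = re.compile(r"^\*+ ([\d.]+): <([^/>]+)/([^>]+)> packet received \[(\d+)\]")
FLOW = re.compile(r"^\s*\S+:([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)(?:,\s*\w+\((\w+)\))?<")
VECTOR = re.compile(r"flow_first_inline_vector: in <([^>]+)>, out <([^>]+)>")

def parse_flow_debug(text):
    """Return one dict per 'packet received' block in the debug text."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"time": m[1], "in_if": m[3], "flow": None, "tcp_flag": None,
                   "no_session": False, "out_if": None, "drop": None}
            packets.append(cur)
        elif cur is None:
            continue  # text before the first packet header
        elif (m := FLOW.match(line)) and cur["flow"] is None:
            cur["flow"] = f"{m[1]}:{m[2]}->{m[3]}:{m[4]}/proto{m[5]}"
            cur["tcp_flag"] = m[6]  # e.g. "rst"; None when the line has no annotation
        elif "no session found" in line:
            cur["no_session"] = True
        elif (m := VECTOR.search(line)) and m[2] != "N/A":
            cur["out_if"] = m[2]
        elif "packet dropped, " in line:
            cur["drop"] = line.split("packet dropped, ", 1)[1].strip()
    return packets

def triage(packets):
    """Dropped packets that matched no session; hairpin = same in and out interface."""
    return [{**p, "hairpin": p["out_if"] == p["in_if"]}
            for p in packets if p["drop"] and p["no_session"]]

if __name__ == "__main__":
    for p in triage(parse_flow_debug(SAMPLE)):
        print(p["time"], p["flow"], p["tcp_flag"], p["hairpin"], p["drop"])
```

On the abridged trace both packets are reported with hairpin set, and the second one carries the rst annotation.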

