what is causing this behavior?

user@host> show security flow session interface ge-0/0/10.0
Session ID. 29, Policy name: to-infrastructure/4, Timeout: 1250, Valid
Resource information : FTP ALG, 1, 0
In: 10.1.1.213/61892 --> 10.2.2.20/21;tcp, If: ge-0/0/8.0, Pkts: 25, Bytes: 1242
Out: 10.2.2.20/21 --> 10.1.1.213/61892;tcp, If: ge-0/0/10.0, Pkts: 18, Bytes: 1278
Total sessions: 1

user@host> show interfaces ge-0/0/10 | match zone
Security: Zone: infrastructure

user@host> show interfaces ge-0/0/8 | match zone
Security: Zone: finance

user@host> show configuration security policies from-zone infrastructure to-zone finance

user@host> show log flow-traceoptions
Jun 13 14:44:01 14:44:01.059151:CID-0:RT:SPU received an event,type 112, common:3
Jun 13 14:44:01 14:44:01.059151:CID-0:RT:Rcv packet with rtbl idx 0, cos 0
Jun 13 14:44:01 14:44:01.059151:CID-0:RT:SPU processing spu_flushed_pak, flag: 0x2, mbuf:0x423f6100
Jun 13 14:44:01 14:44:01.060343:CID-0:RT:10.2.2.20/20->10.1.1.213/64313;6> matched filter filter2:
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:packet [64] ipid = 1614, @423fd19c
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:—- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x423fcf80, rtbl_idx = 0
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/10.0
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: ge-0/0/10.0:10.2.2.20/20->10.1.1.213/64313, tcp, flag 2 syn
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: find flow: table 0x49175b08, hash 34391(0xffff), sa 10.2.2.20, da 10.1.1.213, sp 20, dp 64313, proto 6, tok 8
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: no session found, start first path. in_tunnel – 0, from_cp_flag – 0
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: flow_first_create_session
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:-jsf : preset sess plugin info for session 31
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: Allocating plugin info block for plugin(21)
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:[JSF] set ext handle 0x46389be8 for plugin 21 on session 31
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:asl_usp_get_l3_out_ifp_out_tunnel ASL IPV4 out_ifp = ge-0/0/8.0 for dst:10.1.1.213 in vr_id:0
Jun 13 14:44:01 14:44:01.060473:CID-0:RT:SPU invalid session id 00000000
Jun 13 14:44:01 14:44:01.060473:CID-0:RT: jsf drop pak pid 21, jbuf 0x4fcd7038, release hold 0, sess_id 0
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: After jsf gate hit. sid 0xfb39, pid 0, cookie 0x1f, jbuf 0x15. rc = 1
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:RM populated xlate info for nsp2: 10.1.1.213/64313->10.2.2.20/20out_ifp = ge-0/0/8.0, out_tunnel = 0x0
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_in_dst_nat: in 0/10.0>, out 0/8.0> dst_adr 10.1.1.213, sp 20, dp 64313
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_in_dst_nat: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_rule_dst_xlate: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_routing: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_policy_search: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_reverse_mip: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_src_xlate: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT: flow_first_get_out_ifp: bypassed by RM
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/8.0, addr: 10.1.1.213, rtt_idx:0
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:[JSF]Normal interest check. regd plugins 18, enabled impl mask 0x0
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060761:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 21, svc_req 0x0, impl mask 0x0. rc 3
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 25, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 2
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 4
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 4294967296, impli mask(0x0), post_nat cnt 31 svc req(0x0)
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:[JSF]c2s order list:
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: 21
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:[JSF]s2c order list:
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: 21
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: service lookup identified service 79.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: flow_first_final_check: in 0/10.0>, out 0/8.0>
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:flow_first_complete_session, pak_ptr: 0x48ae5ba0, nsp: 0x4c38e248, in_tunnel: 0x0
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:construct v4 vector for nsp2
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: existing vector list 82-454e5c90.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: Session (id:31) created for first pak 82
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: flow_first_install_session======> 0x4c38e248
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: nsp 0x4c38e248, nsp2 0x4c38e2c8
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: make_nsp_ready_no_resolve()
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: route lookup: dest-ip 10.2.2.20 orig ifp ge-0/0/10.0 output_ifp ge-0/0/10.0 orig-zone 8 out-zone 8 vsd 0
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: route to 10.2.2.20
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:Doing jsf sess create notify
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:flow_delete_gate: invoked for gate 0x4c077c24 [id 1000003]
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:gate_start_ageout: ageout started for gate 0x4c077c24
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: jsf sess id ignore. sess 31, pid 21, dir 1, st_buf 0x0.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: jsf sess id ignore. sess 31, pid 21, dir 2, st_buf 0x0.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:All plugins have ignored session :31
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: existing vector list 2-454ecbd0.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT: existing vector list 2-454ecbd0.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:-jsf create notify: plugin id 21. rc 3
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:flow_do_jsf_notify_session_creation(): natp(0x4c38e248): 0 SHORT_CIRCUITED. 0x00000000.
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:no need update ha
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:Installing c2s NP session wing
Jun 13 14:44:01 14:44:01.060975:CID-0:RT:Installing s2c NP session wing
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: flow got session.
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: flow session id 31
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: vector bits 0x2 vector 0x454ecbd0
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: tcp flags 0x2, flag 0x2
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: Got syn, 10.2.2.20(20)->10.1.1.213(64313), nspflag 0x1021, 0x20
Jun 13 14:44:01 14:44:01.061475:CID-0:RT:mbuf 0x423fcf80, exit nh 0xa0010
Jun 13 14:44:01 14:44:01.061475:CID-0:RT: —– flow_process_pkt rc 0x0 (fp rc 0)

While troubleshooting a device, you see that it is permitting packets for which it appears
there is no policy. Using the information in the exhibit, what is causing this behavior?


A. It is permitted due to a global policy.

B. It is permitted due to a default permit policy.

C. It is permitted due to a stale policy.

D. It is permitted due to an ALG.


