Channel: All SRX Services Gateway posts

Re: traffic only flows in one direction through routed based VPN between srx and paloalto


Please ignore my previous post about traceoptions; this is what I get when I do security flow traceoptions.

 

Oct 18 00:02:19 00:02:19.844570:CID-0:RT:packet [60] ipid = 52936, @0x40899a3e

Oct 18 00:02:19 00:02:19.844570:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x40899800, rtbl_idx = 0

Oct 18 00:02:19 00:02:19.844570:CID-0:RT: in_ifp <vpn:st0.0>

Oct 18 00:02:19 00:02:19.844570:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x431f25c8

Oct 18 00:02:19 00:02:19.844570:CID-0:RT:pkt out of tunnel.Proceed normally

Oct 18 00:02:19 00:02:19.844570:CID-0:RT: st0.0:172.16.3.52->172.30.10.4, icmp, (8/0)

Oct 18 00:02:19 00:02:19.844570:CID-0:RT: find flow: table 0x42689418, hash 16596(0xffff), sa 172.16.3.52, da 172.30.10.4, sp 34370, dp 1, proto 1, tok 8

Oct 18 00:02:19 00:02:19.844570:CID-0:RT: no session found, start first path. in_tunnel - 0x445656d8, from_cp_flag - 0

Oct 18 00:02:19 00:02:19.844570:CID-0:RT: flow_first_create_session

Oct 18 00:02:19 00:02:19.844570:CID-0:RT: flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 172.30.10.4, sp 34370, dp 1

Oct 18 00:02:19 00:02:19.844570:CID-0:RT: chose interface st0.0 as incoming nat if.

Oct 18 00:02:19 00:02:19.844570:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.30.10.4(1)

Oct 18 00:02:19 00:02:19.844570:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.3.52, x_dst_ip 172.30.10.4, in ifp st0.0, out ifp N/A sp 34370, dp 1, ip_proto 1, tos 0

Oct 18 00:02:19 00:02:19.844570:CID-0:RT:Doing DESTINATION addr route-lookup

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: routed (x_dst_ip 172.30.10.4) from vpn (st0.0 in 0) to vlan.0, Next-hop: 172.30.10.4

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_policy_search: policy search from zone vpn-> zone lan (0x0,0x86420001,0x1)

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:policy lkup: vsys 0 zone(8:vpn) -> zone(6:lan) scope:0

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: 172.16.3.52/2048 -> 172.30.10.4/50968 proto 1

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: app 0, timeout 60s, curr ageout 60s

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: permitted by policy vpn-lan(6)

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: packet passed, Permitted by policy.

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: dip id = 0/0, 172.16.3.52/34370->172.16.3.52/34370 protocol 0

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: choose interface vlan.0 as outgoing phy if

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.0, addr: 172.30.10.4, rtt_idx:0

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf : Alloc sess plugin info for session 2412

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:[JSF]Normal interest check. regd plugins 13, enabled impl mask 0x0

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 138986356, impli mask(0x0), post_nat cnt 2412 svc req(0x0)

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf : no plugin interested for session 2412, free sess plugin info

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_service_lookup(): natp(0x44671b28): app_id, 0(0).

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: service lookup identified service 0.

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: flow_first_final_check: in <st0.0>, out <vlan.0>

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_complete_session, pak_ptr: 0x4270a328, nsp: 0x44671b28, in_tunnel: 0x445656d8

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:construct v4 vector for nsp2

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: existing vector list 0x204-0x41f5e650.

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: Session (id:2412) created for first pak 204

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: flow_first_install_session======> 0x44671b28

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: nsp 0x44671b28, nsp2 0x44671ba8

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: make_nsp_ready_no_resolve()

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: route lookup: dest-ip 172.16.3.52 orig ifp st0.0 output_ifp st0.0 orig-zone 8 out-zone 8 vsd 0

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: route to 172.16.3.52

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:avt_get_config_by_lsys_id: Not supported on low memory platforms.

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:no need update ha

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:Installing s2c NP session wing

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: flow got session.

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: flow session id 2412

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: vector bits 0x204 vector 0x41f5e650

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: encap vector

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: no more encapping needed

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:mbuf 0x40899800, exit nh 0x100010

Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x4270a328 associated with mbuf 0x40899800

Oct 18 00:02:20 00:02:19.844570:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Oct 18 00:02:24 00:02:24.842993:CID-0:RT:<172.16.3.52/34371->172.30.10.4/1;1> matched filter test:

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:packet [60] ipid = 52937, @0x4089233e

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x40892100, rtbl_idx = 0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: in_ifp <vpn:st0.0>

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x431f25c8

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:pkt out of tunnel.Proceed normally

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: st0.0:172.16.3.52->172.30.10.4, icmp, (8/0)

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: find flow: table 0x42689418, hash 61220(0xffff), sa 172.16.3.52, da 172.30.10.4, sp 34371, dp 1, proto 1, tok 8

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: no session found, start first path. in_tunnel - 0x445656d8, from_cp_flag - 0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow_first_create_session

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 172.30.10.4, sp 34371, dp 1

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: chose interface st0.0 as incoming nat if.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.30.10.4(1)

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.3.52, x_dst_ip 172.30.10.4, in ifp st0.0, out ifp N/A sp 34371, dp 1, ip_proto 1, tos 0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:Doing DESTINATION addr route-lookup

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: routed (x_dst_ip 172.30.10.4) from vpn (st0.0 in 0) to vlan.0, Next-hop: 172.30.10.4

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_policy_search: policy search from zone vpn-> zone lan (0x0,0x86430001,0x1)

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:policy lkup: vsys 0 zone(8:vpn) -> zone(6:lan) scope:0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: 172.16.3.52/2048 -> 172.30.10.4/50967 proto 1

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: app 0, timeout 60s, curr ageout 60s

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: permitted by policy vpn-lan(6)

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: packet passed, Permitted by policy.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: dip id = 0/0, 172.16.3.52/34371->172.16.3.52/34371 protocol 0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: choose interface vlan.0 as outgoing phy if

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.0, addr: 172.30.10.4, rtt_idx:0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf : Alloc sess plugin info for session 2418

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:[JSF]Normal interest check. regd plugins 13, enabled impl mask 0x0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 138986356, impli mask(0x0), post_nat cnt 2418 svc req(0x0)

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf : no plugin interested for session 2418, free sess plugin info

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_service_lookup(): natp(0x446725d8): app_id, 0(0).

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: service lookup identified service 0.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow_first_final_check: in <st0.0>, out <vlan.0>

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_complete_session, pak_ptr: 0x4270a328, nsp: 0x446725d8, in_tunnel: 0x445656d8

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:construct v4 vector for nsp2

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: existing vector list 0x204-0x41f5e650.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: Session (id:2418) created for first pak 204

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow_first_install_session======> 0x446725d8

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: nsp 0x446725d8, nsp2 0x44672658

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: make_nsp_ready_no_resolve()

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: route lookup: dest-ip 172.16.3.52 orig ifp st0.0 output_ifp st0.0 orig-zone 8 out-zone 8 vsd 0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: route to 172.16.3.52

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:avt_get_config_by_lsys_id: Not supported on low memory platforms.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:no need update ha

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:Installing s2c NP session wing

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow got session.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow session id 2418

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: vector bits 0x204 vector 0x41f5e650

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: encap vector

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: no more encapping needed

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:mbuf 0x40892100, exit nh 0x100010

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x4270a328 associated with mbuf 0x40892100

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

 

