Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  Can't manage via FXP0.0 remotely

    Posted 03-08-2011 21:10

    We have a few SRX3600's which have been installed recently. My issue is that from my remote laptop I'm unable to SSH to the FXP0.0 interface.

    I can ping the FXP0.0 interface from my remote laptop, just can't SSH.

    I can SSH to FXP0 from a directly connected hosting switch in the same subnet.

    So it seems traffic from other subnets is not allowed to SSH to the device. Do I need to add the FXP0 interface into a security zone for this to work?



  • 2.  RE: Can't manage via FXP0.0 remotely

    Posted 03-08-2011 22:36

    No, you do not need to add fxp0 into a security zone. It is for out-of-band management, so no security processing is done.

    A couple of things to check.

    1. Did you enable ssh as a system service?

    root@srx# set system services ssh

    2. Do you have any firewall filters applied to either fxp0 or lo0? If so, then try removing those.

    3. Assuming you have ssh enabled and no firewall filters, also try different SSH clients, as it could be SSH settings. You can also run monitor traffic for fxp0 to see whether you are even seeing the ssh traffic coming in or not.

    -Richard



  • 3.  RE: Can't manage via FXP0.0 remotely

    Posted 03-16-2011 21:51

    Yes, SSH is enabled. As I said, I can SSH to it from a device which is directly connected to it.

    No firewall filters exist on the devices at all.

    When I run monitor traffic I can see my SSH traffic coming from my laptop.

    This is a cluster of srx3600 firewalls running 10.4r1.9.



  • 4.  RE: Can't manage via FXP0.0 remotely

    Posted 03-17-2011 09:25

    Install a default route or a backup-router.



  • 5.  RE: Can't manage via FXP0.0 remotely

    Posted 03-17-2011 13:52

    There is a default route - the firewalls run OSPF and they have both received the default route that OSPF has injected.

    As I said, I can ping the fxp0 interface from my remote laptop, just can't SSH or HTTPS to it remotely.



  • 6.  RE: Can't manage via FXP0.0 remotely

    Posted 03-17-2011 14:05

    Post the configuration.



  • 7.  RE: Can't manage via FXP0.0 remotely

    Posted 03-17-2011 14:11

    Config file attached below.



  • 8.  RE: Can't manage via FXP0.0 remotely

    Posted 03-17-2011 14:55

    Include a backup-router in your groups node1 stanza.



  • 9.  RE: Can't manage via FXP0.0 remotely

    Posted 03-17-2011 15:00

    I thought fxp interfaces didn't need to be added into security zones since they are out-of-band?



  • 10.  RE: Can't manage via FXP0.0 remotely

    Posted 03-17-2011 19:20

    As part of a good design I would also create a loopback interface lo0 and set that as your router-id for OSPF and BGP.



  • 11.  RE: Can't manage via FXP0.0 remotely
    Best Answer

    Posted 03-22-2011 22:54

    Again, you do not need to add fxp0 to any security zone, as it is basically a direct connection to the RE and does not go through flow processing. As such, you also cannot route from a revenue port (reth or physical XE or GE interface) to the fxp0 interface. Fxp0 can only ever be accessed via the fxp0 interface and the fxp0 network. However, routing still needs to be configured so that traffic destined for fxp0 egresses to the gateway on the fxp0 interface. So you will need to have a static route with the fxp0 gateway as next-hop configured for this to work. This assumes you are accessing the primary node for RG0. If you are also accessing fxp0 on the secondary node, you will need to configure the backup-router statement (under the system hierarchy) as well, as the secondary node does not run the routing process and hence cannot do a route lookup. There are plenty of forum postings and KB articles at http://kb.juniper.net which show how to configure the backup-router statement.

    -Richard


  • 12.  RE: Can't manage via FXP0.0 remotely

    Posted 03-29-2011 19:51

    Thanks.

    So if I entered the command below under node1 in groups:

    backup-router 10.150.7.1 destination 10.0.0.0/8

    Would that fix my issue, without causing any adverse effects?

    Edit - should the backup-router command be put under both nodes, in case of fail-over?



  • 13.  RE: Can't manage via FXP0.0 remotely

    Posted 03-30-2011 07:00

    Hi there,

    My answers:

    1/ If there are more specific routes in inet.0, the management traffic will follow these routes. You can and should put several most-specific destinations under backup-router, for instance:

    set groups node1 system backup-router 10.150.7.1
    set groups node1 system backup-router destination 10.170.27.46/32 # NTP server
    set groups node1 system backup-router destination 10.180.77.1/32 # syslog server
    set groups node1 system backup-router destination 10.210.177.0/28 # DNS servers subnet

    -- and so on

    2/ And yes, please put "backup-router" in both the node0 and node1 groups. This is needed not only for failover but in case RPD does not start at all on your SRX, which sometimes happens because of software bugs.

    Rgds

    Alex
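The checks spelled out across posts 2, 11 and 13 (ssh enabled, no filter on fxp0/lo0, a static route toward the client via the fxp0 gateway on the primary, and backup-router under both node groups) can be run mechanically over a `set`-style configuration. The following is an added example, not code from the thread or from Juniper; the sample configuration, the client prefix 10.20.0.0/16 and every address in it are constructed.

```python
import ipaddress
import re

# Constructed sample (hypothetical addresses): ssh is on, backup-router exists
# only under node1 and there is no static route, mirroring the thread's situation.
SAMPLE_CONFIG = """\
set system services ssh
set groups node0 system host-name srx-a
set groups node1 system host-name srx-b
set groups node1 system backup-router 10.150.7.1
set groups node1 system backup-router destination 10.0.0.0/8
set interfaces fxp0 unit 0 family inet address 10.150.7.10/24
"""

def _covers(route_prefix, client_prefix):
    """True when client_prefix lies inside route_prefix."""
    return ipaddress.ip_network(client_prefix).subnet_of(ipaddress.ip_network(route_prefix))

def check_fxp0_management(config, client_prefix):
    """Return {check_name: bool}; True means the condition from the thread holds."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    f = {}
    # Post 2: ssh must be enabled as a system service.
    f["ssh_enabled"] = "set system services ssh" in lines
    # Post 2: no firewall filter applied to fxp0 or lo0.
    f["no_filter_on_fxp0_lo0"] = not any(
        re.match(r"set interfaces (fxp0|lo0) .*\bfilter\b", l) for l in lines)
    # Post 11: the primary node needs a static route toward the client network
    # whose next-hop is the gateway on the fxp0 subnet.
    m = re.search(r"^set interfaces fxp0 unit 0 family inet address (\S+)$", config, re.M)
    fxp0_net = ipaddress.ip_interface(m.group(1)).network if m else None
    statics = re.findall(r"^set routing-options static route (\S+) next-hop (\S+)$",
                         config, re.M)
    f["static_route_via_fxp0_gw"] = any(
        _covers(p, client_prefix) and fxp0_net is not None
        and ipaddress.ip_address(nh) in fxp0_net for p, nh in statics)
    # Post 13: backup-router with a destination covering the client under BOTH
    # node groups, so the secondary node (which runs no rpd) can reply as well.
    for node in ("node0", "node1"):
        gw = re.search(rf"^set groups {node} system backup-router (\d+(?:\.\d+){{3}})$",
                       config, re.M)
        dests = re.findall(
            rf"^set groups {node} system backup-router destination (\S+)$", config, re.M)
        f[f"backup_router_{node}"] = bool(gw) and any(
            _covers(d, client_prefix) for d in dests)
    return f

if __name__ == "__main__":
    for name, ok in check_fxp0_management(SAMPLE_CONFIG, "10.20.0.0/16").items():
        print(("OK     " if ok else "MISSING"), name)
```

Run against the sample it reports the missing static route and the missing node0 backup-router; appending the corresponding `set` lines makes every check pass.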