Junos OS

I've got a number of SRX300's in my lab. I have found that I cannot get them to distribute a static default route to another SRX300. Routes for directly connected networks are being distributed. Any ideas?

Thanks

version 15.1X49-D45;
system {
    host-name ns-firewall;
...
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 24.aa.bb.153;
    }
    generate {
        route 0.0.0.0/0 discard;
    }
    router-id 10.128.1.5;
}
protocols {
    ospf {
        export [ export-connected export-default-route ];
        area 0.0.0.0 {
            interface ge-0/0/1.0 {
                authentication {
                    simple-password "zzzzzzzzzzzzzzzzzzzzz";
                }
            }
        }
    }
}
policy-options {
    policy-statement export-connected {
        term t1 {
            from {
                protocol direct;
                interface [ ge-0/0/0.0 ge-0/0/2.0 lo0.0 ];
            }
            then {
                metric 20;
                preference 60;
                external {
                    type 1;
                }
                accept;
            }
        }
        term reject {
            then reject;
        }
    }
    policy-statement export-default-route {
        term export-default-route-t1 {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}

me@ns-firewall> show route
inet.0: 12 destinations, 14 routes (12 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 20:01:04
                    > to 24.aa.bb.153 via ge-0/0/5.0
10.5.1.1/32        *[Local/0] 20:01:04
                      Reject
10.5.2.1/32        *[Local/0] 20:01:04
                      Reject
10.5.3.1/32        *[Local/0] 20:01:04
                      Reject
10.5.254.0/24      *[Direct/0] 20:01:04
                    > via lo0.0
10.5.254.1/32      *[Local/0] 20:01:04
                      Local via lo0.0
10.128.1.0/24      *[Direct/0] 20:01:04
                    > via ge-0/0/1.0
10.128.1.5/32      *[Local/0] 20:01:04
                      Local via ge-0/0/1.0
24.aa.bb.144/28   *[Direct/0] 20:01:04
                    > via ge-0/0/5.0
                    [Direct/0] 20:01:04
                    > via ge-0/0/5.0
24.aa.bb.157/32   *[Local/0] 20:01:04
                      Local via ge-0/0/5.0
24.aa.bb.158/32   *[Local/0] 20:01:04
                      Local via ge-0/0/5.0
224.0.0.5/32       *[OSPF/10] 20:01:04, metric 1
                      MultiRecv


me@ns-firewall> show ospf database

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   10.128.1.2       10.128.1.2       0x8000001a  2091  0x22 0xc915  36
Router  *10.128.1.5       10.128.1.5       0x80000019  2841  0x22 0xc511  36
Network *10.128.1.5       10.128.1.5       0x80000018  2091  0x22 0x4b98  32
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern  *10.5.1.0         10.128.1.5       0x80000019   591  0x22 0xc89d  36
Extern  *10.5.254.0       10.128.1.5       0x80000019  1341  0x22 0xde89  36

me@ns-firewall> test policy export-default-route 0.0.0.0/0

inet.0: 12 destinations, 14 routes (12 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 19:55:32
                    > to 24.aa.bb.153 via ge-0/0/5.0

Policy export-default-route: 1 prefix accepted, 11 prefix rejected



version 15.1X49-D45;
system {
    host-name osk-firewall;
...
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.0.1;
    }
    router-id 10.128.1.2;
}
protocols {
    ospf {
        export [ export-connected exportstatic1 ];
        area 0.0.0.0 {
            interface ge-0/0/1.0 {
                authentication {
                    simple-password "zzzzzzzzzzzzzzzzzzzz";
                }
            }
        }
    }
}
policy-options {
    policy-statement export-connected {
        term t1 {
            from {
                protocol direct;
                interface [ ge-0/0/0.0 ge-0/0/2.0 ];
            }
            then {
                metric 20;
                preference 60;
                external {
                    type 1;
                }
                accept;
            }
        }
        term reject {
            then reject;
        }
    }
    policy-statement exportstatic1 {
        term exportstatic1t1 {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}

me@osk-firewall> show route

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:07:00
                    > to 192.168.0.1 via ge-0/0/5.0
10.2.1.1/32        *[Local/0] 20:01:01
                      Reject
10.2.2.1/32        *[Local/0] 20:01:01
                      Reject
10.2.3.1/32        *[Local/0] 20:01:01
                      Reject
10.5.254.0/24      *[OSPF/150] 20:00:12, metric 21, tag 0
                    > to 10.128.1.5 via ge-0/0/1.0
10.128.1.0/24      *[Direct/0] 20:01:01
                    > via ge-0/0/1.0
10.128.1.2/32      *[Local/0] 20:01:01
                      Local via ge-0/0/1.0
192.168.0.0/24     *[Direct/0] 00:07:00
                    > via ge-0/0/5.0
192.168.0.254/32   *[Local/0] 20:01:01
                      Local via ge-0/0/5.0
224.0.0.5/32       *[OSPF/10] 20:01:01, metric 1
                      MultiRecv



me@osk-firewall> show ospf database

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router  *10.128.1.2       10.128.1.2       0x8000001a  2551  0x22 0xc915  36
Router   10.128.1.5       10.128.1.5       0x8000001a   303  0x22 0xc312  36
Network  10.128.1.5       10.128.1.5       0x80000018  2553  0x22 0x4b98  32
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   10.5.1.0         10.128.1.5       0x80000019  1053  0x22 0xc89d  36
Extern   10.5.254.0       10.128.1.5       0x80000019  1803  0x22 0xde89  36

me@osk-firewall> test policy exportstatic1 0.0.0.0/0

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:51
                    > to 192.168.0.1 via ge-0/0/5.0

Policy exportstatic1: 1 prefix accepted, 9 prefix rejected

Hello,

Please delete last reject term in "export-connected" policy.

HTH

Thx

Alex

Thanks aarseniev. That worked.

So because my default route pointed to a router on a directly connected network, the  export-connected policy  also applied. The route was rejected because it was not from  ge-0/0/0.0, ge-0/0/2.0, or. lo0.0.

Thanks again!

No worries.

---

@emeitner wrote:

 

So because my default route pointed to a router on a directly connected network, the  export-connected policy  also applied.

 

 

---

No. Your policy "export-connected" term t1 "from interface [ ge-0/0/0.0 ge-0/0/2.0 lo0.0 ]" does not match statics that resolve via interfaces ge-0/0/0.0 ge-0/0/2.0 lo0.0. 

---

@emeitner wrote:

The route was rejected because it was not from  ge-0/0/0.0, ge-0/0/2.0, or. lo0.0.

 

 

 

 

---

Incorrect. The 0/0 route was rejected because 1st "export-connected" policy in policy-chain contained unconditional term "reject" that rejected everything not matched by previous terms, and therefore hasn't left any chances for the 2nd policy to match something.

HTH

Thx

Alex

Got it. Thanks again!

Uh, let me correct that:

All routes that were NOT for directly connected networks(not passing export-connected term t1) were being rejected.