Routing


SRX240 VR issue

  • 1.  SRX240 VR issue

    Posted 09-18-2014 14:07

    Hello all,

     

    I'm having an issue with a virtual router and I think BGP might be interfering with the route but I'm not sure.  I did not originally set up the SRX240 so much of this programming was already in place.  I have only basic knowledge on how BGP works.  It was my understanding that static routes have a higher priority metric so I'm not sure how this isn't working unless I missed something simple.

     

    We have two ISPs.  I have ISP1 plugged into ge-0/0/0 with a WAN address along with ge-0/0/1 & ge-0/0/2 plugged into our redundant firewalls using our main block of /26 public IP addresses.  We recently added ISP2 plugged into ge-0/0/4 with a WAN address and ge-0/0/5 & ge-0/0/6 going to our redundant firewalls and a block of /26 addresses from them.

     

    ISP1 uses BGP back to the provider for its routes.  ISP2 uses a standard default route.  I created a VR for ISP2 and set the ISP's default gateway.

     

    When I plug my laptop into ge-0/0/5 with a public IP address from our /26 block I am able to ping interface ge-0/0/4 but I'm not able to reach ISP2's default gateway or anything beyond that.  Below are some programming excerpts from the Juniper.  If additional info is needed please let me know.  Thank you.

     

    routing-instances {
        isp2 {
            instance-type virtual-router;
            interface ge-0/0/4.0;
            interface vlan.1001;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 216.25.x.x;
                }
            }
        }
    }

     

    Interfaces ge-0/0/5 & ge-0/0/6 are in vlan 1001 that has an IP address from the /26 block

     

    vlan {
            unit 1001 {
                description isp2-to-fw;
                family inet {
                    address 216.138.x.x/xx;
                }
            }
        }

     

    vlans {
        isp2-to-fw {
            description isp2-to-fw;
            vlan-id 1001;
            l3-interface vlan.1001;
        }
    }

     

    Here are the BGP/routing-options programming but again I didn't program this and have basic knowledge about it:

     

    protocols {
        bgp {
            group external-peers {
                type external;
                local-address 4.30.x.x;
                export bgp-transit-export;
                peer-as 33xx;
                local-as 10xx;
                neighbor 4.30.x.x;
            }
        }
        stp;
    }
    policy-options {
        prefix-list manager-ip {
            4.30.x.x/xx;
        }
        policy-statement bgp-transit-export {
            term 1 {
                from {
                    protocol direct;
                    route-filter 4.34.x.x/xx exact;
                }
                then accept;
            }
        }
    }

     

    routing-options {
        interface-routes {
            family inet {
                export {
                    point-to-point;
                    lan;
                }
            }
        }
        router-id 192.168.1.2;
        autonomous-system 10xx;
        multicast {
            interface ge-0/0/0 {
                maximum-bandwidth;
            }
        }
    }



  • 2.  RE: SRX240 VR issue

    Posted 09-19-2014 08:21

    I don't think you mentioned firewall policies, is there a policy in place to allow the traffic incoming from vlan.1001 to transit out ge-0/0/4.0? 



  • 3.  RE: SRX240 VR issue

    Posted 09-19-2014 09:55

    Here is what I pulled from the SRX:

     

    security {
        policies {
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone isp1-lan {
                interfaces {
                    vlan.1000 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone isp1-wan {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone isp2-lan {
                interfaces {
                    vlan.1001 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone isp2-wan {
                interfaces {
                    ge-0/0/4.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }


    firewall {
        policer isp1 {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit 50m;
                burst-size-limit 15625000;
            }
            then discard;
        }
        filter inbound-deny {
            term ssh-allow {
                from {
                    source-prefix-list {
                        manager-ip;
                    }
                    destination-port ssh;
                }
                then accept;
            }
        }
    }



  • 4.  RE: SRX240 VR issue

    Posted 09-19-2014 10:13

    Well I'll presume the default permit-all covers the firewall angle of things.  Can you ping the isp2 gateway from the isp2 routing instance on the SRX?



  • 5.  RE: SRX240 VR issue

    Posted 09-19-2014 10:45

    Yeah this whole config probably needs to be cleaned up.

     

    Yes I can ping the isp2 gateway from the isp2 interface.  When I try to use ge-0/0/5 or ge-0/0/6 it says "no route to host".

     

    user@ustx04edge-r1> ping 216.25.xx.1 interface ge-0/0/4
    PING 216.25.xx.1 (216.25.xx.1): 56 data bytes
    64 bytes from 216.25.xx.1: icmp_seq=0 ttl=255 time=3.209 ms
    64 bytes from 216.25.xx.1: icmp_seq=1 ttl=255 time=3.401 ms
    64 bytes from 216.25.xx.1: icmp_seq=2 ttl=255 time=3.130 ms
    64 bytes from 216.25.xx.1: icmp_seq=3 ttl=255 time=3.391 ms

    Here is the route table for those interfaces.

     

    0.0.0.0/0          *[Static/5] 1d 03:51:31
                        > to 216.25.xx.1 via ge-0/0/4.0 (this is what I can't ping from 0/0/5 or 0/0/6)
    216.25.xx.0/xx   *[Direct/0] 1d 03:51:31
                        > via ge-0/0/4.0
    216.25.xx.2/xx   *[Local/0] 1d 03:51:31
                          Local via ge-0/0/4.0
    216.138.xx.0/xx *[Direct/0] 1d 03:22:42
                        > via vlan.1001
    216.138.xx.xx/xx *[Local/0] 1d 03:29:29
                          Local via vlan.1001



  • 6.  RE: SRX240 VR issue

    Posted 09-19-2014 11:03

    What happens when you try to ping from the SRX, but source it from the vlan.1001 interface?  Is that what you are doing when you mention the "no route to host"...can you explain that more, where/when are you seeing that no route to host message?



  • 7.  RE: SRX240 VR issue

    Posted 09-19-2014 11:06

    Sorry.  When I use the following command is when I see "no route to host" but I think that will always show it regardless since the interface is not inet.

     

    > ping 216.25.xx.1 interface ge-0/0/5

     

    When I run this command it just sits there and doesn't display anything:

     

    > ping 216.25.xx.1 interface vlan.1001



  • 8.  RE: SRX240 VR issue

    Posted 09-19-2014 11:39

    Try something like this:

     

    ping routing-instance isp2 source <ip of vlan.1001 interface>

     

    Try it without the 'source' part too.



  • 9.  RE: SRX240 VR issue

    Posted 09-19-2014 11:48

    user@ustx04edge-r1> ping routing-instance isp2 source 216.138.xx.xx 216.138.xx.xx
    PING 216.138.xx.xx (216.138.xx.xx): 56 data bytes
    64 bytes from 216.138.xx.xx: icmp_seq=0 ttl=64 time=0.987 ms
    64 bytes from 216.138.xx.xx: icmp_seq=1 ttl=64 time=0.262 ms
    64 bytes from 216.138.xx.xx: icmp_seq=2 ttl=64 time=0.252 ms
    64 bytes from 216.138.xx.xx: icmp_seq=3 ttl=64 time=0.281 ms

     

    user@ustx04edge-r1> ping routing-instance isp2 216.138.xx.xx
    PING 216.138.xx.xx (216.138.xx.xx): 56 data bytes
    64 bytes from 216.138.xx.xx: icmp_seq=0 ttl=64 time=6.259 ms
    64 bytes from 216.138.xx.xx: icmp_seq=1 ttl=64 time=0.322 ms
    64 bytes from 216.138.xx.xx: icmp_seq=2 ttl=64 time=0.260 ms
    64 bytes from 216.138.xx.xx: icmp_seq=3 ttl=64 time=0.635 ms



  • 10.  RE: SRX240 VR issue

    Posted 09-19-2014 12:22

    Just so I'm not confused:

     

    216.25.x.x  -> your transit to isp2

     

    216.138.x.x/26 -> network that isp2 'gives' to you

     

    Can you ping the 216.25.x.x IP that is on the isp2 side FROM vlan.1001?  Should look something like this:

     

    ping routing-instance isp2 source 216.138.xx.xx 216.25.x.x

     

    and try:

     

    ping routing-instance isp2 216.25.x.x

     

    or just some INET IP:

     

    ping routing-instance isp2 8.8.8.8

     

    Basically testing ping from the VR to the destination of the static default route that you created for isp2 instance.



  • 11.  RE: SRX240 VR issue

    Posted 09-19-2014 12:54

    216.25.x.x  -> your transit to isp2

    Yes

     

    216.138.x.x/26 -> network that isp2 'gives' to you

    Yes this is our /26 block

     

    Can you ping the 216.25.x.x IP that is on the isp2 side FROM vlan.1001?  Should look something like this:

     

    ping routing-instance isp2 source 216.138.xx.xx 216.25.x.x

    Yes but not if I try and ping 216.25.xx.1 (the ISP's gateway)

    It also does not work if I put "interface vlan.1001" in place of 216.138.xx.xx when pinging the ISP gateway

     

    and try:

     

    ping routing-instance isp2 216.25.x.x

    Yes and it does work if I try the ISP's gateway as well

     

    or just some INET IP:

     

    ping routing-instance isp2 8.8.8.8

    This does work.

     

    So it seems there is something in the transition from vlan.1001 to the routing-instance isp2.  Our other circuit is set up exactly like this and it works just fine.



  • 12.  RE: SRX240 VR issue
    Best Answer

    Posted 09-19-2014 13:08

    With this ISP you aren't running BGP, but a static route.  This is looking to me like perhaps the ISP hasn't put the proper static route(s) in their side, and their router doesn't know how to get to the /26 that they assigned to you.  Because when you source from the /26 and try to ping their gateway it doesn't work, but if you just ping "normally" from the instance you can ping, that will be sourced from your side of the 216.25.x.x  transit and will be direct route on the ISP router so it has to know how to get there. 

    That's what it appears to me at this point, I don't see anything wrong with the firewall/routing in the isp2 instance.  Make sense as a possibility?
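
    The diagnosis above rests on two checks: the instance's static default must resolve to an on-link next-hop (the route table in post 5), and pings sourced from the SRX's own transit address must behave differently from pings sourced from the assigned /26 (the test matrix in posts 10 and 11). The following Python script is an added example, not code from the thread or from Juniper: it parses a constructed copy of `show route` output in the same format as the post 5 excerpt, verifies that the default route's next-hop sits on a directly connected prefix via the same interface, and encodes the ping matrix so that "forwarding out works but replies to the /26 never come back" is reported as a missing return route at the ISP rather than a local VR problem. All addresses are constructed from documentation ranges, and the output format is assumed to match the excerpt.

```python
"""Offline checks for the two-ISP virtual-router symptom discussed in the thread.

Added example; not part of the thread. The route table and ping results below
are constructed (RFC 5737 documentation addresses), not the poster's real data.
"""
import ipaddress
import re

# Constructed stand-in for `show route table isp2.inet.0` in the post 5 format.
SAMPLE_ROUTE_TABLE = """\
0.0.0.0/0          *[Static/5] 1d 03:51:31
                    > to 203.0.113.1 via ge-0/0/4.0
203.0.113.0/30     *[Direct/0] 1d 03:51:31
                    > via ge-0/0/4.0
203.0.113.2/32     *[Local/0] 1d 03:51:31
                      Local via ge-0/0/4.0
198.51.100.0/26    *[Direct/0] 1d 03:22:42
                    > via vlan.1001
198.51.100.1/32    *[Local/0] 1d 03:29:29
                      Local via vlan.1001
"""

# First line of a route entry: prefix, then *[Protocol/preference].
PREFIX_RE = re.compile(r"^(\S+)\s+\*\[(\w+)/(\d+)\]")
# Next-hop line: optional "> ", optional "to <addr>", optional "Local", then "via <ifl>".
NEXTHOP_RE = re.compile(r"^\s+(?:>\s+)?(?:to\s+(\S+)\s+)?(?:Local\s+)?via\s+(\S+)")


def parse_route_table(text):
    """Return a list of dicts: prefix, protocol, preference, next_hop, interface."""
    routes = []
    current = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = {"prefix": ipaddress.ip_network(m.group(1)),
                       "protocol": m.group(2),
                       "preference": int(m.group(3)),
                       "next_hop": None,
                       "interface": None}
            routes.append(current)
            continue
        m = NEXTHOP_RE.match(line)
        if m and current is not None:
            if m.group(1):  # Direct/Local routes carry no "to <addr>"
                current["next_hop"] = ipaddress.ip_address(m.group(1))
            current["interface"] = m.group(2)
    return routes


def check_default_route(routes):
    """Confirm the default route's next-hop is on a Direct prefix reachable
    through the same interface inside this instance. Returns (ok, detail)."""
    default = next((r for r in routes if r["prefix"].prefixlen == 0), None)
    if default is None:
        return False, "no default route in the instance"
    if default["next_hop"] is None:
        return False, "default route has no next-hop address"
    for r in routes:
        if r["protocol"] == "Direct" and default["next_hop"] in r["prefix"]:
            if r["interface"] == default["interface"]:
                return True, f"next-hop {default['next_hop']} is on-link via {r['interface']}"
            return False, (f"next-hop is on {r['prefix']} via {r['interface']}, "
                           f"but the default points at {default['interface']}")
    return False, f"next-hop {default['next_hop']} is not on any directly connected prefix"


def classify_ping_results(results):
    """Apply the source-specific ping matrix from posts 10 and 11.

    results maps (source, destination) -> reachable (bool). Sources are
    'transit' (the SRX's own address on the ISP link, the default when no
    source is given) and 'assigned' (an address from the /26 the ISP routed
    to the customer). Destinations are 'isp_gateway' and 'internet'.
    """
    gw_from_transit = results.get(("transit", "isp_gateway"))
    gw_from_assigned = results.get(("assigned", "isp_gateway"))
    internet_from_transit = results.get(("transit", "internet"))
    if gw_from_transit is False:
        return "link"  # gateway unreachable even from the on-link address: local problem
    if gw_from_transit and internet_from_transit and gw_from_assigned is False:
        return "return-route"  # egress works; the ISP has no route back to the /26
    if gw_from_transit and gw_from_assigned:
        return "ok"
    return "indeterminate"


if __name__ == "__main__":
    routes = parse_route_table(SAMPLE_ROUTE_TABLE)
    print(check_default_route(routes))
    print(classify_ping_results({("transit", "isp_gateway"): True,
                                 ("transit", "internet"): True,
                                 ("assigned", "isp_gateway"): False}))
```

    The route-table check covers the local half of the problem (the default really does point at an on-link neighbour out ge-0/0/4.0); a result of "return-route" from the matrix is exactly the pattern in post 11, where the gateway answers pings sourced from the transit address but not from the /26, and is the signature of the ISP-side omission confirmed in post 14.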



  • 13.  RE: SRX240 VR issue

    Posted 09-19-2014 13:20

    I was just starting to think that.  I put in a ticket with the provider to make sure they have this set up properly.  I was racking my brain because it looked to be set up the right way but I'm glad you brought that up.  I'll let you know what they say.  Thank you for your time on this.



  • 14.  RE: SRX240 VR issue

    Posted 09-20-2014 07:14

    B2, that's what it was.  The ISP did not have the /26 block routed through but it is fixed now and all is working as intended.  Again thanks for the help with this and I hope you have a great weekend.



  • 15.  RE: SRX240 VR issue

    Posted 09-20-2014 10:23

    Glad to hear things got fixed, you have a good weekend as well.  Cheers