SRX

  • 1.  Need help with Virtual Routing on SRX100

    Posted 06-11-2011 15:20

    I have two SRX100s that I am trying to learn on. I have one that has a virtual router named "router" with interfaces fe-0/0/5 and fe-0/0/6 in it. Port 3 connects to port 5 on the same SRX; port 6 connects to port 3 on the other SRX.

     

    From SRX-A-1 I can ping the other SRX, SRXA-2, at 172.18.2.2, but from SRXA-2 I can't ping 172.18.1.2. I have tried everything.

     

    Attached are the configs.

    Attachment(s): srxA-2-config.txt (2 KB), srxA-1-config.txt (3 KB)


  • 2.  RE: Need help with Virtual Routing on SRX100

    Posted 06-12-2011 01:09

    From a quick glance at the config, you don't seem to have any routes in your virtual-router definition. Also make sure all your interfaces are in security zones and policies are created to permit the traffic.

     

     

    PS: once you have this working, you could use LT interfaces to connect two virtual routers running on the same SRX. That way you don't lose two physical ports.



  • 3.  RE: Need help with Virtual Routing on SRX100

    Posted 06-12-2011 06:33

    I should not need routes in the router VR because they are directly connected. I added a policy and that did not help.

     

    Here is a copy of the routing table and the policy.

    What is LT?

     

    Thank you for the help.

     

    Ed

     

    root@srxA-1# run show route

    inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.1.0/24        *[Direct/0] 22:35:57
                        > via fe-0/0/0.0
    10.0.1.201/32      *[Local/0] 22:37:21
                          Local via fe-0/0/0.0
    172.18.1.0/30      *[Direct/0] 22:37:17
                        > via fe-0/0/3.0
    172.18.1.2/32      *[Local/0] 22:37:21
                          Local via fe-0/0/3.0
    172.18.2.0/30      *[Static/5] 15:39:52
                          to table router.inet.0
    192.168.1.1/32     *[Direct/0] 22:37:51
                        > via lo0.0

    router.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.18.1.0/30      *[Direct/0] 22:37:18
                        > via fe-0/0/5.0
    172.18.1.1/32      *[Local/0] 22:37:21
                          Local via fe-0/0/5.0
    172.18.2.0/30      *[Direct/0] 20:53:03
                        > via fe-0/0/6.0
    172.18.2.1/32      *[Local/0] 22:37:21
                          Local via fe-0/0/6.0

    vr101.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.20.101.0/24    *[Direct/0] 20:53:02
                        > via fe-0/0/4.101
    172.20.101.1/32    *[Local/0] 22:37:22
                          Local via fe-0/0/4.101

    vr201.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.20.201.0/24    *[Direct/0] 20:53:02
                        > via fe-0/0/4.201
    172.20.201.1/32    *[Local/0] 22:37:22
                          Local via fe-0/0/4.201

     

     

    security {
        policies {
            from-zone free-route to-zone free-route {
                policy free-route {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone free-route to-zone untrust {
                policy free-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone untrust to-zone free-route {
                policy untrust-free {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
        }
    }

     



  • 4.  RE: Need help with Virtual Routing on SRX100

    Posted 06-12-2011 07:01

    I figured it out. I needed to do this: http://kb.juniper.net/InfoCenter/index?page=content&id=KB19855&actp=search&viewlocale=en_US&searchid=1307857209775&smlogin=true

     

    policy-options {
        policy-statement import-from-default {
            term 1 {
                from instance master;
                then accept;
            }
        }
    }

    routing-instances {
        router {
            instance-type virtual-router;
            interface fe-0/0/5.0;
            interface fe-0/0/6.0;
            routing-options {
                instance-import import-from-default;
            }
        }
    }

     

     

    Thank you.

     

    What is an LT interface?



  • 5.  RE: Need help with Virtual Routing on SRX100

    Posted 06-12-2011 11:17

    I still need help; that did not work.

     

     

     

    Here is my route table from SRXA-1. From SRXA-2 I can't ping 172.18.1.2; can anyone tell me why?

     

     

    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.1.0/24        *[Direct/0] 1d 03:23:09
                        > via fe-0/0/0.0
    10.0.1.201/32      *[Local/0] 1d 03:24:33
                          Local via fe-0/0/0.0
    172.18.1.0/30      *[Direct/0] 1d 03:24:29
                        > via fe-0/0/3.0
    172.18.1.2/32      *[Local/0] 1d 03:24:33
                          Local via fe-0/0/3.0
    172.18.2.0/30      *[Static/5] 20:27:04
                          to table router.inet.0
    172.20.101.0/24    *[Direct/0] 01:49:08
                        > via fe-0/0/4.0
    172.20.101.1/32    *[Local/0] 01:49:08
                          Local via fe-0/0/4.0
    172.20.102.0/24    *[Static/5] 01:14:32
                          to table router.inet.0
    192.168.1.1/32     *[Direct/0] 1d 03:25:03
                        > via lo0.0

    router.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.18.1.0/30      *[Direct/0] 1d 03:24:29
                        > via fe-0/0/5.0
    172.18.1.1/32      *[Local/0] 1d 03:24:32
                          Local via fe-0/0/5.0
    172.18.2.0/30      *[Direct/0] 1d 01:40:14
                        > via fe-0/0/6.0
    172.18.2.1/32      *[Local/0] 1d 03:24:32
                          Local via fe-0/0/6.0

     



  • 6.  RE: Need help with Virtual Routing on SRX100

    Posted 06-13-2011 05:20

    Can someone explain why the next-table command did not work?

     

    I could not ping 172.18.1.2 from srxA-2.

     



  • 7.  RE: Need help with Virtual Routing on SRX100
    Best Answer

    Posted 06-13-2011 07:04

    Hi,

    I think it is related to how the reverse route is checked during session setup on the SRX. With several instances it gets kind of messy. Try to view "sh sec flow session extensive" during your ping to get an idea of what is wrong.

    To make your setup work, I think that instead of your "route 172.18.2.0/30 next-table router.inet.0" you should try configuring the following:

    set routing-options static route 172.18.2.0/30 next-hop 172.18.1.1

    Also, I think you should remove instance-import.



  • 8.  RE: Need help with Virtual Routing on SRX100

    Posted 06-13-2011 10:01

    Thank you very much for the help; that works fine.



  • 9.  RE: Need help with Virtual Routing on SRX100

    Posted 06-13-2011 11:32

    OK, now I have this question: why do the static routes not show up in the router table?

     

    interfaces {
        fe-0/0/4 {
            unit 0 {
                family inet {
                    address 172.20.10.1/24;
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family inet {
                    address 172.18.1.1/30;
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family inet {
                    address 172.18.2.1/30;
                }
            }                              
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/32;
                }
            }
        }
    }
    routing-options {
        static {
            route 172.18.2.0/30 next-hop 172.18.1.1;
            route 172.20.20.0/24 next-hop 172.18.1.1;
        }
    }
    security {
        policies {
            from-zone free-route to-zone free-route {
                policy free-route {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone hr to-zone untrust {
                policy allow-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone untrust to-zone hr {
                policy allow-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
        }
        zones {
            functional-zone management {
                interfaces {
                    fe-0/0/0.0;
                }
                host-inbound-traffic {
                    system-services {
                        ssh;
                    }
                }
            }
            security-zone free-route {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                }
                interfaces {
                    fe-0/0/5.0;
                    fe-0/0/6.0;
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                }
                interfaces {
                    fe-0/0/3.0;
                }
            }
            security-zone hr {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    fe-0/0/4.0;
                }
            }
        }
    }
    routing-instances {
        router {
            instance-type virtual-router;
            interface fe-0/0/5.0;
            interface fe-0/0/6.0;
            routing-options {
                static {
                    route 172.20.10.0/24 next-hop 172.18.1.1;
                    route 172.20.20.0/24 next-hop 172.18.2.1;
                }
            }
        }
    }

    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.1.0/24        *[Direct/0] 2d 03:38:49
                        > via fe-0/0/0.0
    10.0.1.201/32      *[Local/0] 2d 03:40:13
                          Local via fe-0/0/0.0
    172.18.1.0/30      *[Direct/0] 2d 03:40:09
                        > via fe-0/0/3.0
    172.18.1.2/32      *[Local/0] 2d 03:40:13
                          Local via fe-0/0/3.0
    172.18.2.0/30      *[Static/5] 02:12:50
                        > to 172.18.1.1 via fe-0/0/3.0
    172.20.10.0/24     *[Direct/0] 00:31:52
                        > via fe-0/0/4.0
    172.20.10.1/32     *[Local/0] 00:31:52
                          Local via fe-0/0/4.0
    172.20.20.0/24     *[Static/5] 00:21:02
                        > to 172.18.1.1 via fe-0/0/3.0
    192.168.1.1/32     *[Direct/0] 2d 03:40:43
                        > via lo0.0
    router.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.18.1.0/30      *[Direct/0] 2d 03:40:09
                        > via fe-0/0/5.0
    172.18.1.1/32      *[Local/0] 2d 03:40:12
                          Local via fe-0/0/5.0
    172.18.2.0/30      *[Direct/0] 2d 01:55:54
                        > via fe-0/0/6.0
    172.18.2.1/32      *[Local/0] 2d 03:40:12
                          Local via fe-0/0/6.0



  • 10.  RE: Need help with Virtual Routing on SRX100

    Posted 06-13-2011 13:14

    Your next-hop coincides with the interface IP, and it should be the IP of the other side.

     

    E.g. "route 172.20.10.0/24 next-hop 172.18.1.1" -> the next-hop should be 172.18.1.2.
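As an added example (not from the thread or from Juniper), here is a small Python check that parses a Junos-style "display set" config and flags the mistake post 10 describes: a static route whose next-hop is one of the same routing instance's own interface addresses. It goes one step beyond the thread by also flagging a next-hop that lies in no subnet connected to that instance, since such a route never becomes active either. The config text is constructed to mirror the setup in post 9.

```python
import re
from ipaddress import ip_interface, ip_address

# Constructed sample in "display set" form, mirroring post 9: the two static
# routes inside the "router" instance point at that instance's own addresses.
SAMPLE_CONFIG = """
set interfaces fe-0/0/3 unit 0 family inet address 172.18.1.2/30
set interfaces fe-0/0/4 unit 0 family inet address 172.20.10.1/24
set interfaces fe-0/0/5 unit 0 family inet address 172.18.1.1/30
set interfaces fe-0/0/6 unit 0 family inet address 172.18.2.1/30
set routing-options static route 172.18.2.0/30 next-hop 172.18.1.1
set routing-options static route 172.20.20.0/24 next-hop 172.18.1.1
set routing-instances router instance-type virtual-router
set routing-instances router interface fe-0/0/5.0
set routing-instances router interface fe-0/0/6.0
set routing-instances router routing-options static route 172.20.10.0/24 next-hop 172.18.1.1
set routing-instances router routing-options static route 172.20.20.0/24 next-hop 172.18.2.1
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
IFL_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
ROUTE_RE = re.compile(r"^set (?:routing-instances (\S+) )?routing-options static route (\S+) next-hop (\S+)$")

def check_static_routes(config):
    """Return (instance, prefix, next_hop, problem) tuples for static routes whose
    next-hop is the instance's own address or is on no subnet connected to it."""
    addrs, instance_of, routes = {}, {}, []   # ifl -> address, ifl -> instance
    for line in config.strip().splitlines():
        if m := ADDR_RE.match(line):
            addrs[f"{m[1]}.{m[2]}"] = ip_interface(m[3])
        elif m := IFL_RE.match(line):
            instance_of[m[2]] = m[1]
        elif m := ROUTE_RE.match(line):
            routes.append((m[1] or "master", m[2], ip_address(m[3])))
    problems = []
    for inst, prefix, nh in routes:
        # Interfaces not placed in any routing-instance belong to the master instance.
        local = [a for ifl, a in addrs.items() if instance_of.get(ifl, "master") == inst]
        if any(nh == a.ip for a in local):
            problems.append((inst, prefix, str(nh), "next-hop is this instance's own interface address"))
        elif not any(nh in a.network for a in local):
            problems.append((inst, prefix, str(nh), "next-hop is on no subnet connected to this instance"))
    return problems

if __name__ == "__main__":
    for p in check_static_routes(SAMPLE_CONFIG):
        print("%s: route %s next-hop %s: %s" % p)
```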



  • 11.  RE: Need help with Virtual Routing on SRX100

    Posted 06-13-2011 14:28

    I want to thank you for all your help it works fine now.