SRX Services Gateway
Visitor
Posts: 8
Registered: ‎07-18-2012
0 Kudos
Accepted Solution

[SRX-210] GRE tunnel in routing-instance

Hi,

 

Maybe this problem has already been taken up somewhere, but I can't find it...  =)

 

I'm trying to set up a GRE tunnel.

At one of the ends the tunnel is in a routing-instance, type virtual-router.

I have looked at this:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24592&cat=os&actp=LIST

My set up is that tunnel dst is in inet.0.

 

looks kinda like this:

gr-0/0/0.0 (SRX) fe-0/0/7.0 (DHCP)    <----[INTERNET]---->    ge-0/0/0.0 (J-router) gr-0/0/0.30
    |                                                                                  |
    |----------------------------------------------------------------------------------|

 

config on SRX side:

 

set interfaces fe-0/0/7 description UPLINK
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-attempt 6
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-interval 10

set interfaces gr-0/0/0 description "GRE Tunnel"
set interfaces gr-0/0/0 unit 0 description "GRE Tunnel"
set interfaces gr-0/0/0 unit 0 tunnel source xx.xx.xx.100
set interfaces gr-0/0/0 unit 0 tunnel destination yy.yy.yy.17
set interfaces gr-0/0/0 unit 0 tunnel path-mtu-discovery
set interfaces gr-0/0/0 unit 0 family inet address yy.yy.yy.54/30

 

set security zones security-zone tunnel tcp-rst
set security zones security-zone tunnel host-inbound-traffic system-services all
set security zones security-zone tunnel host-inbound-traffic protocols all
set security zones security-zone tunnel interfaces gr-0/0/0.0

 

set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface gr-0/0/0.0
set routing-instances R1 routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0

 

 

When the GRE tunnel is not in routing-inst on SRX side the tunnel works.

Am I missing something?

According to link I provided I am not.

 

I have a flow trace matching on GRE packet running.

It gives errors like:

pak_for_self: No handler function found for proto:47, dst-port:1, drop pkt

packet dropped, packet dropped: for self but not interested.

 

 

Thanks in advance...

 

//Andreas Wall

 

 

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010

Re: [SRX-210] GRE tunnel in routing-instance

Try:

 

user@srx#set interfaces gr-0/0/0 unit 0 tunnel routing-instance destination R1

 

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Visitor
Posts: 8
Registered: ‎07-18-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

but the destination end-point is in inet.0

I already tried that.

 

 

Visitor
Posts: 8
Registered: ‎07-18-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

what am I missing?

Do I need some sort of policy?

 

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

Do you have a static route to yy.yy.yy.17 in the default routing instance?

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Visitor
Posts: 8
Registered: ‎07-18-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

not a static route but the default route in inet.0 is pointing towards my default gateway.

The dst net is reachable through there.

Shouldn't that be enough?

I tried setting a static route for the dst endpoint and it didn't help.

 

Visitor
Posts: 8
Registered: ‎07-18-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

The GRE tunnel seems to be working in one direction.

Packets from SRX -> J-router gets through.

Packets from J-router -> SRX gets dropped at SRX for some reason.

 

At J-router i can run 'show security flow session protocol gre' and see the tunnel.

But on the SRX side it shows nothing.

So I guess the session never gets installed on the SRX side...?

 

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

I'm not sure what is going on, but protocol 47 is GRE.

 

"packet dropped: for self but not interested": You are sending traffic to an IP on the device itself, but on the destination port there is no service/answer, or possibly access is prohibited.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Visitor
Posts: 8
Registered: ‎07-18-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

Yes, but I'm not sure what I'm supposed to enable in the config.

According to the Juniper guide on how to set up a GRE iface in a RI I'm good to go.

How would the flow look in my setup?

 

 

Recognized Expert
Posts: 285
Registered: ‎04-03-2009
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

can you post the relevant parts of the SRX config?

 

ie --

 

zone configuration

policy configuration

 

 

What interface on the SRX is the GRE tunnel from the J-series terminating on? Make sure that interface has GRE as an allowed service or protocol in the zone config.

 

If it is terminating on a loopback you also need to make sure security policy allows it -- ie if the loopback is in the 'trust' zone, but the internet-facing interface is in the untrust zone, I think you would need a policy like "from untrust to trust, src=j-series, dst=srx-ip-terminating-gre, application gre, then permit"

Visitor
Posts: 8
Registered: ‎07-18-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

[ Edited ]

The GRE tunnel works, but when I place the gr-0/0/0.0 in the routing-instance it stops working.

The configuration is the same, except for placing the iface in the routing-inst.

Packets from the SRX are getting through on the J-router side.

But vice versa it hits the fan.  =)

 

Is it necessary to bypass flow mode for this setup?

I tried to go to packet-mode for GRE packets but I'm not sure I got it right.

Where should I place the firewall-rule for packet-mode? Uplink iface or on lo0 iface?

 

Trusted Expert
Posts: 257
Registered: ‎02-13-2012

Re: [SRX-210] GRE tunnel in routing-instance

Hi,

 

Just in case you haven't come across it, KB25229, "The tunnel interface is shown as down when the GRE interface is configured as part of the virtual router", should help you!

 

From your post, I understand that your scenario matches scenario #1 of this KB:

 

Scenario 1- The GRE interface is part of VR; but the route to the tunnel remote end point is pointed via the inet table:

 

The only difference I see is in the routing instance static routes. Currently you have a default route with next-hop gr-0/0/0 in the routing instance R1.

 

Could you please modify this to:

 

set routing-instances R1 routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances R1 routing-options static route x.x.x.x/x next-hop gr-0/0/0.0

where x.x.x.x/x is the network behind J-series box. 

 

Hope this helps !

Regards,
Pradeep
Distinguished Expert
Posts: 894
Registered: ‎10-09-2008

Re: [SRX-210] GRE tunnel in routing-instance

Hi All,

 

I was interested in the problem so decided to replicate it in my lab. I'm using 12.1R2.

 

The results are interesting. I configure a GRE tunnel (it works):

 

gr-0/0/0 {
    unit 0 {
        tunnel {
            source 10.1.0.1;
            destination 10.1.0.2;
        }
        family inet {
            address 10.10.0.1/24;
        }
    }
}

 

and then just move gr-0/0/0.0 to the routing instance. According to KB24592 it should just work, but no: the tunnel is down and in the logs I have

 

Jul 23 13:20:18  jsrxB-1 fwdd[1115]: IFP error> ../../../../../../../src/pfe/usp/control/applications/interface/ifp.c@2143:(errno=1000) create nsp tunnel failed 1
Jul 23 13:20:18  jsrxB-1 fwdd[1115]: IFP error> ../../../../../../../src/pfe/usp/control/applications/interface/ifp.c@2938:(errno=1000) tunnel session add(gr-0/0/0) failed

 

also, "show sec flow session tunnel" is empty on this side. Then I add a route to the other end of the tunnel in the routing instance,

 

set routing-instances vr routing-options static route 10.1.0.2/32 next-table inet.0

 

and guess what, it starts working!

 

lab@jsrxB-1# run show security flow session tunnel 
Session ID: 218, Policy name: N/A, Timeout: N/A, Valid
  In: 10.1.0.2/1 --> 10.1.0.1/1;gre, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 1

[edit]
lab@jsrxB-1# run ping 10.10.0.2 routing-instance vr source 10.10.0.1               
PING 10.10.0.2 (10.10.0.2): 56 data bytes
64 bytes from 10.10.0.2: icmp_seq=0 ttl=64 time=3.129 ms
64 bytes from 10.10.0.2: icmp_seq=1 ttl=64 time=2.930 ms

 

When I delete that static route, everything is still working fine. However, after "restart forwarding", GRE is down again. So this route seems to be required for the initial setup of a tunnel session. A bug or a feature? :)

 

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
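The condition Pradeep and Petr describe above (a gr- unit moved into a virtual-router that has no route back to the tunnel endpoint via inet.0), as an added configuration check that is not part of this thread or of any Juniper tool: a small Python lint over Junos set-style lines that flags a tunnel interface placed in a routing-instance when that instance has no static route covering the tunnel destination with `next-table inet.0`. The sample config, addresses and regexes are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the original post: gr-0/0/0.0 is placed in VR "R1"
# while its tunnel destination is only reachable through inet.0. Addresses are made up.
BROKEN_CONFIG = """
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.100
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.17
set interfaces gr-0/0/0 unit 0 family inet address 198.51.100.54/30
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface gr-0/0/0.0
set routing-instances R1 routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0
"""

# The host route to the remote endpoint that Petr's lab test showed was needed.
FIX_LINE = "set routing-instances R1 routing-options static route 198.51.100.17/32 next-table inet.0"

TUN_DST = re.compile(r"^set interfaces (\S+) unit (\d+) tunnel destination (\S+)$")
RI_IF = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
RI_ROUTE = re.compile(r"^set routing-instances (\S+) routing-options static route (\S+) next-table (\S+)$")

def check_gre_in_vr(config):
    """Return (interface, routing-instance, destination) for every GRE unit that sits in a
    routing-instance lacking a static route to its tunnel endpoint with next-table inet.0."""
    tunnels = {}  # "gr-0/0/0.0" -> tunnel destination address
    members = {}  # "gr-0/0/0.0" -> routing-instance name
    routes = {}   # routing-instance name -> [(prefix, target table)]
    for line in config.strip().splitlines():
        line = line.strip()
        if m := TUN_DST.match(line):
            tunnels[f"{m[1]}.{m[2]}"] = ip_address(m[3])
        elif m := RI_IF.match(line):
            members[m[2]] = m[1]
        elif m := RI_ROUTE.match(line):
            routes.setdefault(m[1], []).append((ip_network(m[2]), m[3]))
    findings = []
    for ifl, dst in tunnels.items():
        ri = members.get(ifl)
        if ri is None:
            continue  # tunnel stays in inet.0; the KB24592 case does not apply
        # A host route or a default route pointing at inet.0 both satisfy the check.
        covered = any(dst in pfx and table == "inet.0" for pfx, table in routes.get(ri, []))
        if not covered:
            findings.append((ifl, ri, str(dst)))
    return findings
```

Running the checker on the broken sample reports gr-0/0/0.0 in R1; appending FIX_LINE, or Pradeep's default route with next-table inet.0, clears the finding.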
Visitor
Posts: 8
Registered: ‎07-18-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

OMG! IT WORKS!

Thank you so very much.  =)

 

 

Contributor
Posts: 122
Registered: ‎05-22-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

Sorry to bump such an old thread, but I have had exactly the same issue on SRX240 and this has solved it, but I don't like solutions that I don't understand. Would anyone be kind enough to shed some light on why this is needed?

 

Surely if an interface is in the same /30 block the routing instance should know to use that interface for communication?

 

Thanks

 

Andrew.

Visitor
Posts: 6
Registered: ‎02-22-2012
0 Kudos

Re: [SRX-210] GRE tunnel in routing-instance

GRE tunnels on SRXs are still a buggy thing.

 

 

Model: srx650

JUNOS Software Release [12.1X47-D10.4]