SRX

Hi,

Maybe this problem has already been taken up somewhere. But I can't find it..  😃

I'm trying to set up a GRE tunnel.

At one of the ends the tunnel is in av routing-instance, type virtual-router.

I have looked at this:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24592&cat=os&actp=LIST

My set up is that tunnel dst is in inet.0.

looks kinda like this:

gr-0/0/0.0(SRX)fe-0/0/7.0 (DHCP)    <----[INTERNET]---->    ge-0/0/0.0(J-router)gr-0/0/0.30

    |                                                                                                                                                |

    |------------------------------------------------------------------------------------------------------------|

config on SRX side:

set interfaces fe-0/0/7 description UPLINK
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-attempt 6
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-interval 10

set interfaces gr-0/0/0 description "GRE Tunnel"
set interfaces gr-0/0/0 unit 0 description "GRE Tunnel"
set interfaces gr-0/0/0 unit 0 tunnel source xx.xx.xx.100
set interfaces gr-0/0/0 unit 0 tunnel destination yy.yy.yy.17
set interfaces gr-0/0/0 unit 0 tunnel path-mtu-discovery
set interfaces gr-0/0/0 unit 0 family inet address yy.yy.yy.54/30

set security zones security-zone tunnel tcp-rst
set security zones security-zone tunnel host-inbound-traffic system-services all
set security zones security-zone tunnel host-inbound-traffic protocols all
set security zones security-zone tunnel interfaces gr-0/0/0.0

set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface gr-0/0/0.0
set routing-instances R1 routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0

When the GRE tunnel is not in routing-inst on SRX side the tunnel works.

Am I missing something?

According to link I provided I am not.

I have a flow trace matching on GRE packet running.

It gives errors like:

pak_for_self: No handler function found for proto:47, dst-port:1, drop pkt

packet dropped, packet dropped: for self but not interested.

Thanks in advance...

//Andreas Wall

Try:

user@srx#set interfaces gr-0/0/0 unit 0 tunnel routing-instance destination R1

but the destination end-point is in inet.0

I already tried that.

what am I missing?

Do I need some sort of policy?

Do you have a static route to yy.yy.yy.17 in the default routing instance?

not a static route but the default route in inet.0 is pointing towards my default gateway.

The dst net is reachable through there.

Shouldn't that be enough?

I tried setting a static route for the dst endpoint and it didn't help.

The GRE tunnel seems to be working in one direction.

Packets from SRX -> J-router gets through.

Packets from J-router -> SRX gets dropped at SRX for some reason.

At J-router i can run 'show security flow session protocol gre' and see the tunnel.

But on the SRX side it shows nothing.

So I guess the session ever gets installed on SRX side...?

Im not sure what is going on but Protocol 47 is GRE.

"packet dropped: for self but not interested":  You are sending traffic to an ip on the device self, but on the destination port is no service/answer or access is prohibited possible.

Yes, but I'm not sure what I'm supposed to enable in the config.

According to the Juniper guide on how to set up a GRE iface in a RI I'm good to go.

How would the flow look in my setup?

can you post the relevant parts of the SRX config?

ie --

zone configuration

policy configuration

what Interface on the SRX is the GRE tunnel from the J-series terminating on?  make sure that interface has GRE as an allowed service or protocol in the Zone config.

If it is terminating on a loopback you also need to make sure security policy allows it -- ie if the loopback is in the 'trust' zone, but the internet-facing interface is in the untrust zone, I think you would need a policy like "from untrust to trust, src=j-series, dst=srx-ip-terminating-gre, application gre, then permit"

The GRE tunnel works, but when I place the gr-0/0/0.0 in the routing-instance it stops working.

The configuration is the same, except for placing the iface in the routing-inst.

Packets from the SRX is getting thourgh on the J-router side.

But vice versa it hits the fan.  😃

Is it necissary to bypass flow mode for this setup?

I tried to go to packet-mode for GRE packets but I'm not sure I got it right.

Where should I place the firewall-rule for packet-mode? Uplink iface or on lo0 iface?

Hi,

Just in case , you haven't come across this KB25229 ,"The tunnel interface is shown as down when the GRE interface is configured as part of the virtual router" should help you !

from your post, I understand that your scenario matches scenario#1 of this KB -

Scenario 1- The GRE interface is part of VR; but the route to the tunnel remote end point is pointed via the inet table:

The only difference I see is in the routing instance static routes.. currently you have a default route with next-hop as gr-0/0/0 in the routing instance R1, 

Could you please modify this to :

set routing-instances R1 routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances R1 routing-options static route x.x.x.x/x next-hop gr-0/0/0.0

where x.x.x.x/x is the network behind J-series box. 

Hope this helps !

Hi All,

I was interested in the problem so decided to replicate it in my lab. I'm using 12.1R2.

The results are interesting. I configure GRE tunnel (it works)

gr-0/0/0 {
    unit 0 {
        tunnel {
            source 10.1.0.1;
            destination 10.1.0.2;
        }
        family inet {
            address 10.10.0.1/24;
        }
    }
}

,and then just move gr-0/0/0.0 to the routing instance. According to KB24592, it should just work, but no, the tunnel is down and in the logs I have

Jul 23 13:20:18  jsrxB-1 fwdd[1115]: IFP error> ../../../../../../../src/pfe/usp/control/applications/interface/ifp.c@2143:(errno=1000) create nsp tunnel failed 1
Jul 23 13:20:18  jsrxB-1 fwdd[1115]: IFP error> ../../../../../../../src/pfe/usp/control/applications/interface/ifp.c@2938:(errno=1000) tunnel session add(gr-0/0/0) failed

also, "show sec flow session tunnel" is empty on this side. Then I add a route to the other end of the tunnel in the routing instance,

set routing-instances vr routing-options static route 10.1.0.2/32 next-table inet.0

and guess what, it starts working!

lab@jsrxB-1# run show security flow session tunnel 
Session ID: 218, Policy name: N/A, Timeout: N/A, Valid
  In: 10.1.0.2/1 --> 10.1.0.1/1;gre, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 1

[edit]
lab@jsrxB-1# run ping 10.10.0.2 routing-instance vr source 10.10.0.1               
PING 10.10.0.2 (10.10.0.2): 56 data bytes
64 bytes from 10.10.0.2: icmp_seq=0 ttl=64 time=3.129 ms
64 bytes from 10.10.0.2: icmp_seq=1 ttl=64 time=2.930 ms

When I delete that static route, everything is still working fine. However, after "restart forwarding", GRE is down again. So this route seems to be required for initial setup of a tunnel session. A bug or a feature? 🙂

OMG! IT WORKS!

Thank you so very much.  😃

Sorry to bump such an old thread, but I have had exactly the same issue on SRX240 and this has solved it, but I don't lke solutions that I don't understand. Would anyone be kind enough to shed some light on why this is needed?

Surely if an interface is in the same /30 block the routing instance should know to use that interface for communication?

Thanks

Andrew.

GRE tunnels on SRXs is still buggy thing 

Model: srx650

JUNOS Software Release [12.1X47-D10.4]