SRX

last person joined: 4 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Back to discussions
Expand all | Collapse all

SRX Inter-VR communication problem

  • 1.  SRX Inter-VR communication problem

    Posted 03-23-2012 00:47

    Hi Experts

     

    I have simple scenario. I have inet.0 table and one custom VR. I leak the interface routes from custom VR in to inet.0 table. There is one subnet in inet.0 10.10.10.0/24. I also copy that subnet from inet.0 in to custom VR.

     

    - Now If i ping from the SRX itself using source IP of 10.10.10.1 (SRX interface IP in inet.0) to any interface IP in custom VR. It is working

     

    - But If I ping from the host (10.10.10.10 whose gateway is SRX in inet.0) to any interface IP in custom VR. Its not working. All the security policies between zones are in place. But from 10.10.10.10 I am able to ping the host in custom VR but not SRX interface IP in custom VR.

     

    Can any boday explain this?



  • 2.  RE: SRX Inter-VR communication problem

    Posted 03-23-2012 01:03

    Just one more thing, I am using the firewall filter to redirect all the traffic coming on 10.10.10.0/24 subnet interface of firewall in to custom-vr due to some other requirement. Here is my configuration

     

    set interfaces ge-0/0/0 unit 0 family inet filter input test
    set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24

    set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.1/24

    set security zones security-zone Trust host-inbound-traffic system-services all
    set security zones security-zone Trust interfaces ge-0/0/0.0
    set security zones security-zone IN host-inbound-traffic system-services all
    set security zones security-zone IN interfaces ge-0/0/1.0

    set security policies from-zone Trust to-zone IN policy pol-1 match source-address any
    set security policies from-zone Trust to-zone IN policy pol-1 match destination-address any
    set security policies from-zone Trust to-zone IN policy pol-1 match application any
    set security policies from-zone Trust to-zone IN policy pol-1 then permit

    set firewall family inet filter test term 1 from source-address 10.10.10.0/24
    set firewall family inet filter test term 1 then routing-instance IN
    set firewall family inet filter test term 2 then accept

    set routing-instances IN instance-type virtual-router
    set routing-instances IN interface ge-0/0/1.0
    set routing-instances IN routing-options static route 10.10.10.0/24 next-table inet.0

    set routing-options interface-routes rib-group inet int-routes
    set routing-options rib-groups int-routes import-rib IN.inet.0
    set routing-options rib-groups int-routes import-rib inet.0



  • 3.  RE: SRX Inter-VR communication problem

    Posted 03-23-2012 03:41

    If you need to check "way of traffic", then use "> show forwarding-table destination A.B.C.D" or "> show route forwarding-table"

     

    Here ... http://www.juniper.net/techpubs/en_US/junos10.3/topics/reference/command-summary/show-route-forwarding-table.html?searchid=1293459705678 ... is an explanation for next-hop status



  • 4.  RE: SRX Inter-VR communication problem

    Posted 03-23-2012 04:07

    Hi ,

     

     

    for inet.0 host to communicate with interface ip in VR (self traffic) , you need to add a route in inet.0 for that IP in VR

    for example , you need to add  a route in inet.0 ,like below

     

    set routing-options static route 2.2.2.0/24 next-table IN.inet.0 ( or you might add a default route  ..to be less specific )

     

    and before this you need to remove the set routing-instances IN routing-options static route 10.10.10.0/24 next-table inet.0 as this is not required when you use rib-group to redistribute interface-routes from inet.0

     

    also, please note that this config will work for ICMP only .. for TCP you need to use set security flow tcp-session no-syn-check ( beacuse of token mismatch, syn+ack will not match the SYN session and reply will get dropped) .

     

    Hope this helps 🙂

     

    Thanks

    Pradeep



  • 5.  RE: SRX Inter-VR communication problem

    Posted 03-25-2012 11:56

    Hi Pradeep

     

    Thanks for the reply. Actually if you note, I copied the route 2.2.2.0/24 from IN.inet.0 to inet.0 thorugh rib-groups and put the reverse route 10.10.10.0/24 in inet.0.

     

    I am wondering, both tables have reverse routes but I am not able to ping the self IP in IN.inet.0 from 10.10.10.0/24 subnet in inet.0 BUT I am able to ping from inet.0 table itself !! Also from 10.10.10.0/24 in inet.0 I am able to ping host in 2.2.2.0/24 subnet.

     

    Could you pleaese explain why I am not able ping?



  • 6.  RE: SRX Inter-VR communication problem

    Posted 03-25-2012 11:56

    Here is the debug output.

     

    root@AEADFWI-02M1-OXY# Mar 22 13:59:13 13:59:13.808278:CID-0:RT:<10.10.10.100/29312->2.2.2.1/256;1> matched filter test1:

    Mar 22 13:59:13 13:59:13.808289:CID-0:RT:packet [60] ipid = 5240, @423ea81c

    Mar 22 13:59:13 13:59:13.808327:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 13, common flag 0x0, mbuf 0x423ea600, rtbl_idx = 4

    Mar 22 13:59:13 13:59:13.808327:CID-0:RT: flow process pak fast ifl 68 in_ifp ge-0/0/0.0

    Mar 22 13:59:13 13:59:13.808359:CID-0:RT:  ge-0/0/0.0:10.10.10.100->2.2.2.1, icmp, (8/0)

    Mar 22 13:59:13 13:59:13.808359:CID-0:RT: find flow: table 0x4ff2b998, hash 39563(0xffff), sa 10.10.10.100, da 2.2.2.1, sp 29312, dp 256, proto 1, tok 9

    Mar 22 13:59:13 13:59:13.808412:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0

    Mar 22 13:59:13 13:59:13.808412:CID-0:RT:  flow_first_create_session

    Mar 22 13:59:13 13:59:13.808412:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 2.2.2.1, sp 29312, dp 256

    Mar 22 13:59:13 13:59:13.808412:CID-0:RT:  chose interface ge-0/0/0.0 as incoming nat if.

    Mar 22 13:59:13 13:59:13.808412:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 2.2.2.1(256)

    Mar 22 13:59:13 13:59:13.808412:CID-0:RT:flow_first_routing: vr_id 4, call flow_route_lookup(): src_ip 10.10.10.100, x_dst_ip 2.2.2.1, in ifp ge-0/0/0.0, out ifp N/A sp 29312, dp 256, ip_proto 1, tos 0

    Mar 22 13:59:13 13:59:13.808538:CID-0:RT:Doing DESTINATION addr route-lookup

    Mar 22 13:59:13 13:59:13.808538:CID-0:RT:Failed to get real out-ifp for .local..4, dst:2.2.2.1, in vr_id: 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:  routed (x_dst_ip 2.2.2.1) from Trust (ge-0/0/0.0 in 0) to .local..4, Next-hop: 2.2.2.1

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:  policy search from zone Trust-> zone junos-self (0x0,0x72800100,0x100)

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:  app 0, timeout 60s, curr ageout 60s

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:  dip id = 0/0, 10.10.10.100/29312->10.10.10.100/29312 protocol 0

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:  choose interface .local..4 as outgoing phy if

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:is_loop_pak: No loop: on ifp: .local..4, addr: 2.2.2.1, rtt_idx:4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:jsf sess interest check. regd plugins 19

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT: Allocating plugin info block for 19 plugin(s) from OL

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x2. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id 11, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id 13, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id 17, svc_req 0x0. rc 2

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:-jsf int check: plugin id 18, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT: No JSF plugins enabled for session

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT: Releasing plugin info block for 19 plugin(s) to OL

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:flow_first_service_lookup(): natp(0x4e18de68): app_id, 0(0).

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:  service lookup identified service 0.

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:  flow_first_final_check: in <ge-0/0/0.0>, out <.local..4>

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:construct v4 vector for nsp2

    Mar 22 13:59:13 13:59:13.809040:CID-0:RT:  existing vector list 200-45d5d590.

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  Session (id:63120) created for first pak 200

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  flow_first_install_session======> 0x4e18de68

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT: nsp 0x4e18de68, nsp2 0x4e18dee8

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  make_nsp_ready_no_resolve()

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  route lookup: dest-ip 10.10.10.100 orig ifp ge-0/0/0.0 output_ifp ge-0/0/0.0 orig-zone 9 out-zone 9 vsd 0

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  route to 1.1.1.2

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:no need update ha

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:Installing c2s NP session wing

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:Installing s2c NP session wing

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  flow got session.

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  flow session id 63120

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT: vector bits 0x200 vector 0x45d5d590

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:mbuf 0x423ea600, exit nh 0xfffb0006

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:<2.2.2.1/256->10.10.10.100/29312;1> matched filter test2:

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:packet [60] ipid = 5240, @423ea81c

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 0, common flag 0x0, mbuf 0x423ea600, rtbl_idx = 0

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT: in_ifp <junos-self:.local..0>

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 5418fa58

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  .local..0:2.2.2.1->10.10.10.100, icmp, (0/0)

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT: find flow: table 0x4ff2b998, hash 1547(0xffff), sa 2.2.2.1, da 10.10.10.100, sp 256, dp 29312, proto 1, tok 2

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  flow_first_create_session

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 10.10.10.100, sp 256, dp 29312

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  chose interface .local..0 as incoming nat if.

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:flow_first_rule_dst_xlate: packet 2.2.2.1->10.10.10.100 nsp2 0.0.0.0->10.10.10.100.

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 2.2.2.1, x_dst_ip 10.10.10.100, in ifp .local..0, out ifp N/A sp 256, dp 29312, ip_proto 1, tos 0

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:Doing DESTINATION addr route-lookup

    Mar 22 13:59:13 13:59:13.809541:CID-0:RT:  routed (x_dst_ip 10.10.10.100) from junos-self (.local..0 in 0) to ge-0/0/0.0, Next-hop: 1.1.1.2

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  policy search from zone junos-self-> zone Trust (0x0,0x1007280,0x7280)

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  app 0, timeout 60s, curr ageout 60s

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  dip id = 0/0, 2.2.2.1/256->2.2.2.1/256 protocol 0

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 10.10.10.100, rtt_idx:0

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:jsf sess interest check. regd plugins 19

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT: Allocating plugin info block for 19 plugin(s) from OL

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x2. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id 11, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id 13, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id 14, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id 17, svc_req 0x0. rc 2

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:-jsf int check: plugin id 18, svc_req 0x0. rc 4

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT: No JSF plugins enabled for session

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT: Releasing plugin info block for 19 plugin(s) to OL

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:flow_first_service_lookup(): natp(0x4e18e030): app_id, 0(0).

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  service lookup identified service 0.

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/0.0>

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:construct v4 vector for nsp2

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  existing vector list 200-45d5d590.

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  Session (id:63121) created for first pak 200

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  flow_first_install_session======> 0x4e18e030

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT: nsp 0x4e18e030, nsp2 0x4e18e0b0

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  make_nsp_ready_no_resolve()

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  route lookup: dest-ip 2.2.2.1 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  route to 2.2.2.1

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:Conflict session (63120) is VALID state

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:Valid Sessn conflict with current session

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  packet dropped, failed to install nsp2

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:failed to install nsp2

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:  flow find session returns error.

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT:flow_process_pkt_exception: Freeing lpak 3fcec988 associated with mbuf 0x423ea600

    Mar 22 13:59:13 13:59:13.810042:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)


    Mar 22 13:59:18 13:59:18.806480:CID-0:RT:<10.10.10.100/29313->2.2.2.1/256;1> matched filter test1:

    Mar 22 13:59:18 13:59:18.806480:CID-0:RT:packet [60] ipid = 5246, @423fc91c

    Mar 22 13:59:18 13:59:18.806480:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 13, common flag 0x0, mbuf 0x423fc700, rtbl_idx = 4

    Mar 22 13:59:18 13:59:18.806480:CID-0:RT: flow process pak fast ifl 68 in_ifp ge-0/0/0.0

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:  ge-0/0/0.0:10.10.10.100->2.2.2.1, icmp, (8/0)

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT: find flow: table 0x4ff2b998, hash 30203(0xffff), sa 10.10.10.100, da 2.2.2.1, sp 29313, dp 256, proto 1, tok 9

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:  flow_first_create_session

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 2.2.2.1, sp 29313, dp 256

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:  chose interface ge-0/0/0.0 as incoming nat if.

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 2.2.2.1(256)

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:flow_first_routing: vr_id 4, call flow_route_lookup(): src_ip 10.10.10.100, x_dst_ip 2.2.2.1, in ifp ge-0/0/0.0, out ifp N/A sp 29313, dp 256, ip_proto 1, tos 0

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:Doing DESTINATION addr route-lookup

    Mar 22 13:59:18 13:59:18.806694:CID-0:RT:Failed to get real out-ifp for .local..4, dst:2.2.2.1, in vr_id: 4

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:  routed (x_dst_ip 2.2.2.1) from Trust (ge-0/0/0.0 in 0) to .local..4, Next-hop: 2.2.2.1

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:  policy search from zone Trust-> zone junos-self (0x0,0x72810100,0x100)

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:  app 0, timeout 60s, curr ageout 60s

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:  dip id = 0/0, 10.10.10.100/29313->10.10.10.100/29313 protocol 0

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:  choose interface .local..4 as outgoing phy if

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:is_loop_pak: No loop: on ifp: .local..4, addr: 2.2.2.1, rtt_idx:4

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:jsf sess interest check. regd plugins 19

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT: Allocating plugin info block for 19 plugin(s) from OL

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0. rc 4

    Mar 22 13:59:18 13:59:18.807199:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0. rc 4

    Mar 22 13:59:18 13:59:18.807699:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0. rc 4

    Mar 22 13:59:18 13:59:18.807699:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0. rc 4

    Mar 22 13:59:18 13:59:18.807699:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x2. rc 4

    Mar 22 13:59:18 13:59:18.807699:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0. rc 4

    Mar 22 13:59:18 13:59:18.807699:CID-0:RT:-jsf int check: plugin id 11, svc_req 0x0. rc 4

    Mar 22 13:59:18 13:59:18.807699:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

    Mar 22 13:59:18 13:59:18.807699:C



  • 7.  RE: SRX Inter-VR communication problem

    Posted 03-25-2012 20:11

    Hi ,

     

    Here's the issue :

     

    First Ping Packet  10.10.10.100/29312->2.2.​2.1/256

    Ingress interface ge-0/0/0.0 . Destination Address - SRX VR interface.

    The SRX creates a session for the same flow session id 63120  in VR table.

     

    Reverse Traffic : 2.2.2.1/256->10.10.10.10​0/29312

    For a reverse traffic the SRX expects it to hit a session that is already created.

    But in this case the return traffic does not match any previous sessions because the inet.0 table and VR table creates individual sessions and they donot refer each other.

    So the SRX tries to create a session for the reverse traffic in inet.0 table ,but it causes a session conflict and the SRX drops the packet.

     

    Hope this helps.
     
    Regards,
    Visitor
    --------------------------------------------------​--------------------------------------------------​---
    If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated

     

     

     



  • 8.  RE: SRX Inter-VR communication problem

    Posted 03-25-2012 23:42

    Hi Visitor

     

    Thanks for the reply. Actually what I know, When traffic comes from one VR to other VR, then session always created in first VR and reverse route lookup always happen in first VR. But I am feeling its not true for the traffic initiation from one VR to the interface IP in other VR.

     

    So could you please suggest what is the solution for this? It is by design that I cannot ping the VR interface IP from the other VR?

     

    Thanks



  • 9.  RE: SRX Inter-VR communication problem
    Best Answer

    Posted 03-26-2012 00:17

    Hi ,

     

    You are correct ,the session is created in the first VR. But in your case,the traffic never traverses via inet.0 ,it is forced to the VR table using the firewall filter.Hence the session is created in VR.

     

    I tested this and got this working. This is my setup :

     

    Host 10.10.20.1 ------ ge-0/0/1 SRX ge-0/0/4

     

    ge-0/0/1 ---> 10.10.20.2

    ge-0/0/4 ----> 100.100.100.11

     

    ge-0/0/4.0 is part of VR table named management.

     

    root> show configuration routing-instances management
    instance-type virtual-router;
    interface ge-0/0/4.0;
    routing-options {
        static {
            route 10.10.20.0/24 next-table inet.0;
        }
    }

     

     

    The route of the ge-0/0/4.0 is leaked in the inet.0 table using policy statements.

     

    root> show configuration policy-options policy-statement vrroutesleak
    term 1 {
        from {
            instance management;
            route-filter 100.100.100.0/24 exact;
        }
        then accept;
    }
    term 2 {
        then reject;
    }

    root> show configuration routing-options
    instance-import vrroutesleak;

     

    Now when the packet is initiated from the host it is forwarded to inet.0 table then to VR .Thus a session is created in the inet.0 table.

     

    In your configuration ,you need to add another term in your firewall filter to let the traffic stay back in inet table for souce as host and destination as the VR ip.

     

    set firewall family inet filter test term permit from source-address 10.10.10.0/24
    set firewall family inet filter test term permit from destination-address 2.2.2.1/32

    set firewall family inet filter test term permit then accept

    set firewall family inet filter test term 1 from source-address 10.10.10.0/24
    set firewall family inet filter test term 1 then routing-instance IN
    set firewall family inet filter test term 2 then accept

     

     And then you can import the VR interface route in the inet.0 table.

     

     

    Hope this helps.
     
    Regards,
    Visitor
    --------------------------------------------------​--------------------------------------------------​---
    If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated

     



  • 10.  RE: SRX Inter-VR communication problem

    Posted 03-26-2012 01:36

    Simply Great ! 🙂



  • 11.  RE: SRX Inter-VR communication problem

    Posted 03-26-2012 03:26

    Just one last thing. If I ping from inet.0 instance to interface IP in VR then where would be session created in inet.0 or VR?



  • 12.  RE: SRX Inter-VR communication problem

    Posted 03-26-2012 10:06

    Hi ,

     

    Just wanted to confirm , you have mentioned that

     

    "I copied the route 2.2.2.0/24 from IN.inet.0 to inet.0 thorugh rib-groups and put the reverse route 10.10.10.0/24 in inet.0."

     

    but according to your configuration shown in the initial threads, 2.2.2.0/24 will not appear in inet.0 , could you please verifty the "show route " output ?  

     

    and that is the reason I have asked you to add the corresponding route entry .   and the accepted solution is doing the same thing (making the route available from VR to inet.0 ) but using routing policies instead of the static route.



  • 13.  RE: SRX Inter-VR communication problem

    Posted 03-26-2012 11:36

    Hi Pradeep

     

    Actually both tables have reverse routes for each other. My problem was that when traffic for interface IP (IN.inet.0) comes in inet.0 table then session would be created in inet.0 but due to firewall filter applied on the incoming interface in inet.0 reverse route lookup was happening in IN.inet.0 and offcourse session was created in inet.0 thats why packet was dropped.