SRX Services Gateway
Reply
Visitor
andreww
Posts: 4
Registered: ‎01-23-2010
0

SRX Management Interface (Chassic Cluster)

Hi, i'm hoping someone can assist me in a quick SRX query. Still quite new to these boxes.

 

Ok, I have a new Chassic Cluster which have the following interfaces

a) Reth1 (External public interface)

b) Reth2 (DMZ)

c) Reth3 (Internal)

 

Now by default to manage the cluster via the GUI etc you have to connect to the fxp0 interface. Now what I want to do is the ability to manage the Juniper from the internet. Now in ScreenOS you have the ability to add in the ManageIP when configuring the NSRP address. So my question is:

 

a) Can you use straightforward NAT to connect through reth1 to get to the Management interface (I don't think you can as the management interface is in a functional-zone) and you wouldn't be able to put a policy in place to allow this

b) Could I put another IP on reth1 which would be used for management and then add this into the following bit of the config

groups {
    node0 {
        system {
            host-name srxa
        }
        interfaces {
            reth1 {
                unit 0 {
                    family inet {
                        address x.x.x.x/28; (Public IP which would be used for management)

 

Any help would be appreciated

Trusted Contributor
supcourt
Posts: 47
Registered: ‎11-10-2009
0

Re: SRX Management Interface (Chassic Cluster)

how about:

 

set system services web-management https system-generated-certificate interface reth1.0

 

?

 

not so cool about the external management of the srx, but if you are cool with it...

 

 

Visitor
andreww
Posts: 4
Registered: ‎01-23-2010
0

Re: SRX Management Interface (Chassic Cluster)

Thanks for the reply. The main reason I need the SRX's managable from the internet is that we have an 'in the cloud' service provider that we send snmp etc to. If I just make the reth interface manageable I won't be able to tell which box i'm talking to as it's the JSRP address. I need the ability to tie an IP to a specific SRX just like you could do in an NSRP cluster. In that configuration you had the NSRP address but then each box had a Managable IP which was on the individual. This is what i'm trying to acheive.

Contributor
Sloefke
Posts: 29
Registered: ‎07-16-2008
0

Re: SRX Management Interface (Chassic Cluster)

[ Edited ]

NAT won't work it seems:

 

Jan 27 17:34:32 17:34:31.1319693:CID-1:RT:<172.17.0.254/2048->172.17.0.50/62913;1> matched filter test:

Jan 27 17:34:32 17:34:31.1319731:CID-1:RT:packet [128] ipid = 10734, @43d8d124

Jan 27 17:34:32 17:34:31.1319746:CID-1:RT:---- flow_process_pkt: (thd 7): flow_ctxt type 13, common flag 0x0, mbuf 0x43d8cf80

Jan 27 17:34:32 17:34:31.1319746:CID-1:RT: flow process pak fast ifl 67 in_ifp reth0.221

Jan 27 17:34:32 17:34:31.1319777:CID-1:RT:  reth0.221:172.17.0.254->172.17.0.50, icmp, (8/0)

Jan 27 17:34:32 17:34:31.1319801:CID-1:RT: find flow: table 0x627b0e98, hash 61972(0xffff), sa 172.17.0.254, da 172.17.0.50, sp 25200, dp 1024, proto 1, tok 448 

Jan 27 17:34:32 17:34:31.1319834:CID-1:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0

Jan 27 17:34:32 17:34:31.1319849:CID-1:RT:  flow_first_create_session

Jan 27 17:34:32 17:34:31.1319849:CID-1:RT:  flow_first_in_dst_nat: in <reth0.221>, out <N/A> dst_adr 172.17.0.50, sp 25200, dp 1024

Jan 27 17:34:32 17:34:31.1319889:CID-1:RT:  chose interface reth0.221 as incoming nat if.

Jan 27 17:34:32 17:34:31.1319889:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 172.17.0.50(1024) to 10.0.111.23(1024), rule/pool id 1/1.

Jan 27 17:34:32 17:34:31.1319931:CID-1:RT:flow_first_routing: call flow_route_lookup(): src_ip 172.17.0.254, x_dst_ip 10.0.111.23, in ifp reth0.221, out ifp N/A sp 25200, dp 1024, ip_proto 1, tos 0

Jan 27 17:34:32 17:34:31.1319962:CID-1:RT:Doing DESTINATION addr route-lookup

Jan 27 17:34:32 17:34:31.1319971:CID-1:RT:Changing out-ifp from .local..0 to fxp0.0 for dst: 10.0.111.23 in vr_id:0

Jan 27 17:34:32 17:34:31.1320005:CID-1:RT:  routed (x_dst_ip 10.0.111.23) from WAN (reth0.221 in 1) to fxp0.0, Next-hop: 10.0.111.23

Jan 27 17:34:32 17:34:31.1320013:CID-1:RT:  packet dropped, out_ifp is null or in null-zone

Jan 27 17:34:32 17:34:31.1320013:CID-1:RT:Out-ifp fxp0.0 is null or in null zone
Jan 27 17:34:32 17:34:31.1320013:CID-1:RT:  flow find session returns error.

 I think your best shot would be to configure VPN access to your management VLAN, containing the fxp0 interfaces.

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.