SRX Services Gateway
Contributor
ike2
Posts: 27
Registered: ‎05-08-2011
0

SRX route issues

This is very random and this box is in a lab. Behind the SRX is a L3 EX4200 that has a routed link to another Cisco switch with a few simulated networks, say 10.50.1.1/24 and 10.50.224.1/20. I can ping both of these from the EX4200; they show up in the routing table.

                    > to 10.1.0.34 via ge-0/0/1.0
10.50.1.0/24       *[OSPF/150] 00:25:12, metric 20, tag 0
                    > to 10.1.0.34 via ge-0/0/1.0
10.50.4.0/24       *[OSPF/150] 00:00:08, metric 20, tag 0
                    > to 10.1.0.34 via ge-0/0/1.0
10.50.224.0/20     *[OSPF/150] 00:21:44, metric 20, tag 0
                    > to 10.1.0.34 via ge-0/0/1.0
10.50.240.0/20     *[OSPF/150] 00:13:28, metric 20, tag 0

Now from the SRX, these networks are seen on the trusted side and also appear in the routing table.

10.50.1.0/24       *[OSPF/150] 00:30:28, metric 20, tag 0
                    > to 10.1.0.18 via ae0.100
10.50.4.0/24       *[OSPF/150] 00:05:24, metric 20, tag 0
                    > to 10.1.0.18 via ae0.100
10.50.224.0/20     *[OSPF/150] 00:27:00, metric 20, tag 0
                    > to 10.1.0.18 via ae0.100
10.50.240.0/20     *[OSPF/150] 00:18:44, metric 20, tag 0
                    > to 10.1.0.18 via ae0.100

What troubleshooting steps can I use to determine why I cannot reach 10.50.224.1 but I can reach 10.50.1.1? The Cisco L3 switch has a default route to the EX4200 and the EX4200 has a default route to the SRX. I am very green with this SRX and this forum has been a huge help; thanks in advance.

Distinguished Expert
dfex
Posts: 710
Registered: ‎04-17-2008

Re: SRX route issues

When you say you can't reach them - are you pinging from the SRX, or from something on the untrust side of the SRX?

If it is the latter, the first thing you should check is your security policy(ies).

If you let the ping run continuously, then run "show security flow session destination-prefix 10.50.224.1" on the SRX, you will see which, if any, policy the traffic is matching, and which interface the traffic is being delivered to.

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
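A worked example of reading that session output, added here and not part of the thread or of Junos itself: it parses the per-session lines, then tells apart "no session" (traffic never matched a policy or never reached the flow engine), "one-way" (forwarded but no return packets, so look at routing on the far side), and "two-way". The sample output is constructed to approximate the Junos format, which varies by release.

```python
import re

# Constructed sample of "show security flow session destination-prefix ..." output.
# Field layout approximates Junos and differs slightly between releases.
SAMPLE_OUTPUT = """\
Session ID: 20481, Policy name: trust-to-trust/5, Timeout: 2, Valid
  In: 10.1.0.18/14 --> 10.50.224.1/14;icmp, If: ae0.100, Pkts: 5, Bytes: 420
  Out: 10.50.224.1/14 --> 10.1.0.18/14;icmp, If: ae0.100, Pkts: 0, Bytes: 0
Session ID: 20482, Policy name: untrust-to-trust/7, Timeout: 1800, Valid
  In: 203.0.113.10/51234 --> 10.50.1.1/23;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 900
  Out: 10.50.1.1/23 --> 203.0.113.10/51234;tcp, If: ae0.100, Pkts: 10, Bytes: 1800
Total sessions: 2
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(
    r"(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Return a list of sessions, each with its 'in' and 'out' wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2),
                             "timeout": int(m.group(3))})
            continue
        w = WING_RE.search(line)
        if w and sessions:  # wing lines always follow their Session ID line
            sessions[-1][w.group(1).lower()] = {
                "src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                "if": w.group(5), "pkts": int(w.group(6)), "bytes": int(w.group(7)),
            }
    return sessions


def diagnose(sessions, dst_host):
    """Classify what the session table says about traffic to dst_host."""
    # The dst field is "address/port"; compare the address part only.
    hits = [s for s in sessions
            if "in" in s and s["in"]["dst"].split("/")[0] == dst_host]
    if not hits:
        return "no session: traffic was denied by policy or never reached the flow engine"
    s = hits[0]
    if s.get("out", {}).get("pkts", 0) == 0:
        return (f"one-way: forwarded via {s['in']['if']} under policy {s['policy']} "
                f"but no return packets; check routing on the far side")
    return f"two-way via {s['in']['if']} under policy {s['policy']}"
```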
Visitor
ddeviny
Posts: 7
Registered: ‎03-31-2010
0

Re: SRX route issues

You can also set up filters to match and count the traffic ingress and egress in the proper interfaces.
Contributor
ike2
Posts: 27
Registered: ‎05-08-2011
0

Re: SRX route issues

I was sourcing traffic from the SRX directly, e.g. telnet to a L3 switch (EX4200) southbound from the SRX. When I switched over to the AE-style interfaces with VLAN tagging that stopped working, and the networks were directly connected. However, I could telnet from the SRX to a L3 switch that was two hops away and it worked fine.

Another quick question is how do you clear an older, possibly hung NAT translation? I am not saying I have something hung, but the equivalent of clearing a connection table entry etc. I removed a static NAT and I was still able to make a northbound connection through the SRX and be seen as the same IP.

An example of my untrust--->trust security policy; keep in mind this is lab only. I have a scenario where I have certain IPs that I NAT through and provide public IPs to the other internal firewalls, so I created an address-set and set those public blocks to be proxy-ARPed also on the outside interface.


policy nonat-fw-rules {
    match {
        source-address any;
        destination-address nonat-zones;
        application any;
    }
    then {
        permit;
    }
}

Distinguished Expert
dfex
Posts: 710
Registered: ‎04-17-2008

Re: SRX route issues

If you're sourcing traffic from the SRX, then it won't matter what your security policy is - locally sourced traffic doesn't pass through the policy engine.

To clear existing sessions:

clear security flow session <filter conditions>

If you need further help, please provide some configuration output from both the SRX and the EX.

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Contributor
ike2
Posts: 27
Registered: ‎05-08-2011
0

Re: SRX route issues

Thanks. Some of the randomness was from the way I had my proxy ARP settings on the outside interface. I have some network blocks that I have to NAT through without any translation, so I am ARPing for particular block sets. I am going to adjust my FW config and just proxy ARP for the entire range of subnets and not break it down into individual class C networks, etc.

Good to know locally sourced traffic is exempt; I wasn't 100% sure.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.