SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Weird Dynamic VPN behavior - SRX240

  • 1.  Weird Dynamic VPN behavior - SRX240

    Posted 03-21-2015 16:04

    Hi,

     

    There is no doubt that I'm a newbie with Junos and the SRX sphere. That's why I used the J-Web wizard for the initial configuration. The aim is to model the productive environment in a sub-lan before it goes to the datacenter. We have a fairly simple set-up. Two zones: Internet (Untrust) and Internal (Trust).

     

    Before connecting any clients in the Internal zone, I wanted to have a check of the Dynamic VPN connectivity by accessing the SRX through the VPN. Although the Pulse Client was connected and most of the settings looked correct, the Win client wouldn't be routed to the SRX.

    I started looking through the Dynamic VPN troubleshooting articles, until I decided to keep a client connected on the SRX vlan0 interface. That was the magic action! Once a client was connected to one of the SRX interfaces, the VPN Client would immediately connect to the SRX J-Web, CLI etc.

     

    I have attached a PPT Diagram of the network topology. Unless the Server I is connected as client to the SRX (blue dashed line) the red dashed line of the VPN client can't access the SRX gateway as a trusted "Internal" resource.

     

    Could you please let me know if I miss something very obvious?

     

    Thank you and regards

    A.V.

    Attachment(s): SRX240_Newbie_1.pptx (66 KB)


  • 2.  RE: Weird Dynamic VPN behavior - SRX240

     
    Posted 03-22-2015 03:07

    Your connectivity to 192.168.171.1 is not dependent on whether 192.168.171.10 is connected or not. If 192.168.171.1 is up, you should be able to connect if the configuration permits it. Can you post your configuration?

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 3.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-22-2015 13:17

    Sure. Here is my config, done with J-Web wizard and a couple of manual entries. I also thought that the SRX240 should be reachable on 191.168.171.1.1 without any clients connected on the vlan0 (or now vlan1).

    _______________

     

    ## Last changed: 2015-03-22 06:34:34 GMT+1
    version 12.1X44-D45.2;
    system {
        host-name Olysrx240;
        time-zone GMT+1;
        root-authentication {
            encrypted-password "$1";
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            user R {
                uid 2000;
                class operator;
                authentication {
                    encrypted-password "$.";
                }
            }
            user v {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1";
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface vlan.1;
                }
                https {
                    system-generated-certificate;
                    interface [ ge-0/0/0.0 vlan.1 ];
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                pool 192.168.171.0/24 {
                    address-range low 192.168.171.10 high 192.168.171.100;
                    router {
                        192.168.171.1;
                    }
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.178.111/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        vlan {
            unit 1 {
                family inet {
                    address 192.168.171.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.178.1;
        }
    }
    protocols {
        stp;
    }
    security {
        key-protection;
        ike {
            policy ike_policy_startup_rvpn {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$946dCORcyKMX-1RrvWXws";
            }
            gateway gw_startup_rvpn {
                ike-policy ike_policy_startup_rvpn;
                dynamic {
                    hostname SRX-GW;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth access-profile remote_access_profile;
            }
        }
        ipsec {
            policy ipsec_pol_startup_rvpn {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn startup_rvpn {
                ike {
                    gateway gw_startup_rvpn;
                    ipsec-policy ipsec_pol_startup_rvpn;
                }
            }
        }
        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                startup_rvpn_group {
                    remote-protected-resources {
                        0.0.0.0/0;
                    }
                    ipsec-vpn startup_rvpn;
                    user {
                        v;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internet to-zone Internal {
                policy policy_startup_rvpn_Internal {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn startup_rvpn;
                            }
                        }
                    }
                }
            }
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ike;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile remote_access_profile {
            client v {
                firewall-user {
                    password "$9J";
                }
            }
            address-assignment {
                pool startup_rvpn_add_pool;
            }
        }
        address-assignment {
            pool startup_rvpn_add_pool {
                family inet {
                    network 192.168.191.0/24;
                    range startup-rvpn-range {
                        low 192.168.191.101;
                        high 192.168.191.254;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }
    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }
    }



  • 4.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-22-2015 15:57

    The vlan.1 interface is a routed vlan interface. It's only up when there's at least one port up in the vlan vlan1. When the interface is down there's no route to the connected network. Might that be the problem?

     

    By the way, I know the gui isn't helping but this:

     

    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;

    is a good source of trouble. I would prefer the vlan id for a vlan called vlan1 to be 1, not 3... And if the vlan-id is 3 I certainly want the l3 interface to be vlan.3, not vlan.1!

     

     



  • 5.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-30-2015 06:07

    @Screenie wrote:

    The vlan.1 interface is a routed vlan interface. It's only up when there's at least one port up in the vlan vlan1. When the interface is down there's no route to the connected network. Might that be the problem?

     

    Hello Screenie,

     

    Yes, I understand that the interface vlan.1 is up only when there is an active port. When the interface is down there's no route to the connected network. Is there a static route missing? I tried to add a route for the 192.168.191.0/24 range to the SRX address, which is 192.168.171.1.

     

    Actually the SRX address is "advertised" in only two points of the configuration:

     

        dhcp {
                pool 192.168.171.0/24 {
                    address-range low 192.168.171.10 high 192.168.171.100;
                    router {
                        192.168.171.1;

    and

      vlan {
            unit 1 {
                family inet {
                    address 192.168.171.1/24;

     

     

    What is difficult for me to understand is what kind of VPN connection I get when the vlan interface is down. The Pulse client connects successfully, but to where? Why can't it ping the SRX at 192.168.171.1?

     

    Could this be firewall (policy rule) or route related?

     

    Thank you and best regards

    A.V.



  • 6.  RE: Weird Dynamic VPN behavior - SRX240

     
    Posted 03-23-2015 03:56

    Hi Junewbie,

     

    Config looks fine. Are you able to ping 191.168.171.1.1 from SRX itself when the server is not connected to vlan.1?

     

    Thanks,

    Suraj



  • 7.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-23-2015 06:56

    Hello Suraj,

     

    It looks like it is more complicated than I thought.

     

    In the meantime, between my post and your answer, I extended the vlan interface to ge ports 4, 5, 6 and 7. I thought it would be stupid to have a productive SRX with only three usable ports. I did this again with the configuration wizard. If I'm not mistaken, vlan0 is now vlan1, featuring as well this strange naming convention spotted by Screenie.

    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }

     

    The problem now is that the SRX has another important issue. Whenever the Win 2008 R2 client starts Pulse to establish the VPN connection, Win 2008 R2 (the 192.168.178.140 one) disappears from the "Internet" untrust zone. (No response to Ping). This didn't happen when I edited my first post. It looks like all traffic of the Win 2008 R2 is tunneled through SRX in a non-split VPN scenario. I don't think I changed anything in between, unless something escaped my memory.

     

    Regarding your question. about pinging 191.168.171.1 from SRX: There is always a "server" or GE client connected to the vlan0 (or 1). Otherwise I have no means to ping to the SRX. I haven't tried the console connection, lacking a Serial to USB adapter.

     

    The new behavior makes me feel quite uncomfortable. Issues like that can turn a system from productive to off-line. Therefore I think that I should make my hands really "dirty", reset the SRX and program it from the CLI.

     

    Would you have any advice / guidelines?

     

    Thank you for your help so far.

     

    Br

    A.V.



  • 8.  RE: Weird Dynamic VPN behavior - SRX240

     
    Posted 03-23-2015 23:46

    Hi A.V,

     

    What exactly do you mean by "192.168.178.140 disappears"? What I would suggest is to do a compare before you commit any changes.

     

     



  • 9.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-24-2015 14:53

    Hi Suraj,

     

    I actually mean that "disappears from the "Internet" untrust zone. (No response to Ping). This didn't happen when I edited my first post. It looks like all traffic of the Win 2008 R2 is tunneled through SRX in a non-split VPN scenario. I don't think I changed anything in between, unless something escaped my memory."

     

    I don't think I changed something with regard to the Dynamic VPN configuration. I only extended to have the interfaces #4 to #7 as members of the vlan that should be accessed with the VPN.

     

    Br

     

    A.V.



  • 10.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-24-2015 16:32

    Hi again,

     

    I have an answer of the "Unsplit" VPN problem where the remote-accessed Win 2008 R2 server is masked from the "Internet"-Untrust LAN:

     

    1. Configuration that doesn't hide the Pulse client (Win 2008 R2 server):

     

        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                startup_rvpn_group {
                    remote-protected-resources {
                        192.168.171.0/24;
                    }
                    ipsec-vpn startup_rvpn;
                    user {
                        v;
                    }
                }
            }
        }

    2. Configuration that does hide the Pulse client:

        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                startup_rvpn_group {
                    remote-protected-resources {
                        0.0.0.0/0;
                    }
                    ipsec-vpn startup_rvpn;
                    user {
                        v;
                    }
                }
            }
        }

     

    _________________

     

    Please note that the entry remote-protected "192.168.171.0/24" was added manually by myself after deleting the default 0.0.0.0/0 entry. The 0.0.0.0/0 entry means "any" to my understanding. I fail to understand though how this range destroys the connectivity (routing) of the client in the "Internet"/Untrust zone.

     

    My view right now is that the J-Web wizard should be avoided at all costs. The GUI dialogues although handy, do not solve the fundamental needs of a small user-group.

     

    A.V.

     

    P.S. The issue with the inactive vlan remains. No access to 192.168.171.1 when the vlan is not active with "servers".

     

    P.S.2 With the J-Web configuration wizard, it is not possible to compare the configs before committing the changes.



  • 11.  RE: Weird Dynamic VPN behavior - SRX240

     
    Posted 03-30-2015 06:24

    Hi Junewbie,

     

    PFA, it may help you to use compare option on J-web.

     

    This looks like a bit of a complicated issue unless we are missing some basic things. I would recommend opening a JTAC case for further investigation.

    Or you can run flow traceoptions as in the KB below and see where the packet drop is happening when the servers are not connected on the vlan interface (vlan interface is up).

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

    Use source as VPN Client IP (Private IP assigned by SRX) and Destination as Vlan interface IP.

     

     



  • 12.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-30-2015 07:46

    Hi Suraj,

     

    I noticed the compare function of J-Web. However, with Junos 12 it is possible to rerun the configuration wizard. This is conditional and depends on not having manually changed settings that are incompatible with the wizard itself; for example, some manual settings in the interfaces. However, if the wizard loads the latest config (manually edited remote-protected resources are allowed) there is no Compare possibility before committing the changes. The wizard overwrites the manual entries and creates a remote-protected resources "any" 0.0.0.0/0, meaning that all traffic should go through the VPN.

     

    Beside this, I managed to connect through the console. I had a look in the file you suggest, but it didn't help me much. I will do this again and I will upload the matches in an attachment here.

     

    Your help is greatly appreciated.

     

    Best regards

    A.V.



  • 13.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-30-2015 13:28

    Hi again,

     

    These are the logs:

     

    Mar 31 03:16:58 03:16:58.461634:CID-0:RT:<192.168.191.103/52->192.168.171.1/1;1> matched filter filter1:
    Mar 31 03:16:58 03:16:58.461634:CID-0:RT: ge-0/0/0.0:192.168.191.103->192.168.171.1, icmp, (8/0)
    Mar 31 03:16:58 03:16:58.461634:CID-0:RT: find flow: table 0x510e1138, hash 2170(0xffff), sa 192.168.191.103, da 192.168.171.1, sp 52, dp 1, proto 1, tok 7
    Mar 31 03:16:58 03:16:58.461634:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.191.103, x_dst_ip 192.168.171.1, in ifp ge-0/0/0.0, out ifp N/A sp 52, dp 1, ip_proto 1, tos 0
    Mar 31 03:17:03 03:17:02.972257:CID-0:RT:<192.168.191.103/53->192.168.171.1/1;1> matched filter filter1:
    Mar 31 03:17:03 03:17:02.972257:CID-0:RT: ge-0/0/0.0:192.168.191.103->192.168.171.1, icmp, (8/0)
    Mar 31 03:17:03 03:17:02.972257:CID-0:RT: find flow: table 0x510e1138, hash 10602(0xffff), sa 192.168.191.103, da 192.168.171.1, sp 53, dp 1, proto 1, tok 7
    Mar 31 03:17:03 03:17:02.972257:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.191.103, x_dst_ip 192.168.171.1, in ifp ge-0/0/0.0, out ifp N/A sp 53, dp 1, ip_proto 1, tos 0
    Mar 31 03:17:08 03:17:07.971671:CID-0:RT:<192.168.191.103/54->192.168.171.1/1;1> matched filter filter1:
    Mar 31 03:17:08 03:17:07.971751:CID-0:RT: ge-0/0/0.0:192.168.191.103->192.168.171.1, icmp, (8/0)
    Mar 31 03:17:08 03:17:07.971819:CID-0:RT: find flow: table 0x510e1138, hash 20634(0xffff), sa 192.168.191.103, da 192.168.171.1, sp 54, dp 1, proto 1, tok 7
    Mar 31 03:17:08 03:17:07.971954:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.191.103, x_dst_ip 192.168.171.1, in ifp ge-0/0/0.0, out ifp N/A sp 54, dp 1, ip_proto 1, tos 0
    Mar 31 03:17:13 03:17:12.980389:CID-0:RT:<192.168.191.103/55->192.168.171.1/1;1> matched filter filter1:
    Mar 31 03:17:13 03:17:12.980521:CID-0:RT: ge-0/0/0.0:192.168.191.103->192.168.171.1, icmp, (8/0)
    Mar 31 03:17:13 03:17:12.980540:CID-0:RT: find flow: table 0x510e1138, hash 29066(0xffff), sa 192.168.191.103, da 192.168.171.1, sp 55, dp 1, proto 1, tok 7
    Mar 31 03:17:13 03:17:12.980650:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.191.103, x_dst_ip 192.168.171.1, in ifp ge-0/0/0.0, out ifp N/A sp 55, dp 1, ip_proto 1, tos 0

     

    v@OlySRX240> show route

    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:00:46
    > to 192.168.178.1 via ge-0/0/0.0
    192.168.171.1/32 *[Local/0] 01:03:31
    Reject
    192.168.178.0/24 *[Direct/0] 00:00:46
    > via ge-0/0/0.0
    192.168.178.111/32 *[Local/0] 01:03:20
    Local via ge-0/0/0.0

     

     

    Any ideas?



  • 14.  RE: Weird Dynamic VPN behavior - SRX240

     
    Posted 03-30-2015 23:12

    As per the show route output, 171.1 is in reject status; the most likely reason for this is an address conflict. Also, the trace logs are incomplete. Can you post the complete traces along with the outputs below?

    You may also try disabling STP and check.

    root@srx> show interfaces terse | no-more
    root@srx> show route 192.168.171.1
    root@srx> show route 192.168.191.103
    root@srx> show configuration | no-more



  • 15.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-30-2015 23:15

    Looks like the interface is down.

    Can you run > show interfaces terse to see if the interface is showing as up up and not up down

     

    Regards,
    C_R
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



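As an added example (not from the thread or from Juniper), the script below reads the flow-trace lines and show route output posted in reply 13 and applies the rule given in the last two replies: a flow that the trace leaves with "out ifp N/A", whose destination resolves to a Local route with next hop Reject, is addressed to an interface that is down. The regexes, function names and the longest-prefix lookup are the editor's assumptions about the output format.

```python
"""Read the flow-trace lines and 'show route' output posted above and explain
why the Pulse client's pings to 192.168.171.1 get no egress interface.

Added example, not from the thread or from Juniper. The diagnosis rule is the
one stated in the replies: a Local route whose next hop is Reject means the
owning interface (here the vlan.1 RVI) is down.
"""
import ipaddress
import re

FLOW_RE = re.compile(r"flow_first_routing: .*?src_ip (?P<src>[\d.]+), "
                     r"x_dst_ip (?P<dst>[\d.]+), in ifp (?P<in>\S+), "
                     r"out ifp (?P<out>\S+)")
ROUTE_RE = re.compile(r"^(?P<prefix>[\d.]+/\d+)\s+\*\[(?P<proto>\w+)/\d+\]")


def parse_flow_trace(lines):
    """One dict (src, dst, in, out) per flow_first_routing line."""
    return [m.groupdict() for m in map(FLOW_RE.search, lines) if m]


def parse_show_route(text):
    """Map prefix -> {'proto', 'nexthop'} from 'show route' output. The
    next-hop text is the first non-empty line after the prefix line."""
    routes, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            cur = m.group("prefix")
            routes[cur] = {"proto": m.group("proto"), "nexthop": None}
        elif cur and line:
            routes[cur]["nexthop"] = line.lstrip("> ")
            cur = None
    return routes


def lookup(routes, ip):
    """Longest-prefix match, the way the forwarding lookup chooses a route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


def diagnose(flows, routes):
    """Explain every flow the trace left with 'out ifp N/A' (deduplicated)."""
    findings = set()
    for f in flows:
        if f["out"] != "N/A":
            continue
        prefix = lookup(routes, f["dst"])
        r = routes.get(prefix)
        if r and r["nexthop"] == "Reject":
            findings.add(f"{f['dst']}: {prefix} is {r['proto']} with next hop "
                         f"Reject, so the interface owning it is down")
        else:
            findings.add(f"{f['dst']}: no usable route ({prefix})")
    return sorted(findings)


# Flow-trace lines (two pings) and the route table as posted in this thread.
TRACE = """\
Mar 31 03:16:58 03:16:58.461634:CID-0:RT:<192.168.191.103/52->192.168.171.1/1;1> matched filter filter1:
Mar 31 03:16:58 03:16:58.461634:CID-0:RT: ge-0/0/0.0:192.168.191.103->192.168.171.1, icmp, (8/0)
Mar 31 03:16:58 03:16:58.461634:CID-0:RT: find flow: table 0x510e1138, hash 2170(0xffff), sa 192.168.191.103, da 192.168.171.1, sp 52, dp 1, proto 1, tok 7
Mar 31 03:16:58 03:16:58.461634:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.191.103, x_dst_ip 192.168.171.1, in ifp ge-0/0/0.0, out ifp N/A sp 52, dp 1, ip_proto 1, tos 0
Mar 31 03:17:03 03:17:02.972257:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.191.103, x_dst_ip 192.168.171.1, in ifp ge-0/0/0.0, out ifp N/A sp 53, dp 1, ip_proto 1, tos 0
"""
ROUTES = """\
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:00:46
> to 192.168.178.1 via ge-0/0/0.0
192.168.171.1/32 *[Local/0] 01:03:31
Reject
192.168.178.0/24 *[Direct/0] 00:00:46
> via ge-0/0/0.0
192.168.178.111/32 *[Local/0] 01:03:20
Local via ge-0/0/0.0
"""

if __name__ == "__main__":
    print("\n".join(diagnose(parse_flow_trace(TRACE.splitlines()),
                             parse_show_route(ROUTES))))
```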

  • 16.  RE: Weird Dynamic VPN behavior - SRX240
    Best Answer

    Posted 03-31-2015 03:31

    Hi,

     

    Thank you for your kind support. I will need to study with much attention the way Junos routes packets, policy priorities etc.

     

    Actually the solution can be found here:

     

    https://forum.ivorde.com/junos-11-4-srx-flow-mode-traffic-destined-for-loopback-lo0-interface-t14231.html

     

    A separate zone for the Chassis, along with a new policy to allow traffic from the Internal (Trust) zone to the Chassis

     

    I just adapted the above to my configuration and added the loopback IP of interface lo.0 to the remote-protected-resources table.

     

    Now the SRX-Chassis is reachable at the loopback address 192.168.131.1, even when there are no clients connected to the vlan.1 interface.

     

    To my understanding the following J-Web-Wizard driven part of the configuration was the culprit:

     

    zones {
            security-zone Internal {
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                }
            }

     

    The fact that vlan.1 was inactive, due to missing connected clients, left the Internal (Trust) zone without any use. Adding the dedicated Chassis zone as a trust zone, did the trick in my case. I think that being able to access the Chassis independently of connected clients is very important for remote management.

     

    Last but not least, I do not understand that much how the DHCP service, for which the Internal router address is 192.168.171.1, doesn't advertise this internally; further reading will hopefully answer my question.

     

    I really appreciated your input. It was part of the solution I found above.

     

    Best regards

    A.V.

     

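The three configuration points raised in this thread (the vlan-id 3 / l3-interface vlan.1 mismatch from reply 4, the 0.0.0.0/0 remote-protected-resources full tunnel from reply 10, and the lo0.0-in-its-own-zone fix above) can be checked mechanically before a commit. This is an added example written for this page, not code from the thread or from Juniper; the parser, the check names and the sample configuration are the editor's own constructions, and the lo0.0 check only confirms that a loopback sits in some security zone, not that a policy reaches it.

```python
"""Lint the J-Web-generated stanzas discussed in this thread.

Added example, not from the thread or from Juniper. It parses Junos brace
syntax and flags: a dynamic-vpn group that protects 0.0.0.0/0 (full tunnel);
a vlan whose vlan-id differs from its l3-interface unit; and a chassis with
no lo0.0 in any security zone (management then depends on the vlan RVI).
"""


def parse_junos(text):
    """Junos brace syntax -> nested dicts. Stanza "x {" becomes a dict; leaf
    "x y;" maps "x" to "y" (or None). Repeated keys in one stanza overwrite."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            parts = line.rstrip(";").split(None, 1)
            cur[parts[0]] = parts[1] if len(parts) > 1 else None
    return root


def check_full_tunnel(cfg):
    """Dynamic-VPN client groups whose protected resources include 0.0.0.0/0."""
    clients = cfg.get("security", {}).get("dynamic-vpn", {}).get("clients", {})
    return sorted(name for name, grp in clients.items()
                  if "0.0.0.0/0" in grp.get("remote-protected-resources", {}))


def check_vlan_naming(cfg):
    """(vlan name, vlan-id, l3-interface) triples where id and RVI unit differ."""
    bad = []
    for name, vl in cfg.get("vlans", {}).items():
        vid, l3 = vl.get("vlan-id"), vl.get("l3-interface")
        if vid and l3 and l3.rsplit(".", 1)[-1] != vid:
            bad.append((name, vid, l3))
    return bad


def loopback_zone(cfg):
    """Zone that contains lo0.0, or None: without it, management depends on a
    vlan RVI that is down whenever no member port has link."""
    for key, zone in cfg.get("security", {}).get("zones", {}).items():
        if key.startswith("security-zone ") and "lo0.0" in zone.get("interfaces", {}):
            return key.split(None, 1)[1]
    return None


def lint(text):
    """Run every check on one configuration and return the findings."""
    cfg = parse_junos(text)
    out = [f"full tunnel: {g} protects 0.0.0.0/0" for g in check_full_tunnel(cfg)]
    out += [f"naming: {n} has vlan-id {v} but l3-interface {l3}"
            for n, v, l3 in check_vlan_naming(cfg)]
    if loopback_zone(cfg) is None:
        out.append("no lo0.0 in any zone: chassis unreachable when the RVI is down")
    return out


# Constructed excerpt in the shape of the thread's J-Web output.
SAMPLE = """\
security {
    dynamic-vpn {
        clients {
            startup_rvpn_group {
                remote-protected-resources {
                    0.0.0.0/0;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                vlan.1;
            }
        }
    }
}
vlans {
    vlan1 {
        vlan-id 3;
        l3-interface vlan.1;
    }
}
"""
```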


  • 17.  RE: Weird Dynamic VPN behavior - SRX240

     
    Posted 03-31-2015 03:48

    Glad to hear that. But it was not mentioned anywhere that you were trying to access the loopback; I believe everyone was under the impression you were trying to access the vlan.1 interface.

    Even the flow trace applied was for the vlan.1 interface.

     

    Cheers,

    Suraj



  • 18.  RE: Weird Dynamic VPN behavior - SRX240

    Posted 03-31-2015 05:29

    @rsuraj wrote:

    Glad to hear that. But it was not mentioned anywhere that you were trying to access the loopback; I believe everyone was under the impression you were trying to access the vlan.1 interface.

    Even the flow trace applied was for the vlan.1 interface.

     

    Cheers,

    Suraj


    Hello Suraj,

     

    Well, I'm from a non Network-IT Engineering background. I do have experience with port-forwarding, SSH/SSL own tunnels, IPSEC VPN of Mac Server and basic routing. From my point of view this sequence of actions would make sense for a newbie:

     

    1. Test the default configuration

    2. Run the Wizard to see if it matches the basic needs

    3. Test the VPN without any clients (ie the "Server") attached

    4. Check if the SRX is reachable even when no vlan is active

     

    Apparently the loopback is a logical interface, I thought it would be generally reachable through the DHCP service (Router 192.168.171.1).

     

    It never crossed my mind that this IP would be inactive in case of inactive vlan. According to the info you kindly shared here, it was 100% sure that the vlan.1 interface wouldn't go live unless at least one client ("Server") would be connected there-to. As soon as this was clear to me, I needed to see what alternatives I had to get to the SRX through the VPN.

     

    To my naive understanding the IP 192.168.171.1 was not an IP that belongs to the vlan.1. It was the internal IP of the SRX. The logs generated concerned exactly this IP, according to the troubleshooting instructions.

     

    I even thought it would be possible to access 192.168.171.1 by means of a static route; but now I understand that I couldn't access something that doesn't exist.

     

    Best regards

    A.V.



  • 19.  RE: Weird Dynamic VPN behavior - SRX240

     
    Posted 03-31-2015 05:35

    Hi A.V,

     

    I can understand. Thanks for the note 🙂

     

    Cheers,

    Suraj