SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  using SRX210 with Dovado Tiny, ssh

    Posted 05-29-2013 22:56

    Hi all,

     

    I am trying to configure a 3/4G backup link on my SRX using an Optus(Australia) 4G USB modem, connected to a Dovado Tiny, bridged, to an interface on my SRX.

     

    SRX(ge-0/0/1)<----->Dovado(bridged)<----->4G USB modem

     

    I have so far:

    Set the interface to dhcp

     

    interface-range dovado {
        member ge-0/0/1;
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }

     

    I have a few zones configured on the SRX but have configured one for the 4G connection

     

    security-zone 4g {
        host-inbound-traffic {
            system-services {
                ssh;
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }

     

    Now when I do a show system services dhcp client, I get:

    Logical Interface name ge-0/0/1.0
    Hardware address 5c:5e:ab:e6:b1:41
    Client status bound
    Address obtained 119.225.185.128
    Update server disabled
    Lease obtained at 2013-05-30 05:47:22 UTC
    Lease expires at 2013-05-30 05:52:22 UTC

    DHCP options:
    Code: 1, Type: ip-address, Value: 255.255.255.0
    Name: router, Value: [ 119.225.185.1 ]
    Name: name-server, Value: [ 198.142.0.51, 61.88.88.88 ]
    Name: server-identifier, Value: 119.225.185.1

     

    This is a dynamic IP address which I get from the ISP, and since the Dovado modem is bridged, this gets on interface ge-0/0/1.

    The aim of all this is for me to be able to ssh in through the public IP address (ISP) to the SRX and make changes to the routes when the DSL link goes down.  I will be using freedns to know the public IP address as this will change (I am still not sure whether dynamic DNS works with freedns.afraid.org, but that's another story).

     

    Even though I have specified in the security zones to allow ssh, I am not able to.  I cannot even ping the IP address assigned by the ISP or the gateway.

     

    What am I missing?

     

    Thanks for any help
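
An added check, not part of the original post: the zone stanza above lists both ssh and all under system-services, and all admits every host-inbound service on the interface that receives the ISP-assigned public address. The small parser below (function names are this example's own) reads brace-style Junos configuration and reports zones that use the all wildcard.

```python
import re

# Zone stanza from the post above, restated compactly (sample input for this example).
ZONE_4G = """
security-zone 4g {
    host-inbound-traffic {
        system-services { ssh; all; }
        protocols { all; }
    }
    interfaces { ge-0/0/1.0; }
}
"""

def parse_junos(text):
    """Parse curly-brace Junos configuration into nested dicts; leaf statements map to None."""
    root = {}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            child = stack[-1][" ".join(words)] = {}
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) > 1:      # tolerate pasted fragments with unbalanced braces
                stack.pop()
        else:
            words.append(tok)
    return root

def audit_host_inbound(config):
    """Return (zone, category) pairs whose host-inbound-traffic contains the 'all' wildcard."""
    findings = []
    for name, body in config.items():
        if not name.startswith("security-zone "):
            continue
        inbound = (body or {}).get("host-inbound-traffic") or {}
        for category in ("system-services", "protocols"):
            if "all" in (inbound.get(category) or {}):
                findings.append((name.split()[1], category))
    return findings

if __name__ == "__main__":
    for zone, category in audit_host_inbound(parse_junos(ZONE_4G)):
        print(f"zone {zone}: host-inbound-traffic {category} all")
```

A stanza that lists only the services the link needs (for example ssh and dhcp for the DHCP client) produces no findings.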



  • 2.  RE: using SRX210 with Dovado Tiny, ssh

    Posted 05-30-2013 05:01

    Hi Riazjo,

     

    The issue will be that when you SSH to the SRX on the 3/4G link, the SRX will try to return traffic to you via the current best default route, which will inevitably be your ADSL link.  This asymmetric routing will then be dropped as your host will not be expecting traffic returned from the IP of the ADSL connection.

     

    To add to your issues, the built-in dyn-dns on the SRX will only work with dyndns.org or ddo.jp

     

    On the bright side though, if your ADSL link goes down (pp0) the default route will automatically fail-over to the less preferred, but now active DHCP-learnt route that your 3G Bridge handed out.  If you move your 3/4G interface back into the same zone as pp0 is in, then you won't have to re-configure anything when this fail-over occurs.

     

    As for the Dyn-DNS, I had a quick look at afraid.org's service and it is all HTTP-based, which means you're in luck and should be able to hack out an op script using curl to update your IP really easily.

     

    Check out: http://www.juniper.net/techpubs/en_US/junos12.2/topics/reference/general/junos-script-automation-libslax-curl-extension-library.html for more information.



  • 3.  RE: using SRX210 with Dovado Tiny, ssh

    Posted 06-03-2013 22:40

    Hi Ben(dfex),


    Thanks for your help.

     

    For freedns.afraid.org, I am planning to use the script from http://forums.juniper.net/t5/Junos-Automation-Scripting/Script-for-DDNS/td-p/56004, as there is no built-in dynamic DNS on 12.1R5.5.  I have not got it working yet.

     

    Is the way to make the fail-over automatic set by Static Route Preferences and Qualified Next Hops, as described in http://www.juniper.net/techpubs/en_US/junos12.1/topics/topic-map/policy-static-route-selection.html ?

     

    My ADSL link is part of a WAN managed by the ISP.

     

    My 4G is from another ISP.

     

    At the moment I am still not able to ping the IP address on the 4G which is assigned to the SRX ge-0/0/1 interface.

     

    Cheers

     



  • 4.  RE: using SRX210 with Dovado Tiny, ssh
    Best Answer

    Posted 06-04-2013 17:05

    Hi Riazjo,

     

    There should be no need to change anything for fail-over - the route preference for Static routes (for your ADSL service) is 10 by default, and the DHCP-assigned interface will be of type External-Access which has a preference of 12 by default.

     

    If the pp0.0 interface (assuming PPPoEoA) or at-1/0/0.0 interface (assuming PPPoA) ever goes down, the static route will drop out of your table, and the DHCP-issued one will become preferred.

     

    As long as both ge-0/0/1 and your pp0.0/at-1/0/0.0 interfaces are in the same zone, everything will continue as normal.

     

    Try unplugging the DSL and see if you can send traffic over the 4G.  Maybe your 4G bridge is blocking inbound connection attempts.
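
The route selection described in replies 2 and 4, as a simplified model added here (not code from the thread or from Junos): it shows why SSH arriving on the 4G interface gets an asymmetric reply while the ADSL route is active, and why fail-over needs no changes once both interfaces share a zone. The preference values 10 and 12 are the ones quoted in reply 4; the zone name untrust for the ADSL interface is an assumption.

```python
from collections import namedtuple

# preference: lower wins. 10 (static) and 12 (DHCP-learnt) are the values quoted in reply 4.
Route = namedtuple("Route", "prefix interface preference zone")

ROUTES = [
    Route("0.0.0.0/0", "pp0.0", 10, "untrust"),   # ADSL; zone name is assumed
    Route("0.0.0.0/0", "ge-0/0/1.0", 12, "4g"),   # DHCP route from the 4G bridge
]

def active_default(routes, link_up):
    """Lowest-preference default route whose interface is up, or None."""
    usable = [r for r in routes
              if r.prefix == "0.0.0.0/0" and link_up.get(r.interface, False)]
    return min(usable, key=lambda r: r.preference, default=None)

def reply_path(ingress_if, routes, link_up):
    """Return (egress interface, symmetric?) for the reply to a session that arrived on ingress_if."""
    best = active_default(routes, link_up)
    if best is None:
        return (None, False)
    return (best.interface, best.interface == ingress_if)

def failover_keeps_zone(routes):
    """True when all default routes egress in one zone, so policies need no change on fail-over."""
    return len({r.zone for r in routes if r.prefix == "0.0.0.0/0"}) == 1

if __name__ == "__main__":
    for dsl_up in (True, False):
        state = {"pp0.0": dsl_up, "ge-0/0/1.0": True}
        egress, symmetric = reply_path("ge-0/0/1.0", ROUTES, state)
        print(f"DSL up={dsl_up}: SSH in on ge-0/0/1.0, reply leaves {egress}, symmetric={symmetric}")
    print("fail-over keeps zone:", failover_keeps_zone(ROUTES))
    same_zone = [r._replace(zone="untrust") for r in ROUTES]
    print("after moving ge-0/0/1.0 into the ADSL zone:", failover_keeps_zone(same_zone))
```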