Ethernet Switching

Issues connecting two different vlans through SRX

10-22-2019 03:55 PM

Hello community

Could you help me with an issue with the connectivity between two VLANs connected through an SRX? I am connecting two different VLANs (90 and 190) through an SRX; VLAN 90 is connected to an Asterisk server and VLAN 190 is connected to IP phones. The voice VLAN is configured in the switch where the IP phones are connected. For testing purposes the policies enabled for these services are allowing all traffic in both directions, and host inbound traffic is enabled for all services. Phones are registered for a while, and after a period of time all phones are disconnected and connectivity is also lost; consider that locally, only inside VLAN 90, connectivity continues.


The configuration applied is:

policy PL_VOIP_TO_PHONE {
    match {
        source-address ADD_VOIP_SERVER;
        destination-address ADD_LAN_VOIP;
        application any;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}

policy PL_VOIP_COMGSP {
    match {
        source-address ADD_LAN_VOIP;
        destination-address ADD_VOIP_SERVER;
        application any;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}

security-zone SZ_LAN_COMGSP {
    interfaces {
        ae1.110 {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                    dhcp;
                }
            }
        }
        ae1.190 {
            host-inbound-traffic {
                system-services {
                    all;
                    ping;
                    dhcp;
                    traceroute;
                    ntp;
                    ftp;
                    tftp;
                    http;
                    https;
                }
            }
        }
    }
    application-tracking;
}

security-zone SZ_SERVICIOS_INTERNOS {
    interfaces {
        ae0.105 {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
        }
        ae0.90 {
            host-inbound-traffic {
                system-services {
                    all;
                    ping;
                    traceroute;
                    dhcp;
                    ntp;
                    ftp;
                    tftp;
                }
            }
        }
    }
    application-tracking;
}

Best regards

Karlink

Re: Issues connecting two different vlans through SRX

10-22-2019 11:14 PM

Hello,

@karlink_genius wrote:

I am connecting two different VLANs (90 and 190) through an SRX; VLAN 90 is connected to an Asterisk server and VLAN 190 is connected to IP phones. The voice VLAN is configured in the switch where the IP phones are connected. For testing purposes the policies enabled for these services are allowing all traffic in both directions, and host inbound traffic is enabled for all services. Phones are registered for a while, and after a period of time all phones are disconnected and connectivity is also lost; consider that locally, only inside VLAN 90, connectivity continues.

Looks like Your phones do not send keepalives/KA, or their KA interval is too large, and if You haven't changed the SRX default session timeouts (1800 sec for TCP and 60 sec for UDP last time I checked) then these phones' sessions in SRX expire and are silently deleted.

You have 3 options here:

1/ tune SRX default timeouts - not recommended

2/ create an application definition for these phones matching on ports and include custom inactivity-timeout into that definition, then match on this application in the security policies.

3/ enable KA or tune KA interval in Your phones

HTH

Thx

Alex

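Option 2 above, as an added example (this is not Alex's configuration nor part of the original post): custom applications that carry their own inactivity-timeout, grouped in an application-set and referenced by the two existing policies in place of "application any", so only the VoIP sessions get the longer idle timer. The port numbers (SIP on UDP 5060, RTP on UDP 10000-20000), the 3600-second timeout and the from-zone/to-zone pairing are assumptions; check them against what the Asterisk server and phones actually use.

```junos
/* Added example, not from the thread. Ports and timeout are assumptions. */
applications {
    application APP_SIP_UDP {
        protocol udp;
        destination-port 5060;
        inactivity-timeout 3600;    /* seconds; replaces the short UDP default */
    }
    application APP_RTP_UDP {
        protocol udp;
        destination-port 10000-20000;
        inactivity-timeout 3600;
    }
    application-set APPSET_VOIP {
        application APP_SIP_UDP;
        application APP_RTP_UDP;
    }
}
security {
    policies {
        /* zone pairing assumed from the interfaces shown in the original post */
        from-zone SZ_SERVICIOS_INTERNOS to-zone SZ_LAN_COMGSP {
            policy PL_VOIP_TO_PHONE {
                match {
                    source-address ADD_VOIP_SERVER;
                    destination-address ADD_LAN_VOIP;
                    application APPSET_VOIP;    /* was: application any */
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone SZ_LAN_COMGSP to-zone SZ_SERVICIOS_INTERNOS {
            policy PL_VOIP_COMGSP {
                match {
                    source-address ADD_LAN_VOIP;
                    destination-address ADD_VOIP_SERVER;
                    application APPSET_VOIP;    /* was: application any */
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, "show security flow session destination-port 5060" lists the remaining timeout of each SIP session, which confirms whether the new value is being applied to the phones' sessions.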

Re: Issues connecting two different vlans through SRX

10-23-2019 07:05 AM

Hi Alex:

Thanks for your answer, I will test your recommendations. Do you think your explanation is also the root cause of the problem of losing even connectivity between server and phones?

Best regards

Karlink