Junos

virtual router's default route over a GRE tunnel

‎05-15-2019 12:12 PM

Hi - 

I'm attempting to provide guest internet access to a remote site that only has a WAN connection back to the main office. The main office has an internet connection that is currently used by guests. The remote site has an EX4200 switch and the main office has an SRX550. My thought was to:

- create a GRE tunnel from the remote site to the main site

- create a guest VLAN in the remote site

- create a virtual router in the remote site that is associated with the guest VLAN

- create a default route in that virtual router that forced everything in that vlan down the tunnel

- on the SRX at the main office, associate the GRE tunnel with our already existing guest zone

- create a route on the SRX to point back to the guest network over the GRE tunnel

 

I've been able to bring the tunnel up and ping the other end of the tunnel successfully. I have a test computer at the remote site that has an interface in the guest vlan, and it can also ping the remote end of the tunnel. Unfortunately it cannot ping any further.

I'm new at this, so I'm hoping someone can help me figure out where I might be going wrong. I appreciate the help. Here is the important info:

Remote Switch:


chassis {
....
    fpc 0 {
        pic 0 {
            tunnel-port 0 {
                tunnel-services;
            }
        }
    }
}
....
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.22.12.2;
                destination 172.22.10.1;
            }
            family inet {
                address 192.168.111.2/30;
            }                           
        }
    }
....
    vlan {
....
        unit 2 {                        
            family inet {
                address 192.168.222.1/24;
            }
        }
    }
}
....
routing-instances {
    guestroute {
        interface gr-0/0/0.0;
        interface vlan.2;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop gr-0/0/0.0;
            }
        }
    }
}
....          
vlans {
....
    Test-Guest {
        description Test-Guest;
        vlan-id 222;
        l3-interface vlan.2;
    }

SRX at main site:

    zones {
        security-zone trust {
            interfaces {
                vlan.1;
....
            }
        }
        security-zone guest {
....
            interfaces {
....
                gr-0/0/0.0;
            }
        }
interfaces {
....
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.22.10.1;
                destination 172.22.12.2;
            }
            family inet {
                address 192.168.111.1/30;
            }
        }
    }
    vlan {
        unit 1 {
            family inet {
                address 172.22.10.1/24;
            }
        }
....
routing-options {
    static {
        route 192.168.222.0/24 next-hop gr-0/0/0.0;
....
vlans {
....
    Core {
        description "Core";
        vlan-id 10;
        l3-interface vlan.1;
    }

show route on remote switch:

guestroute.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:53:38
                    > via gr-0/0/0.0
192.168.111.0/30   *[Direct/0] 02:18:51
                    > via gr-0/0/0.0
192.168.111.2/32   *[Local/0] 02:18:51
                      Local via gr-0/0/0.0
192.168.222.0/24   *[Direct/0] 03:31:00
                    > via vlan.2
192.168.222.1/32   *[Local/0] 03:41:04
                      Local via vlan.2

Any recommendations on what I might be doing wrong? Anything I can provide to help troubleshoot this?

Thanks,

Al


Re: virtual router's default route over a GRE tunnel

‎05-17-2019 02:36 AM

Good day,

Can you ping both ends of the GRE tunnel? Did you allow GRE on the SRX?


Re: virtual router's default route over a GRE tunnel

‎05-17-2019 07:06 AM

Hi,

I drew out a basic picture so I can speak to each part below:

 

SRX can ping vlan IP on EX4200:

root@srx> ping 192.168.222.1 interface gr-0/0/0 count 1 
PING 192.168.222.1 (192.168.222.1): 56 data bytes
64 bytes from 192.168.222.1: icmp_seq=0 ttl=64 time=2.507 ms

--- 192.168.222.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.507/2.507/2.507/0.000 ms

 

The SRX cannot ping the remote PC:

root@srx> ping 192.168.222.222 interface gr-0/0/0 count 1  
PING 192.168.222.222 (192.168.222.222): 56 data bytes

--- 192.168.222.222 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

 

EX4200 can ping the remote end of the tunnel:

root@ex4200> ping 192.168.111.1 routing-instance guestroute count 1 
PING 192.168.111.1 (192.168.111.1): 56 data bytes
64 bytes from 192.168.111.1: icmp_seq=0 ttl=64 time=3.168 ms

--- 192.168.111.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.168/3.168/3.168/0.000 ms

 

EX4200 can ping to the internet:

root@ex4200> ping 8.8.8.8 routing-instance guestroute count 1          
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=9.325 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 9.325/9.325/9.325/0.000 ms

 

System (server) in main office can ping the remote side of the tunnel:

 

[user@mainoffice ~]$ ping 192.168.111.2 -c 1
PING 192.168.111.2 (192.168.111.2) 56(84) bytes of data.
64 bytes from 192.168.111.2: icmp_seq=1 ttl=63 time=3.08 ms

--- 192.168.111.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.088/3.088/3.088/0.000 ms

 

System (server) in main office can ping the vlan IP on the remote switch:

[user@mainoffice ~]$ ping 192.168.222.1 -c 1
PING 192.168.222.1 (192.168.222.1) 56(84) bytes of data.
64 bytes from 192.168.222.1: icmp_seq=1 ttl=63 time=2.60 ms
--- 192.168.222.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.601/2.601/2.601/0.000 ms

 

System (server) in main office cannot ping the remote PC:

[user@mainoffice ~]$ ping 192.168.222.222 -c 1
PING 192.168.222.222 (192.168.222.222) 56(84) bytes of data.
^C
--- 192.168.222.222 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

 

remote PC can ping the remote side of the tunnel:

[user@remotepc ~]$ ping 192.168.111.2 -c 1
PING 192.168.111.2 (192.168.111.2) 56(84) bytes of data.
64 bytes from 192.168.111.2: icmp_seq=1 ttl=63 time=1.25 ms

--- 192.168.111.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.245/1.245/1.245/0.000 ms

 

remote PC cannot ping the main office side of the tunnel:

[user@remotepc ~]$ ping 192.168.111.1 -c 1
PING 192.168.111.1 (192.168.111.1) 56(84) bytes of data.
^C
--- 192.168.111.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

 

I think that about sums up my ping experiences.

Thanks for looking at this with me.


Re: virtual router's default route over a GRE tunnel

‎06-06-2019 05:47 AM

Hi,

1) Change

next-hop gr-0/0/0.0

to next-hop <remote-ip-of-gre-tunnel>

 

2) Do you have correct routing settings on PC and Server?

3) Are you sure that the SRX doesn't drop GRE or packets after decapsulation?

4) Did you try these troubleshooting steps: https://kb.juniper.net/InfoCenter/index?page=content&id=KB16108

 


Re: virtual router's default route over a GRE tunnel

‎06-23-2019 02:36 PM

That picture was helpful, thanks.

 

Could you provide the output of 'show route' from both the SRX and the EX?

 

If possible, do not specify any address on the 'show route' command here when sharing an output.

 

Also, when the remote PC tries pinging the main office side of the tunnel, do you know if that makes it through the tunnel all the way to the SRX in the first place?

 

Can we enable a flow trace of sorts on the SRX and confirm this?

 

Cheers

Pooja


Re: virtual router's default route over a GRE tunnel

‎06-23-2019 02:38 PM

Example #2 on here covers the steps necessary for flow traceoptions on the SRXs.

Refer to https://kb.juniper.net/KB16108

 

Cheers

Pooja
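
As an added example (not part of any post above and not taken from the referenced KB article), a flow trace on the SRX scoped to the failing ping from the thread, remote PC 192.168.222.222 to the tunnel address 192.168.111.1, could look like this. The trace file name guest-gre-trace and the packet-filter names pc-to-srx and srx-to-pc are assumptions chosen for illustration.

```junos
# Added example. File and filter names are assumptions; addresses are from the thread.
# Configuration mode on the SRX:
set security flow traceoptions file guest-gre-trace size 1m files 3
set security flow traceoptions flag basic-datapath
# Forward direction: echo request from the remote PC, seen after GRE decapsulation
set security flow traceoptions packet-filter pc-to-srx source-prefix 192.168.222.222/32
set security flow traceoptions packet-filter pc-to-srx destination-prefix 192.168.111.1/32
# Return direction: echo reply heading back toward the tunnel
set security flow traceoptions packet-filter srx-to-pc source-prefix 192.168.111.1/32
set security flow traceoptions packet-filter srx-to-pc destination-prefix 192.168.222.222/32
commit

# Operational mode: repeat the ping from the remote PC, then inspect the results
show log guest-gre-trace
show security flow session source-prefix 192.168.222.222/32

# Configuration mode: remove the trace when finished, since tracing adds load
delete security flow traceoptions
commit
```

An empty trace file after the ping means the packet never reached flow processing on the SRX, which points back at the EX4200 side of the tunnel. Entries for the forward direction without a matching return entry point at routing or zone and policy handling on the SRX.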