SRX Services Gateway

Client losing connectivity to SRX intermittently

‎08-04-2017 06:41 AM

Hi,

We have a very strange problem where a set of workstations is losing intra-zone and internet connectivity. The w/station works flawlessly, then suddenly loses its connection: it can no longer ping the reth interface or cross into the other zone, but it still has connectivity to the workstations within the same zone. Given that it works at all, I think that the security, NAT and routing are configured correctly.

 

Here is the kicker: although it can no longer connect into a different zone and cannot ping the reth interface, the workstation can browse to the SRX web UI using the reth interface IP address. What also confuses me is that if I change the IP address of the workstation, the connection is good again. This only happens when the w/station is connected to a network with the SRX.

 

Any idea about the error below? Could this be related to our cluster setup? I think that when the cluster flaps, the MAC address confuses the switch. Has anyone encountered this problem before?

 

Thanks in advance.

 

Aug  4 15:36:26 15:36:26.703516:CID-1:THREAD_ID-05:RT:flow_ipv4_rt_lkup success 10.10.0.40, iifl 0x48, oifl 0x4

 

Aug  4 15:36:26 15:36:26.703518:CID-1:THREAD_ID-05:RT:  route lookup: dest-ip 10.10.0.40 orig ifp reth0.0 output_ifp fxp0.0 orig-zone 6 out-zone 1 vsd 1

 

Aug  4 15:36:26 15:36:26.703519:CID-1:THREAD_ID-05:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch

 

Aug  4 15:36:26 15:36:26.703520:CID-1:THREAD_ID-05:RT:  route to 10.10.0.40

 

Aug  4 15:36:26 15:36:26.773142:CID-1:THREAD_ID-10:RT:  route lookup failed: dest-ip 10.10.0.40 orig ifp reth0.0 output_ifp fxp0.0 fto 0xfe8242e0 orig-zone 6 out-zone 1 vsd 1

 

Aug  4 15:36:26 15:36:26.773143:CID-1:THREAD_ID-10:RT:  readjust timeout to 6 s

 

Aug  4 15:36:26 15:36:26.773143:CID-1:THREAD_ID-10:RT:ha_ifp: reth7.0

 

Aug  4 15:36:26 15:36:26.773144:CID-1:THREAD_ID-10:RT:  packet dropped,   pak dropped since re-route failed

 


Re: Client losing connectivity to SRX intermittently

‎08-04-2017 07:58 AM

Does it happen only after cluster failover?

What is the platform and Junos version?

Can you post cluster and interfaces configuration?

Can you check the ARP table on the host and compare the SRX MAC address during the problem and after it is resolved?

 

Regards, Wojtek


Re: Client losing connectivity to SRX intermittently

‎08-04-2017 07:10 PM

Does it happen only after cluster failover?

A. This is what I suspect. I physically turned off Node0 (primary) and node1 became active (at least that is what show cluster status said), then the host lost the connection but could still browse to the SRX WebUI. I restarted Node0 and, after a long wait, the host started working again.

 

What is the platform and Junos version?

A. 15.1 R5.5 D90.7

 

Can you post cluster and interfaces configuration?

A.

 

version 15.1X49-D90.7;
groups {
    node0 {
        system {
            host-name MTMFW01;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.0.10/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name MTMFW02;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.0.9/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";

********************************

chassis {
    cluster {
        reth-count 8;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            preempt;
        }
    }
}

 

 

**************

interfaces {
    xe-0/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    xe-0/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-0/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    xe-0/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    xe-0/0/4 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    xe-0/0/5 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    xe-0/0/6 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    xe-0/0/7 {
        gigether-options {
            redundant-parent reth7;
        }
    }
    xe-7/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    xe-7/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-7/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    xe-7/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    xe-7/0/4 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    xe-7/0/5 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    xe-7/0/6 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    xe-7/0/7 {
        gigether-options {
            redundant-parent reth7;
        }
    }
    reth0 {
        description ADMIN-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.10.0.1/24;
            }
        }
    }
    reth1 {
        description WLAN-ZONE;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 20;
            family inet {
                address 10.20.0.1/24;
            }
        }
        unit 1 {
            vlan-id 21;
            family inet {
                address 10.21.0.1/24;
            }
        }
        unit 2 {
            vlan-id 22;
            family inet {
                address 10.22.0.1/24;
            }
        }
        unit 3 {
            vlan-id 23;
            family inet {
                address 10.23.0.1/24;
            }
        }
    }
    reth2 {
        description LEARNING-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.30.0.1/24;
            }
        }
    }
    reth3 {
        description CCTV-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.40.0.1/24;
            }
        }
    }
    reth4 {
        description TELEPHONE-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.50.0.1/24;
            }
        }
    }
    reth7 {
        description UNTRUST-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.36.245/24;
            }
        }
    }
}

 

 

Can you check the ARP table on the host and compare the SRX MAC address during the problem and after it is resolved?

A. I will get this when I go back to the site. I had a look at the host ARP cache when I was troubleshooting it and the MAC address was the same.

 

What really drove me nuts is that if I change the IP address, the host starts working again. Could this be related to the firewall blocking the IP address for some reason?

 

Thanks Wojtek for taking time to help me. 


Re: Client losing connectivity to SRX intermittently

‎08-07-2017 09:37 PM

I think I might have found the problem. The problem only appeared on a host that I use to connect to both reth0 and fxp0. When I checked the ARP table on the SRX, the host MAC address had two entries: one from reth0 and the other learned from fxp0. When I unplugged the fxp0 and cleared the ARP cache, the problem disappeared (so far so good).

 

I have configured the fxp0 with an IP address that is on the same subnet as the reth0. I also connected the fxp port to the same VLAN on the switch, which I believe is fine as long as you don't connect to both interfaces.

 

Any opinion or comment on my setup? This will be a problem for the Junos Space Security Director as I will be using the fxp ports.

 

Thanks


Re: Client losing connectivity to SRX intermittently

‎08-08-2017 08:55 AM

Using the same subnet on two different interfaces is not a good idea.

You can find an explanation of one of the problems it causes here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB24928

Regards, Wojtek
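
A pre-deployment check for the condition identified in this thread, as an added example that is not part of the original posts: it walks Junos-style configuration text, collects every interface address (including fxp0 under the node groups) and reports different interfaces whose subnets overlap. The sample configuration is constructed from the addresses posted above, the function names are hypothetical, and the parser assumes no braces or semicolons inside quoted strings.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: compact Junos-style text using addresses posted in this thread.
SAMPLE_CONFIG = """
groups {
    node0 { interfaces { fxp0 { unit 0 { family inet { address 10.10.0.10/24; } } } } }
    node1 { interfaces { fxp0 { unit 0 { family inet { address 10.10.0.9/24; } } } } }
}
interfaces {
    xe-0/0/0 { gigether-options { redundant-parent reth0; } }
    reth0 { unit 0 { family inet { address 10.10.0.1/24; } } }
    reth1 { vlan-tagging; unit 1 { vlan-id 21; family inet { address 10.21.0.1/24; } } }
    reth2 { unit 0 { family inet { address 10.30.0.1/24; } } }
}
"""

def interface_addresses(config):
    """Return [(logical interface, ip_interface)] for each 'address' leaf under 'interfaces'."""
    path, words, found = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", config):
        if tok == "{":                      # open a stanza named by the words seen so far
            path.append(" ".join(words))
            words = []
        elif tok == "}":                    # close the current stanza
            path.pop()
            words = []
        elif tok == ";":                    # end of a leaf statement
            if words[:1] == ["address"] and "interfaces" in path:
                i = path.index("interfaces")
                unit = path[i + 2].split()[1]          # "unit 0" -> "0"
                found.append((f"{path[i + 1]}.{unit}", ipaddress.ip_interface(words[1])))
            words = []
        else:
            words.append(tok)
    return found

def overlapping_subnets(addrs):
    """Return sorted, de-duplicated pairs of different interfaces with overlapping subnets."""
    hits = set()
    for (if_a, a), (if_b, b) in combinations(addrs, 2):
        # The same logical interface on node0 and node1 (fxp0.0) is expected to share a subnet.
        if if_a != if_b and a.network.overlaps(b.network):
            hits.add((if_a, if_b, str(a.network), str(b.network)))
    return sorted(hits)

if __name__ == "__main__":
    for if_a, if_b, net_a, net_b in overlapping_subnets(interface_addresses(SAMPLE_CONFIG)):
        print(f"overlap: {if_a} ({net_a}) and {if_b} ({net_b})")
```
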
