SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configuration is not properly committing in SRX100 firewall

    Posted 03-24-2014 05:53

    Hi,

    We are trying to deploy 2 isolated Lync setups, for which we are using two Juniper SRX100 firewalls.

    We deployed one setup successfully with an SRX100. But when we try to load the same configuration (only the VLANs are changed) on the 2nd firewall, the setup is not working as expected.

    When I compare the two firewalls' web UI configurations, I notice that Static routing and Class of services (value alias and forwarding class) are not displaying any data or configuration.

    In the working SRX I am able to see the Static routing and Class of services configs.

    Note: both config files are the same; only the VLAN ID is different.

    Please suggest how to troubleshoot.

    I have attached the working and non-working firewall configurations.

    Things I have tried:

    I reset the SRX and tried to upload again.

    I used "load override terminal" for loading the configuration.

    I am not receiving any error while committing.

    I compared both the files... Both are the same...

    Please let me know if you need any more info. I have been trying hard for 3 days, but still no clue.

     

    Thanks,

    Rajarajan.D

    Attachment(s)

    working_Fw config.txt (txt, 41 KB)
    Non working FW config.txt (txt, 41 KB)


  • 2.  RE: Configuration is not properly committing in SRX100 firewall

    Posted 03-24-2014 20:47

    I tried applying both the configs on the SRX Firefly VMs and I was able to commit both the configurations without any error. Have you got the same firmware versions on both the SRXs?

     

    Just curious about the interfaces defined in the routing instances though.

     

    w13edge {
        instance-type virtual-router;
        interface fe-0/0/3.32;
        routing-options {
            interface-routes {
                rib-group inet w13edge-to-inet0;
            }
        }
    }
    w13int {
        instance-type virtual-router;
        interface fe-0/0/3.30;
        interface fe-0/0/3.31;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 15.1.15.15;
            }
        }
    }

     

    The 30, 31 and 32 tags aren't defined anywhere, are they? Noticed this because they show up with errors when I applied the config on mine.

     

    interface fe-0/0/3.32; ## 'ge-0/0/3.32' is not defined
    interface fe-0/0/3.30; ## 'ge-0/0/3.30' is not defined
    interface fe-0/0/3.31; ## 'ge-0/0/3.31' is not defined
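The "is not defined" annotations above are what the commit check reports when a routing instance references a logical unit that does not exist under [edit interfaces]. The following Python script is an added example, not code from this thread or from Juniper: it parses a Junos-style curly-brace configuration (the "show configuration" format, not "set" commands) and lists such dangling references before the config is loaded. The sample configuration inside it is constructed; only the fe-0/0/3 unit names come from the snippet above.

```python
# Constructed sample: three units are referenced by routing instances, two exist.
SAMPLE_CONFIG = """
interfaces {
    fe-0/0/3 {
        unit 30 {
            vlan-id 30;
        }
        unit 31 {
            vlan-id 31;
        }
    }
}
routing-instances {
    w13edge {
        instance-type virtual-router;
        interface fe-0/0/3.32;
    }
    w13int {
        interface fe-0/0/3.30;
        interface fe-0/0/3.31;
    }
}
"""


def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    stack = [{}]                      # stack[-1] is the block currently being filled
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()   # drop '## ...' commit annotations
        if not line:
            continue
        if line.endswith("{"):        # open a block and descend into it
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":             # close the block and return to its parent
            stack.pop()
        else:                         # leaf statement such as 'vlan-id 30;'
            stack[-1][line.rstrip(";")] = None
    return stack[0]


def defined_units(cfg):
    """Logical interfaces (e.g. 'fe-0/0/3.30') that exist under [edit interfaces]."""
    return {f"{ifn}.{k.split()[1]}" for ifn, body in cfg.get("interfaces", {}).items()
            for k in (body or {}) if k.startswith("unit ")}


def undefined_ri_interfaces(cfg):
    """(routing-instance, unit) pairs that reference a unit which is not defined."""
    have = defined_units(cfg)
    return [(ri, k.split()[1]) for ri, body in cfg.get("routing-instances", {}).items()
            for k in (body or {}) if k.startswith("interface ") and k.split()[1] not in have]
```

Run it over the text of each saved config file (for example the two attachments in the first post) and diff the two result lists; a non-empty list on one box and an empty one on the other is the kind of difference the web UI comparison described above would not show.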



  • 3.  RE: Configuration is not properly committing in SRX100 firewall
    Best Answer

    Posted 03-25-2014 00:10

    Both SRX100 firewalls are new, and both have the same version:

    Model: srx100h
    JUNOS Software Release [11.4R7.5]

     

    Yes, we are not defining w13edge and w13int or interfaces 30, 31, 32.

    We are using the routing instances below:

     

    routing-instances {
        boredge {
            instance-type virtual-router;
            interface fe-0/0/1.785;
            routing-options {
                interface-routes {
                    rib-group inet boredge-to-inet0;
                }
            }
        }
        borint {
            instance-type virtual-router;
            interface fe-0/0/1.778;
            interface fe-0/0/1.784;
            routing-options {
                static {
                    route 192.168.0.0/16 next-hop 192.168.10.1;
                    route 0.0.0.0/0 next-hop 172.25.33.1;
                }
            }
        }
        fededge {
            instance-type virtual-router;
            interface fe-0/0/3.789;
            routing-options {
                interface-routes {
                    rib-group inet fededge-to-inet0;
                }
            }
        }
        fedint {
            instance-type virtual-router;
            interface fe-0/0/3.787;
            interface fe-0/0/3.788;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 182.25.33.1;
                }
            }
        }
    }

     

    But the server (VLAN785) behind the firewall is not able to ping 192.168.10.1 (VLAN778), and vice versa...

    But in the working FW configuration, where only the VLANs are changed, I am able to ping the server behind the firewall.

    Both configs are the same, only the VLANs are changed, but I am seeing different behaviour with the firewall.

    I have attached the topology of my setup as well; all details are mentioned there.

     

    /Rajan



  • 4.  RE: Configuration is not properly committing in SRX100 firewall

    Posted 03-25-2014 00:23

    If you look at the topology, we are using a single FW to replicate the whole scenario (it performs the function of two FWs). Now the issue we are facing is that we are not able to ping from the edge server to the other network or virtual router; we believe the FW is blocking this.

    Please suggest how to troubleshoot it.

     

    /Rajan



  • 5.  RE: Configuration is not properly committing in SRX100 firewall

    Posted 03-25-2014 01:12

    Turn on security flow traceoptions with flag basic-datapath, and set the packet filter to match source server to destination and vice versa. Do this on both SRXs. Compare working with non-working after the ping test.

     

    set security flow traceoptions file PACKET-CAPTURE
    set security flow traceoptions file size 1m
    set security flow traceoptions file files 5
    set security flow traceoptions file world-readable
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter input source-prefix <>
    set security flow traceoptions packet-filter input destination-prefix <>
    set security flow traceoptions packet-filter input destination-port <>
    set security flow traceoptions packet-filter egress source-prefix <>
    set security flow traceoptions packet-filter egress destination-prefix <>
    set security flow traceoptions packet-filter egress source-port <>
    when done:
    deactivate security flow traceoptions

    Source and destination port are optional; they just narrow it down to specific traffic such as ICMP.

    I could not get the option to set the logging level :(



    >show log PACKET-CAPTURE



  • 6.  RE: Configuration is not properly committing in SRX100 firewall

    Posted 03-26-2014 05:26

    The issue is now resolved; we reset the device and uploaded the config again.



  • 7.  RE: Configuration is not properly committing in SRX100 firewall

    Posted 03-26-2014 11:01

    Okay. Mark your solution as accepted. I looked over the config line by line and it looked like it should have been working. I wish there was a way to save not just the config, but the system files and state as it exists, so Juniper could reproduce the issue and tell exactly what was the problem. Kind of like imaging the device. Okay, well done.