SRX Services Gateway

Configuration is not properly committing in SRX100 firewall

03-24-2014 05:52 AM

Hi,

We are trying to deploy 2 isolated Lync set-ups, for which we are using two Juniper SRX100 firewalls.

We deployed one set-up successfully with the SRX100. But when we try to load the same configuration (only the VLANs are changed) on the 2nd firewall, the set-up is not working as expected.

When I compare the two firewalls' web UI configuration, I notice that Static routing and Class of services (value alias and forwarding class) are not displaying any data or configuration.

In the working SRX I am able to see the Static routing and Class of services configs.

Note: both config files are the same; only the VLAN ID is different.

Please suggest how to troubleshoot.

I have attached the working and non-working firewall configurations.

Things I have tried:

I reset the SRX and tried to upload.

I used "load override terminal" to load the configuration.

I am not receiving any error while committing.

I compared both the files. Both are the same.

Please let me know if you need any more info. I have been trying hard for 3 days, but still no clue.

Thanks,

Rajarajan.D


Re: Configuration is not properly committing in SRX100 firewall

03-24-2014 08:47 PM

I tried applying both the configs on the SRX Firefly VMs and I was able to commit both the configurations without any error. Have you got the same firmware versions on both the SRXs?

Just curious about the interfaces defined in the routing instances though.

w13edge {
    instance-type virtual-router;
    interface fe-0/0/3.32;
    routing-options {
        interface-routes {
            rib-group inet w13edge-to-inet0;
        }
    }
}
w13int {
    instance-type virtual-router;
    interface fe-0/0/3.30;
    interface fe-0/0/3.31;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 15.1.15.15;
        }
    }
}

The 30, 31 and 32 tags aren't defined anywhere, are they? Noticed this because they show up with errors when I applied the config on mine.

interface fe-0/0/3.32; ## 'ge-0/0/3.32' is not defined
interface fe-0/0/3.30; ## 'ge-0/0/3.30' is not defined
interface fe-0/0/3.31; ## 'ge-0/0/3.31' is not defined
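To make the check in this reply mechanical (an added example, not code from the thread or from Juniper): the script below parses a brace-style Junos configuration and lists every routing-instance interface that has no matching unit under [edit interfaces], which is exactly what commit warns about with "is not defined". The sample configuration is constructed and deliberately leaves fe-0/0/3.30, .31 and .32 undefined while defining units 787 and 788.

```python
import re

# Constructed sample (not from the thread): units 787/788 exist, but w13edge and
# w13int reference fe-0/0/3.30/.31/.32, for which no "unit" statement exists.
SAMPLE_CONFIG = """
interfaces {
    fe-0/0/3 {
        unit 787 { vlan-id 787; family inet { address 10.0.87.1/24; } }
        unit 788 { vlan-id 788; family inet { address 10.0.88.1/24; } }
    }
}
routing-instances {
    w13edge { instance-type virtual-router; interface fe-0/0/3.32; }
    w13int { instance-type virtual-router; interface fe-0/0/3.30; interface fe-0/0/3.31; }
    fedint { instance-type virtual-router; interface fe-0/0/3.787; }
}
"""

def parse_junos(text):
    """Brace-structured Junos config -> nested dicts; leaf statements map to None."""
    root = cur = {}
    stack = []  # enclosing blocks, innermost last
    for tok in (t.strip() for t in re.findall(r"[^{};]+[{;]|}", text)):
        if tok == "}":
            cur = stack.pop()
        elif tok.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(tok[:-1].strip(), {})
        else:
            cur[tok[:-1].strip()] = None  # e.g. "interface fe-0/0/3.32"
    return root

def defined_units(cfg):
    """Logical interfaces ('ifd.unit') defined under [edit interfaces]."""
    return {f"{ifd}.{s.split()[1]}"
            for ifd, body in (cfg.get("interfaces") or {}).items()
            for s in (body or {}) if s.startswith("unit ")}

def undefined_instance_interfaces(text):
    """{instance: [interfaces referenced but never defined]}; empty means the check passes."""
    cfg, missing = parse_junos(text), {}
    defined = defined_units(cfg)
    for name, body in (cfg.get("routing-instances") or {}).items():
        refs = [s.split()[1] for s in (body or {}) if s.startswith("interface ")]
        if any(r not in defined for r in refs):
            missing[name] = [r for r in refs if r not in defined]
    return missing
```

Run it against the configuration of each SRX (show configuration, brace format) before committing; a non-empty result is the same mismatch the commit warnings above point at.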

Solution (accepted by topic author rajarajandayalan@gmail.com, 08-26-2015 01:27 AM)

Re: Configuration is not properly committing in SRX100 firewall

03-25-2014 12:09 AM

Both SRX100 firewalls are new, and both have the same version:

Model: srx100h
JUNOS Software Release [11.4R7.5]

Yes, we are not defining w13edge and w13int and interfaces 30, 31, 32.

We are using the routing instances below:

routing-instances {
    boredge {
        instance-type virtual-router;
        interface fe-0/0/1.785;
        routing-options {
            interface-routes {
                rib-group inet boredge-to-inet0;
            }
        }
    }
    borint {
        instance-type virtual-router;
        interface fe-0/0/1.778;
        interface fe-0/0/1.784;
        routing-options {
            static {
                route 192.168.0.0/16 next-hop 192.168.10.1;
                route 0.0.0.0/0 next-hop 172.25.33.1;
            }
        }
    }
    fededge {
        instance-type virtual-router;
        interface fe-0/0/3.789;
        routing-options {
            interface-routes {
                rib-group inet fededge-to-inet0;
            }
        }
    }
    fedint {
        instance-type virtual-router;
        interface fe-0/0/3.787;
        interface fe-0/0/3.788;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 182.25.33.1;
            }
        }
    }
}

But the server (VLAN 785) behind the firewall is not able to ping 192.168.10.1 (VLAN 778), and vice versa.

But in the working FW configuration, only the VLANs are changed, and I am able to ping the server behind the firewall.

Both configs are the same, only the VLANs are changed, but I am seeing different behaviour with the firewall.

I have attached the topology of my set-up as well. All details are mentioned there.

/Rajan


Re: Configuration is not properly committing in SRX100 firewall

03-25-2014 12:23 AM

If you look at the topology, we are using a single FW to replicate the whole scenario (which does two FW functions). The issue we are now facing is that we are not able to ping from the edge server to the other network or virtual router. We believe the FW is blocking this.

Please suggest how to troubleshoot it.

/Rajan


Re: Configuration is not properly committing in SRX100 firewall

03-25-2014 01:12 AM

Turn on security flow traceoptions, flag basic-datapath, and set the packet filter to match source server to destination and vice versa. Do this on both SRXs. Compare working with non-working after the ping test.

set security flow traceoptions file PACKET-CAPTURE
set security flow traceoptions file size 1m
set security flow traceoptions file files 5
set security flow traceoptions file world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter input source-prefix <>
set security flow traceoptions packet-filter input destination-prefix <>
set security flow traceoptions packet-filter input destination-port <>
set security flow traceoptions packet-filter egress source-prefix <>
set security flow traceoptions packet-filter egress destination-prefix <>
set security flow traceoptions packet-filter egress source-port <>
When done:
deactivate security flow traceoptions

Source and destination port are optional; they just narrow the capture down to specific traffic such as ICMP.
I could not get the option to set the logging level :(

> show log PACKET-CAPTURE

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: Configuration is not properly committing in SRX100 firewall

03-26-2014 05:25 AM

The issue is now resolved. We reset the device and uploaded the config again.


Re: Configuration is not properly committing in SRX100 firewall

03-26-2014 11:01 AM

Okay. Mark your solution as accepted. I looked over the config line by line and it looked like it should have been working. I wish there was a way to save not just the config, but the system files and state as it exists, so Juniper could reproduce the issue and tell exactly what was the problem. Kind of like imaging the device. Okay, well done.