SRX Services Gateway

How to log in directly into a logical system using a reth interface on an SRX

a week ago

Hello,

We have a chassis cluster of two SRX 1400s (12.3X48-D75.4) and two logical systems (we have two different clients).

One of the clients wants to have access to the cluster only in read-only mode. So we need to create a user with ro rights, but only for one of the logical systems, which we did:

 

set system login class user-a_adm logical-system CUST-A
set system login class user-a_adm permissions all

set system login user user-a uid 2006
set system login user user-a class user-a_adm
set system login user user-a authentication encrypted-password "$1$wpX43wh/$72Z.mCxGrv/WPNtC3zlpA0"

 

And we have a Linux box (the Junos Space CLI) on the same network as the management interfaces (fxp0) of the firewalls. If we try to log in from there to the IP of the management interface of the firewall, it WORKS like a charm. Everything is perfect.

But if we try to log in to a reth interface it doesn't work, even if I permit all or only ssh:

 

set security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ping
set security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ssh

 

Ping works, but we cannot ssh into the device.

 

Has anyone had such a problem/scenario? If yes, any advice on how to do it?

If I allow "host-inbound-traffic system-services all" it still doesn't work.

Thank you.

 

 

1 ACCEPTED SOLUTION

Accepted by topic author marius-craiu, 8 hours ago

Re: How to log in directly into a logical system using a reth interface on an SRX

Hello,

 

> Is the management PC directly connected to the SRX (same subnet) or is it in a remote subnet?

-- it is on a remote subnet

 

> Are you able to ping the PC from the logical system?

-- yes

 

> Are you getting any prompt/message while trying ssh from PC?

--no, just: Trying....

 

> Try to do a packet capture "monitor traffic interface reth1.2139 no-resolve" and then initiate ssh

-- I did. SSH traffic is not showing. I think it is not permitted by default, even if I allow it.

 

I think I found the solution; the problem is that I don't know how to implement it.

The problem is that this SRX 1400 is not allowing an SSH connection to an interface which is bound to a logical system.

I have to create an interface at the master logical system and then route between the logical system and routing instances.

I don't know how to do that, but I am reading about routing on the Juniper website now.

 

Anyway, thank you very much, guys, for the help.

I will mark this as a solution. I will post the answer after I've learned how to implement that.

Thank you.

10 REPLIES

Re: How to log in directly into a logical system using a reth interface on an SRX

a week ago

I hope the interface reth1.2139 is part of logical system CUST-A. As per the given configuration, the security zone is defined in the root logical system. You have to define the security zone inside logical system CUST-A, assign the interface to it, and then allow host-inbound traffic as given below.

set logical-systems CUST-A security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ssh

 

 

 

Thanks,
Nellikka
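The point Nellikka raises above (the zone and its host-inbound-traffic allow-list must live in the same logical system that owns the reth unit, otherwise the allow never applies) and the original poster's requirement that the login class be confined to one logical system can both be checked mechanically. The following linter over a Junos set-format configuration is an added example, written for this thread; it is not code from the thread, from Juniper, or from any Junos tool. Interface, zone, class and user names are taken from the thread; the VLAN ID and IP address in the two constructed sample configs are made up. Note that the original poster later states his zone really is configured inside the logical system, so this check would pass on his real configuration; it catches the misplacement Nellikka suspected and an unscoped login class, nothing more.

```python
"""Added example: lint a Junos 'set'-format config for two things discussed
in this thread. Not from the thread or from Juniper; sample configs below
are constructed (the names come from the thread, addresses are made up).

1. host-inbound-traffic for an interface unit must be configured in the
   logical system that owns the unit (an allow under root for a unit bound
   to CUST-A never applies).
2. A login user meant for one customer must use a class that carries
   'logical-system <name>'.
"""
from collections import defaultdict

ROOT = "root"   # name used here for the master/root logical system

# Constructed sample: allow in root, unit bound to CUST-A -> ssh never allowed.
BAD_CFG = """\
set logical-systems CUST-A interfaces reth1 unit 2139 vlan-id 2139
set logical-systems CUST-A interfaces reth1 unit 2139 family inet address 192.0.2.1/24
set security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ping
set security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ssh
set system login class user-a_adm permissions all
set system login user user-a uid 2006
set system login user user-a class user-a_adm
"""

# Constructed sample: zone and unit both under CUST-A, class scoped -> ok.
GOOD_CFG = """\
set logical-systems CUST-A interfaces reth1 unit 2139 vlan-id 2139
set logical-systems CUST-A interfaces reth1 unit 2139 family inet address 192.0.2.1/24
set logical-systems CUST-A security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ping
set logical-systems CUST-A security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ssh
set system login class user-a_adm logical-system CUST-A
set system login class user-a_adm permissions all
set system login user user-a uid 2006
set system login user user-a class user-a_adm
"""


def _statements(text):
    """Yield (logical_system, tokens) for every 'set ...' line."""
    for raw in text.splitlines():
        tok = raw.strip().split()
        if len(tok) < 2 or tok[0] != "set":
            continue
        tok = tok[1:]
        if tok[0] == "logical-systems" and len(tok) > 2:
            yield tok[1], tok[2:]          # statement scoped to a user lsys
        else:
            yield ROOT, tok                # statement in the root lsys


def collect(text):
    """Return (unit_owner, allows): the lsys owning each ifl, and the
    system-services allowed per (lsys, ifl) through a zone's host-inbound-traffic."""
    unit_owner = {}
    allows = defaultdict(set)
    for lsys, t in _statements(text):
        if len(t) >= 4 and t[0] == "interfaces" and t[2] == "unit":
            unit_owner[f"{t[1]}.{t[3]}"] = lsys
        if (len(t) >= 9 and t[0:3] == ["security", "zones", "security-zone"]
                and t[4] == "interfaces"
                and t[6:8] == ["host-inbound-traffic", "system-services"]):
            allows[(lsys, t[5])].add(t[8])
    return unit_owner, allows


def ssh_allowed(text, ifl):
    """True only if 'ssh' or 'all' is allowed on ifl in the lsys that owns it."""
    unit_owner, allows = collect(text)
    owner = unit_owner.get(ifl, ROOT)
    return bool({"ssh", "all"} & allows[(owner, ifl)])


def audit(text):
    """Findings for host-inbound-traffic configured in the wrong logical system."""
    unit_owner, allows = collect(text)
    findings = []
    for (lsys, ifl), services in sorted(allows.items()):
        owner = unit_owner.get(ifl, ROOT)
        if owner != lsys:
            findings.append(f"{ifl}: host-inbound-traffic {sorted(services)} set in "
                            f"logical system '{lsys}' but the unit is owned by '{owner}'")
    return findings


def user_scopes(text):
    """Map login user -> logical system its class is confined to (None if unscoped)."""
    class_lsys, user_class = {}, {}
    for _, t in _statements(text):
        if t[:3] == ["system", "login", "class"] and len(t) >= 6 and t[4] == "logical-system":
            class_lsys[t[3]] = t[5]
        if t[:3] == ["system", "login", "user"] and len(t) >= 6 and t[4] == "class":
            user_class[t[3]] = t[5]
    return {u: class_lsys.get(c) for u, c in user_class.items()}


if __name__ == "__main__":
    for name, cfg in (("BAD", BAD_CFG), ("GOOD", GOOD_CFG)):
        print(name, "ssh allowed on reth1.2139:", ssh_allowed(cfg, "reth1.2139"))
        for finding in audit(cfg):
            print("   ", finding)
        print("    user scopes:", user_scopes(cfg))
```

Run it against `show configuration | display set` output saved to a file; `audit()` returning an empty list and `ssh_allowed()` returning True for the unit you are connecting to is the precondition Nellikka describes, not a guarantee that SSH will answer (a firewall filter on lo0 or the reth, a missing route back to the client, or a problem in the flow daemon can still block it).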
Re: How to log in directly into a logical system using a reth interface on an SRX

a week ago

Hello Nellikka,

Thank you for the reply.

But, yes, the host-inbound traffic is configured for the security zone at the logical system for the customer, and not in the root logical system.

The behavior is very strange (from my point of view). I mean, when the host-inbound traffic is not configured at all for the interface, then no traffic is allowed to the device through this interface, which is normal. When I allow ping, then ping to the interface works, but when I allow ssh, it doesn't work.
I think there may be a config needed between logical systems, but I am not sure.

 

 

Re: How to log in directly into a logical system using a reth interface on an SRX

a week ago

If the interface is part of the logical system and host-inbound traffic is allowed, it should work. No additional configuration is required. Please check whether you have any firewall filter applied at the loopback interface or the reth interface.

 

Thanks,
Nellikka
Re: How to log in directly into a logical system using a reth interface on an SRX

a week ago

Hi,

There are no additional firewall filters on the firewall.

And I am trying to reach the firewall from another device which is directly connected to the firewall.

Re: How to log in directly into a logical system using a reth interface on an SRX

Friday

Might be an obvious thing, but do you have system services ssh configured? 

Regards,

Yasmin Lara
Sunset Learning Institute (SLI)
Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps
Re: How to log in directly into a logical system using a reth interface on an SRX

Friday

- Also, do you have any policy from zone x to zone junos-host?

- Are you trying to ssh into the directly connected interface or to another interface (e.g. loopback)? Sounds like you are trying the directly connected interface, but if you are trying to reach a different interface, even in the same zone, policy is required. 

Regards,

Yasmin Lara

Re: How to log in directly into a logical system using a reth interface on an SRX

Friday

You can also try something like this and see if you can figure out what was preventing ssh connections from being established.


[edit security flow traceoptions]
lab@vSRX-1# show | display set relative
set file ssh-inbound
set flag basic-datapath
set packet-filter SSH destination-port ssh


lab@vSRX-1> show log ssh-inbound

 

Yasmin Lara

Re: How to log in directly into a logical system using a reth interface on an SRX

Sunday

Hello,

"Might be an obvious thing, but do you have system services ssh configured?"

-- yes, SSH is enabled on the device. I can reach the device through the management interface, fxp0, but my problem is that I cannot reach the device through a revenue port, I mean a reth interface which is bound to a logical system. And there I need to allow only the host-inbound traffic for ssh.

 

"Also, do you have any policy from zone x to zone junos-host?"

-- no, I don't. I have a similar setup for another customer, but there are no logical systems, and likewise I only have to allow the host-inbound traffic for ssh, and it works.

 

"Are you trying to ssh into the directly connected interface or to another interface (e.g. loopback)? Sounds like you are trying the directly connected interface, but if you are trying to reach a different interface, even in the same zone, policy is required. "

-- I am trying to reach a directly connected interface, not the loopback interface or another interface.

 

Yes, it's a good idea to use the traceoption feature.

I also think that what I am trying to do is not possible. I mean, I had a similar problem when I integrated the Log Collector for the devices. The config had to be done at the root level and the traffic had to go through a revenue port.

Like I said, I am able to log in to the device directly into the logical system, but only through the fxp0 interface, which is configured at the root level and is not bound to any logical system. The device is an SRX 1400, and the version is 12.3X48-D75.4, and I think I need to create a new interface at the root level and then enable routing between the logical system and the master logical system.

At least that's what I think. I didn't find anything else that could help me.

 

But, thank you.

 

 

Re: How to log in directly into a logical system using a reth interface on an SRX

Sunday

Hi Marius-craiu,

I tested your scenario on an SRX5800 and it worked for me without any issue. Could you answer the queries below?

> Is the management PC directly connected to the SRX (same subnet) or is it in a remote subnet?

> Are you able to ping the PC from the logical system?

> Are you getting any prompt/message while trying ssh from the PC?

> Try to do a packet capture "monitor traffic interface reth1.2139 no-resolve" and then initiate ssh

 

Thanks,
Nellikka