SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

How to login directly into a logical system using a reth interface into SRX

  • 1.  How to login directly into a logical system using a reth interface into SRX

    Posted 04-15-2019 06:20

    Hello,

    We have a chassis cluster of two SRX 1400s (12.3X48-D75.4) and two logical systems (we have two different clients).

    One of the clients wants to have access to the cluster only in read-only mode. So we need to create a user with read-only rights but only for one of the logical systems, which we did:


    set system login class user-a_adm logical-system CUST-A
    set system login class user-a_adm permissions all

    set system login user user-a uid 2006
    set system login user user-a class user-a_adm
    set system login user user-a authentication encrypted-password "$1$wpX43wh/$72Z.mCxGrv/WPNtC3zlpA0"


    And we have a Linux box (the Junos Space CLI) in the same network as the management interfaces (fxp0) of the firewalls. If we try to log in from there to the IP of the management interface of the firewall, it WORKS like a charm. Everything is perfect.

    But if we try to log in via a reth interface, it doesn't work, even if I permit all or only ssh:


    set security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ping
    set security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ssh


    Ping works, but we cannot ssh into the device.


    Has anyone had such a problem/scenario? If yes, any advice on how to do it?

    If I allow "host-inbound-traffic system-services all" it still doesn't work.

    Thank you.


  • 2.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-15-2019 07:56

    I hope the interface reth1.2139 is part of logical system CUST-A. As per the given configuration, the security zone is defined in the root logical system. You have to define the security zone inside logical system CUST-A, assign the interface to it, and then allow host-inbound traffic as given below.

    set logical-systems CUST-A security zones security-zone DMZ01-AP interfaces reth1.2139 host-inbound-traffic system-services ssh




  • 3.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-16-2019 00:24

    Hello Nellikka,

    Thank you for the reply.

    But, yes, the host-inbound traffic is configured for the security zone at the logical system for the customer, and not in the root logical system.

    The behavior is very strange (from my point of view). I mean, when the host-inbound traffic is not configured at all for the interface, then no traffic is allowed to the device through this interface, which is normal. When I allow ping, then ping to the interface works, but when I allow ssh, it doesn't work.
    I think there may be a config needed between logical systems, but I am not sure.




  • 4.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-16-2019 00:41

    If the interface is part of the logical system and host-inbound traffic is allowed, it should work. No additional configuration is required. Please check whether you have any firewall filter applied at the loopback interface or the reth interface.




  • 5.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-16-2019 05:03

    Hi,

    there are no additional firewall filters on the firewall.

    And I am trying to reach the firewall from another device which is directly connected to the firewall.

    😞



  • 6.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-19-2019 07:42

    Might be an obvious thing, but do you have system services ssh configured? 

    Regards,



  • 7.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-19-2019 07:50

    - Also, do you have any policy from zone x to zone junos-host?

    - Are you trying to ssh into the directly connected interface or to another interface (e.g. loopback)? Sounds like you are trying the directly connected interface, but if you are trying to reach a different interface, even in the same zone, policy is required. 

    Regards,



  • 8.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-19-2019 07:55

    You can also try something like this, and see if you can figure out what was preventing ssh connections from being established.


    [edit security flow traceoptions]
    lab@vSRX-1# show | display set relative
    set file ssh-inbound
    set flag basic-datapath
    set packet-filter SSH destination-port ssh


    lab@vSRX-1> show log ssh-inbound




  • 9.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-21-2019 23:28

    Hello,

    "Might be an obvious thing, but do you have system services ssh configured?"

    -- yes, SSH is enabled on the device. I can reach the device through the management interface, fxp0, but my problem is that I cannot reach the device through a revenue port, I mean a reth interface which is bound to a logical system. And there I need to allow only the host-inbound traffic for ssh.


    "Also, do you have any policy from zone x to zone junos-host?"

    -- no, I don't. I have a similar setup for another customer, but there are no logical systems, and likewise I only have to allow the host-inbound traffic for ssh, and it works.


    "Are you trying to ssh into the directly connected interface or to another interface (e.g. loopback)? Sounds like you are trying the directly connected interface, but if you are trying to reach a different interface, even in the same zone, policy is required. "

    -- I am trying to reach a directly connected interface, not the loopback interface or another interface.


    Yes, it's a good idea to use the traceoption feature.

    I also think that what I am trying to do is not possible. I mean, I had a similar problem when I integrated the Log Collector for the devices. And the config had to be done at the root level and the traffic had to go through a revenue port.

    Like I said, I am able to log in to the device directly into the logical system, but only through the fxp0 interface, which is configured at the root level and is not bound to any logical system. The device is an SRX 1400, and the version is 12.3X48-D75.4, and I think I need to create a new interface at the root level and then enable routing between the logical system and the master logical system.

    At least that's what I think. I didn't find anything else that could help me.


    But, thank you.




  • 10.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 04-21-2019 23:42

    Hi Marius-craiu,

    I tested your scenario in srx5800 and it worked for me without any issue. Could you answer below queries?

    >  is the management PC directly connected to SRX (same subnet) or it is in a remote subnet?

    > Are you able to ping PC from logical system?

    > Are you getting any prompt/message while trying ssh from PC?

    > Try to do packet capture "monitor traffic interface reth1.2139 no-resolve" and then initiate ssh 
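    The flow trace from reply 8 and the packet capture from reply 10, combined into one troubleshooting sequence. This is an added example, not configuration from any post in this thread. The trace file name ssh-inbound, the management host 198.51.100.10 and the address 192.0.2.1 on reth1.2139 are placeholders; the traceoptions sit at the root level of the configuration, as in reply 8, and the packet filter is narrowed to the one SSH flow so the trace file is not flooded by every other session on the cluster.

```junos
# Added example, not from the thread. Placeholders: 198.51.100.10 = management host,
# 192.0.2.1 = address on reth1.2139, ssh-inbound = trace file name.
#
# 1. Flow trace limited to the SSH handshake from the management host (configure mode, root level).
set security flow traceoptions file ssh-inbound
set security flow traceoptions file size 1m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter SSH protocol tcp
set security flow traceoptions packet-filter SSH source-prefix 198.51.100.10/32
set security flow traceoptions packet-filter SSH destination-prefix 192.0.2.1/32
set security flow traceoptions packet-filter SSH destination-port 22
commit
#
# 2. Start the ssh attempt from the management host, then see what the flow engine did with it.
run show log ssh-inbound | last 60
run show security flow session destination-port 22
#
# 3. Confirm the SYN reaches the interface at all. In a chassis cluster, run this on the node
#    that is currently primary for the redundancy group reth1 belongs to.
run monitor traffic interface reth1.2139 matching "tcp port 22" no-resolve
#
# 4. Remove the trace when finished; flow tracing costs CPU on a production firewall.
delete security flow traceoptions
commit
```

    If step 3 shows the SYN arriving but step 2 shows no session and no trace entry, the packet never entered the flow path as host-inbound traffic for that interface; if a session is created but the handshake never completes, the trace usually names the zone, policy or filter that dropped it.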




  • 11.  RE: How to login directly into a logical system using a reth interface into SRX
    Best Answer

    Posted 04-23-2019 00:16

    Hello,


    >  is the management PC directly connected to SRX (same subnet) or it is in a remote subnet?

    -- it is on a remote subnet


    > Are you able to ping PC from logical system?

    -- yes


    > Are you getting any prompt/message while trying ssh from PC?

    --no, just: Trying....


    > Try to do packet capture "monitor traffic interface reth1.2139 no-resolve" and then initiate ssh

    --I did. SSH traffic is not showing. I think it is not permitted by default, even if I allow it.


    I think I found the solution, the problem is that I don't know to implement it.

    The problem is that this SRX 1400 is not allowing SSH connections to an interface which is bound to a logical system.

    I have to create an interface at the master logical system and then route between the logical system and routing instances.

    I don't know how to do that, but I am reading now on the juniper website about routing.


    Anyway. Thank you very much guys for the help.

    I will mark this as a solution. I will post the answer after I've learned how to implement that.

    Thank you.



  • 12.  RE: How to login directly into a logical system using a reth interface into SRX

    Posted 05-14-2019 11:15

    Hello,

    Just for info.

    I found that you cannot ssh into an interface which belongs to a logical system. You have to ssh to an interface that belongs to the master logical system (the default one, as if you don't have any logical system at all), and then it will redirect you (based on the rights of the user that you have configured) into the specific logical system.

    So that's it. It is different from one device to another and from one software version to another.

    Anyway. Thank you for taking the time.
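    The conclusion of reply 12 as a complete configuration: the SSH target is an interface owned by the master (root) logical system, and the login class, not the interface, decides which logical system the user lands in. This is an added example, not configuration posted in this thread. The sub-interface reth0.100 with VLAN 100 and address 192.0.2.1/24, the management subnet 192.0.2.0/24, the zone MGMT, the class cust-a-ro and the filter PROTECT-RE are placeholders. Two points a practitioner would want beyond the thread: the original post asked for a read-only user but configured "permissions all", which lets the user change the logical system's configuration, so the class below uses view and view-configuration instead; and a loopback filter restricts who may open SSH to the Routing Engine at all, whichever interface the connection arrives on (this is also the kind of filter reply 4 says to check for when SSH unexpectedly fails).

```junos
# Added example, not from the thread. Placeholders: reth0 unit 100 / VLAN 100 /
# 192.0.2.1/24 for the management sub-interface, 192.0.2.0/24 for the management
# subnet, zone MGMT, login class cust-a-ro, filter PROTECT-RE.
#
# Management sub-interface left in the master logical system: it is deliberately
# NOT listed under any "logical-systems <name> interfaces" stanza.
set interfaces reth0 unit 100 vlan-id 100
set interfaces reth0 unit 100 family inet address 192.0.2.1/24
#
# Zone in the root configuration; only ssh and ping may be addressed to the device itself.
set security zones security-zone MGMT interfaces reth0.100 host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces reth0.100 host-inbound-traffic system-services ping
#
# SSH service hardening at root level (ssh itself must already be enabled).
set system services ssh root-login deny
#
# Login class pinned to CUST-A with view-only rights. After authentication the user is
# placed in CUST-A and cannot see or edit the root or the other customer's configuration.
set system login class cust-a-ro logical-system CUST-A
set system login class cust-a-ro permissions view
set system login class cust-a-ro permissions view-configuration
set system login user user-a uid 2006
set system login user user-a class cust-a-ro
set system login user user-a authentication encrypted-password "<hash generated out of band>"
#
# Loopback filter: SSH to the Routing Engine only from the management subnet, everything
# else about host-bound traffic unchanged.
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-from-mgmt then accept
set firewall family inet filter PROTECT-RE term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-other then discard
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

    After committing, log in as user-a over 192.0.2.1 and run `show cli authorization` to confirm the session carries only view permissions and is scoped to CUST-A; a login attempt from outside 192.0.2.0/24 should hang at the TCP handshake rather than reach the password prompt, which is the loopback filter discarding the SYN.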