SRX

I'm attempting to configure IPv6 and trying to setup a static route from my SRX to my firewall and I'm having trouble getting the routes to show up. 

I'm following the prodedure outlined in the link below so I'm aware of the fact that I need to use "set routing-options rib inet6.0 static route" instead of "set routing-options static route" for IPv6.  This is an SRX 550 running 12.3X48-D75.4.  What am I doing wrong?

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/policy-static-routing.html

set interfaces reth0 unit 50 description "--> Firewall-Outside: IP"
set interfaces reth0 unit 50 vlan-id 50
set interfaces reth0 unit 50 family inet6 address 2620:56:6000:b::fffe/64
set routing-options rib inet6.0 static route 2620:56:6000::/48 next-hop 2620:56:6000:b::250
set routing-options rib inet6.0 static route 2620:56:a000::/48 next-hop 2620:56:6000:b::250

lcroce@Border-SRX-A> show route protocol static

inet6.0: 66445 destinations, 66447 routes (8 active, 0 holddown, 66437 hidden)
Restart Complete

{primary:node0}

Hi icroce,

Do you have IPv6 enabled? see: https://kb.juniper.net/InfoCenter/index?page=content&id=KB25697&actp=METADATA

Yes, I do.  I already have IPv6 connectivity with my ISP.  Sorry should have noted that in the first place.

can you show a couple of examples for routes shown with 'show route protocol static hidden extensive' - it should be noted why the route is hidden and not used in the active routing table.

I get nothing.

lcroce@Border-SRX-A> show route protocol static hidden extensive

inet.0: 15 destinations, 16 routes (15 active, 0 holddown, 0 hidden)
Restart Complete

inet6.0: 66548 destinations, 66550 routes (8 active, 0 holddown, 66540 hidden)
Restart Complete

{primary:node0}

 EDIT: Also going to include the output from the command to show that I've got IPv6 enabled 

lcroce@Border-SRX-A> show security flow status
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

node1:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

{primary:node0}

Hello lcroce

First of all packet-based mode with branch SRX cluster is not supported

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/security-chassis-cluster-...

Look for 

Looking at "show security flow status" output it looks that you are running device in packet mode. 

You need to change it flow mode. once you change the flow mode, the output should look like this.

Check the flow module status for IPv6 traffic by using the show security flow status command:

 root@> show security flow status 
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

Inet6 can be in flow or packet mode but packet mode should be only supported in single node not in the chassis cluster. 

This has never once been mentioned to me by JTAC in the 5 or so years that this device has been in place and this config was recommended to us by our Juniper SE.  I have a hard time believing that we would be recommended a unsupported config.

Hi,

Quick Check :-

Looking at the ipv6 config you pasted I do not see "vlan-tagging" knob.

Please confirm and if not in place add the following and confirm if you can see the v6 routes.

set interfaces reth0 vlan-tagging

 Junos should not ideally allow you to commit without this knob, but its better to check and confirm. Since I was able to configure your ipv6 config and see static route in the table while mode set to packet mode.

Regards,

Rahul

Yes, the config is there.  I just failed to paste it in the first time.

Sorry for the double post but I know why I'm not getting anything in the routing table.  For some reason, the SRX thinks the IP I applied to the interface is a duplicate.  This doesn't make sense to me because this is a brand new IPv6 range assigned to me by ARIN.  Any thoughts on how to track down why it thinks it's a duplicate?

Hi,

Output of the show route can help isolate.

show route 2620:56:6000:b::fffe

show route 2620:56:6000:b::fffe table inet6.0

show route protocol direct

Regards,

Vikas

If you think the address is unique, try by disabling duplicate address detection (DAD) on that interface:

set ge-x/x/x unit y family inet6 dad-disable

Thanks and I already did disable DAD which made the routes show up.  Now the question is why did DAD trigger when I'm sure it's a unique IP.

And the mystery is solved.  Apparently my backup node in the cluster is seeing the primary node with the IP and that is what is triggering DAD which prevents my static routes from showing up.  When I disable the interfaces in the reth on the backup node and reset DAD, the IP is assigned and DAD isn't triggered.  I've got a case open with JTAC to determine if this is a bug in JunOS.