SRX Services Gateway
Highlighted
SRX Services Gateway

IPv6 Static routing not working

‎04-25-2019 11:40 AM

I'm attempting to configure IPv6 and trying to setup a static route from my SRX to my firewall and I'm having trouble getting the routes to show up. 

 

I'm following the prodedure outlined in the link below so I'm aware of the fact that I need to use "set routing-options rib inet6.0 static route" instead of "set routing-options static route" for IPv6.  This is an SRX 550 running 12.3X48-D75.4.  What am I doing wrong?

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/policy-static-routing.html

 

set interfaces reth0 unit 50 description "--> Firewall-Outside: IP"
set interfaces reth0 unit 50 vlan-id 50
set interfaces reth0 unit 50 family inet6 address 2620:56:6000:b::fffe/64
set routing-options rib inet6.0 static route 2620:56:6000::/48 next-hop 2620:56:6000:b::250
set routing-options rib inet6.0 static route 2620:56:a000::/48 next-hop 2620:56:6000:b::250

lcroce@Border-SRX-A> show route protocol static

inet6.0: 66445 destinations, 66447 routes (8 active, 0 holddown, 66437 hidden)
Restart Complete

{primary:node0}
13 REPLIES 13
Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-25-2019 11:46 AM

Hi icroce,

 

Do you have IPv6 enabled? see: https://kb.juniper.net/InfoCenter/index?page=content&id=KB25697&actp=METADATA

 

 

 

 

Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-25-2019 12:11 PM

Yes, I do.  I already have IPv6 connectivity with my ISP.  Sorry should have noted that in the first place.

Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-25-2019 12:50 PM

can you show a couple of examples for routes shown with 'show route protocol static hidden extensive' - it should be noted why the route is hidden and not used in the active routing table.


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

[ Edited ]
‎04-25-2019 01:30 PM

I get nothing.

lcroce@Border-SRX-A> show route protocol static hidden extensive

inet.0: 15 destinations, 16 routes (15 active, 0 holddown, 0 hidden)
Restart Complete

inet6.0: 66548 destinations, 66550 routes (8 active, 0 holddown, 66540 hidden)
Restart Complete

{primary:node0}

 EDIT: Also going to include the output from the command to show that I've got IPv6 enabled 

lcroce@Border-SRX-A> show security flow status
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

node1:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

{primary:node0}
Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-25-2019 04:57 PM

Hello lcroce

First of all packet-based mode with branch SRX cluster is not supported

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/security-chassis-cluster-...

Look for 

Packet-based processing

No

No

No

 

Looking at "show security flow status" output it looks that you are running device in packet mode. 

You need to change it flow mode. once you change the flow mode, the output should look like this.

 

Check the flow module status for IPv6 traffic by using the show security flow status command:

 root@> show security flow status 
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

 

Inet6 can be in flow or packet mode but packet mode should be only supported in single node not in the chassis cluster. 

 

Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-26-2019 06:14 AM

This has never once been mentioned to me by JTAC in the 5 or so years that this device has been in place and this config was recommended to us by our Juniper SE.  I have a hard time believing that we would be recommended a unsupported config.

Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-26-2019 10:13 AM

Hi,

 

Quick Check :-

Looking at the ipv6 config you pasted I do not see "vlan-tagging" knob.

Please confirm and if not in place add the following and confirm if you can see the v6 routes.

 

set interfaces reth0 vlan-tagging

 Junos should not ideally allow you to commit without this knob, but its better to check and confirm. Since I was able to configure your ipv6 config and see static route in the table while mode set to packet mode.

 

Regards,

 

Rahul

Regards,
Rahul
Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-26-2019 11:45 AM

Yes, the config is there.  I just failed to paste it in the first time.

Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-30-2019 01:37 PM

Sorry for the double post but I know why I'm not getting anything in the routing table.  For some reason, the SRX thinks the IP I applied to the interface is a duplicate.  This doesn't make sense to me because this is a brand new IPv6 range assigned to me by ARIN.  Any thoughts on how to track down why it thinks it's a duplicate?

Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-30-2019 07:36 PM

Hi,

 

Output of the show route can help isolate.

 

show route 2620:56:6000:b::fffe

show route 2620:56:6000:b::fffe table inet6.0

show route protocol direct

 

Regards,

 

Vikas

Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎04-30-2019 08:14 PM

If you think the address is unique, try by disabling duplicate address detection (DAD) on that interface:

set ge-x/x/x unit y family inet6 dad-disable

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Highlighted
SRX Services Gateway

Re: IPv6 Static routing not working

‎05-01-2019 05:51 AM

Thanks and I already did disable DAD which made the routes show up.  Now the question is why did DAD trigger when I'm sure it's a unique IP.

Highlighted
SRX Services Gateway
Solution
Accepted by topic author lcroce
‎05-02-2019 01:49 PM

Re: IPv6 Static routing not working

‎05-02-2019 01:49 PM

And the mystery is solved.  Apparently my backup node in the cluster is seeing the primary node with the IP and that is what is triggering DAD which prevents my static routes from showing up.  When I disable the interfaces in the reth on the backup node and reset DAD, the IP is assigned and DAD isn't triggered.  I've got a case open with JTAC to determine if this is a bug in JunOS.