SRX

last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  IPv6 static route not working

    Posted 04-20-2018 07:55

    My org has an SRX1400 running 12.1x48-D30. My ISP has started offering IPv6 and has given us a static address for the gateway, a subnet for our internal devices, and the other info needed to connect.

    I can give our WAN and LAN interfaces the proper IPv6 address. However I cannot get a static IPv6 route set up.

    I can give the gateway the correct command, # set routing-options rib inet6.0 static route ::/0 next-hop 2610:20:900c:4003::4, and commit it no problem. The configuration, # show routing-options, shows the new info. But the route never shows up when I run show route.

    I can ping the next hop from both the gateway and my servers. I cannot ping any IPv6 destination, such as ipv6.google.com, from the gateway or my servers, though the IP address does resolve. So why doesn't the route show up?

     

    At this time the only things I haven't done are reboot the gateway, which technically shouldn't be necessary, or upgrade it to 12.3, needs to be done but also shouldn't be necessary.

    Any ideas?



  • 2.  RE: IPv6 static route not working

    Posted 04-20-2018 16:38

    Confirm that ipv6 flow mode is enable on the device

    show security flow status

    The routes will be in the inet6 table.  Do you see them if you specify this.

     

    show route table inet6.0

     

    For transit traffic you will need security policies in place. you can verify sessions using show security flow

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/verification/ipv6-flow-session-displaying.html

     



  • 3.  RE: IPv6 static route not working

    Posted 04-23-2018 08:27

    It looks like IPv6 flow mode is enabled:

    admin@fw> show security flow status 
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

    When looking at the route table I see the routes that have been discovered but still do not see the static route:

    admin@fw> show route table inet6.0 

inet6.0: 9 destinations, 12 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:48a8:5ffd:ffff::/64
                   *[Direct/0] 17w0d 16:41:49
                    > via ge-0/0/11.0
2001:48a8:5ffd:ffff::2/128
                   *[Local/0] 78w6d 01:15:19
                      Local via ge-0/0/11.0
2610:20:900c:4003::5/128
                   *[Direct/0] 56w6d 16:02:41
                    > via ge-0/0/9.0
                    [Local/0] 78w5d 21:40:01
                      Local via ge-0/0/9.0
2610:20:900d:4010::/64
                   *[Direct/0] 78w6d 01:15:22
                    > via xe-2/0/1.5
2610:20:900d:4010::254/128
                   *[Local/0] 78w6d 01:15:42
                      Local via xe-2/0/1.5
fe80::/64          *[Direct/0] 78w6d 01:15:22
                    > via xe-2/0/1.5
                    [Direct/0] 56w6d 16:02:41
                    > via ge-0/0/9.0
                    [Direct/0] 17w0d 16:41:49
                    > via ge-0/0/11.0
fe80::cee1:7f00:55d:8445/128
                   *[Local/0] 78w6d 01:15:42
                      Local via xe-2/0/1.5
fe80::cee1:7fff:fe5d:805d/128
                   *[Local/0] 78w5d 21:40:01
                      Local via ge-0/0/9.0
fe80::cee1:7fff:fe5d:805f/128
                   *[Local/0] 78w6d 01:15:19
                      Local via ge-0/0/11.0

    I do have IPv6 security policies in place for incoming and outgoing traffic. Specifically anything can go out and pings and website traffic can come in.



  • 4.  RE: IPv6 static route not working
    Best Answer

    Posted 04-24-2018 03:00

    I think you have interface ge-0/0/9 misconfigured.  It looks like this should be a routed link where you can access the next hop for your default ipv6 route

     

    set routing-options rib inet6.0 static route ::/0 next-hop 2610:20:900c:4003::4

     

    But the routing table only has this as a /128.  To reach the next hop this has to be at least a /127 to see the next hop

     

    2610:20:900c:4003::5/128
                   *[Direct/0] 56w6d 16:02:41
                    > via ge-0/0/9.0
                    [Local/0] 78w5d 21:40:01
                      Local via ge-0/0/9.0

    Without the next hop reachable the route will not install.

     



  • 5.  RE: IPv6 static route not working

    Posted 04-24-2018 08:03

    So changing the configuration for ge-0/0/9 from /128 to /127 did it. Once that was committed the static route showed up.

    This change makes a lot of sense when thinking about the subnets but not knowing IPv6 very well I definitally missed it, though I didn't set it up in the first place.

    Thanks for the assist spuluka.



  • 6.  RE: IPv6 static route not working

    Posted 04-24-2018 16:53

    Glad you have it working now.