SRX Services Gateway

Illogical Behavior in Logical System SRX 1500 Can't Manage My TOR Switch Without First Accessing the SRX

‎04-02-2018 02:49 PM

Noob, Trying to Make His Way in the World


I have a clustered Juniper SRX 1500 separated into 2 logical systems. Each logical system has its own router, firewall rules and security policy. I have a Dell/Force10 switch handling layer 2 for my network which is situated, logically, above my cluster (meaning that all internal routing is done on the FW). I am having some difficulty accessing my switch independent of having to ssh into the firewall and then ssh’ing into the switch. I can’t seem to access it from my management network, despite having set up routing, policies and everything else. I have tried various configurations, all to no avail. I want to be able to access my switch at 10.21.9.100/24 while sitting on the 129.9.103.1/27 network. I have some extra interfaces available on the FW, so I don’t mind using them to manage the switch. I am able to ping my switch from the firewall and vice-versa, but I am not able to ssh or ping my switch from my PC on the 129.9.103.1/27 network. In the configuration below, I have specified interfaces ge-0/0/0.0 and ge-4/0/0.0 as the interfaces that I would like to carry the switch management traffic. I am out of ideas at this point and I would appreciate some pointers. I’ve pasted the relevant portions of my config below.

logical-systems {
    LSYS1SOMECOFW {
        interfaces {
            ge-0/0/0 {
                unit 0 {
                    family inet {
                        address 10.21.9.1/24;
                    }
                }
            }
            lt-0/0/0 {
                unit 5 {
                    description Logical_Tunnel_For_SOMECO;
                    encapsulation ethernet;
                    peer-unit 3;
                    family inet {
                        address 10.99.1.5/24;
                    }
                }
            }
            ge-0/0/4 {
                unit 0 {
                    description PARENT-CO_FW2_MGMT;
                    family inet {
                        address 10.21.8.100/24;
                    }
                }
            }
            ge-4/0/0 {
                unit 0 {
                    description "SW 2 MGMT";
                    family inet {
                        address 10.21.9.2/24;
                    }
                }
            }
            ge-4/0/4 {
                unit 0 {
                    description PARENT-CO_FW1_MGMT;
                    family inet {
                        address 10.21.8.101/24;
                    }
                }
            }
            reth0 {
                unit 0 {
                    description SOMECO_Backside;
                    vlan-id 7;
                    family inet {
                        address 129.9.103.1/27;
                    }
                }
                unit 2 {
                    description SOMECO_Chassis_MGMT;
                    vlan-id 2;
                    family inet {
                        address 10.21.2.1/24;
                    }
                }
                unit 5 {
                    description SOMECO-SOMECO-2_Network_MGMT;
                    vlan-id 5;
                    family inet {
                        address 10.21.5.1/24;
                    }
                }
                unit 6 {
                    description SOMECO-SOMECO-2_Terminal_Concentrator;
                    vlan-id 6;
                    family inet {
                        address 10.21.6.1/24;
                    }
                }
                unit 8 {
                    vlan-id 8;
                    family inet {
                        address 10.21.8.1/24;
                    }
                }
                unit 10 {
                    description SOMECO_ESXi_MGMT;
                    vlan-id 10;
                    family inet {
                        address 10.21.10.1/24;
                    }
                }
                unit 46 {
                    description SOMECO_Netapp;
                    vlan-id 46;
                    family inet {
                        address 129.9.103.65/27;
                    }
                }
                unit 54 {
                    description SOMECO_DMZ_PROD;
                    vlan-id 54;
                    family inet {
                        address 129.9.103.129/28;
                    }
                }
                unit 90 {
                    description SOMECO_Non_PROD_DMZ;
                    vlan-id 90;
                    family inet {
                        address 129.9.103.145/28;
                    }
                }
                unit 97 {
                    description SOMECO_Prod_DMZ_MGMT;
                    vlan-id 97;
                    family inet {
                        address 129.9.103.161/28;
                    }
                }
                unit 98 {
                    description DMZ_Non_Prod_Mgmt;
                    vlan-id 98;
                    family inet {
                        address 129.9.103.177/28;
                    }
                }
                unit 3233 {
                    description SOMECO_Non_Production_MGMT;
                    vlan-id 3233;
                    family inet {
                        address 129.9.103.225/27;
                    }
                }
                unit 3330 {
                    description SOMECO_APP/DB_Production;
                    vlan-id 3330;
                    family inet {
                        address 129.9.103.33/27;
                    }
                }
                unit 3331 {
                    description SOMECO_Production_MGMT;
                    vlan-id 3331;
                    family inet {
                        address 129.9.103.193/27;
                    }
                }
                unit 3332 {
                    description SOMECO_APP/DB_Non-Production;
                    vlan-id 3332;
                    family inet {
                        address 129.9.103.97/27;
                    }
                }
            }
        }
        routing-instances {
            LSYS1SOMECOFW_vr {
                instance-type virtual-router;
                interface ge-0/0/0.0;
                interface lt-0/0/0.5;
                interface ge-0/0/4.0;
                interface ge-4/0/0.0;
                interface ge-4/0/4.0;
                interface reth0.0;
                interface reth0.2;
                interface reth0.5;
                interface reth0.6;
                interface reth0.8;
                interface reth0.10;
                interface reth0.46;
                interface reth0.54;
                interface reth0.90;
                interface reth0.97;
                interface reth0.98;
                interface reth0.3233;
                interface reth0.3330;
                interface reth0.3331;
                interface reth0.3332;
                routing-options {
                    static {
                        route 0.0.0.0/0 next-hop 10.99.1.1;
                        route 129.9.104.0/24 next-hop 10.99.1.4;
                    }
                }
            }
        }

from-zone Trust_SOMECO to-zone Trust_SOMECO {
    policy Trust-Trust_SOMECO {
        description "Any-to-Any rule";
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;

zones {
    security-zone Trust_LSYS1_SOMECOFW {
        screen Untrust-screen;
        host-inbound-traffic {
            system-services {
                all;
                https;
            }
            protocols {
                all;
            }
        }
        interfaces {
            reth0.0;
            reth0.3330;
            reth0.46;
            reth0.3332;
            reth0.3331;
            reth0.3233;
            reth0.2;
            reth0.5;
            reth0.10;
            reth0.6;
            reth0.97;
            reth0.54;
            reth0.98;
            reth0.90;
            reth0.8;
            ge-0/0/4.0;
            ge-4/0/4.0;
            ge-0/0/0.0;
            ge-4/0/0.0;


Re: Illogical Behavior in Logical System SRX 1500 Can't Manage My TOR Switch Without First Accessing the SRX

‎04-02-2018 03:31 PM

• Set up traceoptions:

    set security flow traceoptions file TOR-traffic
    set security flow traceoptions file files 10
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter REQ source-prefix <your-pc-ip>
    set security flow traceoptions packet-filter REQ destination-prefix <switch-ip>
    set security flow traceoptions packet-filter REP source-prefix <switch-ip>
    set security flow traceoptions packet-filter REP destination-prefix <your-pc-ip>

Ping your switch with a couple of pings.

Then check your TOR-traffic file. It will give you a clear explanation of what is going on.

Good KB about how to do it:
https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

If you are unable to “decipher” the results, post them here. I’ll check them.

Regards
Leon Smirnov
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too


Solution
Accepted by topic author Aric ‎04-03-2018 04:24 PM

Re: Illogical Behavior in Logical System SRX 1500 Can't Manage My TOR Switch Without First Accessing the SRX

‎04-02-2018 06:08 PM

And does your switch have 10.21.9.1 set as its default gateway? Also, you have two interfaces in 10.21.9.0/24, which will break ARP among other things:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24928&actp=METADATA
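A quick way to catch the overlap the accepted answer points out, as an added example (not code from the thread or from Juniper): a small Python checker that parses a brace-style Junos excerpt like the one in the original post and lists every IPv4 subnet configured on more than one interface of the same routing instance. The sample config is a constructed subset of the poster's config; run against it, the checker flags 10.21.9.0/24 on ge-0/0/0.0 and ge-4/0/0.0, and it goes one step further than the reply above by also flagging 10.21.8.0/24, which the posted config places on ge-0/0/4.0 and reth0.8 (and on ge-4/0/4.0 in the full post).

```python
import ipaddress
import re
from collections import defaultdict
# Constructed subset of the poster's logical-system config: same addresses, same VR.
SAMPLE_CONFIG = """
logical-systems { LSYS1SOMECOFW {
    interfaces {
        ge-0/0/0 { unit 0 { family inet { address 10.21.9.1/24; } } }
        ge-4/0/0 { unit 0 { description "SW 2 MGMT"; family inet { address 10.21.9.2/24; } } }
        ge-0/0/4 { unit 0 { family inet { address 10.21.8.100/24; } } }
        reth0 { unit 0 { vlan-id 7; family inet { address 129.9.103.1/27; } }
                unit 8 { vlan-id 8; family inet { address 10.21.8.1/24; } } } }
    routing-instances { LSYS1SOMECOFW_vr { instance-type virtual-router;
        interface ge-0/0/0.0; interface ge-4/0/0.0; interface ge-0/0/4.0;
        interface reth0.0; interface reth0.8; } }
} }
"""

def parse_statements(text):
    """Yield (path, statement) pairs; path is the tuple of enclosing block headers."""
    stack, buf = [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(" ".join(buf)); buf = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            yield tuple(stack), " ".join(buf); buf = []
        else:
            buf.append(tok)

def collect(text):
    """One pass: (ifl -> IPv4 network from 'family inet address', VR name -> [member ifls])."""
    nets, members = {}, defaultdict(list)
    for path, stmt in parse_statements(text):
        if path[-1:] == ("family inet",) and stmt.startswith("address "):
            ifl = f"{path[-3]}.{path[-2].split()[1]}"      # 'ge-0/0/0' + 'unit 0' -> 'ge-0/0/0.0'
            nets[ifl] = ipaddress.ip_interface(stmt.split()[1]).network
        elif len(path) >= 2 and path[-2] == "routing-instances" and stmt.startswith("interface "):
            members[path[-1]].append(stmt.split()[1])
    return nets, members

def shared_subnets(text):
    """{(VR, subnet): [ifls]} for every subnet that sits on two or more interfaces of one VR."""
    (nets, members), hits = collect(text), defaultdict(list)
    for vr, ifls in members.items():
        for ifl in ifls:
            if ifl in nets:                        # ifls without 'family inet' are skipped
                hits[(vr, str(nets[ifl]))].append(ifl)
    return {k: v for k, v in hits.items() if len(v) > 1}
```

Feeding the full `show configuration` output of the logical system into `shared_subnets()` gives the same report for every routing instance; each hit is a subnet where only one of the listed interfaces should keep its address.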

Re: Illogical Behavior in Logical System SRX 1500 Can't Manage My TOR Switch Without First Accessing the SRX

‎04-02-2018 06:38 PM

Hmmm. No, the default gateway is not set, as a matter of fact. It continues to baffle me how simple the solution can be sometimes.

I've tried everything else under the sun at this point except looking at the gateway for the switch.

I'll let you know.


Cheers!