SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Internet connection drops after a few minutes

    Posted 01-12-2018 09:51

    Hi,

    Not sure if anyone can help.

    We're in the process of configuring a new SRX 340 but have hit an issue whereby we can connect to an irb interface via a VLAN access port on the SRX; it works for a few minutes, i.e. we can get internet, and then we get cut off. We cannot figure out why. It seems to allow us to ping the irb interface and we can also ping external IP addresses; however, we cannot connect to websites, get DNS resolution, etc.

    We've been using irb.3 as a test interface (no filters applied; we thought these were the issue at first) via access ports configured on ge-0/0/1.0 and ge-0/0/2.0.

    ge-0/0/0 is connected to our internal network whilst we test, hence its private IP address.

    Hoping it's something obvious in the config.

    Thanks,


    ## Last changed: 2018-01-12 15:56:43 GMT
    version 15.1X49-D120.3;
    system {
        host-name wz-lh-fw;
        time-zone GMT;
        root-authentication {
            encrypted-password "$5$BR4/d0Ea$CN08qUFy2bRC6vx/w5T/CZ0QJ7FM2Gxdw7La3uM4iBC";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            user admin {
                uid 2002;
                class super-user;
                authentication {
                    encrypted-password "$5$urejcMru$vn3DLO0PkdBkF3pNIARDAgwiaRh4svvrHnZxTpzUTvB";
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            dhcp-local-server {
                group t101-dhcp {
                    interface irb.1;
                }
                group t102-dhcp {
                    interface irb.2;
                }
                group t103-dhcp {
                    interface irb.3;
                }
                group t104-dhcp {
                    interface irb.4;
                }
                group t105-dhcp {
                    interface irb.5;
                }
                requested-ip-interface-match;
            }
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file event-log {
                any any;
                archive files 1;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.pool.ntp.org;
        }
    }
    security {
        log {
            mode event;
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                pool generic-ext-ip {
                    address {
                        192.168.240.177/32;
                    }
                }
                rule-set generic-src-nat {
                    from zone [ zone-t101 zone-t102 zone-t103 zone-t104 zone-t105 ];
                    to zone internet;
                    rule generic-src-nat {
                        match {
                            source-address 10.1.3.0/24;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        192.168.240.177/32;
                    }
                }
            }
        }
        policies {
            from-zone zone-t101 to-zone internet {
                policy t101-out {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone zone-t102 to-zone internet {
                policy t102-out {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone zone-t103 to-zone internet {
                policy t103-out {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone zone-t104 to-zone internet {
                policy t104-out {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone zone-t105 to-zone internet {
                policy t105-out {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone internet {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
            security-zone zone-t101 {
                interfaces {
                    irb.1 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone zone-t102 {
                interfaces {
                    irb.2 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone zone-t103 {
                interfaces {
                    irb.3 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone zone-t104 {
                interfaces {
                    irb.4 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone zone-t105 {
                interfaces {
                    irb.5 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.240.176/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-t103;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-t103;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ vlan-t101 vlan-t102 vlan-t103 vlan-t104 vlan-t105 ];
                    }
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        irb {
            per-unit-scheduler;
            unit 1 {
                family inet {
                    filter {
                        input std-bw-limit-out;
                        output std-bw-limit-in;
                    }
                    address 10.1.1.1/24;
                }
            }
            unit 2 {
                family inet {
                    filter {
                        input std-bw-limit-out;
                        output std-bw-limit-in;
                    }
                    address 10.1.2.1/24;
                }
            }
            unit 3 {
                family inet {
                    address 10.1.3.1/24;
                }
            }
            unit 4 {
                family inet {
                    filter {
                        input t104-bw-limit-out;
                        output t104-bw-limit-in;
                    }
                    address 10.1.4.1/24;
                }
            }
            unit 5 {
                family inet {
                    filter {
                        input std-bw-limit-out;
                        output std-bw-limit-in;
                    }
                    address 10.1.5.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.240.1;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
    }
    class-of-service {
        forwarding-classes {
            queue 4 rl-30m;
        }
        interfaces {
            irb {
                unit 3 {
                    scheduler-map cos-map;
                }
            }
        }
        scheduler-maps {
            cos-map {
                forwarding-class rl-30m scheduler rl-30m-scheduler;
            }
        }
        schedulers {
            rl-30m-scheduler {
                transmit-rate {
                    30m;
                    exact;
                }
                priority low;
            }
        }
    }
    firewall {
        family inet {
            filter std-bw-limit-out {
                term 1 {
                    from {
                        destination-port dhcp;
                    }
                    then accept;
                }
                term 0 {
                    from {
                        source-address {
                            10.1.1.0/24;
                            10.1.2.0/24;
                            10.1.3.0/24;
                            10.1.5.0/24;
                        }
                    }
                    then {
                        policer policer-30mb-out;
                        accept;
                    }
                }
            }
            filter std-bw-limit-in {
                term 0 {
                    from {
                        destination-address {
                            10.1.1.0/24;
                            10.1.2.0/24;
                            10.1.3.0/24;
                            10.1.5.0/24;
                        }
                    }
                    then {
                        policer policer-30mb-in;
                        accept;
                    }
                }
            }
            filter t104-bw-limit-out {
                term 1 {
                    from {
                        destination-port dhcp;
                    }
                    then accept;
                }
                term 0 {
                    from {
                        source-address {
                            10.1.4.0/24;
                        }
                    }
                    then {
                        policer policer-10mb-t104-out;
                        accept;
                    }
                }
            }
            filter t104-bw-limit-in {
                term 0 {
                    from {
                        destination-address {
                            10.1.4.0/24;
                        }
                    }
                    then {
                        policer policer-10mb-t104-in;
                        accept;
                    }
                }
            }
            filter rl-30m-traffic {
                term default {
                    then {
                        forwarding-class rl-30m;
                        accept;
                    }
                }
            }
        }
        policer policer-30mb-in {
            if-exceeding {
                bandwidth-limit 30m;
                burst-size-limit 625k;
            }
            then discard;
        }
        policer policer-30mb-out {
            if-exceeding {
                bandwidth-limit 30m;
                burst-size-limit 625k;
            }
            then discard;
        }
        policer policer-10mb-t104-in {
            if-exceeding {
                bandwidth-limit 10m;
                burst-size-limit 625k;
            }
            then discard;
        }
        policer policer-10mb-t104-out {
            if-exceeding {
                bandwidth-limit 10m;
                burst-size-limit 625k;
            }
            then discard;
        }
        policer policer-10mb-t201-in {
            if-exceeding {
                bandwidth-limit 10m;
                burst-size-limit 625k;
            }
            then discard;
        }
        policer policer-10mb-t201-out {
            if-exceeding {
                bandwidth-limit 10m;
                burst-size-limit 625k;
            }
            then discard;
        }
    }
    access {
        address-assignment {
            pool t101-dhcp-pool {
                family inet {
                    network 10.1.1.0/24;
                    range t101-dhcp-range {
                        low 10.1.1.10;
                        high 10.1.1.254;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                            8.8.4.4;
                        }
                        router {
                            10.1.1.1;
                        }
                    }
                }
            }
            pool t102-dhcp-pool {
                family inet {
                    network 10.1.2.0/24;
                    range t102-dhcp-range {
                        low 10.1.2.10;
                        high 10.1.2.254;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                            8.8.4.4;
                        }
                        router {
                            10.1.2.1;
                        }
                    }
                }
            }
            pool t103-dhcp-pool {
                family inet {
                    network 10.1.3.0/24;
                    range t103-dhcp-range {
                        low 10.1.3.10;
                        high 10.1.3.254;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                            8.8.4.4;
                        }
                        router {
                            10.1.3.1;
                        }
                    }
                }
            }
            pool t104-dhcp-pool {
                family inet {
                    network 10.1.4.0/24;
                    range t104-dhcp-range {
                        low 10.1.4.10;
                        high 10.1.4.254;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                            8.8.4.4;
                        }
                        router {
                            10.1.4.1;
                        }
                    }
                }
            }
            pool t105-dhcp-pool {
                family inet {
                    network 10.1.5.0/24;
                    range t105-dhcp-range {
                        low 10.1.5.10;
                        high 10.1.5.254;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                            8.8.4.4;
                        }
                        router {
                            10.1.5.1;
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-t101 {
            vlan-id 101;
            l3-interface irb.1;
        }
        vlan-t102 {
            vlan-id 102;
            l3-interface irb.2;
        }
        vlan-t103 {
            vlan-id 103;
            l3-interface irb.3;
        }
        vlan-t104 {
            vlan-id 104;
            l3-interface irb.4;
        }
        vlan-t105 {
            vlan-id 105;
            l3-interface irb.5;
        }
    }



  • 2.  RE: Internet connection drops after a few minutes

    Posted 01-13-2018 05:38

    I notice everything here has private addressing on it, and the symptoms (ping working but full layer 3 conversations not) tend to happen when there are multiple paths available to the traffic and a second firewall is involved.

    Is your outbound test path clean, with no possible asymmetrical routing?

     



  • 3.  RE: Internet connection drops after a few minutes

    Posted 01-13-2018 07:07

    Hi Steve,

    Thanks for taking the time to reply.

    I'm not aware of anything that would cause an issue.

    The test laptop itself only has a single NIC, connected directly into the Juniper.

    The SRX is sitting behind a second firewall, so effectively we are double NATing to get to the internet. We tried changing IPs on the Juniper, which didn't help. Interestingly, we haven't tested if we can connect to services which are internal to the second firewall and hence only have to go through the Juniper; I will look at this on Monday.

    I've attached a basic diagram if that helps.

    Regards,

    Rich.



  • 4.  RE: Internet connection drops after a few minutes

    Posted 01-14-2018 04:44

    In this setup the first thing to verify is routing.

    Assuming you source NAT everything coming out of the SRX, then the upstream devices should send traffic to the correct interface on the upstream side of the SRX.

    With the ICMP traffic, check the sessions on the SRX during or very shortly after the traffic:

    show security flow session source-prefix x.x.x.x destination-prefix y.y.y.y

    This should show the NAT occurring on the traffic session.

    Run the same test then for the non-working traffic.

    Does the session exist at all?

    Is the NAT working?

    Is there a return packet count?

    We basically need to verify that security policy, NAT and routing get the packets through the system. More gory details are here.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110
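The three checks in the reply above (does the session exist, was NAT applied, is there a return packet count) can be scripted against the CLI text. The following is an added example, not code from the original thread or from Juniper: it parses `show security flow session` output and flags a session whose reverse wing still points at the private client address (no source NAT) or has zero packets (nothing came back). The sample output embedded in it is constructed to approximate the SRX format, not captured from the poster's box; the exact field layout varies between Junos releases (some print a `Conn Tag` field), so the regular expression may need adjusting. The egress address 192.168.240.176 is taken from the posted ge-0/0/0 configuration.

```python
"""Parse 'show security flow session' text and flag the two failure signatures
the thread is chasing: source NAT not applied, and no return packets."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, approximating SRX output. Session 201 is a healthy ping,
# 202 is a TCP session that got no reply, 203 left the box un-NATed.
SAMPLE_OUTPUT = """\
Session ID: 201, Policy name: t103-out/4, Timeout: 2, Valid
  In: 10.1.3.10/1 --> 8.8.8.8/1;icmp, If: irb.3, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/1 --> 192.168.240.176/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

Session ID: 202, Policy name: t103-out/4, Timeout: 1794, Valid
  In: 10.1.3.10/49152 --> 93.184.216.34/443;tcp, If: irb.3, Pkts: 3, Bytes: 180
  Out: 93.184.216.34/443 --> 192.168.240.176/20311;tcp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

Session ID: 203, Policy name: t101-out/1, Timeout: 58, Valid
  In: 10.1.1.20/53201 --> 8.8.8.8/53;udp, If: irb.1, Pkts: 1, Bytes: 70
  Out: 8.8.8.8/53 --> 10.1.1.20/53201;udp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 3
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
# Optional "Conn Tag" field tolerated; trailing fields after Bytes are ignored.
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+)(?:, Conn Tag: \S+)?"
    r", If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wing_in: Optional[Wing] = None
    wing_out: Optional[Wing] = None


def parse_sessions(text: str) -> List[Session]:
    """Build Session objects from the CLI text; wings attach to the most
    recent 'Session ID' header."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
            continue
        m = WING_RE.match(line)
        if m and sessions:
            wing = Wing(m.group(2), int(m.group(3)), m.group(4), int(m.group(5)),
                        m.group(6), m.group(7), int(m.group(8)), int(m.group(9)))
            if m.group(1) == "In":
                sessions[-1].wing_in = wing
            else:
                sessions[-1].wing_out = wing
    return sessions


def diagnose(s: Session, egress_ip: str) -> List[str]:
    """Return the problems seen on one session (empty list means healthy)."""
    if s.wing_in is None or s.wing_out is None:
        return ["incomplete session"]
    findings: List[str] = []
    # The Out wing is the reverse direction: its destination is the address
    # the SRX presented upstream. With interface source NAT that must be the
    # egress interface address; if it is still the private client address,
    # no translation happened and the upstream cannot route the reply.
    if s.wing_out.dst == s.wing_in.src:
        findings.append("no source NAT")
    elif s.wing_out.dst != egress_ip:
        findings.append(f"unexpected NAT address {s.wing_out.dst}")
    # Zero packets on the Out wing: the upstream dropped the traffic, or the
    # reply took another path and never reached this session.
    if s.wing_out.pkts == 0:
        findings.append("no return traffic")
    return findings


def summarize(text: str, egress_ip: str) -> Dict[int, List[str]]:
    """Map session ID to its findings for a whole CLI dump."""
    return {s.sid: diagnose(s, egress_ip) for s in parse_sessions(text)}


if __name__ == "__main__":
    for sid, findings in summarize(SAMPLE_OUTPUT, "192.168.240.176").items():
        print(sid, "OK" if not findings else "; ".join(findings))
```

Pipe the real output in with `show security flow session | no-more` saved to a file and call `summarize()` on it; a working ICMP session next to a TCP session with "no return traffic" is exactly the asymmetric-path or upstream-drop picture the earlier replies describe.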

     



  • 5.  RE: Internet connection drops after a few minutes

    Posted 01-14-2018 05:16

    Hello,

    In addition to what has been said, you can use a free utility called "tcping" to create short-lived TCP sessions:

    https://www.elifulkerson.com/projects/tcping.php

    I suggest enabling SRX session trace and then running normal ping and tcping in parallel to see when/at what point tcping breaks.

    SRX session trace how-to:

    https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

    Additionally, I would suggest checking the upstream firewall for any errors/clues as to why the sessions are not working. It may have, e.g., a default setting limiting the number of sessions per user, which could cause your grief.

    HTH

    Thx
    Alex
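The same idea as the tcping suggestion above, as an added example that is not part of the reply and is not the tcping tool itself: complete a TCP handshake at a fixed interval, print a timestamped line per attempt so it can be lined up against a ping running alongside, and report the probe after which TCP never recovered (a single lost probe is ignored). The target 192.0.2.10:443 is a placeholder from the documentation address range; substitute a host on the far side of the path under test, by IP rather than name since DNS was among the things failing.

```python
"""Short-lived TCP probes, tcping-style, with detection of the point at which
TCP stopped working for good."""
import socket
import time
from typing import Callable, List, Optional, Tuple

Probe = Callable[[str, int], Tuple[bool, float]]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, float]:
    """Complete one TCP handshake and close. Returns (connected, elapsed_ms).
    Unlike ping this needs the full three-way handshake to pass, so a path
    that forwards ICMP but loses TCP state shows up here first."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
        return True, (time.monotonic() - start) * 1000.0
    except OSError:
        return False, (time.monotonic() - start) * 1000.0


def first_break(results: List[bool]) -> Optional[int]:
    """Index of the first probe in the final unbroken run of failures, or
    None if the last probe succeeded. A dropped probe followed by recovery
    is not treated as the break."""
    if not results or results[-1]:
        return None
    i = len(results) - 1
    while i > 0 and not results[i - 1]:
        i -= 1
    return i


def run_probes(host: str, port: int, count: int, interval: float,
               probe: Probe = tcp_probe) -> List[bool]:
    """Probe `count` times, `interval` seconds apart, printing a timestamped
    line per attempt, and return the success/failure list."""
    results: List[bool] = []
    t0 = time.monotonic()
    for _ in range(count):
        ok, ms = probe(host, port)
        results.append(ok)
        print(f"{time.strftime('%H:%M:%S')} +{time.monotonic() - t0:7.1f}s "
              f"{host}:{port} {'open' if ok else 'FAIL'} ({ms:.1f} ms)")
        if interval:
            time.sleep(interval)
    brk = first_break(results)
    if brk is not None:
        print(f"TCP stopped working from probe {brk} (~{brk * interval:.0f}s in)")
    return results


if __name__ == "__main__":
    # Placeholder target (documentation range); 600 probes at 1 s covers the
    # "works for a few minutes, then drops" window described in the thread.
    run_probes("192.0.2.10", 443, count=600, interval=1.0)
```

Run it in one window and `ping` in another; if the ping keeps answering while this script reports a break a few minutes in, the path is passing ICMP but losing TCP state somewhere upstream, which is the pattern the session check on the SRX should then confirm.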



  • 6.  RE: Internet connection drops after a few minutes
    Best Answer

    Posted 01-15-2018 08:55

    We've done quite a bit of testing today and it looks like the problem was caused by having the traffic come through the upstream firewall. We were able to connect to addresses on the WAN side of the Juniper even though we couldn't connect past the second firewall. We've moved the Juniper so that it's directly on the back of the router provided by our ISP and changed its IP to a public-facing one. In this configuration we no longer get the issue.

    Thanks for your help; it certainly pointed us in the right direction.

    Rich.