
Ip Monitoring not working with NAT

‎03-22-2018 06:15 AM

Hello Folks,

 

I have created a test setup with an SRX300 with dual ISP Failover

Ziggo is the default ISP and connected through ge-0/0/0.0 with next-hop 10.255.255.254

DSL is secondary and connected through ge-0/0/1.0 with next-hop 10.255.253.254

Both interfaces are in the same zone

I have a strange issue.

When I deactivate the services section I can ping 8.8.8.8 from 10.255.255.131 (my current ge-0/0/0.0 address).

When I activate the services section I cannot ping 8.8.8.8 from 10.255.255.131.

When I set the target address, for example, to an address within the subnet of the WAN interface and use no next-hop address, the RPM is working, but I want to monitor an address in another subnet.

 

Thanks in advance

 

The result is that the ip-monitoring result is FAIL

root# run show services ip-monitoring status

Policy - test (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Ziggo/0.0              test-1          8.8.8.8          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         10.255.253.254   APPLIED

These are the current routes

inet.0: 7 destinations, 10 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/1] 00:03:05, metric2 0
                    > to 10.255.253.254 via ge-0/0/1.0
                    [Static/5] 01:56:50
                    > to 10.255.255.254 via ge-0/0/0.0
                    [Access-internal/12] 01:08:01
                    > to 10.255.253.254 via ge-0/0/1.0
                    [Access-internal/12] 01:56:50
                    > to 10.255.255.254 via ge-0/0/0.0
10.0.0.0/24        *[Direct/0] 01:57:07
                    > via ge-0/0/5.0
10.0.0.254/32      *[Local/0] 01:57:07
                      Local via ge-0/0/5.0
10.255.253.0/24    *[Direct/0] 01:08:01
                    > via ge-0/0/1.0
10.255.253.22/32   *[Local/0] 01:08:01
                      Local via ge-0/0/1.0
10.255.255.0/24    *[Direct/0] 01:56:50
                    > via ge-0/0/0.0
10.255.255.131/32  *[Local/0] 01:56:50
                      Local via ge-0/0/0.0

These are the interfaces

root# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.255.255.131/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.255.253.22/24
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    up
ge-0/0/5.0              up    up   inet     10.0.0.254/24
ge-0/0/6                up    down
ge-0/0/7                up    down
gre                     up    up
ipip                    up    up
irb                     up    up
jsrv                    up    up
jsrv.1                  up    up   inet     128.0.0.127/2
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

This is the current configuration

version 15.1X49-D120.3;

services {
    rpm {
        probe Ziggo/0.0 {
            test test-1 {
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 2;
                test-interval 2;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/0.0;
                next-hop 10.255.255.254;
            }
        }
    }
    ip-monitoring {
        policy test {
            match {
                rpm-probe Ziggo/0.0;
            }
            then {
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop 10.255.253.254;
                    }
                }
            }
        }
    }
}
security {
    nat {
        source {
            rule-set SNAT {
                from zone Data;
                to zone Internet;
                rule 10 {
                    match {
                        source-address 10.0.0.0/24;
                        destination-address 0.0.0.0/0;
                        application any;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Data to-zone Internet {
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internet {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ssh;
                    https;
                }
            }
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
            }
        }
        security-zone Data {
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.0.0.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.255.255.254;
    }
}

 


Re: Ip Monitoring not working with NAT

‎03-22-2018 07:11 AM

It turns out that this configuration is working, but I have to disable or unplug the ge-0/0/0 interface before the probe gets the status: PASS

So the question is: why does the interface need to go down / up first before it works again?

 

 

 


Re: Ip Monitoring not working with NAT

‎03-22-2018 08:19 AM

Hi robbert1979,

 

Depending on the version you are running, you may be hitting a bug.

Please check the output of:

>show route

 

If the secondary route/interface continues to show the preference as 1, the primary route/interface would not take over, though it will be active.

The issue is fixed from 12.3X48-D55 and 15.1X49-D110.

 

If you are hitting this particular bug, you can fix it by upgrading.

 

Please check the IP-monitoring information and see if the status shows as PASS but 'Not-Applied'

 

Shailesh

Re: Ip Monitoring not working with NAT

‎03-23-2018 08:05 AM

Hello ssn,

I am using 15.1X49-D120.3, so the bug is not applicable to this configuration, I suppose.

When the failover takes place and the primary connection comes back, the routing table still gives the result below:

 

0.0.0.0/0          *[Static/1] 00:01:03, metric2 0
                    > to 10.255.253.254 via ge-0/0/1.0

When I bring the interface down and up, the following route is active:

0.0.0.0/0          *[Static/5] 00:00:04
                    > to 10.255.255.254 via ge-0/0/0.0

Re: Ip Monitoring not working with NAT

‎04-12-2018 12:39 AM

The configuration below is working as expected. The failover is fully functional without unplugging and replugging any connector.

The only thing is that I don't want a specific route for, in this case, 8.8.8.8.

When the failover takes place the new default 0/0 route with pref 1 is going through 10.255.253.254

I guess this means that RPM will try to reach 8.8.8.8 with source address 10.255.255.131/24 through next-hop 10.255.253.254/24, which is not in the same subnet.

 

When I disable the route 8.8.8.8/32 and put a next-hop in the RPM, the failover will not work at all, but I am able to ping the next-hop.

 

What am I missing?

 

 

services {
    rpm {
        probe probe1 {
            test test1 {
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 2;
                test-interval 2;
                source-address 10.255.255.131;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/1.0;
            }
        }
    }
    ip-monitoring {
        policy test {
            match {
                rpm-probe probe1;
            }
            then {
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop 10.255.253.254;
                    }
                }
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.255.255.254;
        route 8.8.8.8/32 {
            next-hop 10.255.255.254;
            preference 1;
        }
    }
}
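
A check for the states discussed in this thread, as an added example that is not part of the original posts: it reads `show services ip-monitoring status` and `show route` text and reports whether the default route is on the primary, failed over, or still on the backup after the probe has recovered. The function names and the `NOT-APPLIED` spelling are assumptions; the first two samples are taken from the first post and the recovered-state sample is constructed from them.

```python
import re

# Output copied from the first post in this thread (separator rows omitted).
IPMON_FAIL = """\
Policy - test (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    Ziggo/0.0              test-1          8.8.8.8          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    inet.0            0.0.0.0/0         10.255.253.254   APPLIED
"""
ROUTES_FAILOVER = """\
0.0.0.0/0          *[Static/1] 00:03:05, metric2 0
                    > to 10.255.253.254 via ge-0/0/1.0
                    [Static/5] 01:56:50
                    > to 10.255.255.254 via ge-0/0/0.0
"""
# Constructed sample: the probe passes again and the route action is withdrawn.
IPMON_RECOVERED = IPMON_FAIL.replace("FAIL", "PASS").replace(" APPLIED", " NOT-APPLIED")

def active_default(route_text):
    """Return (protocol, preference, next_hop) of the active 0.0.0.0/0 entry."""
    m = re.search(
        r"^0\.0\.0\.0/0\s+\*\[(\w[\w-]*)/(\d+)\][^\n]*\n\s+> to (\S+) via",
        route_text, re.M)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def ipmon_state(status_text):
    """Return (policy_status, route_action_next_hop, route_action_state)."""
    status = re.search(r"\(Status: (\w+)\)", status_text).group(1)
    action = re.search(r"^\s*inet\.0\s+0\.0\.0\.0/0\s+(\S+)\s+(\S+)", status_text, re.M)
    return status, action.group(1), action.group(2).upper()

def classify(route_text, status_text):
    """Compare the installed default route with what ip-monitoring reports."""
    route = active_default(route_text)
    if route is None:
        return "no default route"
    status, backup_nh, state = ipmon_state(status_text)
    on_backup = route[2] == backup_nh
    if status == "FAIL" and on_backup and state == "APPLIED":
        return "failover active"
    if status == "PASS" and on_backup:
        return "stuck on backup"  # probe recovered, injected route still active
    if status == "PASS":
        return "on primary"
    return "inconsistent"
```
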