SRX Services Gateway

Multiple IP's on the loopback interface not working

‎07-16-2014 11:27 AM

I have an SRX550 with version 12.1X44-D20.3. To provide availability, I have two ISPs terminating in the device and doing BGP with them. I advertise my /24, and they advertise just a 0.0.0.0 back to me. Pretty straightforward. The two interfaces peering with the ISPs have a local IP address on them that is just the peering IP. The actual /24 IPs that I advertise are bound on the loopback interface. This, however, doesn't seem to be working. The interface configuration is:

[code]
{primary:node1}
root@SSC-SRX550-1> show configuration interfaces lo0
unit 0 {
    family inet {
        filter {
            input Network_MGMT_Access;
        }
        address 198.97.232.2/24;
        address 198.97.232.1/24;
    }
}
[/code]

 

In this current configuration, only the .2 address will ping. It installs the correct route on the device:

[code]
198.97.232.0/24    *[Direct/0] 20:02:38
                    > via lo0.0
198.97.232.2/32    *[Local/0] 20:02:38
                      Local via lo0.0
[/code]

 

But there is no /32 route for the .1 address. It also won't show up on the interface list:

[code]
root@SSC-SRX550-1> show interfaces terse | match lo0
lo0                     up    up
lo0.0                   up    up   inet     198.97.232.2/24
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
[/code]

Am I missing something obvious about why this isn't working as I expect?

12 REPLIES

Re: Multiple IP's on the loopback interface not working

‎07-16-2014 02:15 PM

Hi,

Can you explain what you are trying to achieve exactly? I mean, what is the problem you are facing in BGP? Maybe there is another option better than assigning a secondary IP address on the lo0 interface.

Regards,
Mohamed Elhariry
2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT


Re: Multiple IP's on the loopback interface not working

‎07-16-2014 04:06 PM

It's pretty straightforward. Two interfaces terminated with connections from two different ISPs:

0/0/0 -> ISP1

0/0/0 -> ISP2

Each ISP peers with us so we can advertise our /24 subnet back to them. And then we need to have several IPs from our /24 bound to the firewall, and several of them as static NATs. So far, I can bind only a single IP from the /24 to the lo0 interface at a time.


Re: Multiple IP's on the loopback interface not working

‎07-16-2014 08:01 PM

Hi,

If you are trying to advertise the routes to BGP, then instead of configuring multiple subnets on lo0 we can use discard routes.

set routing-options static route 198.97.232.0/24 discard

and export this static route in BGP using policy options.

The URL below gives more details on this.

http://www.juniper.net/techpubs/en_US/junos14.1/topics/example/bgp-advertise-inactive.html

Thanks,

Suraj
Solution accepted by topic author gsweet@sav on ‎08-26-2015 01:27 AM

Re: Multiple IP's on the loopback interface not working

‎07-17-2014 04:19 AM

Hello,

I think it is pretty clear - You are telling Your SRX router the following:

1/ that all other addresses apart from 198.97.232.2 are directly connected to lo0.0

and

2/ that all other addresses apart from 198.97.232.1 are directly connected to lo0.0

No wonder it gets confused where .2 and .1 belong - "do they belong to me or are they directly connected?"

There is a workaround - You need to spell /24 only once, as below:

aarseniev@srx210> show configuration interfaces lo0 
Jul 17 11:03:52
unit 0 {
    family inet {
        address 198.97.232.2/24;
        address 198.97.232.1/32;
    }
}

And the result is:


aarseniev@srx210> show route 198.97.232.0/24   
Jul 17 11:03:37

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

198.97.232.0/24    *[Direct/0] 00:00:04
                    > via lo0.0
198.97.232.1/32    *[Direct/0] 00:00:04
                    > via lo0.0
                    [OSPF/10] 00:00:03, metric 0
                    > via lo0.0
198.97.232.2/32    *[Local/0] 00:00:04
                      Local via lo0.0

This is from an SRX210 with JUNOS 11.4; I don't have an SRX with 12.1 code, but I expect it to behave the same.

HTH

Thanks
Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
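The overlap Alex describes, as an added example that is not from the thread or from Juniper: a small checker that rewrites every address after the first one in a subnet to a /32, as the accepted answer advises, and derives the routes the thread's show route output lists. It assumes one Direct route per subnet, a Local /32 for the address carrying the subnet mask, and a Direct /32 for each /32 secondary; the function names are this example's own.

```python
# Added example (not from the thread or from Juniper): check lo0 addresses for
# the overlapping-/24 case from the original post, rewrite the extra ones to
# /32, and derive the routes an SRX should then install.
# Assumption: one Direct route per subnet, a Local /32 for the address that
# carries the subnet mask, and a Direct /32 for each /32 secondary address.
from ipaddress import ip_interface


def normalize_lo0(addresses):
    """Return (rewritten_addresses, warnings) for a list of 'a.b.c.d/len'
    strings as configured under lo0.0 family inet."""
    rewritten, warnings, seen = [], [], {}
    for text in addresses:
        iface = ip_interface(text)
        net = iface.network
        if net.prefixlen != 32 and net in seen:
            # second address claiming the same subnet: keep it as a host route
            host = f"{iface.ip}/32"
            warnings.append(f"{text} overlaps {seen[net]}; configure it as {host}")
            rewritten.append(host)
            continue
        if net.prefixlen != 32:
            seen[net] = text
        rewritten.append(text)
    return rewritten, warnings


def expected_routes(addresses):
    """Map each prefix to the route kind ('Direct' or 'Local') the SRX should
    install, mirroring the 'show route' output in the accepted answer."""
    routes = {}
    for text in addresses:
        iface = ip_interface(text)
        host = f"{iface.ip}/32"
        if iface.network.prefixlen == 32:
            routes[host] = "Direct"            # /32 secondary on lo0
        else:
            routes[str(iface.network)] = "Direct"
            routes[host] = "Local"             # primary address of the subnet
    return routes


if __name__ == "__main__":
    original = ["198.97.232.2/24", "198.97.232.1/24"]   # from the first post
    fixed, warns = normalize_lo0(original)
    for w in warns:
        print("warning:", w)
    for prefix, kind in expected_routes(fixed).items():
        print(f"{prefix:20} {kind}/0 via lo0.0")
```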

Re: Multiple IP's on the loopback interface not working

‎07-17-2014 05:09 PM

Of course! That made perfect sense and fixed the locally attached IPs. However, I now have static NAT issues that aren't resolved. I have this setup:

# show security nat
static {
    rule-set Netscaler {
        from zone untrust;
        rule 198-97-232-247 {
            match {
                destination-address 198.97.232.247/32;
            }
            then {
                static-nat {
                    prefix {
                        10.1.1.2/32;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface lo0.0 {
        address {
            198.97.232.247/32;
        }
    }
}

Which seems pretty simple and straightforward. And I can see that it installs the route for it:

# run show route 198.97.232.247

inet.0: 17 destinations, 18 routes (17 active, 0 holddown, 0 hidden)
198.97.232.247/32 (1 entry, 1 announced)
        *Static Preference: 1
                Next hop type: Discard
                Address: 0x117ae1c
                Next-hop reference count: 3
                State: <Active Int ProxyArp>
                Age: 8:27
                Task: RPD Unix Domain Server./var/run/rpd_serv.local
                Announcement bits (2): 0-KRT 3-Resolve tree 1
                AS path: I

And my understanding is that the "Next hop type: Discard" is correct/normal for proxy-ARP. However, nothing I can do can ping that IP. I know the host behind it is good. And I can even see in my filter that counts ICMP packets that packets are getting there, but not doing anything. Thoughts? This one seems to have stumped JTAC.


Re: Multiple IP's on the loopback interface not working

‎07-18-2014 12:27 AM

Hello,

gsweet@sav wrote:

And my understanding is that the "Next hop type: Discard" is correct/normal for proxy-ARP. However, nothing I can do can ping that IP. I know the host behind it is good. And I can even see in my filter that counts ICMP packets that packets are getting there, but not doing anything. Thoughts? This one seems to have stumped JTAC.

In order to be able to see ICMP Echo replies from the destination NAT IP, You need to enable ICMP Echo/ping in the appropriate policy. When You do that, ICMP Echo requests from outside will be translated to go to 10.1.1.2 and, provided this host is answering pings, You should get an ICMP Echo reply translated back and appearing to come from 198.97.232.247.

HTH

Thanks
Alex


Re: Multiple IP's on the loopback interface not working

‎07-18-2014 09:21 AM

Yep, and I've got all that set up unless I am missing something:

untrust security zone:

# show security zones security-zone untrust
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    reth0.0;
    reth1.0;
    lo0.0;
}

Security policies:

# show security policies from-zone untrust to-zone DMZ
policy untrust_to_Netscaler {
    match {
        source-address any;
        destination-address Netscaler;
        application [ junos-dns-tcp junos-dns-udp junos-icmp-ping ];
    }
    then {
        permit;
    }
}
policy Permit-all-test {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-init;
        }
    }
}


Re: Multiple IP's on the loopback interface not working

‎07-18-2014 09:45 AM

Hello,

Destination NAT is performed BEFORE policy, so You need to match on private dst.IP in this policy

Check out Figure 9.1

http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#nat_precedence_in_the_junos_event_chai...

What does the "destination-address Netscaler" address-book entry contain?

HTH

Thanks
Alex

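A toy model of the ordering Alex describes, as an added example that is not from the thread or from Juniper: static NAT is applied first and the policy lookup sees the translated destination, so a from-zone untrust policy that names the public 198.97.232.247 never matches, while one naming the private 10.1.1.2 does. Addresses and the policy and rule-set names come from the thread's configuration; the "Netscaler-public" address-book entry and the demo helper are constructed here.

```python
# Added example (not from the thread or from Juniper): static NAT runs before
# the security-policy lookup, so the policy only ever sees the private IP.
from ipaddress import ip_address, ip_network

# from-zone untrust static rule-set 'Netscaler': public -> private (thread's config)
STATIC_NAT = {ip_address("198.97.232.247"): ip_address("10.1.1.2")}

ADDRESS_BOOK = {
    "Netscaler": ip_network("10.1.1.2/32"),              # private host, as in the thread
    "Netscaler-public": ip_network("198.97.232.247/32"),  # constructed: the wrong entry
}


def address_matches(name, addr):
    """'any' matches everything; otherwise look the name up in the address book."""
    return name == "any" or addr in ADDRESS_BOOK[name]


def app_matches(apps, app):
    return apps == "any" or app in apps


def policy_lookup(policies, dst_public, app):
    """Return (policy_name, translated_dst). A None name means no policy
    matched, which the SRX treats as an implicit deny."""
    dst = STATIC_NAT.get(dst_public, dst_public)   # NAT happens before policy
    for pol in policies:                           # first match wins
        if address_matches(pol["dst"], dst) and app_matches(pol["app"], app):
            return pol["name"], dst
    return None, dst


def demo(dst_book_entry, app="junos-icmp-ping"):
    """Evaluate the thread's untrust_to_Netscaler policy with the given
    destination-address entry against a ping to the public static-NAT IP."""
    policies = [{"name": "untrust_to_Netscaler", "dst": dst_book_entry,
                 "app": ["junos-dns-tcp", "junos-dns-udp", "junos-icmp-ping"]}]
    return policy_lookup(policies, ip_address("198.97.232.247"), app)


if __name__ == "__main__":
    print(demo("Netscaler-public"))   # no match: the policy never sees the public IP
    print(demo("Netscaler"))          # matches on the translated private IP
```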

Re: Multiple IP's on the loopback interface not working

‎07-18-2014 10:36 AM

Yep, got that. The Netscaler pool is the internal IP of the target. However, we did add the any:any policy to work around this temporarily. Even then, we get no session flows.


Re: Multiple IP's on the loopback interface not working

‎07-19-2014 01:09 PM

Hello there,

2 further questions:

1/ how do You advertise 198.97.232.247 to the outside world? BGP, IGP, static on the upstream GW?

2/ do You use any routing instances at all to steer traffic differently?

HTH

Thanks
Alex


Re: Multiple IP's on the loopback interface not working

‎07-21-2014 12:05 PM

We advertise BGP. We advertise the whole /24. There aren't any routing instances configured.

We know that traffic has no issues getting to the device because we can assign any IP in the /24 as a physical IP on the loopback and they all respond without issue. It appears to only be the static NATs that are having problems.


Re: Multiple IP's on the loopback interface not working

‎07-25-2014 11:01 AM

So as a follow-up, here is what the final solution was: rebooting the cluster. I was letting the cluster do a minor firmware update from 12.1X44-D20 to D30.4. I don't know if it is that minor update, or if it was the chassis reboot that was required. But when it came back up I went to start a test ping to try a suggestion and lo and behold… it started pinging! So, now I am all resolved.
