SRX Services Gateway

No J-Web or SSH with Dual-ISP configuration, Dual routing-instances.

04-13-2019 06:22 AM

I have several SRX430 that we want to start using Dual ISP on. I built the following configuration with the help of the Juniper forums and knowledge base. It all works pretty well, but I can't access J-Web or SSH.

When I ping or traceroute the J-Web interface from my virtual routers I get "no route".

I followed:

https://forums.juniper.net/t5/SRX-Services-Gateway/Internet-failover-with-dual-ISP-configuration-and...

and @spuluka's recommendations.

Any help is greatly appreciated.

Routing instances

routing-instances {
    PLG-10mb {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet ISP2-ISP1;
            }
            static {
                route 0.0.0.0/0 next-hop 103.217.129.129;
                route 8.8.4.4/32 next-hop 103.225.135.1;
            }
        }
    }
    PLG-4mb {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            interface-routes {
                rib-group inet ISP1-ISP2;
            }
            static {
                route 0.0.0.0/0 next-hop 103.225.135.1;
            }
        }
    }
}

Firewall filter

policy-options {
    prefix-list ssh-allowed {
        10.0.0.0/8;
        73.242.192.129/32;
    }
    policy-statement LOAD-BALANCE {
        then {
            load-balance per-packet;
        }
    }
}
firewall {
    family inet {
        filter ssh-filter {
            term ssh-allow {
                from {
                    source-prefix-list {
                        ssh-allowed;
                    }
                    protocol tcp;
                    port ssh;
                }
                then accept;
            }
            term everything_else {
                then accept;
            }
            term ssh-block {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    protocol tcp;
                    port ssh;
                }
                then {
                    discard;
                }
            }
        }
    }
    filter F1 {
        term 1 {
            from {
                source-address {
                    10.80.63.249/32;
                }
            }
            then {
                routing-instance PLG-10mb;
            }
        }
        term 2 {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance PLG-4mb;
            }
        }
    }
}

Routing-options. I put in a couple of extra rib-groups to see if the issue was that J-Web and SSH were in the default inet.0 routing table, but that didn't work.

routing-options {
    static {
        route 10.80.56.0/21 next-hop 10.80.63.249;
        route 0.0.0.0/0 {
            next-hop 103.217.129.129;
            preference 5;
        }
        route 192.168.200.0/24 next-hop 10.80.63.249;
        route 10.0.0.0/8 {
            qualified-next-hop st0.2 {
                preference 20;
            }
            preference 2;
        }
        route 63.147.254.122/32 next-hop 103.225.135.1;
        route 63.137.78.2/32 next-hop 103.217.129.129;
        route 8.8.8.8/32 next-hop 103.225.135.1;
        route 10.80.8.0/21 next-hop st0.5;
        route 10.17.0.0/19 {
            next-hop st0.6;
            qualified-next-hop st0.7 {
                preference 20;
            }
        }
        route 172.168.1.0/24 next-hop st0.6;
        route 8.8.4.4/32 next-hop 103.225.135.1;
    }
    rib-groups {
        ISP1-ISP2 {
            import-rib [ PLG-4mb.inet.0 PLG-10mb.inet.0 ];
        }
        ISP2-ISP1 {
            import-rib [ PLG-10mb.inet.0 PLG-4mb.inet.0 ];
        }
        Default-ISP1 {
            import-rib [ inet.0 PLG-4mb.inet.0 ];
        }
        Default-ISP2 {
            import-rib [ inet.0 PLG-10mb.inet.0 ];
        }
    }
}

Interfaces

interfaces {
    ge-0/0/0 {
        unit 0 {
            description 10mb;
            family inet {
                filter {
                    input ssh-filter;
                }
                sampling {
                    input;
                    output;
                }
                address 103.225.135.56/26;
            }
        }
    }
    ge-0/0/1 {
        speed 100m;
        link-mode full-duplex;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            description 100mb;
            family inet {
                filter {
                    input ssh-filter;
                }
                address 103.217.129.157/27;
            }
        }
    }
    ge-0/0/2 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family inet {
                filter {
                    input-list F1;
                }
                address 10.80.63.250/29;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.80.63.101/32;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet;
        }
    }
}

Security

security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone trust;
                to zone [ untrust untrust2 ];
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set srx-nat {
                from zone junos-host;
                to zone untrust;
                rule trust-src {
                    match {
                        source-address 10.80.63.250/32;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpnzone {
            policy trust-to-vpnzone {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone vpnzone to-zone trust {
            policy vpnzone-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone untrust2 {
            policy trust-to-untrust2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone untrust2 {
            policy untrust-to-untrust2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust2 to-zone untrust {
            policy untrust2-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone junos-host to-zone trust {
            policy host-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                            rpm;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                            ssh;
                            rpm;
                        }
                    }
                }
            }
        }
        security-zone vpnzone {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                st0.1;
                st0.2;
                st0.3;
                st0.4;
                st0.5;
                st0.6;
                st0.7;
            }
        }
        security-zone untrust2 {
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            ike;
                            rpm;
                        }
                    }
                }
            }
        }
    }
}

IP Monitoring

services {
    flow-monitoring {
        version9 {
            template ipv4-test {
                ipv4-template;
            }
        }
    }
    rpm {
        probe Probe-Server {
            test testsvr {
                target address 1.1.1.1;
                probe-count 3;
                probe-interval 10;
                test-interval 5;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/0.0;
                next-hop 103.225.135.1;
            }
        }
        probe Probe-Server1 {
            test testsvr {
                target address 1.1.1.1;
                probe-count 3;
                probe-interval 10;
                test-interval 5;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/1.0;
                next-hop 103.217.129.129;
            }
        }
    }
    ip-monitoring {
        policy Server-Tracking {
            match {
                rpm-probe Probe-Server;
            }
            then {
                preferred-route {
                    routing-instances PLG-4mb {
                        route 0.0.0.0/0 {
                            next-hop 103.217.129.129;
                        }
                    }
                }
            }
        }
        policy Server-Tracking1 {
            match {
                rpm-probe Probe-Server1;
            }
            then {
                preferred-route {
                    routing-instances PLG-10mb {
                        route 0.0.0.0/0 {
                            next-hop 103.225.135.1;
                        }
                    }
                }
            }
        }
    }
}

Thanks

5 REPLIES

Re: No J-Web or SSH with Dual-ISP configuration, Dual routing-instances.

04-13-2019 09:04 AM

Hello Stein,

Can you share the output of "show configuration|display set|match system"?

Also, through which interface are you trying to access J-Web? Is it fxp0 or ge-0/0/2? I didn't find any other zones allowing HTTP or HTTPS.

Note that all host-inbound or outbound services from the SRX will use the default routing-instance to send the traffic.

This means that your inet.0 should have the route for the IP of your PC (from where you are trying to access J-Web).

Thanks!

Re: No J-Web or SSH with Dual-ISP configuration, Dual routing-instances.

04-13-2019 10:00 AM

So I solved this myself; seems I have an addiction to working on weekends...

I noticed that when I took the filter off the interface I could get to J-Web, so I added a J-Web filter and got it working.

filter F1 {
    term jweb {
        from {
            destination-address {
                10.80.63.250/32;
            }
        }
        then accept;
    }
    term 4 {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            routing-instance PLG-4mb;
        }
    }
    term 3 {
        from {
            source-address {
                10.80.63.249/32;
            }
        }
        then {
            routing-instance PLG-10mb;
        }
    }
}

Question for anyone reading this: do the filters work from the top down?

Thanks

Re: No J-Web or SSH with Dual-ISP configuration, Dual routing-instances.

04-13-2019 10:04 AM

Well, that was simple :) Good to see your issue solved.

The answer to your question is yes. Filters work in the order the terms are written.

Anything not explicitly mentioned will be dropped.

Thanks!
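The ordering rule in the reply above decides what the filters posted in this thread actually do, so here is an added example (not from this thread and not Juniper code) that models Junos stateless filter evaluation in Python: terms are tried top-down, the first match wins, and a packet matching no term hits the implicit discard. The filters are the ones posted (ssh-filter, the original F1, and the revised F1 with the jweb term); the packet addresses 198.51.100.7 and 10.0.0.5 are constructed. The shadowed_terms check is the practical part: in the revised F1, term 4 (0.0.0.0/0) precedes term 3, so traffic from 10.80.63.249 never reaches PLG-10mb, and in ssh-filter the everything_else accept means ssh-block never fires.

```python
"""Model of how Junos evaluates a stateless firewall filter: terms are tried in
the order written, the first matching term's action is taken, and a packet that
matches no term hits the implicit discard at the end of the filter.

Added example for this thread, not Juniper code. The filters below are the ones
posted; packet addresses 198.51.100.7 and 10.0.0.5 are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Term:
    name: str
    action: str                                   # "accept", "discard", "routing-instance X"
    source: list = field(default_factory=list)    # source-address prefixes; [] means any
    destination: list = field(default_factory=list)
    protocol: Optional[str] = None
    port: Optional[int] = None                    # Junos "port" matches source OR destination port


def _in_prefixes(addr: str, prefixes: list) -> bool:
    return not prefixes or any(ip_address(addr) in ip_network(p, strict=False) for p in prefixes)


def matches(term: Term, pkt: dict) -> bool:
    return (_in_prefixes(pkt["src"], term.source)
            and _in_prefixes(pkt["dst"], term.destination)
            and (term.protocol is None or term.protocol == pkt.get("proto"))
            and (term.port is None or term.port in (pkt.get("sport"), pkt.get("dport"))))


def evaluate(terms: list, pkt: dict):
    """Return (term name, action) of the first matching term, or (None, 'discard')."""
    for t in terms:
        if matches(t, pkt):
            return t.name, t.action
    return None, "discard"                        # implicit discard at the end of every filter


def _covers(outer: list, inner: list) -> bool:
    """True if every address matched by prefix list `inner` is also matched by `outer`."""
    if not outer:                                 # outer matches any address
        return True
    if not inner:                                 # inner is "any": outer must contain 0/0
        return any(ip_network(o, strict=False).prefixlen == 0 for o in outer)
    return all(any(ip_network(i, strict=False).subnet_of(ip_network(o, strict=False))
                   for o in outer) for i in inner)


def shadowed_terms(terms: list) -> list:
    """Names of terms that can never match because a single earlier term already
    covers every packet they could match (a simple per-term superset check)."""
    out = []
    for i, later in enumerate(terms):
        for earlier in terms[:i]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and earlier.protocol in (None, later.protocol)
                    and earlier.port in (None, later.port)):
                out.append(later.name)
                break
    return out


# ssh-filter as posted: the catch-all accept sits before ssh-block.
SSH_FILTER = [
    Term("ssh-allow", "accept", source=["10.0.0.0/8", "73.242.192.129/32"], protocol="tcp", port=22),
    Term("everything_else", "accept"),
    Term("ssh-block", "discard", source=["0.0.0.0/0"], protocol="tcp", port=22),
]

# F1 from the original post: host-specific term first, catch-all second.
F1_ORIGINAL = [
    Term("1", "routing-instance PLG-10mb", source=["10.80.63.249/32"]),
    Term("2", "routing-instance PLG-4mb", source=["0.0.0.0/0"]),
]

# F1 after the jweb term was added: the catch-all term 4 now precedes term 3.
F1_REVISED = [
    Term("jweb", "accept", destination=["10.80.63.250/32"]),
    Term("4", "routing-instance PLG-4mb", source=["0.0.0.0/0"]),
    Term("3", "routing-instance PLG-10mb", source=["10.80.63.249/32"]),
]

if __name__ == "__main__":
    to_jweb = {"src": "10.80.63.249", "dst": "10.80.63.250", "proto": "tcp", "dport": 443}
    to_internet = {"src": "10.80.63.249", "dst": "8.8.8.8", "proto": "udp", "dport": 53}
    ssh_from_outside = {"src": "198.51.100.7", "dst": "103.225.135.56", "proto": "tcp", "dport": 22}
    print("revised F1, management traffic:", evaluate(F1_REVISED, to_jweb))
    print("revised F1, 10.80.63.249 to internet:", evaluate(F1_REVISED, to_internet))
    print("original F1, same packet:", evaluate(F1_ORIGINAL, to_internet))
    print("ssh-filter, SSH from an unlisted source:", evaluate(SSH_FILTER, ssh_from_outside))
    for label, f in (("ssh-filter", SSH_FILTER), ("F1 original", F1_ORIGINAL), ("F1 revised", F1_REVISED)):
        print(f"{label}: unreachable terms = {shadowed_terms(f)}")
```

The shadow check only compares each term against one earlier term at a time, so it reports the obvious cases (a catch-all placed above a specific term) and not terms that are covered only by the union of several earlier terms; it is the check to run before committing a reordered filter, because the device applies the terms as written without flagging the unreachable ones.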

Re: No J-Web or SSH with Dual-ISP configuration, Dual routing-instances.

04-14-2019 08:02 AM

Adding on to the filter issue...

I want to split the traffic between the interfaces:

  • VPN out routing-instance PLG-4mb
  • Internet traffic out routing-instance PLG-10mb

Would I use a filter for that, or a static route?

filter F1 {
    term jweb {
        from {
            destination-address {
                10.80.63.250/32;
            }
        }
        then accept;
    }
    term 4 {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            routing-instance PLG-4mb;
        }
    }
    term 3 {
        from {
            source-address {
                10.80.63.249/32;
            }
        }
        then {
            routing-instance PLG-10mb;
        }
    }
}

Thanks

Re: No J-Web or SSH with Dual-ISP configuration, Dual routing-instances.

04-16-2019 10:46 PM

Hi there,

You would need to use filter-based forwarding to split the traffic:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

I help you, you help me... please share a Kudos or accepted solution whenever you feel I have helped with your problem! :)