SRX Services Gateway

OSPF on SRX 240

06-16-2015 01:17 AM

Hi, recently I set up two OSPF sessions for an ECMP setup, but for some reason I can't reach the routes advertised by the OSPF neighbors. Can someone tell me what I am missing in my config?

here is the srx configuration:

# show protocols ospf
export [ ospf-default export-static ];
area 0.0.3.32 {
    interface reth1.0 {
        priority 100;
        hello-interval 1;
        dead-interval 4;
    }
}

# show policy-options policy-statement ospf-default
term ospd-default {
    from {
        route-filter 0.0.0.0/0 exact accept;
    }
}

# show policy-options policy-statement export-static
term export-static {
    from protocol static;
    then accept;
}
term export-local {
    from protocol local;
    then accept;
}
term export-direct {
    from protocol direct;
    then accept;
}

> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
172.16.6.2       reth1.0                Full      172.16.6.2        10     3
172.16.6.6       reth1.0                Full      172.16.6.6        10     3

> show ospf route
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop
                   Type  Type       Type            Interface     Address/LSP
172.16.6.2         Intra AS BR      IP            1 reth1.0       172.16.6.2
172.16.6.6         Intra AS BR      IP            1 reth1.0       172.16.6.6
10.8.0.0/16        Intra Network    IP            1 reth1.0
172.16.1.10/32     Ext1  Network    IP            1 reth1.0       172.16.6.2
                                                                          reth1.0       172.16.6.6
172.16.6.0/30      Intra Network    IP            1 reth1.0
172.16.6.4/30      Intra Network    IP            1 reth1.0


> show route 172.16.1.10 extensive

inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
Restart Complete
172.16.1.10/32 (1 entry, 1 announced)
TSI:
KRT in-kernel 172.16.1.10/32 -> {172.16.6.2, 172.16.6.6}
        *OSPF   Preference: 150
                Next hop type: Router, Next hop index: 262142
                Address: 0x16a058c
                Next-hop reference count: 3
                Next hop: 172.16.6.2 via reth1.0, selected
                Next hop: 172.16.6.6 via reth1.0
                State: <Active Int Ext>
                Local AS: 62299
                Age: 21:20:22   Metric: 1       Tag: 0
                Task: OSPF
                Announcement bits (2): 0-KRT 3-Resolve tree 1
                AS path: I

--- 172.16.1.10 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

--- 172.16.6.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.603/2.318/3.014/0.576 ms

--- 172.16.6.6 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.584/1.792/2.161/0.262 ms

Could it be a problem with the security zone, or ...?

thanks

Dan

17 REPLIES
Re: OSPF on SRX 240

06-16-2015 01:23 AM

Hello,

Can you try to ping the IP sourcing the reth1.0 IP address? We do not need a security policy for that since it is self-generated traffic and hits the self policy.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
Re: OSPF on SRX 240

06-16-2015 02:46 AM

What do you mean by "IP sourcing the reth1.0"? I can ping any of the reth1.0 IP addresses from both Linux routers.

[root@dns802 ~]# ping 172.16.6.5 -c 3 -q
PING 172.16.6.5 (172.16.6.5) 56(84) bytes of data.

--- 172.16.6.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.519/0.535/0.550/0.022 ms
[root@dns802 ~]# ping 10.8.0.1 -c 3 -q
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.443/0.498/0.568/0.057 ms
[root@dns802 ~]# ip r l | grep def
default via 172.16.6.5 dev ens192  proto zebra


Re: OSPF on SRX 240

06-16-2015 02:51 AM

Hello,

I meant, are you able to ping those IPs (172.16.1.10, 172.16.6.2, 172.16.6.6) sourcing the reth1.0 IP:

ping 172.16.1.10 source <reth1.0 IP>
ping 172.16.6.2 source <reth1.0 IP>
ping 172.16.6.6 source <reth1.0 IP>


Thanks,
Sam

Re: OSPF on SRX 240

06-16-2015 02:58 AM

One thing I noticed is that if I ping directly from the router, the source IP address will be from the fxp interface.

So it looks like everything is working from the router.

i# run ping 172.16.1.10 source 172.16.6.5 count 3
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.494 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.656 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.686 ms

--- 172.16.1.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.656/1.945/2.494/0.388 ms
i# run ping 172.16.1.10 source 10.8.0.1 count 3
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.568 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.543 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=2.690 ms

--- 172.16.1.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.543/2.267/2.690/0.514 ms

But when I try to ping any IP behind the OSPF network from any machine behind the 10.8.0.0/16 network, it is not working; they are on the same reth1.0.

Re: OSPF on SRX 240

06-16-2015 03:16 AM

Can you share the complete config of your SRX with us, so we can have a look and solve the problem you are having?

I'm guessing it has something to do with some security policies.

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
Re: OSPF on SRX 240

06-16-2015 03:21 AM

Hello,

Do those IPs fall in the 10.8.0.0/16 network itself or in a different network? If so, then the packet should not even reach the SRX and it should be routed internally. If it is a different network, then it will be coming to the SRX and we can check for policies and other stuff.

But this issue pretty much looks to be external to the SRX box.


Thanks,
Sam

Re: OSPF on SRX 240

06-16-2015 03:22 AM

Sure, how do you want me to export it? As set or as normal?

thanks,

Dan

Re: OSPF on SRX 240

06-16-2015 03:37 AM

Normal and set are both fine for checking the configs.

Marc



Re: OSPF on SRX 240

06-16-2015 05:29 AM

See config below; for security reasons I have modified some of the IPs with xxx. Also, the CoPP rules are not applied.

Thank you

version 12.1X44-D40.2;
groups {
    node0 {
        system {
            host-name rtr01-timi;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.99.99.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name rtr02-timi;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.99.99.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    time-zone Europe/Bucharest;
    no-redirects;
    arp {
        aging-timer 5;
        passive-learning;
        purging;
        gratuitous-arp-on-ifup;
        gratuitous-arp-delay 1;
    }
    root-authentication {
        encrypted-password "$1$yiNoLbJN$CTQJJizNyxYFeYXJxt9x./"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        class super-user-local {
            idle-timeout 1;
        }
        user andrei {
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$1$3cH/.OwX$SFh1211KUc6BMENcpzNLz0"; ## SECRET-DATA
            }
        }
        user fred {
            uid 2003;
            class super-user;
            authentication {
                encrypted-password "$1$V7o4JmR8$65FMmkJPJ0.xfNbnF4rOx/"; ## SECRET-DATA
            }
        }
        user kiki {
            uid 2004;
            class super-user;
            authentication {
                encrypted-password "$1$xSFKcRZx$I0L5wHzBig4wnWU7GHjsB."; ## SECRET-DATA
            }
        }
        user timi {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$3wCJjy1Q$4VCzAK1qcEvOYahgnPzYI1"; ## SECRET-DATA
            }
        }
        password {
            minimum-length 8;
            maximum-length 20;
            change-type character-sets;
            minimum-changes 3;
        }
    }
    services {
        ssh {
            protocol-version v2;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    max-configurations-on-flash 10;
    max-configuration-rollbacks 10;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 92.86.106.228;
        server 93.114.42.129;
        server 80.96.120.253;
        server 91.216.151.202;
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
}
interfaces {
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/8 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/9 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/8 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/9 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet;
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 62.xxx.xxx.2/30;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                no-redirects;
                address 10.8.0.1/16;
                address 188.xxx.xxx.1/24;
                address 188.xxx.xxx.1/24;
                address 172.16.6.1/30;
                address 172.16.6.5/30;
            }
        }
    }
    st0 {
        description ipsec-vpn;
        unit 0 {
            description to-LV;
            family inet {
                mtu 1420;
                address 172.16.0.2/30;
            }
        }
        unit 1 {
            description to-NJ;
            family inet {
                mtu 1420;
                address 172.16.8.1/30;
            }
        }
    }
}
forwarding-options {
    hash-key {
        family inet {
            layer-3;
            layer-4;
        }
    }
}
snmp {
    community jun1p3r5 {
        clients {
            127.0.0.1/32;
        }
    }
}
routing-options {
    graceful-restart;
    static {
        defaults {
            no-readvertise;
            resolve;
        }
        route 10.6.0.0/16 next-hop st0.0;
        route 10.3.0.0/16 next-hop st0.1;
    }
    router-id 62.xxx.xxx.2;
    autonomous-system 62299;
    forwarding-table {
        export pol-load-balance;
    }
}
protocols {
    bgp {
        mtu-discovery;
        group bm2orange {
            type external;
            import [ pol-default-in pol-reject-any pol-no-crap ];
            export pol-bm2isp-out;
            neighbor 62.xxx.xxx.1 {
                description Org;
                peer-as 8953;
            }
        }
    }
    ospf {
        export [ ospf-default export-static ];
        area 0.0.3.32 {
            interface reth1.0 {
                priority 100;
                hello-interval 1;
                dead-interval 4;
            }
        }
    }
    rstp;
}
policy-options {
    prefix-list p-ospf {
        10.99.99.0/24;
        172.16.6.2/32;
        172.16.6.6/32;
    }
    prefix-list p-ssh-servers {
        10.8.0.0/16;
        10.99.99.0/24;
        89.xxx.xxx.34/32;
    }
    prefix-list p-snmp-servers {
        10.8.0.0/16;
        10.99.99.0/24;
    }
    prefix-list p-dns-servers {
        8.8.4.4/32;
        8.8.8.8/32;
        10.8.0.0/16;
        10.99.99.0/24;
        172.16.6.0/30;
        172.16.6.4/30;
    }
    prefix-list p-ntp-servers {
        10.8.0.0/16;
        10.99.99.0/24;
        apply-path "system ntp server <*>";
    }
    prefix-list p-router-interfaces4 {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list p-bgp-neighbors {
        10.99.99.0/24;
        62.xxx.xxx.1/32;
    }
    prefix-list p-ipsec-neighbors {
        108.xxx.xxx.125/32;
        192.xxx.xxx.66/32;
    }
    policy-statement export-static {
        term export-static {
            from protocol static;
            then accept;
        }
        term export-local {
            from protocol local;
            then accept;
        }
        term export-direct {
            from protocol direct;
            then accept;
        }
    }
    policy-statement ospf-default {
        term ospd-default {
            from {
                route-filter 0.0.0.0/0 exact accept;
            }
        }
    }
    policy-statement ospf-to-rib {
        term ospf-to-rib {
            from protocol ospf;
            then accept;
        }
    }
    policy-statement pol-bm2isp-out {
        term match-local-prefixes {
            from {
                route-filter 188.xxx.xxx.0/24 exact;
                route-filter 188.xxx.xxx.0/24 exact;
            }
            then accept;
        }
    }
    policy-statement pol-default-in {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    policy-statement pol-load-balance {
        then {
            load-balance per-packet;
        }
    }
    policy-statement pol-no-crap {
        term no-crap {
            from {
                route-filter 10.0.0.0/8 orlonger;
                route-filter 127.0.0.0/8 orlonger;
                route-filter 169.254.0.0/16 orlonger;
                route-filter 172.16.0.0/12 orlonger;
                route-filter 192.0.2.0/24 orlonger;
                route-filter 224.0.0.0/3 orlonger;
                route-filter 100.64.0.0/10 orlonger;
            }
            then reject;
        }
    }
    policy-statement pol-reject-any {
        then reject;
    }
}
security {
    ike {
        proposal ike-proposal-vpn01 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        proposal ike-proposal-vpn02 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy ike-policy-vpn01 {
            mode main;
            proposals ike-proposal-vpn01;
            pre-shared-key ascii-text "$9$6fS0AORSreW87cyYg4aHkn/CuIEM87"; ## SECRET-DATA
        }
        policy ike-policy-vpn02 {
            mode main;
            proposals ike-proposal-vpn02;
            pre-shared-key ascii-text "$9$haqrMX-Vwg4ZNdqmP5/9EcyKLx24Z"; ## SECRET-DATA
        }
        gateway ike-gate-vpn01 {
            ike-policy ike-policy-vpn01;
            address 192.xxx.xxx.66;
            external-interface reth0.0;
            version v2-only;
        }
        gateway ike-gate-vpn02 {
            ike-policy ike-policy-vpn02;
            address 108.xxx.xxx.125;
            external-interface reth0.0;
            version v2-only;
        }
    }
    ipsec {
        policy ipsec-policy-vpn01 {
            proposal-set standard;
        }
        policy ipsec-policy-vpn02 {
            proposal-set standard;
        }
        vpn ipsec-vpn-vpn01 {
            bind-interface st0.0;
            ike {
                gateway ike-gate-vpn01;
                ipsec-policy ipsec-policy-vpn01;
            }
            establish-tunnels immediately;
        }
        vpn ipsec-vpn-vpn02 {
            bind-interface st0.1;
            ike {
                gateway ike-gate-vpn02;
                ipsec-policy ipsec-policy-vpn02;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        syn-flood-protection-mode syn-proxy;
        tcp-mss {
            ipsec-vpn {
                mss 1420;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            pool default-nat {
                address {
                    188.xxx.xxx.1/32;
                }
            }
            rule-set internet-nat {
                from zone trust;
                to zone untrust;
                rule any-to-any {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                default-nat;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool ssh01 {
                address 10.8.20.22/32 port 22;
            }
            rule-set DNAT {
                from zone untrust;
                rule ssh01 {
                    match {
                        destination-address 188.xxx.xxx.222/32;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool ssh01;
                    }
                }
            }
        }
        static {
            rule-set static-nat {
                from zone untrust;
                rule rdp01 {
                    match {
                        destination-address 188.xxx.xxx.220/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.8.20.20/32;
                            }
                        }
                    }
                }
                rule ssh01 {
                    match {
                        destination-address 188.xxx.xxx.222/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.8.20.22/32;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone ipsec_vpn {
            policy trust-to-ipsec_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ipsec_vpn to-zone trust {
            policy ipsec_vpn-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone ipsec_vpn02 {
            policy trust-to-ipsec_vpn02 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ipsec_vpn02 to-zone trust {
            policy ipsec_vpn02-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone ipsec_vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
        security-zone ipsec_vpn02 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.1;
            }
        }
    }
}
firewall {
    family inet {
        filter pm-copp-in {
            term copp-important-ssh {
                from {
                    source-prefix-list {
                        p-ssh-servers;
                    }
                    destination-prefix-list {
                        p-router-interfaces4;
                    }
                    protocol tcp;
                    port 22;
                }
                then policer copp-important;
            }
            term copp-important-snmp {
                from {
                    source-prefix-list {
                        p-snmp-servers;
                    }
                    destination-prefix-list {
                        p-router-interfaces4;
                    }
                    protocol udp;
                    port snmp;
                }
                then policer copp-important;
            }
            term copp-important-dns {
                from {
                    source-prefix-list {
                        p-dns-servers;
                        p-router-interfaces4;
                    }
                    destination-prefix-list {
                        p-router-interfaces4;
                        p-dns-servers;
                    }
                    protocol udp;
                    source-port 53;
                }
                then policer copp-important;
            }
            term copp-normal-icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply time-exceeded ];
                }
                then policer copp-normal;
            }
            term copp-important-ntp {
                from {
                    source-prefix-list {
                        p-ntp-servers;
                        p-router-interfaces4;
                    }
                    destination-prefix-list {
                        p-ntp-servers;
                        p-router-interfaces4;
                    }
                    protocol udp;
                    port ntp;
                }
                then policer copp-important;
            }
            term copp-critical-bgp {
                from {
                    source-prefix-list {
                        p-bgp-neighbors;
                    }
                    destination-prefix-list {
                        p-router-interfaces4;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term copp-critical-ipsec {
                from {
                    source-prefix-list {
                        p-ipsec-neighbors;
                    }
                    destination-prefix-list {
                        p-router-interfaces4;
                    }
                }
                then accept;
            }
            term copp-critical-ospf {
                from {
                    source-prefix-list {
                        p-ospf;
                    }
                    protocol ospf;
                }
                then accept;
            }
        }
    }
    policer copp-normal {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 128k;
        }
        then discard;
    }
    policer copp-important {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 2m;
        }
        then discard;
    }
}


Re: OSPF on SRX 240

06-16-2015 12:27 PM

Anyone?

Re: OSPF on SRX 240

06-16-2015 10:15 PM

Hello,

Your configuration looks fine. Also, when we sourced the ping with the reth1.0 IP, you were able to reach the OSPF network.

So now the issue, as stated by you, is that your host behind the SRX cannot reach the OSPF network. For that we need to run flow traceoptions on your SRX device and see if we are dropping the packets or doing asymmetric routing.


Thanks,
Sam

Re: OSPF on SRX 240

06-17-2015 12:34 AM

# run show log flow-trace
Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow0: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow0: Destination ID set to 2
Jun 17 10:31:42 10:31:42.648602:CID-1:RT:filter 0 name f0 is set

Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow1: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow1: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow0: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow0: Destination ID set to 2
Jun 17 10:31:42 10:31:50.362687:CID-2:RT:filter 0 name f0 is set

Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow2: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow2: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow1: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow1: Destination ID set to 2
Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow3: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow3: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow2: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow2: Destination ID set to 2
Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow4: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.647804:CID-1:CTRL:flow4: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow3: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow3: Destination ID set to 2
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow5: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow5: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow4: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358090:CID-2:CTRL:flow4: Destination ID set to 2
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow6: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow6: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358411:CID-2:CTRL:flow5: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358411:CID-2:CTRL:flow5: Destination ID set to 2
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow7: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow7: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358411:CID-2:CTRL:flow6: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358411:CID-2:CTRL:flow6: Destination ID set to 2
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow8: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow8: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow7: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow7: Destination ID set to 2
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow9: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow9: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow8: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow8: Destination ID set to 2
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow10: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow10: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow9: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow9: Destination ID set to 2
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow11: Rate limit changed to 0
Jun 17 10:31:42 10:31:42.648151:CID-1:CTRL:flow11: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow10: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow10: Destination ID set to 2
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow11: Rate limit changed to 0
Jun 17 10:31:42 10:31:50.358553:CID-2:CTRL:flow11: Destination ID set to 2
Jun 17 10:32:04 10:32:04.003393:CID-1:RT:<10.8.20.22/1->172.16.1.10/6717;1> matched filter f0:

Jun 17 10:32:04 10:32:04.003393:CID-1:RT:packet [84] ipid = 20573, @0x4320c51c

Jun 17 10:32:04 10:32:04.003393:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4320c300, rtbl_idx = 0

Jun 17 10:32:04 10:32:04.003469:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0

Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)

Jun 17 10:32:04 10:32:04.003469:CID-1:RT: find flow: table 0x511609a0, hash 57765(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 1, dp 6717, proto 1, tok 6

Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  flow_first_create_session

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 1, dp 6717

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  chose interface reth1.0 as incoming nat if.

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 1, dp 6717, ip_proto 1, tos 0

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x11a3d,0x1a3d)

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/14389 proto 1

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/14389 proto 1

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  app 0, timeout 60s, curr ageout 60s

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  packet dropped, denied by policy

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt

Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  packet dropped,  policy deny.

Jun 17 10:32:04 10:32:04.003885:CID-1:RT:  flow find session returns error.

Jun 17 10:32:04 10:32:04.003885:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 17 10:32:04 10:32:04.384754:CID-1:RT:jsf sess close notify

Jun 17 10:32:04 10:32:04.384774:CID-1:RT:flow_ipv4_del_flow: sess 288214, in hash 32

Jun 17 10:32:04 10:32:04.384774:CID-1:RT:ha_ifp: reth1.0

Jun 17 10:32:05 10:32:05.003313:CID-1:RT:<10.8.20.22/2->172.16.1.10/6717;1> matched filter f0:

Jun 17 10:32:05 10:32:05.003313:CID-1:RT:packet [84] ipid = 20574, @0x4367539c

Jun 17 10:32:05 10:32:05.003313:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43675180, rtbl_idx = 0

Jun 17 10:32:05 10:32:05.003313:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0

Jun 17 10:32:05 10:32:05.003313:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)

Jun 17 10:32:05 10:32:05.003313:CID-1:RT: find flow: table 0x511609a0, hash 49333(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 2, dp 6717, proto 1, tok 6

Jun 17 10:32:05 10:32:05.003313:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 17 10:32:05 10:32:05.003313:CID-1:RT:  flow_first_create_session

Jun 17 10:32:05 10:32:05.003313:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 2, dp 6717

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  chose interface reth1.0 as incoming nat if.

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 2, dp 6717, ip_proto 1, tos 0

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x21a3d,0x1a3d)

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/31284 proto 1

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/31284 proto 1

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  app 0, timeout 60s, curr ageout 60s

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  packet dropped, denied by policy

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  packet dropped,  policy deny.

Jun 17 10:32:05 10:32:05.003643:CID-1:RT:  flow find session returns error.

Jun 17 10:32:05 10:32:05.003643:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 17 10:32:06 10:32:06.003356:CID-1:RT:<10.8.20.22/3->172.16.1.10/6717;1> matched filter f0:

Jun 17 10:32:06 10:32:06.003356:CID-1:RT:packet [84] ipid = 20575, @0x4319dd1c

Jun 17 10:32:06 10:32:06.003356:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4319db00, rtbl_idx = 0

Jun 17 10:32:06 10:32:06.003356:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)

Jun 17 10:32:06 10:32:06.003544:CID-1:RT: find flow: table 0x511609a0, hash 10181(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 3, dp 6717, proto 1, tok 6

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  flow_first_create_session

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 3, dp 6717

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  chose interface reth1.0 as incoming nat if.

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 3, dp 6717, ip_proto 1, tos 0

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x31a3d,0x1a3d)

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/23603 proto 1

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/23603 proto 1

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  app 0, timeout 60s, curr ageout 60s

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  packet dropped, denied by policy

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  packet dropped,  policy deny.

Jun 17 10:32:06 10:32:06.003544:CID-1:RT:  flow find session returns error.

Jun 17 10:32:06 10:32:06.003544:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 17 10:32:06 10:32:06.386710:CID-1:RT:jsf sess close notify

Jun 17 10:32:06 10:32:06.386710:CID-1:RT:flow_ipv4_del_flow: sess 287850, in hash 32

Jun 17 10:32:06 10:32:06.386728:CID-1:RT:ha_ifp: reth1.0

Jun 17 10:32:06 10:32:06.386728:CID-1:RT:jsf sess close notify

Jun 17 10:32:06 10:32:06.386728:CID-1:RT:flow_ipv4_del_flow: sess 289155, in hash 32

Jun 17 10:32:06 10:32:06.386728:CID-1:RT:ha_ifp: reth1.0

Jun 17 10:32:07 10:32:07.003295:CID-1:RT:<10.8.20.22/4->172.16.1.10/6717;1> matched filter f0:

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:packet [84] ipid = 20576, @0x4319dd1c

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4319db00, rtbl_idx = 0

Jun 17 10:32:07 10:32:07.003467:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)

Jun 17 10:32:07 10:32:07.003467:CID-1:RT: find flow: table 0x511609a0, hash 1749(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 4, dp 6717, proto 1, tok 6

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  flow_first_create_session

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 4, dp 6717

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  chose interface reth1.0 as incoming nat if.

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 4, dp 6717, ip_proto 1, tos 0

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x41a3d,0x1a3d)

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/39218 proto 1

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/39218 proto 1

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  app 0, timeout 60s, curr ageout 60s

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  packet dropped, denied by policy

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  packet dropped,  policy deny.

Jun 17 10:32:07 10:32:07.003467:CID-1:RT:  flow find session returns error.

Jun 17 10:32:07 10:32:07.003467:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 17 10:32:08 10:32:08.003347:CID-1:RT:<10.8.20.22/5->172.16.1.10/6717;1> matched filter f0:

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:packet [84] ipid = 20577, @0x4320c51c

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4320c300, rtbl_idx = 0

Jun 17 10:32:08 10:32:08.003347:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)

Jun 17 10:32:08 10:32:08.003347:CID-1:RT: find flow: table 0x511609a0, hash 26085(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 5, dp 6717, proto 1, tok 6

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  flow_first_create_session

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 5, dp 6717

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  chose interface reth1.0 as incoming nat if.

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 5, dp 6717, ip_proto 1, tos 0

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6

Jun 17 10:32:08 10:32:08.003347:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x51a3d,0x1a3d)

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/29233 proto 1

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/29233 proto 1

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  app 0, timeout 60s, curr ageout 60s

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  packet dropped, denied by policy

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  packet dropped,  policy deny.

Jun 17 10:32:08 10:32:08.003786:CID-1:RT:  flow find session returns error.

Jun 17 10:32:08 10:32:08.003786:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 17 10:32:08 10:32:08.386970:CID-1:RT:jsf sess close notify

Jun 17 10:32:08 10:32:08.386970:CID-1:RT:flow_ipv4_del_flow: sess 290026, in hash 32

Jun 17 10:32:08 10:32:08.386970:CID-1:RT:ha_ifp: reth1.0

Jun 17 10:32:08 10:32:08.386970:CID-1:RT:jsf sess close notify

Jun 17 10:32:08 10:32:08.386970:CID-1:RT:flow_ipv4_del_flow: sess 289460, in hash 32

Jun 17 10:32:08 10:32:08.387031:CID-1:RT:ha_ifp: reth1.0

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:<10.8.20.22/6->172.16.1.10/6717;1> matched filter f0:

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:packet [84] ipid = 20578, @0x432dda1c

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x432dd800, rtbl_idx = 0

Jun 17 10:32:09 10:32:09.003377:CID-1:RT: flow process pak fast ifl 68 in_ifp reth1.0

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)

Jun 17 10:32:09 10:32:09.003377:CID-1:RT: find flow: table 0x511609a0, hash 17653(0xffff), sa 10.8.20.22, da 172.16.1.10, sp 6, dp 6717, proto 1, tok 6

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  flow_first_create_session

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 172.16.1.10, sp 6, dp 6717

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:  chose interface reth1.0 as incoming nat if.

Jun 17 10:32:09 10:32:09.003377:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.1.10(6717)

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.8.20.22, x_dst_ip 172.16.1.10, in ifp reth1.0, out ifp N/A sp 6, dp 6717, ip_proto 1, tos 0

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:Doing DESTINATION addr route-lookup

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x61a3d,0x1a3d)

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/19248 proto 1

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:             10.8.20.22/2048 -> 172.16.1.10/19248 proto 1

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  app 0, timeout 60s, curr ageout 60s

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  packet dropped, denied by policy

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  packet dropped,  policy deny.

Jun 17 10:32:09 10:32:09.003729:CID-1:RT:  flow find session returns error.

Jun 17 10:32:09 10:32:09.003729:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Jun 17 10:32:10 10:32:10.384859:CID-1:RT:jsf sess close notify

Jun 17 10:32:10 10:32:10.384859:CID-1:RT:flow_ipv4_del_flow: sess 288575, in hash 32

Jun 17 10:32:10 10:32:10.384878:CID-1:RT:ha_ifp: reth1.0

Flow trace attached; it looks like some policy is dropping the packet.
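
As an added example (not part of the thread, and not Juniper code), here is a small Python parser that runs over flow-trace lines like the ones above and pulls out what a practitioner actually wants from a `traceoptions` dump: the 5-tuple, the ingress/egress interface and next hop the route lookup chose, the zone pair the policy search used, and which policy produced the verdict. The embedded sample is the first ICMP probe from the trace as posted plus one constructed flow that is permitted; the exact wording of the "permitted by policy NAME(idx)" line is an assumption, the "denied by policy default-policy-00(2)" line is verbatim from the trace.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines taken from the flow trace posted above (first ICMP probe),
# followed by one CONSTRUCTED flow that is permitted, so both verdicts are exercised.
# The "permitted by policy NAME(idx)" wording is an assumption.
TRACE = """\
Jun 17 10:32:04 10:32:04.003393:CID-1:RT:<10.8.20.22/1->172.16.1.10/6717;1> matched filter f0:
Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  reth1.0:10.8.20.22->172.16.1.10, icmp, (8/0)
Jun 17 10:32:04 10:32:04.003469:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.6
Jun 17 10:32:04 10:32:04.003590:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x11a3d,0x1a3d)
Jun 17 10:32:04 10:32:04.003590:CID-1:RT:  denied by policy default-policy-00(2), dropping pkt
Jun 17 10:32:04 10:32:04.003590:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
Jun 17 10:40:00 10:40:00.000001:CID-1:RT:<10.8.20.22/7->172.16.1.10/6717;1> matched filter f0:
Jun 17 10:40:00 10:40:00.000002:CID-1:RT:  routed (x_dst_ip 172.16.1.10) from trust (reth1.0 in 1) to reth1.0, Next-hop: 172.16.6.2
Jun 17 10:40:00 10:40:00.000002:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x71a3d,0x1a3d)
Jun 17 10:40:00 10:40:00.000003:CID-1:RT:  permitted by policy default-permit(4)
Jun 17 10:40:00 10:40:00.000004:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""


@dataclass
class FlowVerdict:
    src: str
    dst: str
    proto: int
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    next_hop: Optional[str] = None
    policy: Optional[str] = None
    action: Optional[str] = None      # "permit" or "deny"

    @property
    def intrazone(self) -> bool:
        return self.from_zone is not None and self.from_zone == self.to_zone


# One regex per trace line type we care about; every other line is ignored.
PKT_RE = re.compile(r"<(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+;(?P<proto>\d+)> matched filter")
ROUTE_RE = re.compile(r"routed \(x_dst_ip [\d.]+\) from (?P<fz>\S+) \((?P<inif>\S+) in \d+\) "
                      r"to (?P<outif>\S+), Next-hop: (?P<nh>[\d.]+)")
ZONE_RE = re.compile(r"policy search from zone (?P<fz>\S+?)-> zone (?P<tz>\S+)")
VERDICT_RE = re.compile(r"(?P<act>permitted|denied) by policy (?P<pol>\S+?)\(\d+\)")
END_RE = re.compile(r"flow_process_pkt rc ")


def parse_trace(text: str) -> List[FlowVerdict]:
    """Group trace lines into per-packet verdicts: 'matched filter' opens one, 'flow_process_pkt rc' closes it."""
    verdicts: List[FlowVerdict] = []
    cur: Optional[FlowVerdict] = None
    for line in text.splitlines():
        if (m := PKT_RE.search(line)):
            cur = FlowVerdict(m["src"], m["dst"], int(m["proto"]))
        elif cur is None:
            continue
        elif (m := ROUTE_RE.search(line)):
            cur.from_zone, cur.in_if = m["fz"], m["inif"]
            cur.out_if, cur.next_hop = m["outif"], m["nh"]
        elif (m := ZONE_RE.search(line)):
            cur.from_zone, cur.to_zone = m["fz"], m["tz"]
        elif (m := VERDICT_RE.search(line)):
            cur.policy = m["pol"]
            cur.action = "permit" if m["act"] == "permitted" else "deny"
        elif END_RE.search(line):
            verdicts.append(cur)
            cur = None
    return verdicts


def diagnose(v: FlowVerdict) -> str:
    """Turn a parsed verdict into the one-line explanation you want from a trace."""
    path = (f"{v.src}->{v.dst} proto {v.proto} ({v.from_zone} -> {v.to_zone}, "
            f"{v.in_if} -> {v.out_if} via {v.next_hop})")
    if v.action == "deny" and v.policy and v.policy.startswith("default-policy"):
        scope = "intra-zone" if v.intrazone else "inter-zone"
        return (f"DENY {path}: no explicit {scope} policy matched, "
                f"the global default-policy ({v.policy}) dropped it")
    if v.action == "deny":
        return f"DENY {path}: explicit deny by policy {v.policy}"
    return f"PERMIT {path}: policy {v.policy}"


if __name__ == "__main__":
    for verdict in parse_trace(TRACE):
        print(diagnose(verdict))
```

On the trace above this reports a trust-to-trust flow on reth1.0 dropped by `default-policy-00`, which is the tell: the lookup found no zone-pair policy at all, so the global default applied. The matching check on the box is `show security policies from-zone trust to-zone trust`; if that returns nothing, the fix belongs there, not in the routing table.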


Re: OSPF on SRX 240

‎06-17-2015 12:47 AM

I found the solution for the problem. It looks like the default-policy on the SRX is deny-all, so I set the following policy:

set security policies default-policy permit-all

Solution
Accepted by topic author ndanl
‎08-26-2015 01:27 AM

Re: OSPF on SRX 240

‎06-17-2015 12:49 AM

Yes!

You need to make a policy to allow traffic within zone trust to zone trust:

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit


Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
Re: OSPF on SRX 240

‎06-17-2015 12:50 AM

@ndanl wrote:

    I found the solution for the problem. It looks like the default-policy on the SRX is deny-all, so I set the following policy:

    set security policies default-policy permit-all

This can work, but you now allow everything from anywhere! See my previous post for how to allow the traffic within only the trust zone.

Marc
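
To make the difference between the two fixes concrete, here is an added example (my own Python, not the thread's and not Junos code) that models SRX policy evaluation: ordered zone-pair policies are tried first, and the global default-policy decides anything nothing matched. It compares three rulebases, `default-policy permit-all`, the accepted trust-to-trust permit with the default left at deny-all, and a tighter variant added here that only lets the LAN ping the OSPF-learned host, against constructed sample traffic. Application names follow the `junos-*` naming convention but are treated as plain strings, address-book entries are replaced by CIDRs, and global policies and the stateful return path are left out of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    app: str


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str = "any"          # "any" or a CIDR, standing in for an address-book entry
    dst: str = "any"
    app: str = "any"          # "any" or an application name
    action: str = "permit"    # "permit" or "deny"


@dataclass(frozen=True)
class Rulebase:
    name: str
    policies: Tuple[Policy, ...]   # evaluated in order, first match wins
    default_action: str            # what "set security policies default-policy ..." is set to


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def policy_matches(p: Policy, pkt: Packet) -> bool:
    return (p.from_zone == pkt.from_zone and p.to_zone == pkt.to_zone
            and addr_match(p.src, pkt.src) and addr_match(p.dst, pkt.dst)
            and p.app in ("any", pkt.app))


def evaluate(rb: Rulebase, pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason): first matching zone-pair policy wins, else the default-policy."""
    for p in rb.policies:
        if policy_matches(p, pkt):
            return p.action, f"{p.from_zone}->{p.to_zone} policy"
    return rb.default_action, "default-policy"


# 1) The first fix in the thread: no zone policies, global default flipped to permit-all.
PERMIT_ALL = Rulebase("default-policy permit-all", (), "permit")
# 2) The accepted answer: explicit trust->trust permit, default-policy left at deny-all.
TRUST_INTRAZONE = Rulebase("trust->trust permit any", (Policy("trust", "trust"),), "deny")
# 3) Tighter variant (added here, not from the thread): only the LAN may ping the OSPF-learned host.
TRUST_PING_ONLY = Rulebase(
    "trust->trust icmp to 172.16.1.10",
    (Policy("trust", "trust", src="10.8.0.0/16", dst="172.16.1.10/32", app="junos-icmp-all"),),
    "deny",
)

# Constructed sample traffic: the ping from the thread, plus two flows it never mentions.
PING_FROM_LAN = Packet("trust", "trust", "10.8.20.22", "172.16.1.10", "junos-icmp-all")
SSH_FROM_LAN = Packet("trust", "trust", "10.8.20.22", "172.16.1.10", "junos-ssh")
SSH_FROM_INTERNET = Packet("untrust", "trust", "203.0.113.5", "10.8.20.22", "junos-ssh")


def compare(rulebases: List[Rulebase], packets: List[Packet]) -> Dict[Tuple[str, str], str]:
    """Matrix of (rulebase name, flow label) -> action, for a side-by-side view."""
    out: Dict[Tuple[str, str], str] = {}
    for rb in rulebases:
        for pkt in packets:
            label = f"{pkt.from_zone}->{pkt.to_zone} {pkt.app}"
            out[(rb.name, label)] = evaluate(rb, pkt)[0]
    return out


if __name__ == "__main__":
    matrix = compare([PERMIT_ALL, TRUST_INTRAZONE, TRUST_PING_ONLY],
                     [PING_FROM_LAN, SSH_FROM_LAN, SSH_FROM_INTERNET])
    for (rb_name, flow), action in matrix.items():
        print(f"{rb_name:36s} {flow:30s} {action}")
```

All three rulebases let the ping through, which is why `default-policy permit-all` looked like a fix; only the first one also lets untrust reach the LAN over SSH, because the global default is consulted for every zone pair, not just trust-to-trust. The factory-default SRX configuration ships with a `trust`-to-`trust` `default-permit` policy, which is why intra-zone traffic is often assumed to be implicit; once that policy is gone, intra-zone flows fall through to the default-policy like any other.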
Re: OSPF on SRX 240

‎06-17-2015 01:16 AM

Correct, your solution is better since you can still control the traffic. Annoying zones :-)

Thank you

--
Dan

Re: OSPF on SRX 240

‎06-17-2015 01:46 AM

Hi,

nice to see that your problem is solved! :-)

Marc