SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Ospf between srx and mikrotik

    Posted 09-17-2018 05:36

    Hello

     

    Could use a little help with debugging a problem.

     

    Long story short, I made a working config using lab equipment at hand (SRX 210 + MikroTik), everything worked as expected. But when I transferred the same config to the SRX 5400, OSPF started to give trouble. OSPF hello packets don't reach the MikroTik.

     

    Basic idea is:

    IPsec + GRE tunnel, pings are OK, but I think MTU is the problem.

     

    Tests:

    srx210  to mikrotik "ping x.x.x.x size 9148 do-not fragment" OK

    mikrotik to srx210 "ping x.x.x.x size 1414 do-not fragment" OK 

     

    Moving to srx 5400

    srx210  to mikrotik "ping x.x.x.x size 1386 do-not fragment" OK (only 1386) - is that causing OSPF hellos not to reach the MikroTik?

    mikrotik to srx210 "ping x.x.x.x size 1414 do-not fragment" OK 

     

    Egert



  • 2.  RE: Ospf between srx and mikrotik

     
    Posted 09-17-2018 23:49

    Hi,

     

    After moving the config to the SRX5400, when you say OSPF hello packets don't reach the other end, which state is the OSPF neighbor in? Is it stuck in exstart/exchange? <show ospf neighbor>

     

    And since you have moved from SRX210 to SRX5400, could you ensure that the interface settings are the same, such as MTU, and ensure OSPF is allowed as an inbound protocol (security zone) for each interface that is associated with OSPF.



  • 3.  RE: Ospf between srx and mikrotik

    Posted 09-18-2018 00:20

    Hello,

     

    OSPF is stuck at init status. The MikroTik is not receiving OSPF packets from the Juniper.

    Ospf trace log (flag:all):

    Sep 18 10:08:15.744432 OSPF periodic xmit from 192.168.3.1 to 224.0.0.5 (IFL 77 area 1.1.1.1)
    Sep 18 10:08:16.634671 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:16.634718 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:16.634737 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:16.634718
    Sep 18 10:08:16.634746 OSPF periodic xmit from (null) to 224.0.0.5 (IFL 73 area 1.1.1.1)
    Sep 18 10:08:16.885615 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:16.885639 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:16.885659 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:16.885639
    Sep 18 10:08:16.885667 OSPF hello from 1.1.1.3 (IFL 73, area 1.1.1.1) absorbed
    Sep 18 10:08:24.527424 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:24.527474 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:24.527493 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:24.527474
    Sep 18 10:08:24.527528 OSPF periodic xmit from 192.168.3.1 to 224.0.0.5 (IFL 77 area 1.1.1.1)
    Sep 18 10:08:25.335293 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:25.335328 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:25.335347 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:25.335328
    Sep 18 10:08:25.335400 OSPF periodic xmit from (null) to 224.0.0.5 (IFL 73 area 1.1.1.1)
    Sep 18 10:08:26.884333 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:26.884365 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
    Sep 18 10:08:26.884383 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:26.884365
    Sep 18 10:08:26.884391 OSPF hello from 1.1.1.3 (IFL 73, area 1.1.1.1) absorbed

     

    Well, one other thing that did change was that the SRX210 had 1G links; on the 5400 I replaced them with 10G (changed config accordingly). And for testing I changed the 5400 to use 1G as well; results were the same: tunnel up, but OSPF is only one-way.

     

    For testing I have set all security zones with
     host-inbound-traffic system-service any-service
     host-inbound-traffic protocols all

    Also Default-policy permit-all

     

    MTU seems to act differently on each SRX box, pinging from one LAN to another (over IPsec + GRE):


    srx 5400 max packet size is: ping 192.168.5.1 size 1386 do-not-fragment
    but for 210 it is much larger: ping 192.168.5.1 size 9140 do-not-fragment

     

    Is that the root problem here?

    I haven't made any MTU changes; it's all default.



  • 4.  RE: Ospf between srx and mikrotik

     
    Posted 09-18-2018 21:31

    Hi,

     

    Does it always remain in "init" state? Or does it go up to "2-way" state or "exstart/exchange" state and fall back?

     

    If your OSPF is stuck and remains in "Init" state, that means you have a problem/mismatch with OSPF Hello packet parameters such as the OSPF area ID, interface subnet mismatch, hello/dead interval, interface-type or authentication, etc. Ensure that you have matching parameters at both ends.

     

    If you see the OSPF neighbor struggling in exstart/exchange state, then it's an MTU issue. In your case of having an IPsec/GRE tunnel, ensure that you have a common MTU across the path.

     

     

    Could you share the following:

     

    > show ospf neighbor

    > show interfaces x/y/z

    > related config from SRX and Mikrotik

     

     

     

     

     

     



  • 5.  RE: Ospf between srx and mikrotik
    Best Answer

     
    Posted 09-18-2018 21:39

    Hi,

     

    There is a known condition tracked as PR #1274667, where OSPF over GRE over IPsec is not supported on SRX with standalone CP. This is a day-one issue in standalone CP and is fixed in JUNOS 17.3R1 onwards.

     

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1274667

     

    May I know what JUNOS release you're running on the SRX5k?

     

     

     



  • 6.  RE: Ospf between srx and mikrotik

    Posted 09-18-2018 22:42

    Hi,

     

    The currently installed SRX 5400 version is 15.1X49-D120.3.

     

    Should I install the latest version: 17.3R2?



  • 7.  RE: Ospf between srx and mikrotik

     
    Posted 09-18-2018 22:53

    Hi,

     

    Yes, it is fixed in 17.3R1 onwards, so 17.3R2 should be fine.

     

     



  • 8.  RE: Ospf between srx and mikrotik

    Posted 09-19-2018 03:08

    Updated to 17.3R2 and OSPF started working.

     

    Thanks for the help! 🙂