SRX Services Gateway

Proxy-Arp only works if monitoring external interface

‎09-05-2016 12:13 PM

Configuring a new SRX220 with proxy ARP. The ISP gives a /29 to use. I have both static NAT and destination NAT configured for some of the IPs I have set up with proxy-arp. None of them were working at all; however, when I issue the command:

    monitor traffic interface ge-0/0/0.0 no-resolve

proxy ARP magically works for everything as long as I have the monitor command running.

Seems strange, what am I missing?

Re: Proxy-Arp only works if monitoring external interface

‎09-05-2016 12:30 PM

Hi

I'm not sure why this may happen, can you post relevant parts of the config and "show route" output, obfuscating the real IP addresses?

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]

Re: Proxy-Arp only works if monitoring external interface

‎09-05-2016 12:44 PM
interfaces {                            
    ge-0/0/0 {                          
        unit 0 {                        
            proxy-arp;                  
            family inet {               
                address 173.xxx.xx.233/29;
            }                           
        }                               
    }                                   
    ge-0/0/1 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members default;    
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/2 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-dmz;   
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/3 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-dmz;   
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/4 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-dmz;   
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/5 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members default;    
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/6 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-dmz;   
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/7 {                          
        unit 0 {                        
            family ethernet-switching;  
        }                               
    }                                   
    lo0 {                               
        unit 0 {                        
            family inet {               
                address 127.0.0.1/32;   
            }                           
        }                               
    }                                   
    st0 {                               
        unit 0 {                        
            family inet {               
                address 10.255.0.2/30;  
            }                           
        }                               
    }                                   
    vlan {                              
        unit 0 {                        
            family inet {               
                address 192.168.1.254/24;
            }                           
        }                               
        unit 5 {                        
            family inet {               
                address 192.168.2.254/24;
            }                           
        }                               
    }                                   
} 

routing-options {
    static {
        route 0.0.0.0/0 next-hop 173.xx.xx.238;
        route 10.30.0.0/16 next-hop st0.0;
    }
}

nat {
    source {
        pool src-nat-pool-data {
            address {
                173.xx.xx.234/32;
            }
        }
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule data-test-rule {
                match {
                    source-address 192.168.1.10/32;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            src-nat-pool-data;
                        }
                    }
                }
            }
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set dmz-to-untrust {
            from zone dmz;
            to zone untrust;
            rule source-nat-rule2 {
                match {
                    source-address 192.168.2.10/32;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            src-nat-pool-data;
                        }
                    }
                }
            }
        }
    }
    destination {
        pool dst-nat-pool-1 {
            address 192.168.2.10/32 port 80;
        }
        rule-set rs1 {
            from zone untrust;
            rule r1 {
                match {
                    destination-address 173.xx.xx.234/32;
                    destination-port 80;
                }
                then {
                    destination-nat pool dst-nat-pool-1;
                }
            }
        }
    }
    static {
        rule-set static-net03 {
            from zone untrust;
            rule rule1 {
                match {
                    destination-address 173.xx.xx.237/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.2.17/32;
                        }
                    }
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                173.xx.xx.235/32;
                173.xx.xx.236/32;
                173.xx.xx.237/32;
                173.xx.xx.234/32;
            }
        }
    }
}

vlans {
    default {
        vlan-id 1;
        l3-interface vlan.0;
    }
    vlan-dmz {
        vlan-id 5;
        l3-interface vlan.5;
    }
}

show route

inet.0: 15 destinations, 15 routes (14 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:03:50
                    > to 173.167.79.238 via ge-0/0/0.0
10.30.0.0/16       *[Static/5] 00:04:04
                    > via st0.0
10.255.0.0/30      *[Direct/0] 00:04:04
                    > via st0.0
10.255.0.2/32      *[Local/0] 00:04:04
                      Local via st0.0
173.xx.xx.232/29   *[Direct/0] 00:03:50
                    > via ge-0/0/0.0
173.xx.xx.233/32   *[Local/0] 00:03:55
                      Local via ge-0/0/0.0
173.xx.xx.234/32   *[Static/1] 00:03:55
                      Discard
173.xx.xx.235/32   *[Static/1] 00:03:55
                      Discard
173.xx.xx.236/32   *[Static/1] 00:03:55
                      Discard
173.xx.xx.237/32   *[Static/1] 00:03:55
                      Discard
192.168.1.0/24     *[Direct/0] 00:03:50
                    > via vlan.0
192.168.1.254/32   *[Local/0] 00:04:04
                      Local via vlan.0
192.168.2.0/24     *[Direct/0] 00:03:50
                    > via vlan.5
192.168.2.254/32   *[Local/0] 00:04:04
                      Local via vlan.5
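
A check worth running on a configuration like the one above, before chasing ARP problems upstream, is whether every public address that a source pool, destination-NAT rule or static-NAT rule refers to is actually listed under `security nat proxy-arp` for the outside interface, and whether every proxy-arp entry is still backed by a NAT rule. The script below is an added example, not code from the thread or from Juniper: it consumes `show configuration | display set` output (a constructed sample modelled on the poster's layout, with the obfuscated /29 replaced by the documentation range 203.0.113.232/29) and reports the mismatches. The function names, the `SAMPLE` text and the `ge-0/0/0.0` default are assumptions of the example.

```python
import ipaddress

# Constructed sample in `show configuration | display set` form, modelled on
# the thread's layout: the ISP /29 becomes the documentation range
# 203.0.113.232/29 (.233 is the SRX, .238 the ISP gateway, .234-.237 are NAT'd).
SAMPLE = """
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.233/29
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.238
set security nat source pool src-nat-pool-data address 203.0.113.234/32
set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule r1 match destination-address 203.0.113.234/32
set security nat destination rule-set rs1 rule r1 match destination-port 80
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat static rule-set static-net03 from zone untrust
set security nat static rule-set static-net03 rule rule1 match destination-address 203.0.113.237/32
set security nat static rule-set static-net03 rule rule1 then static-nat prefix 192.168.2.17/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.234/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.235/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.236/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.237/32
"""

NAT_SECTIONS = ("source", "destination", "static")


def parse_set(text):
    """Split each 'set ...' line into its tokens, dropping the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines() if line.strip().startswith("set ")]


def external_interface(stmts, ifl):
    """Address/prefix of the outside logical interface, e.g. 203.0.113.233/29."""
    ifd, unit = ifl.split(".")
    prefix = ["interfaces", ifd, "unit", unit, "family", "inet", "address"]
    for s in stmts:
        if s[:7] == prefix:
            return ipaddress.ip_interface(s[7])
    raise ValueError(f"no inet address configured on {ifl}")


def proxy_arp_addresses(stmts, ifl):
    """Prefixes the SRX has been told to answer ARP for on the outside interface."""
    prefix = ["security", "nat", "proxy-arp", "interface", ifl, "address"]
    return {ipaddress.ip_network(s[6]) for s in stmts if s[:6] == prefix}


def nat_public_hosts(stmts, ext):
    """Host addresses inside the outside subnet that a NAT pool or rule refers to.

    Every token under security nat source/destination/static is tried as an
    IPv4 prefix; pool names, zone names and port numbers fail to parse and are
    skipped. The interface's own address is excluded, since it never needs
    proxy ARP.
    """
    hosts = set()
    for s in stmts:
        if s[:2] != ["security", "nat"] or s[2] not in NAT_SECTIONS:
            continue
        for token in s[3:]:
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue
            if net.prefixlen == 32 and net.network_address in ext.network and net.network_address != ext.ip:
                hosts.add(net)
    return hosts


def audit(text, ifl="ge-0/0/0.0"):
    """Return human-readable findings; an empty list means NAT and proxy-arp agree."""
    stmts = parse_set(text)
    ext = external_interface(stmts, ifl)
    proxied = proxy_arp_addresses(stmts, ifl)
    needed = nat_public_hosts(stmts, ext)
    findings = []
    for net in sorted(needed - proxied):
        findings.append(f"NAT uses {net} but proxy-arp on {ifl} does not answer for it")
    for net in sorted(proxied - needed):
        findings.append(f"proxy-arp on {ifl} answers for {net} but no NAT rule uses it")
    for net in sorted(proxied):
        if net.network_address not in ext.network:
            findings.append(f"proxy-arp entry {net} is outside {ext.network}; ARP requests for it never arrive on {ifl}")
        elif net.network_address == ext.ip:
            findings.append(f"proxy-arp entry {net} is the interface's own address and is redundant")
    return findings


def drop_line(text, needle):
    """Remove lines containing `needle`; used to simulate a missing proxy-arp entry."""
    return "\n".join(line for line in text.splitlines() if needle not in line)


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

On the sample this reports .235 and .236 as proxy-arp entries that no NAT rule uses (the thread's config has the same two spare entries); an address that NAT relies on but proxy-arp lacks would show up as a "NAT uses ... does not answer" line. The interface-level `proxy-arp;` knob under `interfaces` is not examined; only the `security nat proxy-arp` list is. To use it on a real box, paste the `display set` output in place of `SAMPLE` with the real addresses, since obfuscated octets such as `xx` do not parse.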


Re: Proxy-Arp only works if monitoring external interface

‎09-05-2016 01:23 PM

You should try removing the proxy-arp setting from the interface ge-0/0/0 unit 0 stanza.

I don't think it is needed when you have it configured in [security].

Best Regards,
PK


Re: Proxy-Arp only works if monitoring external interface

‎09-06-2016 06:21 AM

Thanks for the reply. I will test this out today. One other thing I noticed is that it is showing the "Next hop type" as discard; is that correct?

I have a J-series router at another location that is successfully using proxy-arp, and when I look at the routes for those IP addresses, it shows: "Next hop type: Receive"

Thanks


Re: Proxy-Arp only works if monitoring external interface

‎09-06-2016 08:11 AM

Hi

That behavior changed somewhere between Junos versions.

Both should be OK as far as I know.

Best Regards,
PK

Solution, accepted by topic author docbrown25 on 09-07-2016 05:57 AM

Re: Proxy-Arp only works if monitoring external interface

‎09-07-2016 05:55 AM

Just to follow up on this. This is all working properly now; the culprit was a cached ARP table on a Comcast SMC modem. The only way to clear the cache is to power-cycle the Comcast modem, apparently.