SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX 210 3g wireless can't work...

    Posted 06-13-2009 08:08

    Hi, ALL

     

    I have an SRX210 and use a 3G express card as the backup WAN link, and I have run into some problems.

    1. When the primary WAN link goes down, the 3G wireless interface (dial interface) comes up and gets a public IP from the ISP, but clients can't access the Internet through the 3G WAN link.

    2. Continuing from problem 1, the SRX 210 can't access the Internet by itself when the 3G WAN link is up.

    I referred to the 'JUNOS9.5-admin-guide', 'SRX-210-feature guide' ...

    Am I missing any configuration?

     

     

    thanks,

    bruce 6/13

     



  • 2.  RE: SRX 210 3g wireless can't work...

    Posted 06-13-2009 14:00
    Are both interfaces in the same zone? Are you source NATting behind the egress interface? Did you check the routing table in both situations?


  • 3.  RE: SRX 210 3g wireless can't work...

    Posted 06-14-2009 06:37

     

    root> show configuration | display set
    set version 9.5R1.8
    set system root-authentication encrypted-password "$1$VzUqrU12$myf6WVDNfCtMfjB1bgW/20"
    set system name-server 168.95.1.1
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0 family inet address 172.27.74.35/27
    set interfaces ge-0/0/0 unit 0 backup-options interface dl0.0
    set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.254/24
    set interfaces cl-0/0/8 modem-options init-command-string "ATSO=2\n"
    set interfaces cl-0/0/8 dialer-options pool 1 priority 25
    set interfaces cl-0/0/8 cellular-options gsm-options select-profile profile-id 1
    set interfaces cl-0/0/8 cellular-options gsm-options encrypted-sim-unlock-code "$9$n6F.6tu0BIRcy9C"
    set interfaces dl0 description dialer-watch
    set interfaces dl0 encapsulation ppp
    set interfaces dl0 unit 0 point-to-point
    set interfaces dl0 unit 0 family inet negotiate-address
    set interfaces dl0 unit 0 dialer-options pool 1
    set interfaces dl0 unit 0 dialer-options dial-string 98
    set security nat source rule-set mbp-rule from zone trust
    set security nat source rule-set mbp-rule to zone untrust
    set security nat source rule-set mbp-rule rule mbp-nat-rule match source-address 1.1.1.0/24
    set security nat source rule-set mbp-rule rule mbp-nat-rule match destination-address 0.0.0.0/0
    set security nat source rule-set mbp-rule rule mbp-nat-rule then source-nat interface
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust host-inbound-traffic system-services ping
    set security zones security-zone trust host-inbound-traffic system-services ssh
    set security zones security-zone trust host-inbound-traffic system-services http
    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services http
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services ssh
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone untrust to-zone trust policy default-deny match source-address any
    set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
    set security policies from-zone untrust to-zone trust policy default-deny match application any
    set security policies from-zone untrust to-zone trust policy default-deny then deny
    set security policies default-policy permit-all
                       

    root> ping 168.95.1.1
    PING 168.95.1.1 (168.95.1.1): 56 data bytes
    ping: sendto: No route to host

     

    Regards,

    bruce 6/14



  • 4.  RE: SRX 210 3g wireless can't work...

    Posted 06-14-2009 13:31

    No route to host: Most likely the interface is down! What does "show interfaces terse" show?

    What does "show interfaces dl0.0 detail" show?



  • 5.  RE: SRX 210 3g wireless can't work...

    Posted 06-14-2009 19:33

    Hi,

    I checked the dial interface; its status is up ...

    root> show interfaces terse
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    down
    ge-0/0/0.0              up    down inet     172.27.74.35/27
    gr-0/0/0                up    up 
    ip-0/0/0                up    up 
    ls-0/0/0                up    up 
    lt-0/0/0                up    up 
    mt-0/0/0                up    up 
    pd-0/0/0                up    up 
    pe-0/0/0                up    up 
    ge-0/0/1                up    down
    ge-0/0/1.0              up    down inet     1.1.1.254/24   
    fe-0/0/2                up    down
    fe-0/0/3                up    down
    fe-0/0/4                up    down
    fe-0/0/5                up    down
    fe-0/0/6                up    down
    fe-0/0/7                up    down
    cl-0/0/8                up    up 
    cl-0/0/8.0              up    up 
    dl0                     up    up 
    dl0.0                   up    up   inet     114.137.77.103      --> 0/0
    gre                     up    up 
    Filename: e        
    Wrote 40 lines of output to 'e'
    ipip                    up    up 
    lo0                     up    up 
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                                10.0.0.16           --> 0/0
                                                128.0.0.1           --> 0/0
                                                128.0.1.16          --> 0/0
                                       inet6    fe80::224:dcff:fe01:d080
    lo0.32768               up    up 
    lsi                     up    up 
    mtun                    up    up 
    pimd                    up    up 
    pime                    up    up 
    pp0                     up    up 
    st0                     up    up 
    tap                     up    up 
    vlan                    up    up 

     

    Regards,

    bruce 6/15

     



  • 6.  RE: SRX 210 3g wireless can't work...
    Best Answer

    Posted 06-15-2009 09:10

    Hi,

     

    The problem was solved after adding a second default route bound to the 'Dialer Interface'.

     

    thanks,

    bruce 6/15
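
A check for the condition described in the accepted answer, as an added example that is not part of the original thread: it reads `display set` output, reports a dialer backup interface that has no default route pointing at it, and also reports management services accepted on that interface, since the 3G link comes up with a public address. The sample lines are a constructed subset of the configuration in post 3, and `ASSUMED_FIX` is an assumed form of the route statement, which the thread does not show.

```python
import re

# Constructed sample: a subset of the set-format configuration from post 3.
SAMPLE_BROKEN = """\
set interfaces ge-0/0/0 unit 0 family inet address 172.27.74.35/27
set interfaces ge-0/0/0 unit 0 backup-options interface dl0.0
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services ssh
"""

# Assumption: one way the "second default route" could be written;
# the exact statement used by the poster is not shown in the thread.
ASSUMED_FIX = "set routing-options static route 0.0.0.0/0 next-hop dl0.0\n"

BACKUP_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) backup-options interface (\S+)$")
DEFAULT_RE = re.compile(
    r"^set routing-options static route 0\.0\.0\.0/0 (?:qualified-)?next-hop (\S+)")
INBOUND_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+) "
    r"host-inbound-traffic system-services (\S+)$")
MGMT_SERVICES = {"ssh", "http", "https", "telnet", "all"}


def audit(config):
    """Return findings for dialer backup interfaces in a set-format config."""
    backups = {}        # backup interface -> primary logical interface
    default_hops = set()  # next hops of static default routes
    inbound = {}        # interface -> (zone, [management services])
    for line in (l.strip() for l in config.splitlines()):
        if (m := BACKUP_RE.match(line)):
            backups[m.group(3)] = f"{m.group(1)}.{m.group(2)}"
        elif (m := DEFAULT_RE.match(line)):
            default_hops.add(m.group(1))
        elif (m := INBOUND_RE.match(line)) and m.group(3) in MGMT_SERVICES:
            inbound.setdefault(m.group(2), (m.group(1), []))[1].append(m.group(3))

    findings = []
    for backup, primary in backups.items():
        if backup not in default_hops:
            findings.append(f"no-default-route: {backup} backs up {primary} "
                            "but no 0.0.0.0/0 static route points at it")
        if backup in inbound:
            zone, services = inbound[backup]
            findings.append(f"mgmt-exposed: {backup} (zone {zone}) accepts "
                            + ",".join(sorted(services)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_BROKEN),
                       ("with assumed fix", SAMPLE_BROKEN + ASSUMED_FIX)):
        print(label, audit(cfg))
```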



  • 7.  RE: SRX 210 3g wireless can't work...

    Posted 07-27-2009 11:04

    Hi All

    I'm living in Thailand.

    When my express aircard is connected to a computer, it is configured with only dial-number *99#, username: gsm, password: gsm.

    I tried to configure my express aircard with the SRX210 as the primary untrust interface, but it is still not successful.

    Could anyone help me verify the configuration, or share their experience with this situation?

    (I apologize if my English is not good.)

     

    set version 9.5R2.7
    set system host-name srx
    set system time-zone Asia/Bangkok
    set system root-authentication encrypted-password "$1$knr5OwnH$ZJNm4HgtpTOMEQQdWlwhp1"
    set system name-server 203.144.255.71
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system services web-management http interface ge-0/0/1.0
    set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.5
    set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.10
    set system services dhcp pool 192.168.1.0/24 domain-name srx.x1.co.th
    set system services dhcp pool 192.168.1.0/24 name-server 203.144.255.71
    set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
    set system services dhcp pool 192.168.1.0/24 server-identifier 192.168.1.1
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
    set interfaces ge-0/0/1 unit 0 family inet address 172.27.130.89/24
    set interfaces fe-0/0/2 unit 0 family inet address 192.168.3.1/24
    set interfaces fe-0/0/3 unit 0 family inet address 192.168.4.1/24
    set interfaces cl-0/0/8 dialer-options pool 1 priority 25
    set interfaces cl-0/0/8 cellular-options gsm-options select-profile profile-id 1
    set interfaces dl0 description 3g-wireless
    set interfaces dl0 encapsulation ppp
    set interfaces dl0 unit 0 point-to-point
    set interfaces dl0 unit 0 family inet negotiate-address
    set interfaces dl0 unit 0 dialer-options pool 1
    set interfaces lo0 unit 0 family inet address 127.0.0.1/32
    set routing-options static route 0.0.0.0/0 next-hop 172.27.130.230
    set security nat source rule-set untrust-int-nat from zone trust
    set security nat source rule-set untrust-int-nat to zone untrust
    set security nat source rule-set untrust-int-nat rule nat-1 match source-address 192.168.0.0/16
    set security nat source rule-set untrust-int-nat rule nat-1 match destination-address 0.0.0.0/0
    set security nat source rule-set untrust-int-nat rule nat-1 then source-nat interface
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust address-book address Plug 192.168.1.5/32
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone trust interfaces fe-0/0/2.0
    set security zones security-zone trust interfaces fe-0/0/3.0
    set security zones security-zone untrust address-book address internet1 172.27.130.230/32
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces ge-0/0/1.0
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services telnet
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy rule2 match source-address Plug
    set security policies from-zone trust to-zone untrust policy rule2 match destination-address any
    set security policies from-zone trust to-zone untrust policy rule2 match application any
    set security policies from-zone trust to-zone untrust policy rule2 then permit
    set security policies from-zone trust to-zone untrust policy rule2 then log session-close
    set security policies from-zone untrust to-zone trust policy default-deny match source-address any
    set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
    set security policies from-zone untrust to-zone trust policy default-deny match application any
    set security policies from-zone untrust to-zone trust policy default-deny then permit
    set schedulers scheduler workingtime monday start-time 08:00:00 stop-time 18:00:00
    set schedulers scheduler workingtime tuesday start-time 08:00:00 stop-time 18:00:00
    set schedulers scheduler workingtime wednesday start-time 08:00:00 stop-time 18:00:00
    set schedulers scheduler workingtime thursday start-time 08:00:00 stop-time 18:00:00
    set schedulers scheduler workingtime friday start-time 08:00:00 stop-time 18:00:00
    set schedulers scheduler non-workingtime sunday start-time 00:00:00 stop-time 23:59:59
    set schedulers scheduler non-workingtime monday start-time 18:00:01 stop-time 23:59:59
    set schedulers scheduler non-workingtime monday start-time 00:00:00 stop-time 07:59:59
    set schedulers scheduler non-workingtime tuesday start-time 00:00:00 stop-time 07:59:59
    set schedulers scheduler non-workingtime tuesday start-time 18:00:01 stop-time 23:59:59
    set schedulers scheduler non-workingtime wednesday start-time 00:00:00 stop-time 07:59:59
    set schedulers scheduler non-workingtime wednesday start-time 18:00:01 stop-time 23:59:59
    set schedulers scheduler non-workingtime thursday start-time 00:00:00 stop-time 07:59:59
    set schedulers scheduler non-workingtime thursday start-time 18:00:01 stop-time 23:59:59
    set schedulers scheduler non-workingtime friday start-time 00:00:00 stop-time 07:59:59
    set schedulers scheduler non-workingtime friday start-time 18:00:01 stop-time 23:59:59
    set schedulers scheduler non-workingtime saturday start-time 00:00:00 stop-time 23:59:59

     

    root@srx# run show interfaces terse
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    down
    ge-0/0/0.0              up    down inet     192.168.1.1/24 
    gr-0/0/0                up    up 
    ip-0/0/0                up    up 
    ls-0/0/0                up    up 
    lt-0/0/0                up    up 
    mt-0/0/0                up    up 
    pd-0/0/0                up    up 
    pe-0/0/0                up    up 
    ge-0/0/1                up    up 
    ge-0/0/1.0              up    up   inet     172.27.130.89/24
    fe-0/0/2                up    down
    fe-0/0/2.0              up    down inet     192.168.3.1/24 
    fe-0/0/3                up    down
    fe-0/0/3.0              up    down inet     192.168.4.1/24 
    fe-0/0/4                up    down
    fe-0/0/5                up    down
    fe-0/0/6                up    down
    fe-0/0/7                up    down
    cl-0/0/8                down  down
    cl-0/0/8.0              up    down
    dl0                     up    up 
    dl0.0                   up    up   inet   
    gre                     up    up 
    ipip                    up    up 
    lo0                     up    up 
    lo0.0                   up    up   inet     127.0.0.1           --> 0/0
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                                10.0.0.16           --> 0/0
                                                128.0.0.1           --> 0/0
                                                128.0.1.16          --> 0/0
                                       inet6    fe80::224:dcff:fed2:35c0
    lo0.32768               up    up 
    lsi                     up    up 
    mtun                    up    up 
    pimd                    up    up 
    pime                    up    up 
    pp0                     up    up 
    st0                     up    up 
    tap                     up    up 
    vlan                    up    up  

     

     

    Thanks in advance.



  • 8.  RE: SRX 210 3g wireless can't work...

    Posted 12-14-2009 18:31

    Dear NetfosTsc, could you please provide your SRX210 + 3G configuration for my reference? I will soon have a project that uses the SRX210 + 3G.

    Thanks in advance.


    @NetfosTsc wrote:

    Hi,

     

    The problem was solved after adding a second default route bound to the 'Dialer Interface'.

     

    thanks,

    bruce 6/15