SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Default Route Not in Table - Wha?

    Posted 01-08-2013 11:15

    We are deploying an SRX210-HE with a T1 ePIM module to a remote site. I'm running Junos 12.1R4.7 with a setup like this:

     

    t1-1/0/0 Trust 192.168.1.2/30

    ge-0/0/0 Untrust 192.168.2.1/24

     

    I can see routes created from interfaces on my device and I can create a route for something like this:

     

    set routing-options static route 192.168.3.0/24 next-hop 192.168.2.10 no-resolve

     

    And the route shows up in the routing table as expected.

     

    If I add a default route to point at the other end of my T1 (i.e. my core router) the route does not show up in the routing table:

     

    set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1

     

    The route is in the configuration but does not enter the routing table. If I try to ping a subnet that would be at the end of my T1 I get 'route not found' or something to that effect.

     

    This is true even when the T1 interface is up, if I add 'no-resolve', do not use 'no-resolve', etc.

     

    I have used ScreenOS, Junos on routers, switches, etc so this isn't my first rodeo when it comes to routing or Junos.

     

    It is however our first foray into using an SRX in production.

     

    I'm thinking that there has to be something in an SRX that I need to do in order to get a default route to show up - virtual router, policy, protocol, something - but I'm unsure as to what that should be.

     

    Docs I have seen do not show any difference than with a non-ES Junos device as far as a default route goes.

     

    I would be grateful for a kick in the pants toward the right direction or the missing piece that is eluding me at this point.

     

     

     



  • 2.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-08-2013 13:39

    Ok - so my stupid question of the day would be:

     

    Do you see the local / direct routes for the associated interface? 



  • 3.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-08-2013 14:20

    Here is what I see with 'show route' and 'show route hidden'

     

    root@firewall> show route

    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.3.0/24 *[Static/5] 00:00:06 > to 192.168.2.1 via ge-0/0/0.0
    192.168.2.0/24 *[Direct/0] 00:00:06 > via ge-0/0/0.0
    192.168.2.1/32 *[Local/0] 00:02:26 Local via ge-0/0/0.0
    192.168.10.49/32 *[Direct/0] 00:03:23 > via lo0.0
    192.168.1.2/32 *[Local/0] 00:02:20 Reject

    root@firewall> show route hidden

    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

     

    t1-1/0/0 is 192.168.1.2 and is down in this example (not connected to other end of the link).

     

    If I connect t1-1/0/0 the last entry is replaced by the following when I view the route table:

     

    192.168.1.0/30 *[Direct/0] 00:05:08 via t1-1/0/0.0
    192.168.1.2/32 *[Local/0] 00:05:08 via t1-1/0/0.0

     

    'show route hidden' shows 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)

     

     



  • 4.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-08-2013 14:36

    As long as the other end is reachable the route should show up in the table. Reachability is a separate issue. The one thought I had was: is the I/F in a zone? That might be an issue. You don't need a policy but I am not sure what the impact would be if the I/F was not assigned to a zone (assuming you are not running in packet mode).

     



  • 5.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-08-2013 14:37

    SRX config attached

    Attachment(s): srx210-config.txt (4 KB)


  • 6.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-08-2013 14:41

    I could get around all of this in packet mode.

     

    If I don't have the T1 inf in a zone I wouldn't be able to form another zone anywhere (another interface) as the equipment is at the site of another agency so we have Trust (them) and Untrust (how we get to them).

     

    I do have SSG 20 running in this type of configuration so I figured that this would be a slam dunk as far as porting to SRX platform...guess I should know better at this point in IT



  • 7.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-08-2013 14:50

    Wow - config looks just fine. I am hanging out today with another Juniper SE and he looked at it also and we can't see anything that would prevent the route from being populated. 



  • 8.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-08-2013 14:51

    I'm thinking I will open a JTAC ticket and see if I can get some answers, will back port the answer to this thread to help out anyone else.

     

    The SRX is brand new (as is the T1 module) so I can't rule out something related to being new, etc.



  • 9.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-10-2013 10:06

    The explanation is that I'm a dumbass.

     

    I transcribed the configuration here properly; what I didn't do was account for the fact that I was trying to assign the same /30 that the T1 interface is using as the next-hop.

     

    So instead of having the remote end be something like 192.168.1.1/30 and the SRX end 192.168.1.2/30 I kept switching the two in the actual configuration so I would have set routing-options static route 0.0.0.0/0 next-hop 192.168.1.2 where 192.168.1.2 was actually the IP address of the T1 interface rather than the actual next-hop address.

     

    So Junos will take (commit) a route like this but will not put it into the routing table.

     

    If someone else runs across this type of a situation be sure to verify that the interface and next-hop addresses you are using are correct.

     

    Thanks to MuttBarker for weighing in on this one, sorry to waste everyone's time.



  • 10.  RE: SRX Default Route Not in Table - Wha?

    Posted 01-11-2013 08:07

    Hey Nate - thanks for the update and for the explanation. Sometimes the simplest things are the hardest to see.



  • 11.  RE: SRX Default Route Not in Table - Wha?

    Posted 07-08-2016 08:23

    I realize I'm dragging up an old post, but I was having very similar issues. I knew deep down I was doing something quite idiotic but kept looking for more technical answers as to why my routing instance wasn't working and why routes weren't showing in the forwarding table. Turns out I accidentally forgot to append /24 to my interface address. Since it was then a /32 naturally it couldn't communicate with anything else in the subnet.



  • 12.  RE: SRX Default Route Not in Table - Wha?

    Posted 02-12-2019 05:49

    @NateK wrote:

    The explanation is that I'm a dumbass.

     

    I transcribed the configuration here properly; what I didn't do was account for the fact that I was trying to assign the same /30 that the T1 interface is using as the next-hop.

     

    So instead of having the remote end be something like 192.168.1.1/30 and the SRX end 192.168.1.2/30 I kept switching the two in the actual configuration so I would have set routing-options static route 0.0.0.0/0 next-hop 192.168.1.2 where 192.168.1.2 was actually the IP address of the T1 interface rather than the actual next-hop address.

     

    So Junos will take (commit) a route like this but will not put it into the routing table.

     

    If someone else runs across this type of a situation be sure to verify that the interface and next-hop addresses you are using are correct.

     

    Thanks to MuttBarker for weighing in on this one, sorry to waste everyone's time.


    Digging up a really old post here I know but thanks for taking the time to post this, as I similarly had just made the exact same mistake, went googling for why an SRX wouldn't show a default route and found this post.

     

    I had indeed mixed up using the next-hop address of the default gateway as the actual interface IP on the SRX instead of the proper default gateway IP and couldn't work out why my default route was not showing in the routing table.
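
Added example, not part of any post in this thread: a Python check over `set`-style configuration lines for the two mistakes described in posts 9 and 11, a static next-hop that is the SRX's own interface address and an interface address entered without its prefix length (which then parses as a /32). The function name and sample configuration are constructed for illustration, and skipping the connected-subnet check for routes carrying `resolve` is an assumption of this sketch.

```python
import ipaddress
import re

# Constructed sample mirroring the thread: the T1 interface is 192.168.1.2/30
# and the default route was mistakenly pointed at that same address.
SAMPLE_CONFIG = """\
set interfaces t1-1/0/0 unit 0 family inet address 192.168.1.2/30
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.2
set routing-options static route 192.168.3.0/24 next-hop 192.168.2.10
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)")
ROUTE_RE = re.compile(
    r"^set routing-options static route (\S+) next-hop (\d+(?:\.\d+){3})\b(.*)$")


def check_static_routes(config):
    """Return (prefix, next_hop, problem) tuples for suspicious static routes."""
    interfaces, routes = [], []
    for line in config.splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            # An address typed without a prefix length parses as a /32 here too.
            name = f"{m.group(1)}.{m.group(2)}"
            interfaces.append((name, ipaddress.ip_interface(m.group(3))))
            continue
        m = ROUTE_RE.match(line)
        if m:
            opts = m.group(3).split()
            routes.append((m.group(1), ipaddress.ip_address(m.group(2)), opts))
    findings = []
    for prefix, hop, opts in routes:
        owner = next((n for n, ifc in interfaces if ifc.ip == hop), None)
        if owner:
            findings.append((prefix, str(hop),
                             f"next-hop is the local address of {owner}"))
        elif "resolve" not in opts and not any(
                hop in ifc.network for _, ifc in interfaces):
            findings.append((prefix, str(hop),
                             "next-hop is not on any directly connected subnet"))
    return findings


if __name__ == "__main__":
    for prefix, hop, problem in check_static_routes(SAMPLE_CONFIG):
        print(f"{prefix} via {hop}: {problem}")
```

Run against a saved `show configuration | display set` capture before commit; the 192.168.3.0/24 route in the sample passes because 192.168.2.10 sits inside the ge-0/0/0 subnet.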