SRX Services Gateway

SRX110 cross VLAN IP Camera access intermittent

09-18-2020 11:08 PM

I am running an SRX110H2-VA and an EX3300-24 POE with two VLANs

-VLAN110 with workstations.
-VLAN120 with cameras, NVR, RTSP monitor.

Each VLAN has its own zone. Everything has been working for months, but recently I added access from the VLAN110 zone for specific workstations to VLAN120 so they could access the cameras and NVR.

Everything worked fine for about 5 or so minutes then access to the cameras from those workstations stopped and I can no longer ping the cameras from the SRX. However I am able to ping the NVR and RTSP monitor fine from the workstations and the SRX.

If I log into the EX3300 at this time, I can ping all the cameras fine and the RTSP monitor is displaying the cameras. If I connect a workstation directly to VLAN120 on the switch, it can happily talk to the cameras all day without issue, which makes me believe that the cameras are still online and functional, but there is something not quite right about the traffic to the SRX.

Then at some point they will start to respond again from VLAN110, after 5 min, 10 min, 40 min; the time seems to be random. They work for a period and then are gone again. This continues indefinitely.

root@gw01> ping 192.168.2.55
PING 192.168.2.55 (192.168.2.55): 56 data bytes
64 bytes from 192.168.2.55: icmp_seq=0 ttl=64 time=2.746 ms
64 bytes from 192.168.2.55: icmp_seq=1 ttl=64 time=2.164 ms
--- 192.168.2.55 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.164/2.455/2.746/0.291 ms

--------------------------10 minutes later-------------------------

root@gw01> ping 192.168.2.55
PING 192.168.2.55 (192.168.2.55): 56 data bytes
--- 192.168.2.55 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

This could be something simple that I am not seeing, or maybe an issue with the cameras; I am still new to Juniper.

SRX

security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone desktop to-zone untrust {
            policy desktop-to-untrust {
                match {
                    source-address scope;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone desktop to-zone cameras {
            policy desktop-to-cameras {
                match {
                    source-address [ workstation1 workstation2 ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                pt-1/0/0.0;
                pp0.0;
            }
        }
        security-zone desktop {
            address-book {
                address scope 192.168.1.0/24;
                address workstation1 192.168.1.100/32;
                address workstation2 192.168.1.24/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.110;
            }
        }
        security-zone cameras {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.120;
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    vlan {
        unit 110 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 120 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
vlans {
    VLAN110 {
        vlan-id 110;
        l3-interface vlan.110;
    }
    VLAN120 {
        vlan-id 120;
        l3-interface vlan.120;
    }
}

Re: SRX110 cross VLAN IP Camera access intermittent

09-19-2020 02:55 AM

During the issue, could you verify that the SRX is seeing the requests and permitting the traffic? This should show the active session and packet counts, so running it a few times will show whether the counts are increasing in both directions or not.

show security flow session destination-prefix 192.168.2.55/32

Can you also confirm that all the camera-related devices have their default gateway configured as the SRX?

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX110 cross VLAN IP Camera access intermittent

09-19-2020 06:03 AM

Thanks Steve!

I have run this when attempting to access the RTSP stream and to ping:

root@gw01> show security flow session destination-prefix 192.168.2.55/32
Session ID: 6618, Policy name: desktop-to-cameras/5, Timeout: 12, Valid
In: 192.168.1.24/40077 --> 192.168.2.55/554;tcp, If: vlan.110, Pkts: 3, Bytes: 180
Out: 192.168.2.55/554 --> 192.168.1.24/40077;tcp, If: vlan.120, Pkts: 0, Bytes: 0

Session ID: 6664, Policy name: desktop-to-cameras/5, Timeout: 20, Valid
In: 192.168.1.24/40127 --> 192.168.2.55/554;tcp, If: vlan.110, Pkts: 1, Bytes: 60
Out: 192.168.2.55/554 --> 192.168.1.24/40127;tcp, If: vlan.120, Pkts: 0, Bytes: 0
Total sessions: 2
root@gw01> show security flow session destination-prefix 192.168.2.55/32
Session ID: 6857, Policy name: desktop-to-cameras/5, Timeout: 56, Valid
In: 192.168.1.24/1 --> 192.168.2.55/69;icmp, If: vlan.110, Pkts: 1, Bytes: 84
Out: 192.168.2.55/69 --> 192.168.1.24/1;icmp, If: vlan.120, Pkts: 0, Bytes: 0

Session ID: 7975, Policy name: desktop-to-cameras/5, Timeout: 60, Valid
In: 192.168.1.24/1 --> 192.168.2.55/70;icmp, If: vlan.110, Pkts: 1, Bytes: 84
Out: 192.168.2.55/70 --> 192.168.1.24/1;icmp, If: vlan.120, Pkts: 0, Bytes: 0
Total sessions: 2

I am not sure exactly what I am looking for, but "Pkts: 0, Bytes: 0" on the return data is, I am guessing, not good.

The default gateway appears to be obtained correctly from DHCP on the devices.

[screenshot: Opie_0-1600519596806.png]

Just for fun I did a ping to the NVR (which doesn't suffer the issue):

root@gw01> show security flow session destination-prefix 192.168.2.100/32
Session ID: 16032, Policy name: desktop-to-cameras/5, Timeout: 2, Valid
In: 192.168.1.24/1 --> 192.168.2.100/80;icmp, If: vlan.110, Pkts: 1, Bytes: 84
Out: 192.168.2.100/80 --> 192.168.1.24/1;icmp, If: vlan.120, Pkts: 1, Bytes: 84

Session ID: 16757, Policy name: desktop-to-cameras/5, Timeout: 2, Valid
In: 192.168.1.24/1 --> 192.168.2.100/81;icmp, If: vlan.110, Pkts: 1, Bytes: 84
Out: 192.168.2.100/81 --> 192.168.1.24/1;icmp, If: vlan.120, Pkts: 1, Bytes: 84
Total sessions: 2  
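Steve's check (run `show security flow session` a few times and watch whether the counters on both wings grow) is easy to do by eye for two sessions but tedious for a whole camera fleet. The following is an added example, not code from this thread or from Juniper: a small Python parser for that command's text output, with sample snapshots constructed from the lines posted above. It flags sessions that have packets in but none out, which means the policy permitted and forwarded the request and the host simply never answered through the SRX, and it diffs the counters between two runs.

```python
"""Added example (not from the thread): parse the text of
`show security flow session`, flag sessions whose return wing never
carries a packet, and diff two snapshots taken a little apart.
The sample outputs below are constructed from the lines posted above."""
import re
from dataclasses import dataclass

_SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
_WING_RE = re.compile(
    r"^\s*(In|Out): (\S+) --> ([^;]+);(\w+), If: ([^,]+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class FlowSession:
    session_id: int
    policy: str
    timeout: int
    src: str = ""       # initiator address/port, taken from the In wing
    dst: str = ""
    proto: str = ""
    in_if: str = ""     # interface the request arrived on
    out_if: str = ""    # interface the reply is expected on
    in_pkts: int = 0
    out_pkts: int = 0


def parse_sessions(text):
    """One FlowSession per 'Session ID:' line; the In/Out wings fill in the rest."""
    sessions, current = [], None
    for line in text.splitlines():
        m = _SESSION_RE.match(line)
        if m:
            current = FlowSession(int(m[1]), m[2], int(m[3]))
            sessions.append(current)
            continue
        m = _WING_RE.match(line)
        if m and current is not None:
            direction, src, dst, proto, ifname, pkts, _ = m.groups()
            if direction == "In":
                current.src, current.dst, current.proto = src, dst, proto
                current.in_if, current.in_pkts = ifname, int(pkts)
            else:
                current.out_if, current.out_pkts = ifname, int(pkts)
    return sessions


def one_way_sessions(sessions):
    """Permitted sessions the SRX forwarded but never saw answered: policy is
    not the blocker, so check the host's gateway, ARP and host firewall next."""
    return [s for s in sessions if s.in_pkts > 0 and s.out_pkts == 0]


def compare_snapshots(before, after):
    """(in_delta, out_delta) per session ID present in both runs; a healthy
    flow increments both counters, a one-way flow only the first."""
    prev = {s.session_id: s for s in before}
    return {s.session_id: (s.in_pkts - prev[s.session_id].in_pkts,
                           s.out_pkts - prev[s.session_id].out_pkts)
            for s in after if s.session_id in prev}


# Constructed from the outputs posted in this thread.
CAMERA_SNAPSHOT = """\
Session ID: 6618, Policy name: desktop-to-cameras/5, Timeout: 12, Valid
In: 192.168.1.24/40077 --> 192.168.2.55/554;tcp, If: vlan.110, Pkts: 3, Bytes: 180
Out: 192.168.2.55/554 --> 192.168.1.24/40077;tcp, If: vlan.120, Pkts: 0, Bytes: 0

Session ID: 6664, Policy name: desktop-to-cameras/5, Timeout: 20, Valid
In: 192.168.1.24/40127 --> 192.168.2.55/554;tcp, If: vlan.110, Pkts: 1, Bytes: 60
Out: 192.168.2.55/554 --> 192.168.1.24/40127;tcp, If: vlan.120, Pkts: 0, Bytes: 0
Total sessions: 2
"""

NVR_SNAPSHOT = """\
Session ID: 16032, Policy name: desktop-to-cameras/5, Timeout: 2, Valid
In: 192.168.1.24/1 --> 192.168.2.100/80;icmp, If: vlan.110, Pkts: 1, Bytes: 84
Out: 192.168.2.100/80 --> 192.168.1.24/1;icmp, If: vlan.120, Pkts: 1, Bytes: 84
"""

WEB_BEFORE = """\
Session ID: 2930, Policy name: desktop-to-cameras/5, Timeout: 300, Valid
In: 192.168.1.100/37591 --> 192.168.2.55/80;tcp, If: vlan.110, Pkts: 3519, Bytes: 141573
Out: 192.168.2.55/80 --> 192.168.1.100/37591;tcp, If: vlan.120, Pkts: 7061, Bytes: 10092907
"""

WEB_AFTER = """\
Session ID: 2930, Policy name: desktop-to-cameras/5, Timeout: 300, Valid
In: 192.168.1.100/37591 --> 192.168.2.55/80;tcp, If: vlan.110, Pkts: 4669, Bytes: 187669
Out: 192.168.2.55/80 --> 192.168.1.100/37591;tcp, If: vlan.120, Pkts: 9223, Bytes: 13200551
"""

if __name__ == "__main__":
    for name, snap in (("camera", CAMERA_SNAPSHOT), ("NVR", NVR_SNAPSHOT)):
        for s in one_way_sessions(parse_sessions(snap)):
            print(f"{name}: session {s.session_id} {s.src} -> {s.dst} {s.proto}, "
                  f"in on {s.in_if}, no reply on {s.out_if}")
    print(compare_snapshots(parse_sessions(WEB_BEFORE), parse_sessions(WEB_AFTER)))
```

Run against the camera snapshot it reports both RTSP sessions as one-way; against the NVR snapshot it reports nothing, which matches what the thread observed. The snapshot diff on the two web-interface captures shows both wings growing, the signature of a flow that is actually working.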

Re: SRX110 cross VLAN IP Camera access intermittent

09-20-2020 03:08 AM

Right, the flows show the traffic is permitted and incrementing without replies coming back. A missing default gateway could cause this, but that is verified now.

Are the cameras running iptables or any security that might be kicking in because the traffic is coming from a different subnet? Since there is a time lag, it might be some kind of security profiling going on.

Do you have CLI access on the camera to run a packet capture to confirm what is seen there?

I also see that IPv6 might be enabled on the camera. Is that configured around the network? Maybe a partially configured dual stack is playing a role.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX110 cross VLAN IP Camera access intermittent

09-21-2020 01:45 AM

Thanks Steve,

Just to make sure, I set the IP statically and assigned the default gateway.

I was excited as it started to work at this point, but it just turned out to be coincidental, as all the cameras started working from VLAN110 and then stopped shortly after.

[screenshot: Security2.PNG]

Interestingly, from SSH on the cameras, none of them were able to ping the gateway 192.168.2.1 and none of them could ping each other; however, they could ping 192.168.2.100 and the desktop I connected to VLAN120.

After I set the IPv6 from "Router Advisement" to "DHCP" on just one of the cameras, they all started to be able to ping the gateway and each other. Still no access from VLAN110, however, and since it was only one camera I changed the settings on, I am willing to conclude that is some kind of coincidence also.

Here is a snip of when it is working from VLAN110:

Ping

root@gw01> show security flow session destination-prefix 192.168.2.55/32
Session ID: 22189, Policy name: self-traffic-policy/1, Timeout: 28, Valid
In: 192.168.2.1/15 --> 192.168.2.55/8581;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 192.168.2.55/8581 --> 192.168.2.1/15;icmp, If: vlan.120, Pkts: 0, Bytes: 0

Session ID: 27128, Policy name: self-traffic-policy/1, Timeout: 16, Valid
In: 192.168.2.1/3 --> 192.168.2.55/8581;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 192.168.2.55/8581 --> 192.168.2.1/3;icmp, If: vlan.120, Pkts: 0, Bytes: 0

Accessing the web interface

root@gw01> show security flow session destination-prefix 192.168.2.55/32
Session ID: 2930, Policy name: desktop-to-cameras/5, Timeout: 300, Valid
In: 192.168.1.100/37591 --> 192.168.2.55/80;tcp, If: vlan.110, Pkts: 3519, Bytes: 141573
Out: 192.168.2.55/80 --> 192.168.1.100/37591;tcp, If: vlan.120, Pkts: 7061, Bytes: 10092907
Total sessions: 1

root@gw01> show security flow session destination-prefix 192.168.2.55/32
Session ID: 2930, Policy name: desktop-to-cameras/5, Timeout: 300, Valid
In: 192.168.1.100/37591 --> 192.168.2.55/80;tcp, If: vlan.110, Pkts: 4669, Bytes: 187669
Out: 192.168.2.55/80 --> 192.168.1.100/37591;tcp, If: vlan.120, Pkts: 9223, Bytes: 13200551
Total sessions: 1

I can't seem to find anything security-related apart from an IP address filter, but that appears to be turned off on all cameras.

[screenshot: Security.PNG]

Even though IPv6 is (I am fairly sure) turned off on the SRX, the cameras still seem to be getting or creating an IPv6 address, which I am not sure I can disable completely.

Is there something I need to configure on the SRX110 so it turns it off? I assumed it was off unless enabled. I have no devices using it.

eth0 Link encap:Ethernet HWaddr BC:51:FE:96:6F:FB
inet addr:192.168.2.54 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::be51:feff:fe96:6ffb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:120854 errors:0 dropped:0 overruns:0 frame:0
TX packets:181012 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12980200 (12.3 MiB) TX bytes:205114449 (195.6 MiB)
Interrupt:65

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:242 errors:0 dropped:0 overruns:0 frame:0
TX packets:242 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:23000 (22.4 KiB) TX bytes:23000 (22.4 KiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

This is the option list on the camera over SSH:

# help
Support Commands:
taskShow printPart prtHardInfo
getPreviewStatus setIp setV6ip
setGateway dspStatus outputClose
outputOpen getDebug setDebug
debugLog getIrstate getMtu
camCmd getCamVer getIrstate
getLux getMcuInfo getMotion
getRawdata setIrcmd setRectFrame
updateCamera setLaserMode getLaserMode
setIrMode getIrMode setBaiguangMode
getBaiguangMode setYTLock InquireFanSwitch
StartLaser CloseLaser LaserMotReset
EnlargeCur ReduceCur SetCur
LaserMotDirect LaserTeleOffset LaserWideOffset
InqSwitch InqCurrent InqCurMotDirect
getMcuStateInfo setFastFocus getTrackStatus
getSelfcheckResult setLdcMode getLdcMode
getPreviewStatus appCmd camCmd
ezoomlens_start_t2_test prtLensCurve getLensCurve
getIp gdbcfg {Test1}
{Test2} {Test3} {Test4}
{TestN} {TestY} getIsp
getISP getisp setIsp
setISP setisp regread
regwrite setAgingMode getAgingMode
setAgingTime getAgingTime setLensZoomPos
getLensZoomPos dm365 ss
showKey showServer showUpnp
showStatus showDefence setLBS
setAlarm cloudService t1
ifconfig netstat ping
ping6 top iostat
mpstat ps reset
dmesg iwpriv exit
getDateInfo diagnose help
zhimakaimen

Any thoughts are appreciated.


Re: SRX110 cross VLAN IP Camera access intermittent

a month ago

This is confusing, but I do suspect that IPv6 is playing a role here based on your testing.

The v6 address is a link local scope that will only work inside a layer 2 domain.

Windows and OSX systems do also automatically setup link local v6 addresses by default.

Some OS will default try v6 first if available then fall back to v4, but this generally won't happen with link local only addresses.

The SRX will not forward outside the vlan any v6 traffic without some configuration.

Perhaps setting up the SRX with v6 in both vlans would allow this to work.

When the cameras could ping their gateway, were they also able to get out to the gateway of the other vlan?

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
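Steve's last suggestion, giving the SRX a v6 presence in both VLANs, would look roughly like the following on a branch SRX. This is an added illustration, not configuration from the thread or from Juniper: the prefixes are documentation-range placeholders, the workstation v6 host addresses are hypothetical, and the existing v4-only `desktop-to-cameras` policy is extended with assumed v6 address-book entries so that only the same two workstations can reach the cameras over v6 as well. Nothing here claims v6 is the cause; it only shows what the dual-stack configuration he mentions involves.

```junos
# Added example, not from the thread. 2001:db8::/32 addresses are documentation placeholders.
# On branch SRX, IPv6 must first be switched to flow mode; this takes effect after a reboot.
set security forwarding-options family inet6 mode flow-based

# Give the SRX a global v6 address in each VLAN and advertise the prefix, so hosts
# autoconfigure a routable address rather than only the fe80::/10 link-local one
# seen in the camera's ifconfig output, which the SRX will never route between VLANs.
set interfaces vlan unit 110 family inet6 address 2001:db8:110::1/64
set interfaces vlan unit 120 family inet6 address 2001:db8:120::1/64
set protocols router-advertisement interface vlan.110 prefix 2001:db8:110::/64
set protocols router-advertisement interface vlan.120 prefix 2001:db8:120::/64

# The existing desktop-to-cameras policy matches only the v4 /32 entries, so v6 traffic
# from the workstations would fall through to the default deny. Assumed v6 entries
# (hypothetical interface IDs) added to the desktop zone address book and to the same
# policy keep the cross-VLAN access as narrow as it is for v4.
set security zones security-zone desktop address-book address workstation1-v6 2001:db8:110::100/128
set security zones security-zone desktop address-book address workstation2-v6 2001:db8:110::24/128
set security policies from-zone desktop to-zone cameras policy desktop-to-cameras match source-address workstation1-v6
set security policies from-zone desktop to-zone cameras policy desktop-to-cameras match source-address workstation2-v6
```

If the hosts use SLAAC the interface identifiers will not be the fixed values shown, so in practice the v6 address-book entries would be set from the addresses the workstations actually receive, or from DHCPv6 reservations; the point of the example is that enabling v6 forwarding without a matching policy either breaks v6 or, with a broad policy, widens access beyond the two workstations.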