SRX Services Gateway

Source NAT rules not being installed

a week ago

Hello,

 

We have some difficulties when configuring Source NAT. All rules are in place, however they seem not to be installed and working.

 

root@SRX1# show security nat
source {
    pool src-pool-1 {
        address {
            X.X.X.X/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address 192.168.20.0/24;
                destination-address 0.0.0.0/24;
            }
            then {
                source-nat {
                    pool {
                        src-pool-1;
                    }
                }
            }
        }
    }
}

 

But:

 

root@SRX1# run show security nat source rule all
node0:
--------------------------------------------------------------------------
Total rules: 0
Total referenced IPv4/IPv6 ip-prefixes: 0/0

node1:
--------------------------------------------------------------------------
Total rules: 0
Total referenced IPv4/IPv6 ip-prefixes: 0/0

{primary:node0}[edit]

 

 

What could be the reason of that?

 

 

 

 


Re: Source NAT rules not being installed

a week ago

What is the model and Junos version?

Please try "commit full" (it is a hidden command) and let us know.

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Source NAT rules not being installed

a week ago

Hello,

 

 


@Gabriel- wrote:

 

 

What could be the reason of that?

 

 

 

Your configuration, specifically NAT rule, specifically "destination-address"

 


@Gabriel- wrote:

 

        rule 1 {
            match {
                source-address 192.168.20.0/24;
                destination-address 0.0.0.0/24;

 

 

 

Please change the above to 0.0.0.0/0 and You should be golden.

 

HTH

Thx

Alex

 

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
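
Added example, not part of the original thread or of any Juniper tooling: a small Python check that reads the `match` prefixes of a source NAT rule and reports what address range each one really covers, which is the point of the reply above (`0.0.0.0/24` is the range 0.0.0.0 - 0.0.0.255, not "any"). The function names and the embedded sample are constructed for illustration; the test packet uses the session addresses posted later in the thread.

```python
import ipaddress
import re

# Constructed sample: the rule-set match block as posted in the question.
SAMPLE_CONFIG = """
rule-set rs1 {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 192.168.20.0/24;
            destination-address 0.0.0.0/24;
        }
    }
}
"""

# Matches "source-address <prefix>;" and "destination-address <prefix>;" lines.
MATCH_RE = re.compile(
    r"^\s*(source-address|destination-address)\s+([^;\s]+);", re.M
)


def lint_nat_match(config_text):
    """Return (keyword, prefix, message) for every suspicious match prefix."""
    findings = []
    for keyword, prefix in MATCH_RE.findall(config_text):
        try:
            iface = ipaddress.ip_interface(prefix)
        except ValueError:
            findings.append((keyword, prefix, "not a valid IP prefix"))
            continue
        net = iface.network
        if int(net.network_address) == 0 and net.prefixlen != 0:
            # An all-zero network with a non-zero mask is almost always a
            # mistyped "any": it only covers the lowest addresses.
            msg = (f"matches only {net[0]} - {net[-1]}; "
                   f"use {net.network_address}/0 to match any address")
            findings.append((keyword, prefix, msg))
        elif iface.ip != net.network_address:
            findings.append(
                (keyword, prefix, f"host bits set; the network is {net}")
            )
    return findings


def rule_matches(src_prefix, dst_prefix, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip falls inside both match prefixes."""
    src_net = ipaddress.ip_network(src_prefix, strict=False)
    dst_net = ipaddress.ip_network(dst_prefix, strict=False)
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)


if __name__ == "__main__":
    for keyword, prefix, message in lint_nat_match(SAMPLE_CONFIG):
        print(f"{keyword} {prefix}: {message}")
```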

Re: Source NAT rules not being installed

a week ago

It's 2 x Juniper SRX 340 in chassis cluster. Junos version is 18.2R3.4. I tried 'commit full' but without success.

 

 


Re: Source NAT rules not being installed

a week ago

Thank you for this - I fixed destination-prefix, however source NAT still doesn't work.. 


Re: Source NAT rules not being installed

a week ago

Any "nsd" related error logs in syslog?

show log messages | match nsd

show log messages.0.gz | match nsd  <------(do it for remaining log files)

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Source NAT rules not being installed

a week ago

Nothing special in here..

 

root@SRX1# run show log messages | match nsd
Oct 28 12:18:45   nsd[3027]: nsd_apbr_config_root_read: Entered
Oct 28 12:19:13   nsd[2055]: nsd_apbr_config_root_read: Entered
{primary:node0}[edit]

root@SRX1# run show log messages.0.gz | match nsd
(nothing)

Does it look proper too?

 

root@SRX1# run show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring

Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  1        primary              no      no       None
node1  0        secondary            no      no       FL

Redundancy group: 1 , Failover count: 1
node0  0        primary              no      no       CS
node1  0        secondary            no      no       CS FL


Re: Source NAT rules not being installed

a week ago

Cluster is NOT in a healthy state. Fabric link is down and Cold sync monitoring is failed. Please check fabric interface connectivity and the cable (replace/re-connect). If possible, please share following commands output

show chassis alarm

show interfaces terse

show chassis cluster information detail

show configuration | display set | match "fab|cluster"

 

 

 

 

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
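
Added example, not part of the original thread or of any Juniper tooling: a Python parser for the `show chassis cluster status` output posted above that expands the two-letter Monitor-failures codes using the legend printed in the same output, so an unhealthy redundancy group can be spotted in a script. The function names are constructed for illustration, and the sample is the posted output with the blank lines removed.

```python
import re

# Constructed sample: the status output posted in the thread, blank lines removed.
SAMPLE_STATUS = """\
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring

Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  1        primary              no      no       None
node1  0        secondary            no      no       FL

Redundancy group: 1 , Failover count: 1
node0  0        primary              no      no       CS
node1  0        secondary            no      no       CS FL
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
ROW_RE = re.compile(
    r"^(node\d+)\s+(-?\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s+(.+?)\s*$"
)


def parse_legend(text):
    """Build {code: description} from the 'Monitor Failure codes' legend."""
    legend = {}
    in_legend = False
    for line in text.splitlines():
        if line.strip() == "Monitor Failure codes:":
            in_legend = True
            continue
        if not in_legend or not line.strip():
            continue
        if not line[0].isspace():
            break  # first unindented line after the legend ends it
        # Cells are separated by runs of two or more spaces: code, text, code, text.
        cells = re.split(r"\s{2,}", line.strip())
        legend.update(zip(cells[0::2], cells[1::2]))
    return legend


def parse_cluster_status(text):
    """Return one dict per node row, tagged with its redundancy group."""
    rows, group = [], None
    for line in text.splitlines():
        stripped = line.strip()
        m = RG_RE.match(stripped)
        if m:
            group = int(m.group(1))
            continue
        m = ROW_RE.match(stripped)
        if m and group is not None:
            failures = [] if m.group(6) == "None" else m.group(6).split()
            rows.append({
                "group": group,
                "node": m.group(1),
                "priority": int(m.group(2)),
                "status": m.group(3),
                "failures": failures,
            })
    return rows


def failing_monitors(text):
    """Return (group, node, [descriptions]) for every row with a failure code."""
    legend = parse_legend(text)
    return [
        (r["group"], r["node"], [legend.get(c, c) for c in r["failures"]])
        for r in parse_cluster_status(text)
        if r["failures"]
    ]


if __name__ == "__main__":
    for group, node, names in failing_monitors(SAMPLE_STATUS):
        print(f"RG{group} {node}: {', '.join(names)}")
```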

Re: Source NAT rules not being installed

a week ago

(indeed fxp0 is disconnected, but it shouldn't be a problem?)

 

 

root@SRX1> show chassis alarms
node0:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time               Class  Description
2019-11-29 12:34:17 UTC  Major  Host 0 fxp0 : Ethernet Link Down

node1:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time               Class  Description
2019-11-29 15:05:03 UTC  Major  Host 0 fxp0 : Ethernet Link Down

{primary:node0}

root@SRX1> show interfaces terse 

Interface               Admin Link Proto    Local                 Remote

ge-0/0/0                up    down

gr-0/0/0                up    up

ip-0/0/0                up    up

lt-0/0/0                up    up

ge-0/0/1                up    up

ge-0/0/2                up    up

ge-0/0/2.0              up    up   aenet    --> fab0.0

ge-0/0/3                up    up

ge-0/0/3.10             up    up   aenet    --> reth1.10

ge-0/0/3.666            up    up   aenet    --> reth1.666

ge-0/0/3.32767          up    up   aenet    --> reth1.32767

ge-0/0/4                up    down

ge-0/0/5                up    down

ge-0/0/6                up    down

ge-0/0/7                up    down

ge-0/0/8                up    up

ge-0/0/8.0              up    up   inet     83.238.49.142/30

ge-0/0/9                up    down

ge-0/0/10               up    down

ge-0/0/11               up    down

ge-0/0/12               up    down

ge-0/0/13               up    down

ge-0/0/14               up    down      

ge-0/0/15               up    down      

ge-5/0/0                up    down

ge-5/0/1                up    up

ge-5/0/2                up    up

ge-5/0/2.0              up    up   aenet    --> fab1.0

ge-5/0/3                up    up

ge-5/0/3.10             up    up   aenet    --> reth1.10

ge-5/0/3.666            up    up   aenet    --> reth1.666

ge-5/0/3.32767          up    up   aenet    --> reth1.32767

ge-5/0/4                up    down

ge-5/0/5                up    down

ge-5/0/6                up    down

ge-5/0/7                up    down

ge-5/0/8                up    up

ge-5/0/8.0              up    up   inet     91.189.249.182/30

ge-5/0/8.32767          up    up  

ge-5/0/9                up    down

ge-5/0/10               up    down

ge-5/0/11               up    down

ge-5/0/12               up    down

ge-5/0/13               up    down

ge-5/0/14               up    down

ge-5/0/15               up    down

esi                     up    up        

fab0                    up    up        

fab0.0                  up    up   inet     30.17.0.200/24  

fab1                    up    up        

fab1.0                  up    up   inet     30.18.0.200/24  

fti0                    up    up        

fxp0                    up    down      

fxp0.0                  up    down inet     10.10.10.1/24   

fxp1                    up    up        

fxp1.0                  up    up   inet     129.16.0.1/2    

                                   tnp      0x1100001       

fxp2                    up    up

fxp2.0                  up    up   tnp      0x1100001       

gre                     up    up

ipip                    up    up

irb                     up    up

jsrv                    up    up

jsrv.1                  up    up   inet     128.0.0.127/2   

lo0                     up    up

lo0.0                   up    up   inet     188.114.65.10       --> 0/0

lo0.16384               up    up   inet     127.0.0.1           --> 0/0

lo0.16385               up    up   inet     10.0.0.1            --> 0/0

                                            10.0.0.16           --> 0/0

                                            128.0.0.1           --> 0/0

                                            128.0.0.4           --> 0/0

                                            128.0.1.16          --> 0/0

lo0.32768               up    up  

lsi                     up    up

mtun                    up    up

pimd                    up    up

pime                    up    up

pp0                     up    up

ppd0                    up    up        

ppe0                    up    up

rbeb                    up    up

reth0                   up    down

reth1                   up    up

reth1.10                up    up   inet     192.168.20.1/24 

reth1.666               up    up   inet     172.16.1.1/24   

reth1.32767             up    up  

st0                     up    up

swfab0                  up    down

swfab1                  up    down

tap                     up    up

vlan                    up    down

vtep                    up    up

 

root@SRX1> show chassis cluster information detail 

node0:

--------------------------------------------------------------------------

Redundancy mode:

    Configured mode: active-active

    Operational mode: active-backup

Cluster configuration:

    Heartbeat interval: 1000 ms

    Heartbeat threshold: 3

    Control link recovery: Enabled

    Fabric link down timeout: 66 sec

Node health information:

    Local node health: Not healthy

    Remote node health: Not healthy

 

Redundancy group: 0, Threshold: 255, Monitoring failures: none

    Events:

        Nov 29 12:32:48.454 : hold->secondary, reason: Hold timer expired

        Nov 29 12:33:04.458 : secondary->primary, reason: Only node present

 

Redundancy group: 1, Threshold: 0, Monitoring failures: cold-sync-monitoring

    Events:

        Nov 29 12:32:48.984 : hold->secondary, reason: Hold timer expired

        Nov 29 12:33:04.542 : secondary->primary, reason: Only node present

 

Control link statistics:                

    Control link 0:                     

        Heartbeat packets sent: 253854  

        Heartbeat packets received: 246436

        Heartbeat packet errors: 0

        Duplicate heartbeat packets received: 0

    Control recovery packet count: 0

    Sequence number of last heartbeat packet sent: 253854

    Sequence number of last heartbeat packet received: 245013

Fabric link statistics:

    Child link 0

        Probes sent: 493496

        Probes received: 0

    Child link 1

        Probes sent: 0

        Probes received: 0

Switch fabric link statistics:

    Probe state : DOWN

    Probes sent: 0

    Probes received: 0

    Probe recv errors: 0

    Probe send errors: 0

    Probe recv dropped: 0

    Sequence number of last probe sent: 0

    Sequence number of last probe received: 0

                                        

Chassis cluster LED information:        

    Current LED color: Amber            

    Last LED change reason: Monitored objects are down

Control port tagging:              

   Disabled                            

 

Cold Synchronization:

    Status:

        Cold synchronization completed for: N/A

        Cold synchronization failed for: N/A

        Cold synchronization not known for: N/A

        Current Monitoring Weight: 255

 

    Progress:

        CS Prereq               0 of 1 SPUs completed

           1. if_state sync          1 SPUs completed

           2. fabric link            0 SPUs completed

           3. policy data sync       1 SPUs completed

           4. cp ready               0 SPUs completed

           5. VPN data sync          0 SPUs completed

           6. IPID data sync         0 SPUs completed

           7. All SPU ready          0 SPUs completed

           8. AppID ready            0 SPUs completed

           9. Tunnel Sess ready      0 SPUs completed

        CS RTO sync             0 of 1 SPUs completed

        CS Postreq              0 of 1 SPUs completed

 

    Statistics:                         

        Number of cold synchronization completed: 0

        Number of cold synchronization failed: 0

 

    Events:

        Nov 29 12:41:24.297 : Cold sync for PFE  is Not complete

 

Loopback Information:

 

    PIC Name        Loopback        Nexthop     Mbuf

    -------------------------------------------------

                    Success         Failure     Success    

 

Interface monitoring:

    Statistics:

        Monitored interface failure count: 0

 

Fabric monitoring:

    Status:

        Fabric Monitoring: Enabled

        Activation status: Active

        Fabric Status reported by data plane: Down

        JSRPD internal fabric status: Down

                                        

Fabric link events:                     

        Dec  2 10:51:06.618 : Fabric link fab1 is up

        Dec  2 10:51:06.619 : Child ge-5/0/2 of fab1 is up

        Dec  2 10:51:06.834 : Fabric link fab0 is up

        Dec  2 10:51:06.835 : Child ge-0/0/2 of fab0 is up

        Dec  2 11:03:37.825 : Fabric link fab0 is up

        Dec  2 11:03:37.826 : Child ge-0/0/2 of fab0 is up

        Dec  2 11:03:37.844 : Fabric link fab1 is up

        Dec  2 11:03:37.845 : Child ge-5/0/2 of fab1 is up

        Dec  2 11:03:37.998 : Child ge-0/0/2 of fab0 is up

        Dec  2 11:03:38.093 : Child ge-5/0/2 of fab1 is up

 

Control link status: Up

    Server information:

        Server status : Connected

        Server connected to 130.16.0.1/50968

    Client information:

        Client status : Inactive

        Client connected to None

Control port tagging:

    Disabled

 

Control link events:

        Nov 29 13:23:44.039 : Control link fxp1 is up

        Nov 29 15:01:24.414 : Control link fxp1 is up

        Dec  2 09:47:07.917 : Control link fxp1 is up

        Dec  2 09:51:51.808 : Control link fxp1 is up

        Dec  2 09:54:31.076 : Control link fxp1 is up

        Dec  2 09:57:32.731 : Control link fxp1 is up

        Dec  2 09:59:47.020 : Control link fxp1 is up

        Dec  2 10:02:35.437 : Control link fxp1 is up

        Dec  2 10:14:35.646 : Control link fxp1 is up

        Dec  2 11:03:37.863 : Control link fxp1 is up

 

Hardware monitoring:

    Status:

        Activation status: Enabled

        Redundancy group 0 failover for hardware faults: Enabled

        Hardware redundancy group 0 errors: 0

        Hardware redundancy group 1 errors: 0

 

Schedule monitoring:

    Status:

        Activation status: Disabled

        Schedule slip detected: None

        Timer ignored: No

 

    Statistics:

        Total slip detected count: 1

        Longest slip duration: 3(s)

 

    Events:

        Nov 29 12:31:11.634 : Detected schedule slip

        Nov 29 12:32:11.812 : Cleared schedule slip

                                        

Configuration Synchronization:

    Status:                             

        Activation status: Enabled      

        Last sync operation: Auto-Sync  

        Last sync result: Not needed    

        Last sync mgd messages:         

                                        

    Events:                             

        Nov 29 13:00:35.952 : Auto-Sync: Not needed.

                                        

Cold Synchronization Progress:          

    CS Prereq               0 of 1 SPUs completed

       1. if_state sync          1 SPUs completed

       2. fabric link            0 SPUs completed

       3. policy data sync       1 SPUs completed

       4. cp ready               0 SPUs completed

       5. VPN data sync          0 SPUs completed

       6. IPID data sync         0 SPUs completed

       7. All SPU ready          0 SPUs completed

       8. AppID ready            0 SPUs completed

       9. Tunnel Sess ready      0 SPUs completed

    CS RTO sync             0 of 1 SPUs completed

    CS Postreq              0 of 1 SPUs completed

 

node1:

--------------------------------------------------------------------------

Redundancy mode:

    Configured mode: active-active

    Operational mode: active-backup

Cluster configuration:

    Heartbeat interval: 1000 ms

    Heartbeat threshold: 3

    Control link recovery: Enabled

    Fabric link down timeout: 66 sec

Node health information:

    Local node health: Not healthy

    Remote node health: Not healthy     

                                        

Redundancy group: 0, Threshold: 0, Monitoring failures: fabric-connection-down

    Events:                             

        Nov 29 15:03:54.656 : hold->secondary, reason: Hold timer expired

                                        

Redundancy group: 1, Threshold: -255, Monitoring failures: cold-sync-monitoring, fabric-connection-down

    Events:                             

        Nov 29 15:03:55.008 : hold->secondary, reason: Hold timer expired

Control link statistics:                

    Control link 0:                     

        Heartbeat packets sent: 245014  

        Heartbeat packets received: 244989

        Heartbeat packet errors: 0      

        Duplicate heartbeat packets received: 0

    Control recovery packet count: 0    

    Sequence number of last heartbeat packet sent: 245014

    Sequence number of last heartbeat packet received: 253855

Fabric link statistics:                 

 

    Child link 0

        Probes sent: 489391             

        Probes received: 0

    Child link 1

        Probes sent: 0

        Probes received: 0

Switch fabric link statistics:

    Probe state : DOWN

    Probes sent: 0

    Probes received: 0

    Probe recv errors: 0

    Probe send errors: 0

    Probe recv dropped: 0

    Sequence number of last probe sent: 0

    Sequence number of last probe received: 0

 

Chassis cluster LED information:

    Current LED color: Amber

    Last LED change reason: Monitored objects are down

Control port tagging:

    Disabled

 

Cold Synchronization:

    Status:

        Cold synchronization completed for: N/A

        Cold synchronization failed for: N/A

        Cold synchronization not known for: N/A

        Current Monitoring Weight: 255

 

    Progress:

        CS Prereq               0 of 1 SPUs completed

           1. if_state sync          1 SPUs completed

           2. fabric link            0 SPUs completed

           3. policy data sync       1 SPUs completed

           4. cp ready               0 SPUs completed

           5. VPN data sync          0 SPUs completed

           6. IPID data sync         0 SPUs completed

           7. All SPU ready          0 SPUs completed

           8. AppID ready            0 SPUs completed

           9. Tunnel Sess ready      0 SPUs completed

        CS RTO sync             0 of 1 SPUs completed

        CS Postreq              0 of 1 SPUs completed

 

    Statistics:

        Number of cold synchronization completed: 0

        Number of cold synchronization failed: 0

 

    Events:                             

        Nov 29 15:19:29.445 : Cold sync for PFE  is Not complete

                                        

Loopback Information:                   

    PIC Name        Loopback        Nexthop     Mbuf

    -------------------------------------------------

                    Success         Failure     Success    

                                        

Interface monitoring:

    Statistics:

        Monitored interface failure count: 0

 

Fabric monitoring:

    Status:

        Fabric Monitoring: Enabled

        Activation status: Active

        Fabric Status reported by data plane: Down

        JSRPD internal fabric status: Down

 

Fabric link events:

        Dec  2 10:54:42.611 : Child ge-5/0/2 of fab1 is up

        Dec  2 10:54:42.819 : Fabric link fab0 is up

        Dec  2 10:54:42.830 : Fabric link fab0 is up

        Dec  2 10:54:42.831 : Child ge-0/0/2 of fab0 is up

        Dec  2 11:07:13.811 : Fabric link fab0 is up

        Dec  2 11:07:13.822 : Child ge-0/0/2 of fab0 is up

        Dec  2 11:07:13.842 : Fabric link fab1 is up

        Dec  2 11:07:13.845 : Child ge-5/0/2 of fab1 is up

        Dec  2 11:07:13.993 : Child ge-0/0/2 of fab0 is up

        Dec  2 11:07:14.104 : Child ge-5/0/2 of fab1 is up

                                        

Control link status: Up

    Server information:                 

        Server status : Inactive        

        Server connected to None        

    Client information:                 

        Client status : Connected       

        Client connected to 129.16.0.1/62845

Control port tagging:                   

    Disabled                            

                                        

Control link events:                    

        Nov 29 15:04:01.167 : Control link fxp1 is up

        Nov 29 15:04:11.764 : Control link fxp1 is up

        Dec  2 09:50:40.772 : Control link fxp1 is up

        Dec  2 09:55:24.297 : Control link fxp1 is up

        Dec  2 09:58:03.703 : Control link fxp1 is up

        Dec  2 10:01:04.768 : Control link fxp1 is up

        Dec  2 10:03:19.726 : Control link fxp1 is up

        Dec  2 10:06:08.204 : Control link fxp1 is up

        Dec  2 10:18:01.991 : Control link fxp1 is up

        Dec  2 11:07:11.681 : Control link fxp1 is up

 

 

Hardware monitoring:                    

    Status:                             

        Activation status: Enabled      

        Redundancy group 0 failover for hardware faults: Enabled

        Hardware redundancy group 0 errors: 0

        Hardware redundancy group 1 errors: 0

                                        

Schedule monitoring:

    Status:                             

        Activation status: Disabled     

        Schedule slip detected: None    

        Timer ignored: No               

                                        

    Statistics:                         

        Total slip detected count: 2    

        Longest slip duration: 7(s)     

                                        

    Events:                             

        Nov 29 15:02:16.635 : Detected schedule slip

        Nov 29 15:03:16.708 : Cleared schedule slip

        Nov 29 15:05:48.635 : Detected schedule slip

        Nov 29 15:06:48.699 : Cleared schedule slip

                                        

Configuration Synchronization:

    Status:                             

        Activation status: Enabled      

        Last sync operation: Auto-Sync  

        Last sync result: Succeeded     

                                        

    Events:                             

        Nov 29 15:04:30.952 : Auto-Sync: In progress. Attempt: 1

        Nov 29 15:05:41.222 : Auto-Sync: Clearing mgd. Attempt: 1

        Nov 29 15:05:48.626 : Auto-Sync: Succeeded. Attempt: 1

                                        

Cold Synchronization Progress:          

    CS Prereq               0 of 1 SPUs completed

       1. if_state sync          1 SPUs completed

       2. fabric link            0 SPUs completed

       3. policy data sync       1 SPUs completed

       4. cp ready               0 SPUs completed

       5. VPN data sync          0 SPUs completed

       6. IPID data sync         0 SPUs completed

       7. All SPU ready          0 SPUs completed

       8. AppID ready            0 SPUs completed

       9. Tunnel Sess ready      0 SPUs completed

    CS RTO sync             0 of 1 SPUs completed

    CS Postreq              0 of 1 SPUs completed

 

 

root@SRX1> show configuration | display set | match "fab|cluster" 

set chassis cluster control-link-recovery

set chassis cluster reth-count 2

set chassis cluster redundancy-group 1 node 0 priority 200

set chassis cluster redundancy-group 1 node 1 priority 100

set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 150

set interfaces fab0 fabric-options member-interfaces ge-0/0/2

set interfaces fab1 fabric-options member-interfaces ge-5/0/2

set interfaces reth1 description link-to-ex2300-cluster


Re: Source NAT rules not being installed

a week ago
Fab link (ge-0/0/2 and ge-5/0/2) is physically up on both nodes but they are not receiving fabric probes from each other. How are the fab links connected? Is it directly connected or via any switch?
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
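
Added example, not part of the original thread or of any Juniper tooling: a Python parser that pulls the per-node "Fabric link statistics" counters out of `show chassis cluster information detail` and labels each child link, making the condition described in the reply above (links up, probes sent, none received) easy to detect. The function names and state labels are constructed for illustration; the sample is an excerpt of the posted output with the blank lines removed.

```python
import re

# Constructed sample: excerpt of the output posted in the thread.
SAMPLE_DETAIL = """\
node0:
--------------------------------------------------------------------------
Fabric link statistics:
    Child link 0
        Probes sent: 493496
        Probes received: 0
    Child link 1
        Probes sent: 0
        Probes received: 0
Switch fabric link statistics:
    Probe state : DOWN
    Probes sent: 0
    Probes received: 0
node1:
--------------------------------------------------------------------------
Fabric link statistics:
    Child link 0
        Probes sent: 489391
        Probes received: 0
    Child link 1
        Probes sent: 0
        Probes received: 0
Switch fabric link statistics:
    Probe state : DOWN
    Probes sent: 0
    Probes received: 0
"""


def fabric_probe_counters(text):
    """Return {node: {child_index: {"sent": int, "received": int}}}."""
    counters = {}
    node, child, in_fabric = "local", None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = re.fullmatch(r"(node\d+):", stripped)
        if m:
            node, child, in_fabric = m.group(1), None, False
            continue
        if stripped == "Fabric link statistics:":
            in_fabric, child = True, None
            continue
        if not line[0].isspace():
            # Any other unindented line starts a different section, e.g.
            # "Switch fabric link statistics:", whose counters are not wanted.
            in_fabric = False
            continue
        if not in_fabric:
            continue
        m = re.fullmatch(r"Child link (\d+)", stripped)
        if m:
            child = int(m.group(1))
            counters.setdefault(node, {})[child] = {"sent": 0, "received": 0}
            continue
        m = re.fullmatch(r"Probes (sent|received): (\d+)", stripped)
        if m and child is not None:
            counters[node][child][m.group(1)] = int(m.group(2))
    return counters


def classify(counters):
    """Label each child link: 'idle', 'none-received' or 'receiving'."""
    verdicts = []
    for node in sorted(counters):
        for child, c in sorted(counters[node].items()):
            if c["received"] > 0:
                state = "receiving"
            elif c["sent"] > 0:
                state = "none-received"  # probes leave but nothing comes back
            else:
                state = "idle"           # no probes in either direction
            verdicts.append((node, child, state))
    return verdicts


if __name__ == "__main__":
    for node, child, state in classify(fabric_probe_counters(SAMPLE_DETAIL)):
        print(f"{node} child link {child}: {state}")
```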

Re: Source NAT rules not being installed

a week ago

Fab links are connected directly. After your message I added additional ports to fabric links to verify the problem:

 

root@SRX1# show interfaces fab0
fabric-options {
    member-interfaces {
        ge-0/0/2;
        ge-0/0/4;
    }
}

{primary:node0}[edit]
root@SRX1# show interfaces fab1
fabric-options {
    member-interfaces {
        ge-5/0/2;
        ge-5/0/4;
    }
}

 

And now I see only 1 problem with CS:

 

root@SRX1# run show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring

Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 0
node0  1        primary              no      no       None
node1  1        secondary            no      no       None

Redundancy group: 1 , Failover count: 0
node0  0        primary              yes     no       CS
node1  0        secondary            yes     no       CS

 

 

 


Re: Source NAT rules not being installed

a week ago
Loopback monitoring is failed on both nodes. Reboot both nodes simultaneously and share previous requested commands output if cluster status is still unhealthy
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Source NAT rules not being installed

a week ago

After reboot of both nodes it doesn't look any better.

 

root@SRX1> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring

Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  1        primary              no      no       None
node1  0        secondary            no      no       CF

Redundancy group: 1 , Failover count: 1
node0  0        primary              yes     no       CS
node1  0        secondary            yes     no       CS CF


Re: Source NAT rules not being installed

a week ago
Please share "show chassis cluster information detail" command output
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Source NAT rules not being installed

a week ago

I removed loopback interfaces from any redundancy group for now and chassis cluster looks much better now:

 

Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  1        primary              no      no       None
node1  1        secondary            no      no       None

Redundancy group: 1 , Failover count: 1
node0  200      primary              yes     no       None
node1  100      secondary            yes     no       None

 

 

Also, after that, I can see some NAT rules in the output of that command:

 

root@SRX1# run show security nat source rule all
node0:
--------------------------------------------------------------------------
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: 1                      Rule-set: rs1
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.20.0    - 192.168.20.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : src-pool-1
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 440
    Successful sessions      : 263
    Failed sessions          : 177
  Number of sessions         : 4

node1:
--------------------------------------------------------------------------
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: 1                      Rule-set: rs1
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.20.0    - 192.168.20.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : src-pool-1
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 177
    Successful sessions      : 177
    Failed sessions          : 0
  Number of sessions         : 4

 

I see also something good here:

 

root@SRX1# run show security flow session source-prefix 192.168.20.5/32

Session ID: 652, Policy name: internet-access/4, State: Active, Timeout: 1764, Valid
  In: 192.168.20.5/50852 --> 38.90.226.52/8883;tcp, Conn Tag: 0x0, If: reth1.10, Pkts: 41, Bytes: 2930,
  Out: 38.90.226.52/8883 --> <Source NAT IP>/43064;tcp, Conn Tag: 0x0, If: ge-0/0/8.0, Pkts: 28, Bytes: 5061,

 

However Internet access / NAT still doesn't work for me, as I'm getting only time-outs. But I think I'm closer now.. 


Re: Source NAT rules not being installed

a week ago
Normally, Ingress and egress will be reth interfaces in a cluster. But in your case egress interface is a ge- interface. As per flow session, bi-directional traffic is passing through srx. Please share the complete configuration, if possible.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Source NAT rules not being installed

a week ago
## Last changed: 2019-12-02 13:41:38 UTC
version 18.2R3.4;
groups {
    node0 {
        system {
            host-name SRX1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.10.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.10.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$6$VYv6FshQ$sE7sc4tkEJX7QQlBbzIm.N9UsKX8Gx01QehyL4Rw0lNukWO9O4LSr007bXSKHAfMB4mEQPHgkLYft/TEZNoSd0"; ## SECRET-DATA
    }
    name-server {
        1.1.1.1;
        1.0.0.1;
    }
    services {
        ssh {
            root-login allow;
        }
        web-management {
            http {
                port 80;
                interface reth1.10;
            }
        }
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 2;
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 150;
            }
        }
    }
}
security {
    nat {
        source {
            pool src-pool-1 {
                address {
                    <My-IP-address-from-PI-Prefix>/32;
                }
            }
            rule-set rs1 {
                from zone trust;
                to zone untrust;
                rule 1 {
                    match {
                        source-address 192.168.20.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-pool-1;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy test2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                reth1.10 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            http;
                            https;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                ge-0/0/8.0;
                ge-5/0/8.0;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address <ISP 1 IP>/30;
            }
        }
    }
    ge-5/0/3 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/8 {
        disable;
        vlan-tagging;
        unit 0 {
            vlan-id 2609;
            family inet {
                address <ISP 2 IP>/30;
            }
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    reth1 {
        description link-to-ex2300-cluster;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            minimum-links 1;
        }
        unit 10 {
            description "Office VLAN";
            vlan-id 10;
            family inet {
                address 192.168.20.1/24;
            }
        }
        unit 666 {
            description "Managment VLAN";
            vlan-id 666;
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
}
routing-options {
    graceful-restart;
    static {
        route <my-pi-prefix>/24 discard;
    }
    autonomous-system XXXX;
}
protocols {
    bgp {
        group bgp-isp {
            type external;
            export send-greencell-prefix;
            neighbor <ISP 1 IP> {
                description netia-isp;
                peer-as XXX;
            }
            neighbor <ISP 2 IP> {
                description snet-isp;
                peer-as XXX;
            }
        }
    }
}
policy-options {
    policy-statement send-greencell-prefix {
        term export-routes {
            from {
                route-filter <my-pi-prefix>/24 exact;
            }
            then accept;
        }
        then reject;
    }
}

Re: Source NAT rules not being installed

a week ago

Configuration looks OK to me. Hope you are receiving a default route from BGP. Please enable flow traceoptions to understand why traffic is not working.

 

set security flow traceoptions file flow.log
set security flow traceoptions file size 20m
set security flow traceoptions file files 20
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter P1 source-prefix < Source IP >
set security flow traceoptions packet-filter P1 destination-prefix < Destination IP >
set security flow traceoptions packet-filter P2 source-prefix < Destination IP >
set security flow traceoptions packet-filter P2 destination-prefix < Source IP >

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Source NAT rules not being installed

a week ago

 

Hello,

Since my last messages, I have made some changes in the configuration. I'm attaching my current config and an image (yeah, sorry for that).

Yesterday I was able to ping the SRX gateway (192.168.20.1) and access the Internet via ISP1 from my computer.

However, after disconnecting ISP1 I couldn't access the Internet via ISP2 from my computer (but from SRX1, which is master, I had access to the Internet via ISP2).

Today I can't ping the gateway and I don't have Internet access (however, the SRX has 2 BGP peers active and full Internet access) - but I didn't change the configuration... So there is something really wrong in this setup...

(Currently, after rebooting both nodes of the chassis cluster, I'm able to ping my gateway, however I don't have Internet access - routing goes via ISP2)

 

version 18.2R3.4;
groups {
    node0 {
        system {
            host-name SRX1;
            backup-router 192.16.35.254 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.16.35.46/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX2;
            backup-router 192.16.35.254 destination 0.0.0.0/0;
        }
        interfaces {                    
            fxp0 {                      
                unit 0 {                
                    family inet {       
                        address 192.16.35.47/24;
                    }                   
                }                       
            }                           
        }                               
    }                                   
}                                       
apply-groups "${node}";       

system {                                
    root-authentication {               
        encrypted-password "ABCDEF"; ## SECRET-DATA
    }                                   
    name-server {                       
        8.8.8.8;                        
        8.8.4.4;                        
    }                                   
    services {                          
        ssh {                           
            root-login allow;
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}

chassis {
    cluster {                           
        reth-count 1;                   
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-0/0/4 weight 200;
                ge-0/0/5 weight 200;
                ge-5/0/5 weight 200;
                ge-5/0/4 weight 200;
            }
        }
    }
}
security {
    nat {
        source {
            pool src-nat-pool-1 {
                address {
                    123.123.123.10/32;
                }                       
            }                           
            rule-set rs1 {              
                from zone trust;        
                to zone untrust;        
                rule 1 {                
                    match {             
                        source-address 192.168.20.0/24;
                        destination-address 0.0.0.0/0;
                    }                   
                    then {              
                        source-nat {    
                            pool {      
                                src-nat-pool-1;
                            }           
                        }               
                    }                   
                }                       
            }                           
        }                               
    }                                   
    policies {                          
        from-zone trust to-zone trust { 
            policy permit-all {         
                match {                 
                    source-address any; 
                    destination-address any;
                    application any;    
                }                       
                then {                  
                    permit;             
                }                       
            }                           
        }                               
        from-zone trust to-zone untrust {
            policy permit-all {         
                match {                 
                    source-address any; 
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {                
                reth0.10 {              
                    host-inbound-traffic {
                        system-services {
                            all;        
                        }               
                        protocols {     
                            all;        
                        }               
                    }                   
                }                       
            }                           
        }                               
        security-zone untrust {
            host-inbound-traffic {      
                system-services {       
                    ping;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                ge-0/0/12.0;
                ge-5/0/12.0;
            }
        }
    }
}
interfaces {
    ge-0/0/4 {
        ether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/5 {
        ether-options {
            redundant-parent reth0;
        }                               
    }                                   
    ge-0/0/12 {                         
        description isp1-bgp;          
        unit 0 {                        
            family inet {               
                address 1.1.1.2/30;
                address 123.123.123.11/24;
            }                           
        }                               
    }                                   
    ge-5/0/4 {
        ether-options {                 
            redundant-parent reth0;     
        }                               
    }                                   
    ge-5/0/5 {                          
        ether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/12 {
        description isp2-bgp;
        vlan-tagging;
        unit 0 {
            vlan-id 2609;
            family inet {
                address 2.2.2.2/30;
            }
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
                ge-0/0/3;
            }
        }
    }
    fab1 {                              
        fabric-options {                
            member-interfaces {         
                ge-5/0/2;               
                ge-5/0/3;               
            }                           
        }                               
    }                                   
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;         
            lacp {                      
                passive;                
                periodic slow;          
            }                           
        }                               
        unit 10 {                       
            vlan-id 10;                 
            family inet {               
                address 192.168.20.1/24;
            }                           
        }                               
    }                                   
}                                       
routing-options {                       
    graceful-restart;                   
    autonomous-system 56789;           
}                                       
protocols {                             
    bgp {                               
        group bgp-isp {                 
            type external;              
            import deny-import-prefix;  
            export send-prefix;
            neighbor 1.1.1.1 {    
                description netia-bgp;  
                peer-as 1234;          
            }                           
            neighbor 2.2.2.1 {   
                description snet-bgp;   
                peer-as 4321;          
            }                           
        }                               
    }                                   
}                                       

policy-options {                        
    policy-statement deny-import-prefix {
        term deny-import-routes {       
            from {                      
                route-filter 0.0.0.0/0 exact;
            }                           
            then reject;
        }
        then accept;
    }
    policy-statement send-prefix {
        term export-routes {
            from {
                route-filter 123.123.123.0/24 exact;
            }
            then accept;
        }
        then reject;
    }
}

 

Some more info from SRX:

 

root@SRX1> show chassis alarms 
node0:
--------------------------------------------------------------------------
No alarms currently active

node1:
--------------------------------------------------------------------------
No alarms currently active


root@SRX1> show interfaces terse | match down   
ge-0/0/0                up    down
ge-0/0/6                up    down
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
ge-5/0/0                up    down
ge-5/0/6                up    down
ge-5/0/7                up    down
ge-5/0/8                up    down
ge-5/0/9                up    down
ge-5/0/10               up    down
ge-5/0/11               up    down
ge-5/0/13               up    down
ge-5/0/14               up    down
ge-5/0/15               up    down
swfab0                  up    down
swfab1                  up    down
vlan                    up    down


root@SRX1> show configuration | display set | match "fab|cluster" 
set chassis cluster reth-count 1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 200
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 200
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/5 weight 200
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 200
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/3


root@SRX1> show chassis cluster information detail 
node0:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active
Cluster configuration:
    Heartbeat interval: 1000 ms
    Heartbeat threshold: 3
    Control link recovery: Disabled
    Fabric link down timeout: 66 sec
Node health information:
    Local node health: Healthy
    Remote node health: Healthy

Redundancy group: 0, Threshold: 255, Monitoring failures: none
    Events:
        Dec  5 12:47:31.582 : hold->secondary, reason: Hold timer expired
        Dec  5 12:47:35.531 : secondary->primary, reason: Better priority (100/1)

Redundancy group: 1, Threshold: 255, Monitoring failures: none
    Events:
        Dec  5 12:47:31.623 : hold->secondary, reason: Hold timer expired

        Dec  5 12:47:37.002 : secondary->primary, reason: Remote yield (0/0)
Control link statistics:                
    Control link 0:                     
        Heartbeat packets sent: 606     
        Heartbeat packets received: 564 
        Heartbeat packet errors: 0      
        Duplicate heartbeat packets received: 0
    Control recovery packet count: 0    
    Sequence number of last heartbeat packet sent: 606
    Sequence number of last heartbeat packet received: 594
Fabric link statistics:                 
    Child link 0                        
        Probes sent: 794                
        Probes received: 792            
    Child link 1                        
        Probes sent: 789                
        Probes received: 788            
Switch fabric link statistics:          
    Probe state : DOWN                  
    Probes sent: 0                      
    Probes received: 0                  
    Probe recv errors: 0
    Probe send errors: 0
    Probe recv dropped: 0
    Sequence number of last probe sent: 0
    Sequence number of last probe received: 0

Chassis cluster LED information:
    Current LED color: Green
    Last LED change reason: No failures
Control port tagging:
    Disabled

Cold Synchronization:
    Status:
        Cold synchronization completed for: N/A
        Cold synchronization failed for: N/A
        Cold synchronization not known for: N/A
        Current Monitoring Weight: 0
  Progress:
        CS Prereq               1 of 1 SPUs completed
           1. if_state sync          1 SPUs completed
           2. fabric link            1 SPUs completed
           3. policy data sync       1 SPUs completed
           4. cp ready               1 SPUs completed
           5. VPN data sync          1 SPUs completed
           6. IPID data sync         1 SPUs completed
           7. All SPU ready          1 SPUs completed
           8. AppID ready            1 SPUs completed
           9. Tunnel Sess ready      1 SPUs completed
        CS RTO sync             1 of 1 SPUs completed
        CS Postreq              1 of 1 SPUs completed
                                        
    Statistics:                         
        Number of cold synchronization completed: 0
        Number of cold synchronization failed: 0
                                        
    Events:                             
        Dec  5 12:49:03.508 : Cold sync for PFE  is RTO sync in process
        Dec  5 12:49:03.576 : Cold sync for PFE  is Completed

Loopback Information:

    PIC Name        Loopback        Nexthop     Mbuf
    -------------------------------------------------
                    Success         Success     Success    

Interface monitoring:
    Statistics:
        Monitored interface failure count: 0

    Events:
        Dec  5 12:49:06.839 : Interface ge-0/0/4 monitored by rg 1, changed state from Down to Up
        Dec  5 12:49:07.016 : Interface ge-0/0/5 monitored by rg 1, changed state from Down to Up

Fabric monitoring:
    Status:
        Fabric Monitoring: Enabled
        Activation status: Active
        Fabric Status reported by data plane: Up
        JSRPD internal fabric status: Up
                                        
Fabric link events:                     
        Dec  5 12:49:02.415 : Child ge-5/0/2 of fab1 is up
        Dec  5 12:49:04.402 : Fabric link fab1 is up
        Dec  5 12:49:04.413 : Child ge-5/0/3 of fab1 is up
        Dec  5 12:49:05.203 : Child link-0 of fab1 is up, pfe notification
        Dec  5 12:49:05.267 : Fabric link fab0 is up
        Dec  5 12:49:05.278 : Child ge-0/0/3 of fab0 is up
        Dec  5 12:49:05.572 : Child link-0 of fab0 is up, pfe notification
        Dec  5 12:49:06.578 : Fabric link up, link status timer
        Dec  5 12:49:07.577 : Child link-1 of fab0 is up, pfe notification
        Dec  5 12:49:07.692 : Child link-1 of fab1 is up, pfe notification

Control link status: Up
    Server information:
        Server status : Connected
        Server connected to 130.16.0.1/52245
    Client information:
        Client status : Inactive
        Client connected to None
Control port tagging:
    Disabled

Control link events:
        Dec  5 12:45:30.155 : Control link fxp1 is down
        Dec  5 12:45:40.609 : Control link fxp1 is down
        Dec  5 12:46:04.491 : Control link fxp1 is up
        Dec  5 12:47:35.535 : Control link fxp1 is up
        Dec  5 12:47:41.507 : Control link fxp1 is up
        Dec  5 12:47:57.520 : Control link fxp1 is up
        Dec  5 12:47:57.581 : Control link fxp1 is up
        Dec  5 12:48:35.337 : Control link fxp1 is up
        Dec  5 12:48:41.302 : Control link fxp1 is up
        Dec  5 12:48:41.464 : Control link fxp1 is up
                                        
Hardware monitoring:                    
    Status:                             
        Activation status: Enabled      
        Redundancy group 0 failover for hardware faults: Enabled
        Hardware redundancy group 0 errors: 0
        Hardware redundancy group 1 errors: 0

Schedule monitoring:
    Status:
        Activation status: Disabled
        Schedule slip detected: None
        Timer ignored: No

    Statistics:
        Total slip detected count: 1
        Longest slip duration: 3(s)

    Events:
        Dec  5 12:45:56.819 : Detected schedule slip
        Dec  5 12:46:56.950 : Cleared schedule slip

Configuration Synchronization:
    Status:
        Activation status: Enabled
        Last sync operation: Auto-Sync
        Last sync result: Not needed    
        Last sync mgd messages:         
                                        
    Events:                             
        Dec  5 12:47:36.095 : Auto-Sync: Not needed.
                                        
Cold Synchronization Progress:          
    CS Prereq               1 of 1 SPUs completed
       1. if_state sync          1 SPUs completed
       2. fabric link            1 SPUs completed
       3. policy data sync       1 SPUs completed
       4. cp ready               1 SPUs completed
       5. VPN data sync          1 SPUs completed
       6. IPID data sync         1 SPUs completed
       7. All SPU ready          1 SPUs completed
       8. AppID ready            1 SPUs completed
       9. Tunnel Sess ready      1 SPUs completed
    CS RTO sync             1 of 1 SPUs completed
    CS Postreq              1 of 1 SPUs completed

node1:                                  
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active
Cluster configuration:
    Heartbeat interval: 1000 ms
    Heartbeat threshold: 3
    Control link recovery: Disabled
    Fabric link down timeout: 66 sec
Node health information:
    Local node health: Healthy
    Remote node health: Healthy

Redundancy group: 0, Threshold: 255, Monitoring failures: none
    Events:
        Dec  5 12:43:54.036 : hold->secondary, reason: Hold timer expired

Redundancy group: 1, Threshold: 255, Monitoring failures: none
    Events:
        Dec  5 12:43:55.246 : hold->secondary, reason: Hold timer expired
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 595     
        Heartbeat packets received: 573 
        Heartbeat packet errors: 0      
        Duplicate heartbeat packets received: 0
    Control recovery packet count: 0    
    Sequence number of last heartbeat packet sent: 595
    Sequence number of last heartbeat packet received: 607
Fabric link statistics:                 
    Child link 0                        
        Probes sent: 795                
        Probes received: 794            
    Child link 1                        
        Probes sent: 793                
        Probes received: 789            

Switch fabric link statistics:          
    Probe state : DOWN                  
    Probes sent: 0                      
    Probes received: 0                  
    Probe recv errors: 0                
    Probe send errors: 0                
    Probe recv dropped: 0               
    Sequence number of last probe sent: 0
    Sequence number of last probe received: 0

Chassis cluster LED information:
    Current LED color: Green
    Last LED change reason: No failures
Control port tagging:
    Disabled

Cold Synchronization:
    Status:
        Cold synchronization completed for: N/A
        Cold synchronization failed for: N/A
        Cold synchronization not known for: N/A
        Current Monitoring Weight: 0

    Progress:
        CS Prereq               1 of 1 SPUs completed
           1. if_state sync          1 SPUs completed
           2. fabric link            1 SPUs completed
           3. policy data sync       1 SPUs completed
           4. cp ready               1 SPUs completed
           5. VPN data sync          1 SPUs completed
           6. IPID data sync         1 SPUs completed
           7. All SPU ready          1 SPUs completed
           8. AppID ready            1 SPUs completed
           9. Tunnel Sess ready      1 SPUs completed
        CS RTO sync             1 of 1 SPUs completed
        CS Postreq              1 of 1 SPUs completed
                                        
    Statistics:                         
        Number of cold synchronization completed: 0
        Number of cold synchronization failed: 0

    Events:                             
        Dec  5 12:45:21.592 : Cold sync for PFE  is RTO sync in process
        Dec  5 12:45:23.176 : Cold sync for PFE  is Post-req check in process
        Dec  5 12:45:25.173 : Cold sync for PFE  is Completed
                                        
Loopback Information:

    PIC Name        Loopback        Nexthop     Mbuf
    -------------------------------------------------
                    Success         Success     Success    

Interface monitoring:
    Statistics:
        Monitored interface failure count: 0

    Events:
        Dec  5 12:45:25.361 : Interface ge-0/0/4 monitored by rg 1, changed state from Down to Up
        Dec  5 12:45:25.531 : Interface ge-0/0/5 monitored by rg 1, changed state from Down to Up

Fabric monitoring:
    Status:
        Fabric Monitoring: Enabled
        Activation status: Active
        Fabric Status reported by data plane: Up
        JSRPD internal fabric status: Up
                                        
Fabric link events:                     
        Dec  5 12:45:20.932 : Child ge-5/0/2 of fab1 is up
        Dec  5 12:45:22.920 : Fabric link fab1 is up
        Dec  5 12:45:22.924 : Fabric link fab1 is up
        Dec  5 12:45:22.929 : Child ge-5/0/3 of fab1 is up
        Dec  5 12:45:23.707 : Child link-0 of fab1 is up, pfe notification
        Dec  5 12:45:23.793 : Fabric link fab0 is up
        Dec  5 12:45:23.797 : Fabric link fab0 is up
        Dec  5 12:45:23.801 : Child ge-0/0/3 of fab0 is up
        Dec  5 12:45:24.710 : Fabric link up, link status timer
        Dec  5 12:45:26.207 : Child link-1 of fab1 is up, pfe notification
        Dec  5 12:45:24.710 : Fabric link up, link status timer
        Dec  5 12:45:26.207 : Child link-1 of fab1 is up, pfe notification
                                        
Control link status: Up
    Server information:                 
        Server status : Inactive        
        Server connected to None        
    Client information:                 
        Client status : Connected       
        Client connected to 129.16.0.1/62845
Control port tagging:
    Disabled

Control link events:
        Dec  5 12:41:51.953 : Control link fxp1 is down
        Dec  5 12:42:01.142 : Control link fxp1 is down
        Dec  5 12:42:24.600 : Control link fxp1 is up
        Dec  5 12:44:00.131 : Control link fxp1 is up
        Dec  5 12:44:10.167 : Control link fxp1 is up

Hardware monitoring:
    Status:
        Activation status: Enabled
        Redundancy group 0 failover for hardware faults: Enabled
        Hardware redundancy group 0 errors: 0
        Hardware redundancy group 1 errors: 0

Schedule monitoring:
    Status:
        Activation status: Disabled
        Schedule slip detected: None
        Timer ignored: No               
                                        
    Statistics:                         
        Total slip detected count: 2    
        Longest slip duration: 7(s)     
                                        
    Events:                             
        Dec  5 12:42:16.242 : Detected schedule slip
        Dec  5 12:43:16.420 : Cleared schedule slip
        Dec  5 12:45:42.538 : Detected schedule slip
        Dec  5 12:46:42.717 : Cleared schedule slip
Configuration Synchronization:
    Status:                             
        Activation status: Enabled      
        Last sync operation: Auto-Sync  
        Last sync result: Succeeded

    Events:
        Dec  5 12:44:23.885 : Auto-Sync: In progress. Attempt: 1
        Dec  5 12:45:35.952 : Auto-Sync: Clearing mgd. Attempt: 1
        Dec  5 12:45:42.530 : Auto-Sync: Succeeded. Attempt: 1

Cold Synchronization Progress:
    CS Prereq               1 of 1 SPUs completed
       1. if_state sync          1 SPUs completed
       2. fabric link            1 SPUs completed
       3. policy data sync       1 SPUs completed
       4. cp ready               1 SPUs completed
       5. VPN data sync          1 SPUs completed
       6. IPID data sync         1 SPUs completed
       7. All SPU ready          1 SPUs completed
       8. AppID ready            1 SPUs completed
       9. Tunnel Sess ready      1 SPUs completed
    CS RTO sync             1 of 1 SPUs completed
    CS Postreq              1 of 1 SPUs completed


SRX Services Gateway

Re: Source NAT rules not being installed

Monday

These difficulties have been resolved by changing the cabling.