SRX Services Gateway

Tacacs+ Problem

[ Edited ]
12-05-2014 03:15 AM

Hey All,

I'm new to the Junos platform, and I am facing a problem.

I'm trying to set up authentication via TACACS+ on an SRX100. The configuration seems to be OK. The problem is that the interface used to manage it is in a virtual router.
The TACACS+ server is on the same network as that interface, but when I do a traceroute test to the server IP, the packet goes out another interface (default route).
On the old SSG5 the problem was resolved by stating which interface should be associated with TACACS. But on the SRX100, even after making this association, I did not get a result.

Has anyone seen this problem and managed to solve it?

Below is the part of config:
hnsa@FW_A06_MGT_002> show configuration
## Last commit: 2014-12-04 20:59:27 GMT-3 by hnsa
version 12.1X44-D30.4;
system {
host-name FW_A06_MGT_002;
domain-name htbnoc.com;
time-zone GMT-3;
authentication-order tacplus;
root-authentication {
encrypted-password "$1$b3EDb/Nh$SLM0Gdp05/un3ZLomzI3/1"; ## SECRET-DATA
}
name-server {
192.168.3.254;
}
name-resolution {
no-resolve-on-input;
}
tacplus-server {
192.168.3.254 {
port 49;
secret "$9$fzF/1IclvL36clvL7NjHkmQF/Ct"; ## SECRET-DATA
timeout 10;
single-connection;
source-address 192.168.2.2;
}
}
accounting {
events [ login change-log interactive-commands ];
destination {
tacplus;
}
}
login {
user hnsa {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$97mqiy46$g.iD0hKvEh0neEJMaWCuX0"; ## SECRET-DATA
}
}
user remote {
full-name TAC_USER;
uid 2001;
class super-user;
authentication {
encrypted-password "$1$97mqiy46$g.iD0hKvEh0neEJMaWCuX0"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
web-management {
http {
interface fe-0/0/7.0;
}
https {
system-generated-certificate;
interface fe-0/0/7.0;
}
session {
idle-timeout 60;
session-limit 3;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
server 192.168.3.254;
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
address 192.168.255.213/24;
}
}
}
fe-0/0/2 {
unit 0 {
family inet {
address 192.168.5.215/24;
}
}
}
fe-0/0/4 {
unit 0 {
family inet {
address 192.168.11.214/24;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 192.168.2.2/22;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 198.18.255.219;
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
destination {
pool 192_168_11_215_ {
address 192.168.11.215/32;
}
pool 192_168_5_215_ {
address 192.168.5.215/32;
}
}
}
policies {
from-zone MGT_HUB11 to-zone Internet {
policy MGT_HUB11 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone MGT_HUB05 to-zone Internet {
policy MGT_HUB05 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone MGT_HUB11 {
policy MGT_HUB11 {
description "Acesso MGT_HUB11";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone MGT_HUB05 {
policy MGT_HUB05 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone MGT_HUB11 {
interfaces {
fe-0/0/4.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
security-zone MGT_HUB05 {
interfaces {
fe-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
security-zone MGT_HS {
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
ping;
http;
https;
ssh;
telnet;
}
}
}
}
}
security-zone Internet {
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
}
}
routing-instances {
MGT_HG {
instance-type virtual-router;
interface fe-0/0/7.0;
routing-options {
static {
route 192.168.30.0/24 next-hop 198.18.1.255;
}
}
}
}

hnsa@FW_A06_MGT_002>

Tks,

Re: Tacacs+ Problem

12-05-2014 03:44 AM

Hi engenharia,

I do not see any route pointing to 192.168.3.0/24 on the SRX.

On the routing-instance, you have a route to 192.168.30.0/24 and not 3.0/24.

If it is wrong then modify it to 3.0/24.

Then you need to share the 192.168.3.0/24 between inet.0 and the virtual-router instance; there are many methods.

One method is:

set routing-options static route 192.168.3.254 next-table MGT_HUGHES.inet.0

Regards,
rparthi

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

 

Re: Tacacs+ Problem

12-05-2014 03:47 AM

Hi engenharia,

I do not see any route pointing to 192.168.3.0/24 on the SRX.

Also, as you are using the source IP address 192.168.2.2, you need a route in the inet.0 table for the 3.254 server:

set routing-options static route 192.168.3.254/32 next-hop next-hop-ip

Regards,
rparthi

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Re: Tacacs+ Problem

[ Edited ]
12-05-2014 04:42 AM

Hi rparthi,

Thanks for the answer. I added the route, but it does not work.

Question: the TACACS server is IP 192.168.3.254/22 (this network is connected to fe-0/0/7.0, the virtual-router instance).

But the packets try to leave on fe-0/0/0 (the internet interface).

So the TACACS server is directly connected on fe-0/0/7.0 and the packets are still going to the 192.168.255.0/24 interface (internet interface).

I think it is a routing problem, but I can't solve it.

See the traceroute:

hnsa@FW_A06_MGT_002> traceroute 192.168.3.254
traceroute to 192.168.3.254 (192.168.3.254), 30 hops max, 40 byte packets
traceroute: sendto: No route to host
1 traceroute: wrote 192.168.3.254 40 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote 192.168.3.254 40 chars, ret=-1
^C
hnsa@FW_A06_MGT_002>

This virtual-router instance is used just to separate management. All other interfaces are used for real traffic.

The config about the route:

routing-instances {
    MGT_HS {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            static {
                route 192.168.30.0/24 next-hop 192.168.1.255;
            }
        }
    }
}

And the default route is to the internet interface (fe-0/0/0.0):

routing-options {
    static {
        route 0.0.0.0/0 next-hop 198.18.255.219;
    }
}

Any idea?

Tks

 

Re: Tacacs+ Problem

12-05-2014 05:06 AM

Hi engenharia,

I do not think you have added a route for 192.168.3.0/24 or 192.168.3.254/32.

This route will not be active if the next-hop gateway is not reachable.

The system is not seeing the route.

Share the route configuration:

1. show route | no-more

2. show configuration routing-options

3. show configuration routing-instances

If the TACACS server is reachable via the fe-0/0/7 interface then your fe-0/0/7 routing instance should have a route to the TACACS server.

You need 2 route statements:

set routing-instances MGT_HUGHES routing-options static route 192.168.3.254/32 next-hop next-hop-ipaddress

Then commit the changes.

Then try reaching it using the commands:

1. traceroute 192.168.3.254 routing-instance MGT_HUGHES

2. traceroute 192.168.3.254 interface fe-0/0/7

Regards,
rparthi

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Re: Tacacs+ Problem

[ Edited ]
12-05-2014 05:26 AM

Hi rparthi,

See the output of the commands:

hnsa@FW_A06_MGT_002> show route | no-more

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:29:32
> to 192.168.255.219 via fe-0/0/0.0
192.168.5.215/32 *[Local/0] 1d 23:44:55
Reject
192.168.11.214/32 *[Local/0] 1d 23:44:55
Reject
192.168.255.0/24 *[Direct/0] 1d 23:44:48
> via fe-0/0/0.0
192.168.255.213/32 *[Local/0] 1d 23:44:55
Local via fe-0/0/0.0

MGT_HS.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.30.0/24 *[Static/5] 1d 23:44:48
> to 192.168.1.255 via fe-0/0/7.0
192.168.0.0/22 *[Direct/0] 1d 23:44:48
> via fe-0/0/7.0
192.168.2.2/32 *[Local/0] 1d 23:44:55
Local via fe-0/0/7.0
192.168.3.254/32 *[Static/5] 19:37:02
> to 198.18.1.255 via fe-0/0/7.0

_______________________________________

hnsa@FW_A06_MGT_002> show configuration routing-options
static {
    route 0.0.0.0/0 next-hop 192.168.255.219;
}

hnsa@FW_A06_MGT_002>

_________________________________________

hnsa@FW_A06_MGT_002> show configuration routing-instances
MGT_HS {
    instance-type virtual-router;
    interface fe-0/0/7.0;
    routing-options {
        static {
            route 192.168.30.0/24 next-hop 192.168.1.255;
            route 192.168.3.254/32 next-hop 192.168.1.255;
        }
    }
}

See the result of the traceroute to 192.168.3.254:

hnsa@FW_A06_MGT_002> traceroute 192.168.3.254
traceroute to 192.168.3.254 (192.168.3.254), 30 hops max, 40 byte packets
1 192.168.255.219 (192.168.255.219) 4.031 ms 3.566 ms 2.837 ms
2 192.168.3.254 (192.168.3.254) 3.112 ms 3.557 ms *

hnsa@FW_A06_MGT_002>

Tks,

Solution accepted by topic author engenharia, 08-26-2015 01:27 AM

Re: Tacacs+ Problem

12-05-2014 05:41 AM

Hi engenharia,

The route is added now.

Share this output:

traceroute 192.168.3.254 routing-instance MGT_HUGHES
traceroute 192.168.3.254 interface fe-0/0/7

If these 2 succeed then your TACACS server connection should work.

If you want traceroute 192.168.3.254 to work, then add the following line:

set routing-options static route 192.168.3.254 next-table MGT_HUGHES.inet.0

Note:

Ensure you have the return routes added on the connected device 192.168.1.255 for the SRX.

Your VR should also have a route to the inet.0 network.

Regards,
rparthi

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
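The accepted answer above relies on one mechanism: TACACS+ requests originated by the SRX itself (with the configured source-address) are looked up in inet.0, not in the virtual router that owns the management interface, so inet.0 needs a route that hands the lookup over to the VR's table. The set-style configuration below is an added example written for this thread, not configuration posted by either participant; it assumes the routing instance is named MGT_HS and that the server 192.168.3.254 sits on fe-0/0/7.0 inside 192.168.0.0/22, as shown in the poster's later "show route" output. Verification commands are given as comments.

```junos
## Added example, not the thread's own configuration. Assumes the virtual
## router is named MGT_HS and that the TACACS+ server 192.168.3.254 is
## directly connected on fe-0/0/7.0 (192.168.0.0/22), as in the poster's
## "show route" output.

## Self-originated TACACS+ traffic is sourced from 192.168.2.2 (an address
## that lives in MGT_HS) but its route lookup happens in inet.0. Without
## the next-table route below, inet.0 only knows the 0.0.0.0/0 default and
## sends the request out the Internet interface, which is what the first
## traceroute in the thread showed.
set system tacplus-server 192.168.3.254 source-address 192.168.2.2
set routing-options static route 192.168.3.254/32 next-table MGT_HS.inet.0

## Inside MGT_HS the server is already covered by the Direct route for
## 192.168.0.0/22 on fe-0/0/7.0, so no static route for it is needed there.
## Replies from the server arrive on fe-0/0/7.0 and are delivered locally.

## Verify after "commit":
##   run show route 192.168.3.254 table inet.0          (expect next-table MGT_HS.inet.0)
##   run traceroute 192.168.3.254 routing-instance MGT_HS
##   run traceroute 192.168.3.254                       (should now leave via fe-0/0/7.0)
```

Leaking only the single /32 for the TACACS+ server, rather than the whole 192.168.0.0/22 or the VR's default, keeps the management VR isolated: inet.0 learns exactly one path into the management network and nothing else, so transit traffic handled by the other zones still cannot reach hosts behind fe-0/0/7.0 through this route.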

Re: Tacacs+ Problem

12-05-2014 09:07 AM

Hi rparthi,

Thanks for the help. Now I can authenticate with TACACS+!

Regards,

engenharia