vSRX

Forwarding not working fine on vSRX - JUNOS 17.3R1.10 built 2017-08-23

01-25-2020 06:29 AM

Hi,

Here is my topology (attached image: Topology.png).

In DMZ server I got simple HTTP server with web page.

When I try to reach it from any desktop by ping it works 100% fine, but when I try to do it by browser, after a few minutes I receive an error: ERR Connection Reset. The same problem exists if I try to connect to any other internet page.

I sniffed some traffic and it looks like everything works fine up to SW_CORE. On port ge-0/0/7 I see (screenshot er1.png), but at the same time on port ge-0/0/0 or ge-0/0/1 it looks like (screenshot er2.png).

Here is the config of the SW_CORE device (vSRX, 17.3R1.10):

## Last commit: 2020-01-25 11:22:45 UTC by root
version 17.3R1.10;
system {
    root-authentication {
        encrypted-password "$6$ShwxRjGD$1TG/oVHGE6Y80ej1j/AiXrJzFDT7Tz/DRJth7jo1aB/OwpzUAR7CygdySzSFbQxxJxrhmb39qwElgrM3qjeT3."; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
    flow {
        tcp-session {
            no-syn-check;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ VLAN_Dyrekcja VLAN_Magazyn VLAN_Pracownicy VLAN_Administracja ];
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ VLAN_Dyrekcja VLAN_Magazyn VLAN_Pracownicy VLAN_Administracja ];
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ VLAN_Dyrekcja VLAN_Magazyn VLAN_Pracownicy VLAN_Administracja ];
                }
            }
        }
    }
    fxp0 {
        unit 0;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
}
vlans {
    VLAN_Administracja {
        vlan-id 99;
    }
    VLAN_Dyrekcja {
        vlan-id 10;
    }
    VLAN_Magazyn {
        vlan-id 20;
    }
    VLAN_Pracownicy {
        vlan-id 21;
    }
}

Any ideas what is wrong with it, and how to solve the issue?


Re: Forwarding not working fine on vSRX - JUNOS 17.3R1.10 built 2017-08-23

01-27-2020 07:00 AM

Hi Wolan,


I don't see an Untrust to Trust or security policies to enable the flow of what you're trying to do.

You may also have to create a custom NAT rule for the webserver too.

KR

Adam

~~~~~~~~~~~~~~~~~~~~~~~
- Please Kudos if you found my response helpful
- Please accept my response as an 'Accepted Solution' if it solved your query

Re: Forwarding not working fine on vSRX - JUNOS 17.3R1.10 built 2017-08-23

01-27-2020 07:13 AM

Hi Adam,


You cannot see any policies because this config came from SW_CORE_vSRX (the security section is deleted). All I want from this device is to forward traffic from the DSTR devices to the FW and from the FW to the DSTRs.


All policies are configured on FW_vSRX and it works fine imo. In the Wireshark screenshots you can see that traffic is forwarded to the DMZ, but when the HTTP answer comes back to SW_CORE it is "cut off" (not sure how to say it).


Right now I have changed this "forwarding" vSRX to a vQFX, so I have worked around my problem, but I'm just interested in this behavior.

Re: Forwarding not working fine on vSRX - JUNOS 17.3R1.10 built 2017-08-23

01-27-2020 07:37 AM

Hi Wolan,

It's because from Trust to Untrust the default is Accept, but from Untrust to Trust the default is Deny. Hence why I requested to know what your NAT and security policies are doing :)

If you believe you are fine with these then please check out https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce-139-srx-serie...

(It's a little old but will help you understand things step by step.)

You can do this without the Switches or Virtual QFX or a switch in there.

To summarise, my general brain space with JunOS for the SRX or vSRX is... you need to tell it what to do, otherwise it's going to block it.

KR
Adam

~~~~~~~~~~~~~~~~~~~~~~~
- Please Kudos if you found my response helpful
- Please accept my response as an 'Accepted Solution' if it solved your query
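The zone, policy and destination-NAT configuration Adam is describing, as an added illustration rather than configuration from this thread or from either vSRX in it; the zone names, the routed (family inet, not ethernet-switching) interfaces ge-0/0/0.0 and ge-0/0/1.0, the public address 203.0.113.10 and the DMZ server address 10.0.3.10 are all assumptions. Only HTTP to the one server is permitted from untrust; everything else keeps the default deny.

```junos
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone dmz {
            address-book {
                address WEB_SERVER 10.0.3.10/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    policies {
        /* untrust -> dmz is deny by default: permit only HTTP to the web server */
        from-zone untrust to-zone dmz {
            policy ALLOW_HTTP_TO_WEB {
                match {
                    source-address any;
                    destination-address WEB_SERVER;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
    nat {
        destination {
            pool WEB_POOL {
                address 10.0.3.10/32;
            }
            rule-set DNAT_WEB {
                from zone untrust;
                rule WEB80 {
                    match {
                        destination-address 203.0.113.10/32;
                    }
                    then {
                        destination-nat pool WEB_POOL;
                    }
                }
            }
        }
    }
}
```

Destination NAT is applied before the policy lookup, so the policy matches the post-NAT address WEB_SERVER; any port other than 80 is still dropped by the default deny.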

Re: Forwarding not working fine on vSRX - JUNOS 17.3R1.10 built 2017-08-23

01-27-2020 12:39 PM

Hi Wolan,


Out of curiosity, what is the MTU value on these desktop machines you're attempting to open the webpage from?


Can you perhaps try reducing the value to, say, 1400 for the time being and test again?

For Windows desktops, refer to https://support.zen.co.uk/kb/Knowledgebase/Changing-the-MTU-size-in-Windows-Vista-7-or-8


Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!