SRX


  • 1.  Why can't R1 and R2 ping each other?

    Posted 09-12-2018 19:50

    I am practicing the vSRX configuration....

    I don't know why R1 and R2 cannot ping each other.

    Is it a license problem?

    Help me .. 

     

    # Network Diagram

     

    R1 ---- vSRX ---- R2

     

    Connected R1's eth0/0 to vSRX GE-0/0/1

    Connected R2's eth0/0 to vSRX GE-0/0/2

     

    # R1 config

    interface eth0/0

     ip address 192.168.10.2 255.255.255.0

    !

    ip route 0.0.0.0 0.0.0.0 192.168.10.1

     

    # R2 config

    interface eth0/0

     ip address 192.168.20.2 255.255.255.0

    !

    ip route 0.0.0.0 0.0.0.0 192.168.20.1

     

    # vSRX config

     

    version 18.2R1.9;

    system {

        root-authentication {

            encrypted-password “xxxxx”

        }

        services {

            ssh {

                root-login allow;

                protocol-version v2;

            }

            web-management {

                http {

                    interface fxp0.0;

                }

            }

        }

     

        license {

            autoupdate {

                url https://ae1.juniper.net/junos/key_retrieval;

            }

        }

    }

    security {

        policies {                          

            from-zone Trust to-zone Untrust {

                policy T_TO_U {

                    match {

                        source-address any;

                        destination-address any;

                        application any;

                    }

                    then {

                        permit;

                    }

                }

            }

            from-zone Untrust to-zone Trust {

                policy U_TO_T {

                    match {

                        source-address any;

                        destination-address any;

                        application any;

                    }

                    then {

                        permit;

                    }

                }

            }

        }

        zones {

            security-zone Trust {

                host-inbound-traffic {

                    system-services {

                        all;

                    }

                    protocols {

                        all;

                    }

                }

                interfaces {                

                    ge-0/0/2.0;

                }

            }

            security-zone Untrust {

                host-inbound-traffic {

                    system-services {

                        all;

                    }

                    protocols {

                        all;

                    }

                }

                interfaces {

                    ge-0/0/1.0;

                }

            }

        }

    }

    interfaces {

        ge-0/0/1 {

            unit 0 {

                family ethernet-switching {

                    interface-mode access;

                    vlan {

                        members VLAN_10;

                    }

                }

            }

        }

        ge-0/0/2 {

            unit 0 {

                family ethernet-switching {

                    interface-mode access;

                    vlan {

                        members VLAN_20;

                    }                       

                }

            }

        }

        fxp0 {

            unit 0 {

                family inet {

                    address 172.16.100.130/24;

                }

            }

        }

        irb {

            unit 10 {

                family inet {

                    address 192.168.10.1/24;

                }

            }

            unit 20 {

                family inet {

                    address 192.168.20.1/24;

                }

            }

        }

    }

    routing-options {

        static {

            route 0.0.0.0/0 next-hop 172.16.100.2;

        }

    }

    vlans {

        VLAN_10 {

            vlan-id 10;

            l3-interface irb.10;

        }

        VLAN_20 {

            vlan-id 20;

            l3-interface irb.20;            

        }

    }

    !

    # vSRX license status

    root> show system license
    License usage:
    Licenses Licenses Licenses Expiry
    Feature name used installed needed
    logical-system 1 0 1 permanent
    Virtual Appliance 1 1 0 46 days
    Sky ATP 1 0 1 invalid
    remote-access-ipsec-vpn-client 0 2 0 permanent

    Licenses installed:
    License identifier: E420588955
    License version: 4
    Software Serial Number: 20150625
    Customer ID: vSRX-JuniperEval
    Features:
    Virtual Appliance - Virtual Appliance
    count-down, Original validity: 60 days

     

    # vSRX route

    root> show route

    inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:26:20
    > to 172.16.100.2 via fxp0.0
    172.16.100.0/24 *[Direct/0] 00:26:20
    > via fxp0.0
    172.16.100.130/32 *[Local/0] 00:26:20
    Local via fxp0.0
    192.168.10.0/24 *[Direct/0] 00:25:42
    > via irb.10
    192.168.10.1/32 *[Local/0] 00:25:42
    Local via irb.10
    192.168.20.0/24 *[Direct/0] 00:19:08
    > via irb.20
    192.168.20.1/32 *[Local/0] 00:19:08
    Local via irb.20

    inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    ff02::2/128 *[INET6/0] 00:26:21
    MultiRecv

    root>

     



  • 2.  RE: Why can't R1 and R2 ping each other?
    Best Answer

     
    Posted 09-12-2018 21:50

    Hi Jaehoon,

     

    Can you please try changing the interface mode of ge-0/0/1 and ge-0/0/2 to trunk instead of access mode?

    The rest of the configuration looks fine. If the above change does not work for you, could you please collect the traceoptions and upload them here, following the steps below:

     

    • Log into the SRX device and enter the configuration mode.


  • Specify the file in which the debug output for 'security flow' will be stored:
  • # set security flow traceoptions file flow-trace
    This sets the file used for security flow debugging to the name flow-trace.



     



  • 3.  RE: Why can't R1 and R2 ping each other?

    Posted 09-13-2018 03:36

    Thank you !!

     

    I solved this problem ..

    After configuring the security log described above, I found the following message.

    So I changed the firewall mode from "mix-mode" to "packet-based".

    And communication between R1 and R2 succeeded.

     

    # config added to the vSRX

    security {
    forwarding-options {
    family {
    mpls {
    mode packet-based;
    }
    }
    }
    }

    root@vSRX01> show security flow status
    Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Tap mode: disabled (default)
    Flow trace status
    Flow tracing status: off
    Flow session distribution
    Distribution mode: Hash-based
    GTP-U distribution: Disabled
    Flow ipsec performance acceleration: off
    Flow packet ordering
    Ordering mode: Hardware
    Flow power mode IPsec: Disabled

    root@vSRX01>

    Sep 13 07:46:33 07:46:33.358077:CID-0:THREAD_ID-01:RT:<192.168.20.2/0->192.168.10.2/16;1,0x0> matched filter f0:

    Sep 13 07:46:33 07:46:33.358085:CID-0:THREAD_ID-01:RT:packet [100] ipid = 68, @0x244200ce

    Sep 13 07:46:33 07:46:33.358087:CID-0:THREAD_ID-01:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x68e81000, rtbl_idx = 0

    Sep 13 07:46:33 07:46:33.358103:CID-0:THREAD_ID-01:RT: flow process pak fast ifl 71 in_ifp irb.20

    Sep 13 07:46:33 07:46:33.358105:CID-0:THREAD_ID-01:RT:   goto L3 flow, natp 0x0

    Sep 13 07:46:33 07:46:33.358108:CID-0:THREAD_ID-01:RT:  ge-0/0/2.0:192.168.20.2->192.168.10.2, icmp, (8/0)

    Sep 13 07:46:33 07:46:33.358111:CID-0:THREAD_ID-01:RT: find flow: table 0x20801f90, hash 28673(0xffff), sa 192.168.20.2, da 192.168.10.2, sp 0, dp 16, proto 1, tok 12297, conn-tag 0x00000000

    Sep 13 07:46:33 07:46:33.358116:CID-0:THREAD_ID-01:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

    Sep 13 07:46:33 07:46:33.358121:CID-0:THREAD_ID-01:RT:  flow_first_create_session

    Sep 13 07:46:33 07:46:33.358126:CID-0:THREAD_ID-01:RT:Save init hash spu id 0 to nsp and nsp2!

    Sep 13 07:46:33 07:46:33.358198:CID-0:THREAD_ID-01:RT:First path alloc and instl pending session, natp=0x298be680, id=74

    Sep 13 07:46:33 07:46:33.358201:CID-0:THREAD_ID-01:RT:  flow_first_in_dst_nat: in <ge-0/0/2.0>, out <N/A> dst_adr 192.168.10.2, sp 0, dp 16

    Sep 13 07:46:33 07:46:33.358204:CID-0:THREAD_ID-01:RT:  chose interface ge-0/0/2.0 as incoming nat if.

    Sep 13 07:46:33 07:46:33.358207:CID-0:THREAD_ID-01:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.10.2(16)

    Sep 13 07:46:33 07:46:33.358210:CID-0:THREAD_ID-01:RT:  l2flow_first_routing: Before route-lookup ifp: in <ge-0/0/2.0>, out <N/A>

    Sep 13 07:46:33 07:46:33.358211:CID-0:THREAD_ID-01:RT:l2flow_first_routing: call flow_route_lookup(): src_ip 192.168.20.2, x_dst_ip 192.168.10.2, ifp ge-0/0/2.0, sp 0, dp 16, ip_proto 1, tos 0

    Sep 13 07:46:33 07:46:33.358212:CID-0:THREAD_ID-01:RT:Doing DESTINATION addr route-lookup

    Sep 13 07:46:33 07:46:33.358222:CID-0:THREAD_ID-01:RT:flow_ipv4_rt_lkup success 192.168.10.2, iifl 0x49, oifl 0x46

    Sep 13 07:46:33 07:46:33.358224:CID-0:THREAD_ID-01:RT:L2 TRP drop the mix-mode through traffic for irb.10, dst:192.168.10.2, in vr_id: 0

    Sep 13 07:46:33 07:46:33.358227:CID-0:THREAD_ID-01:RT:flow_initiate_first_path: first pak no session

    Sep 13 07:46:33 07:46:33.358227:CID-0:THREAD_ID-01:RT:  flow find session returns error.

    Sep 13 07:46:33 07:46:33.358228:CID-0:THREAD_ID-01:RT:flow_proc_rc: -1.

    Sep 13 07:46:33 07:46:33.358229:CID-0:THREAD_ID-01:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Sep 13 07:46:34 07:46:34.628222:CID-0:THREAD_ID-01:RT:jsf sess close notify

    Sep 13 07:46:34 07:46:34.628224:CID-0:THREAD_ID-01:RT:flow_ipv4_del_flow: sess 74, in hash 32



  • 4.  RE: Why can't R1 and R2 ping each other?

    Posted 09-13-2018 05:18

    Great, but in packet mode your SRX will now act as a plain router with no NG-firewall functionality: traffic is no longer session-inspected, so the zone-based security policies in your configuration are not enforced.