vSRX

Why can't I ping between R1 and R2?

09-12-2018 07:49 PM

I am practicing the vSRX configuration...

Um... I don't know why I can't ping between R1 and R2.

Is it a license problem?

Help me...

 

# Network Diagram

 

R1 ---- vSRX ---- R2

 

Connected R1's eth0/0 to vSRX ge-0/0/1

Connected R2's eth0/0 to vSRX ge-0/0/2

 

# R1 config

interface eth0/0

 ip address 192.168.10.2 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 192.168.10.1

 

# R2 config

interface eth0/0

 ip address 192.168.20.2 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 192.168.20.1

 

# vSRX config

 

version 18.2R1.9;
system {
    root-authentication {
        encrypted-password "xxxxx";
    }
    services {
        ssh {
            root-login allow;
            protocol-version v2;
        }
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    policies {
        from-zone Trust to-zone Untrust {
            policy T_TO_U {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Untrust to-zone Trust {
            policy U_TO_T {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone Untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members VLAN_10;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members VLAN_20;
                }
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 172.16.100.130/24;
            }
        }
    }
    irb {
        unit 10 {
            family inet {
                address 192.168.10.1/24;
            }
        }
        unit 20 {
            family inet {
                address 192.168.20.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.100.2;
    }
}
vlans {
    VLAN_10 {
        vlan-id 10;
        l3-interface irb.10;
    }
    VLAN_20 {
        vlan-id 20;
        l3-interface irb.20;
    }
}

# vSRX license status

root> show system license
License usage:
                                  Licenses   Licenses   Licenses   Expiry
  Feature name                        used  installed     needed
  logical-system                         1          0          1   permanent
  Virtual Appliance                      1          1          0   46 days
  Sky ATP                                1          0          1   invalid
  remote-access-ipsec-vpn-client         0          2          0   permanent

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

 

# vSRX route

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:26:20
                    > to 172.16.100.2 via fxp0.0
172.16.100.0/24    *[Direct/0] 00:26:20
                    > via fxp0.0
172.16.100.130/32  *[Local/0] 00:26:20
                      Local via fxp0.0
192.168.10.0/24    *[Direct/0] 00:25:42
                    > via irb.10
192.168.10.1/32    *[Local/0] 00:25:42
                      Local via irb.10
192.168.20.0/24    *[Direct/0] 00:19:08
                    > via irb.20
192.168.20.1/32    *[Local/0] 00:19:08
                      Local via irb.20

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:26:21
                      MultiRecv

root>

 

Solution accepted by topic author JAEHOON, 09-13-2018 03:25 AM

Re: Why can't I ping between R1 and R2?

09-12-2018 09:49 PM

Hi Jaehoon,

Can you please try to change the interface mode of ge-0/0/1 and ge-0/0/2 to trunk instead of access mode?

The rest of the configuration looks fine. If the above change does not work for you, then can you please collect the traceoptions and upload them here, following the steps below:

  1. Log into the SRX device and enter configuration mode.
  2. Specify the file that debugs for 'security flow' will be stored in:
       # set security flow traceoptions file flow-trace
     This sets the file for security flow debugging to the name flow-trace.
  3. Set the traceoptions flag:
       # set security flow traceoptions flag basic-datapath
     This sets the traceoptions to perform the basic...
  4. Use filters to reduce the volume of data:
       # set security flow traceoptions packet-filter f0 destination-prefix <X.X.X.X>
       # set security flow traceoptions packet-filter f0 source-prefix <Y.Y.Y.Y>
  5. Issue the commit to apply the configuration and exit configuration mode. Logging starts after the commit.
       # commit and-quit

You can read the file with the command: show log flow-trace

Regards,

Rishi

JTAC

     

Re: Why can't I ping between R1 and R2?

09-13-2018 03:36 AM

Thank you!!

I solved this problem...

After configuring the security flow log above, I found the following message.

So... I changed the firewall mode from "mix-mode" to "packet-based".

And communication between R1 and R2 succeeded.

# added config in vSRX

security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}

root@vSRX01> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Tap mode: disabled (default)
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: Hash-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
  Flow power mode IPsec: Disabled

root@vSRX01>

Sep 13 07:46:33 07:46:33.358077:CID-0:THREAD_ID-01:RT:<192.168.20.2/0->192.168.10.2/16;1,0x0> matched filter f0:
Sep 13 07:46:33 07:46:33.358085:CID-0:THREAD_ID-01:RT:Packet [100] ipid = 68, @0x244200ce
Sep 13 07:46:33 07:46:33.358087:CID-0:THREAD_ID-01:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x68e81000, rtbl_idx = 0
Sep 13 07:46:33 07:46:33.358103:CID-0:THREAD_ID-01:RT: flow process pak fast ifl 71 in_ifp irb.20
Sep 13 07:46:33 07:46:33.358105:CID-0:THREAD_ID-01:RT:   goto L3 flow, natp 0x0
Sep 13 07:46:33 07:46:33.358108:CID-0:THREAD_ID-01:RT:  ge-0/0/2.0:192.168.20.2->192.168.10.2, icmp, (8/0)
Sep 13 07:46:33 07:46:33.358111:CID-0:THREAD_ID-01:RT: find flow: table 0x20801f90, hash 28673(0xffff), sa 192.168.20.2, da 192.168.10.2, sp 0, dp 16, proto 1, tok 12297, conn-tag 0x00000000
Sep 13 07:46:33 07:46:33.358116:CID-0:THREAD_ID-01:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Sep 13 07:46:33 07:46:33.358121:CID-0:THREAD_ID-01:RT:  flow_first_create_session
Sep 13 07:46:33 07:46:33.358126:CID-0:THREAD_ID-01:RT:Save init hash spu id 0 to nsp and nsp2!
Sep 13 07:46:33 07:46:33.358198:CID-0:THREAD_ID-01:RT:First path alloc and instl pending session, natp=0x298be680, id=74
Sep 13 07:46:33 07:46:33.358201:CID-0:THREAD_ID-01:RT:  flow_first_in_dst_nat: in <ge-0/0/2.0>, out <N/A> dst_adr 192.168.10.2, sp 0, dp 16
Sep 13 07:46:33 07:46:33.358204:CID-0:THREAD_ID-01:RT:  chose interface ge-0/0/2.0 as incoming nat if.
Sep 13 07:46:33 07:46:33.358207:CID-0:THREAD_ID-01:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.10.2(16)
Sep 13 07:46:33 07:46:33.358210:CID-0:THREAD_ID-01:RT:  l2flow_first_routing: Before route-lookup ifp: in <ge-0/0/2.0>, out <N/A>
Sep 13 07:46:33 07:46:33.358211:CID-0:THREAD_ID-01:RT:l2flow_first_routing: call flow_route_lookup(): src_ip 192.168.20.2, x_dst_ip 192.168.10.2, ifp ge-0/0/2.0, sp 0, dp 16, ip_proto 1, tos 0
Sep 13 07:46:33 07:46:33.358212:CID-0:THREAD_ID-01:RT:Doing DESTINATION addr route-lookup
Sep 13 07:46:33 07:46:33.358222:CID-0:THREAD_ID-01:RT:flow_ipv4_rt_lkup success 192.168.10.2, iifl 0x49, oifl 0x46
Sep 13 07:46:33 07:46:33.358224:CID-0:THREAD_ID-01:RT:L2 TRP drop the mix-mode through traffic for irb.10, dst:192.168.10.2, in vr_id: 0
Sep 13 07:46:33 07:46:33.358227:CID-0:THREAD_ID-01:RT:flow_initiate_first_path: first pak no session
Sep 13 07:46:33 07:46:33.358227:CID-0:THREAD_ID-01:RT:  flow find session returns error.
Sep 13 07:46:33 07:46:33.358228:CID-0:THREAD_ID-01:RT:flow_proc_rc: -1.
Sep 13 07:46:33 07:46:33.358229:CID-0:THREAD_ID-01:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
Sep 13 07:46:34 07:46:34.628222:CID-0:THREAD_ID-01:RT:jsf sess close notify
Sep 13 07:46:34 07:46:34.628224:CID-0:THREAD_ID-01:RT:flow_ipv4_del_flow: sess 74, in hash 32
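The traceoptions procedure in Rishi's reply and the trace Jaehoon posted above are the two halves of the same diagnostic: filter the flow trace to one 5-tuple, then find the line that explains the drop. A long flow-trace is tedious to read by hand, so the following is an added example (written for this page, not code from the thread or from Juniper) of a small parser that groups the lines per matched packet and reports the 5-tuple, ingress interface, route-lookup result, any drop/deny reason line and the first-path return code. The names SAMPLE_TRACE, PacketTrace, parse_flow_trace and report are this example's own; the regular expressions are tuned to the message formats visible in the trace above, and the assumption that other drop causes also contain the words "drop" or "denied" is a loose heuristic for other Junos releases, not a documented format. The sample input is a subset of the lines posted in the thread, embedded so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: a subset of the flow-trace lines posted in this thread,
# embedded here so the parser runs offline without a device.
SAMPLE_TRACE = """\
Sep 13 07:46:33 07:46:33.358077:CID-0:THREAD_ID-01:RT:<192.168.20.2/0->192.168.10.2/16;1,0x0> matched filter f0:
Sep 13 07:46:33 07:46:33.358103:CID-0:THREAD_ID-01:RT: flow process pak fast ifl 71 in_ifp irb.20
Sep 13 07:46:33 07:46:33.358108:CID-0:THREAD_ID-01:RT:  ge-0/0/2.0:192.168.20.2->192.168.10.2, icmp, (8/0)
Sep 13 07:46:33 07:46:33.358116:CID-0:THREAD_ID-01:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Sep 13 07:46:33 07:46:33.358222:CID-0:THREAD_ID-01:RT:flow_ipv4_rt_lkup success 192.168.10.2, iifl 0x49, oifl 0x46
Sep 13 07:46:33 07:46:33.358224:CID-0:THREAD_ID-01:RT:L2 TRP drop the mix-mode through traffic for irb.10, dst:192.168.10.2, in vr_id: 0
Sep 13 07:46:33 07:46:33.358229:CID-0:THREAD_ID-01:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
Sep 13 07:46:34 07:46:34.628224:CID-0:THREAD_ID-01:RT:flow_ipv4_del_flow: sess 74, in hash 32
"""

# A packet's trace starts at the "matched filter" line, which carries the
# 5-tuple as <src/sport->dst/dport;proto,...>.
HEADER_RE = re.compile(r"RT:<([\d.]+)/(\d+)->([\d.]+)/(\d+);(\d+),")
IN_IFP_RE = re.compile(r"\bin_ifp (\S+)")
ICMP_RE = re.compile(r"\bicmp, \((\d+)/(\d+)\)")
FIRST_PATH_RE = re.compile(r"no session found, start first path")
RT_LKUP_RE = re.compile(r"flow_ipv4_rt_lkup success \S+, iifl (0x[0-9a-fA-F]+), oifl (0x[0-9a-fA-F]+)")
# Assumption: drop causes mention "drop" or "deny/denied"; recorded verbatim.
DROP_RE = re.compile(r"RT:\s*(.*\b(?:drop\w*|den(?:y|ied))\b.*)$", re.IGNORECASE)
RC_RE = re.compile(r"flow_process_pkt rc (0x[0-9a-fA-F]+) \(fp rc (-?\d+)\)")


@dataclass
class PacketTrace:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    in_ifp: Optional[str] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    first_path: bool = False        # no existing session: route/policy evaluated
    in_ifl: Optional[str] = None
    out_ifl: Optional[str] = None
    drop_reasons: List[str] = field(default_factory=list)
    fp_rc: Optional[int] = None     # first-path return code; negative = failed

    def verdict(self) -> str:
        if self.drop_reasons:
            return "dropped: " + "; ".join(self.drop_reasons)
        if self.fp_rc is not None and self.fp_rc < 0:
            return f"dropped: first path failed (fp rc {self.fp_rc}), no reason line captured"
        return "forwarded"


def parse_flow_trace(text: str) -> List[PacketTrace]:
    """Group flow-trace lines per matched packet and extract the fields that matter."""
    packets: List[PacketTrace] = []
    cur: Optional[PacketTrace] = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            cur = PacketTrace(src, int(sport), dst, int(dport), int(proto))
            packets.append(cur)
            continue
        if cur is None:             # lines before the first matched packet
            continue
        m = IN_IFP_RE.search(line)
        if m:
            cur.in_ifp = m.group(1)
            continue
        m = ICMP_RE.search(line)
        if m:
            cur.icmp_type, cur.icmp_code = int(m.group(1)), int(m.group(2))
            continue
        if FIRST_PATH_RE.search(line):
            cur.first_path = True
            continue
        m = RT_LKUP_RE.search(line)
        if m:
            cur.in_ifl, cur.out_ifl = m.group(1), m.group(2)
            continue
        m = DROP_RE.search(line)
        if m:
            cur.drop_reasons.append(m.group(1).strip())
            continue
        m = RC_RE.search(line)
        if m:
            cur.fp_rc = int(m.group(2))
    return packets


def report(text: str) -> List[str]:
    """One summary line per traced packet, handy for grepping a long trace."""
    lines = []
    for p in parse_flow_trace(text):
        l4 = f"proto {p.proto}"
        if p.proto == 1 and p.icmp_type is not None:
            l4 = f"icmp {p.icmp_type}/{p.icmp_code}"
        lines.append(f"{p.src} -> {p.dst} ({l4}) in {p.in_ifp} oifl {p.out_ifl}: {p.verdict()}")
    return lines


if __name__ == "__main__":
    for summary in report(SAMPLE_TRACE):
        print(summary)
```

Run it against `show log flow-trace` output saved to a file (or piped in) and the one-line summary per packet points straight at the "L2 TRP drop the mix-mode through traffic" line that explains the failure here; a trace of a working ping would show the same 5-tuple with a non-negative first-path return code instead.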

Re: Why can't I ping between R1 and R2?

09-13-2018 05:17 AM

Great, but with packet-mode your SRX will now act as a router with no NG-firewall functionality.

Regards
Chris
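Chris's point is the one to act on: the accepted fix makes the ping work by taking the inet family out of flow mode, so the two zone policies from the original post no longer inspect anything. The trace shows what actually failed: through-traffic arriving on one IRB and leaving via another IRB is dropped in mixed L2/L3 mode. In the lab topology above each router hangs off its own vSRX port, so no Layer 2 switching is needed at all. The following is an added example, not configuration from the thread or from Juniper, of keeping the original zones and policies while giving ge-0/0/1 and ge-0/0/2 plain routed addresses (the IRB addresses moved onto the physical interfaces) and reverting the packet-based setting. It assumes the original post's addressing and that nothing else depends on the VLANs; the `#` lines are annotations, not CLI input. It also narrows host-inbound-traffic from `all` to `ping`, which is all this test needs.

```junos
# Revert the accepted-solution setting so inet returns to flow mode
delete security forwarding-options family mpls mode packet-based

# Replace the access-port + IRB design with routed interfaces
delete interfaces ge-0/0/1 unit 0 family ethernet-switching
delete interfaces ge-0/0/2 unit 0 family ethernet-switching
delete interfaces irb
delete vlans
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.20.1/24

# Zones already reference ge-0/0/1.0 and ge-0/0/2.0; only tighten what the
# vSRX itself accepts on those interfaces
delete security zones security-zone Trust host-inbound-traffic system-services all
delete security zones security-zone Untrust host-inbound-traffic system-services all
set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Untrust host-inbound-traffic system-services ping

commit and-quit

# Operational checks after the reboot that the forwarding-mode change requires
show security flow status
show interfaces terse ge-0/0/1 ge-0/0/2
ping 192.168.10.2 source 192.168.20.1 count 3
show security flow session destination-prefix 192.168.10.2
show security policies hit-count
```

Expect `show security flow status` to report `Inet forwarding mode: flow based`, and after a ping from R2 to R1 a session in `show security flow session` with the Trust-to-Untrust policy counter incrementing, which is the evidence that traffic is now being inspected rather than merely routed.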