vSRX

vSRX is not functioning as default gateway

06-25-2019 02:14 AM

Got the latest vSRX 19.1 trial running on Esxi.

It's a real basic setup - trust zone with Ubuntu VM, untrust towards internet gateway.

vSRX can reach the internet no problem, but Linux client in the trust zone can only reach the DG interface IP on vSRX, not further.

I got the policies configured, NAT, Zone permissions...

I have a feeling it's something basic, but haven't touched SRX in a while so - did they change behaviour after introducing the L7 app stanza in sec policies?

Config below

show configuration
## Last commit: 2019-06-24 10:20:12 UTC by root
version 20190319.203446_builder.r1013243;
system {
    root-authentication {
        encrypted-password "$6$wtwr2/1x$OlvHWP89e5/3wrAIcsEuy1EJk9eYb6g7XPVRQwiqWv6PReZq3gL/4.4JHA6HpExlhaWX6V9i2rVFY91H.0cRh/"; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;
        }
        web-management {
            http {
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    host-name Bishop;
    backup-router 10.193.60.1;
    name-server {
        8.8.8.8;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
services {
    application-identification {
        download {
            automatic {
                start-time 06-14.12:00;
                interval 6;
            }
        }
    }
}
security {
    log {
        mode event;
        report;
    }
    idp {
        security-package {
            automatic {
                start-time "2019-6-17.13:50:09 +0000";
                interval 1;
                enable;
            }
        }
    }
    application-tracking;
    utm {
        default-configuration {
            anti-spam {
                type sbl;
            }
        }
        utm-policy UTM_basic {
            anti-virus {
                http-profile junos-sophos-av-defaults;
                ftp {
                    upload-profile junos-sophos-av-defaults;
                    download-profile junos-sophos-av-defaults;
                }
                smtp-profile junos-sophos-av-defaults;
                pop3-profile junos-sophos-av-defaults;
                imap-profile junos-sophos-av-defaults;
            }
            web-filtering {
                http-profile junos-wf-enhanced-log-only;
            }
            anti-spam {
                smtp-profile junos-as-defaults;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set NAT {
                from zone trust;
                to zone untrust;
                rule NAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy LAN-to-WAN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy UTM_basic;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy Deny_log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
            application-tracking;
            source-identity-log;
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description WAN;
            family inet {
                address 10.193.60.40/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description LAN;
            family inet {
                address 192.168.35.40/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.193.60.45/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.193.60.1;
    }
}


Re: vSRX is not functioning as default gateway

06-25-2019 02:32 AM

Quick test:

Try deactivating the 'dynamic application' match condition in your policy and test.

Regards,
Gokul

Re: vSRX is not functioning as default gateway

06-25-2019 05:37 AM

no joy.

I have no idea what's going on with this thing...


Re: vSRX is not functioning as default gateway

06-25-2019 05:46 AM

Lochlain,

So to rephrase, you're trying to traverse trust to untrust and it is failing.

Something like this:


Ubuntu VM --- LAN/trust --- vSRX --- WAN/untrust --- Destination

You're testing connectivity from the Ubuntu VM to this 'Destination', is that right?

I was about to suggest that you remove the 'dynamic-application' criteria on the trust-to-untrust security policy, but it appears Gokul suggested that and it didn't help.

How about enabling a flow traceoption and sharing the results here?

Cheers

Pooja

Re: vSRX is not functioning as default gateway

06-25-2019 05:48 AM

Lochlain,

Refer to this for traceoptions: https://kb.juniper.net/KB16108

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!


Re: vSRX is not functioning as default gateway

06-25-2019 05:49 AM

Are you able to ping ge-0/0/0 IP from Ubuntu?

Regards,
Gokul

Re: vSRX is not functioning as default gateway

06-25-2019 05:49 AM

I do see management and WAN interface IPs are in the same subnet. Could you try by changing the fxp0 IP to a different subnet? (or deactivate it for testing)

interfaces {
    ge-0/0/0 {
        unit 0 {
            description WAN;
            family inet {
                address 10.193.60.40/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description LAN;
            family inet {
                address 192.168.35.40/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.193.60.45/24;
            }
        }
    }
}

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Solution accepted by topic author Lochlain, 06-25-2019 01:27 PM

Re: vSRX is not functioning as default gateway

06-25-2019 05:51 AM

Lochlain,

Also, I wonder if your traffic is using the route via fxp0 instead of ge-0/0/0.

It appears fxp0 is sharing a subnet with ge-0/0/0, and if transit traffic indeed is using fxp0, those packets would be blackholed.

fxp0 is only meant for out-of-band management.

You can confirm with 'show route 0/0'.

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
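The subnet clash Pooja describes can be caught before commit. The Python script below is an added example, not code from this thread or from Juniper: it walks the brace hierarchy of the interfaces and routing-options stanzas, lists every management port that shares a subnet with a revenue port, and reports which interfaces could resolve each static next-hop (the default route's 10.193.60.1 is reachable through both fxp0.0 and ge-0/0/0.0 in the posted config). The embedded sample config is constructed from the addresses posted in this thread; treating em0 as a management port alongside fxp0 is my assumption.

```python
import re
import ipaddress

# Constructed sample: the interface and static-route stanzas from the config posted above.
SAMPLE_CONFIG = """
interfaces {
    ge-0/0/0 {
        unit 0 {
            description WAN;
            family inet {
                address 10.193.60.40/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description LAN;
            family inet {
                address 192.168.35.40/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.193.60.45/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.193.60.1;
    }
}
"""

# Out-of-band management ports. fxp0 is from the thread; em0 is an assumption for other platforms.
MGMT_INTERFACES = ("fxp0", "em0")


def parse_inet_addresses(config):
    """Walk the curly-brace hierarchy and return {ifl: [IPv4Interface, ...]} for family inet."""
    stack, result = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())        # e.g. "interfaces", "ge-0/0/0", "unit 0"
        elif line == "}":
            stack.pop()
        else:
            m = re.match(r"address\s+(\S+);", line)
            if m and len(stack) == 4 and stack[0] == "interfaces" and stack[3] == "family inet":
                ifl = f"{stack[1]}.{stack[2].split()[1]}"   # ge-0/0/0 + unit 0 -> ge-0/0/0.0
                result.setdefault(ifl, []).append(ipaddress.ip_interface(m.group(1)))
    return result


def parse_static_routes(config):
    """Return [(prefix, next_hop), ...] for every 'route X next-hop Y;' statement."""
    return re.findall(r"route\s+(\S+)\s+next-hop\s+(\S+);", config)


def find_mgmt_subnet_overlaps(addresses):
    """(mgmt_ifl, revenue_ifl, network) for each management port sharing a subnet with a transit port."""
    findings = []
    for mifl, maddrs in addresses.items():
        if not mifl.startswith(MGMT_INTERFACES):
            continue
        for rifl, raddrs in addresses.items():
            if rifl.startswith(MGMT_INTERFACES):
                continue
            for ma in maddrs:
                for ra in raddrs:
                    if ma.network.overlaps(ra.network):
                        findings.append((mifl, rifl, str(ma.network)))
    return findings


def next_hop_candidates(addresses, next_hop):
    """Interfaces whose connected subnet contains the next-hop, i.e. those that could resolve the route."""
    nh = ipaddress.ip_address(next_hop)
    return sorted(ifl for ifl, addrs in addresses.items() if any(nh in a.network for a in addrs))


def audit(config):
    """Flag management/revenue subnet overlap and static routes whose next-hop could resolve via fxp0."""
    addresses = parse_inet_addresses(config)
    routes = {}
    for prefix, nh in parse_static_routes(config):
        via = next_hop_candidates(addresses, nh)
        routes[prefix] = {"next_hop": nh, "via": via,
                          "via_mgmt": any(v.startswith(MGMT_INTERFACES) for v in via)}
    return {"overlaps": find_mgmt_subnet_overlaps(addresses), "routes": routes}


if __name__ == "__main__":
    print("as posted:", audit(SAMPLE_CONFIG))
    print("fxp0 moved:", audit(SAMPLE_CONFIG.replace("10.193.60.45/24", "10.193.61.45/24")))
```

With the config as posted, `audit` reports fxp0.0 overlapping ge-0/0/0.0 on 10.193.60.0/24 and the default route resolvable via both; moving fxp0 to another subnet clears both findings, which is exactly the fix that worked in this thread.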


Re: vSRX is not functioning as default gateway

06-25-2019 08:00 AM

that did it...

Wow. Was it always like this?


Re: vSRX is not functioning as default gateway

06-25-2019 08:23 AM

Hi Lochlain,

Yes, it always was.

This should explain it in more detail: https://kb.juniper.net/KB30863

You cannot have fxp0 and reth interfaces in the same subnet.

You could assign all reth interfaces to a routing instance and leave fxp0 in the default instance, maintaining separation between the two.

Hope that helps.

Cheers

Pooja


Re: vSRX is not functioning as default gateway

06-25-2019 08:24 AM

If you need fxp0 to be in the same subnet as one of your revenue ports, you can place fxp0 into a special routing instance called mgmt_junos.


user@SRX340> show configuration system
management-instance;
backup-router 1.2.3.4 destination [ 0.0.0.0/1 128.0.0.0/1 ];

user@SRX340> show configuration routing-instances 
mgmt_junos {
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.2.3.4;
        }
    }
}


Re: vSRX is not functioning as default gateway

06-25-2019 01:53 PM

Thank you, Lochlain

Cheers

Pooja