All SRX Services Gateway posts
    0 0

    The cluster is NOT in a healthy state. The fabric link is down and cold sync monitoring has failed. Please check fabric interface connectivity and the cable (replace/re-connect). If possible, please share the output of the following commands:

    show chassis alarm

    show interfaces terse

    show chassis cluster information detail

    show configuration | display set | match "fab|cluster"


    0 0

    (indeed fxp0 is disconnected, but it shouldn't be a problem?)

    root@SRX1> show chassis alarms 

    node0:

    --------------------------------------------------------------------------

    1 alarms currently active

    Alarm time               Class  Description

    2019-11-29 12:34:17 UTC  Major  Host 0 fxp0 : Ethernet Link Down

     

    node1:

    --------------------------------------------------------------------------

    1 alarms currently active

    Alarm time               Class  Description

    2019-11-29 15:05:03 UTC  Major  Host 0 fxp0 : Ethernet Link Down

     

     

    {primary:node0}

    root@SRX1> show interfaces terse 

    Interface               Admin Link Proto    Local                 Remote

    ge-0/0/0                up    down

    gr-0/0/0                up    up

    ip-0/0/0                up    up

    lt-0/0/0                up    up

    ge-0/0/1                up    up

    ge-0/0/2                up    up

    ge-0/0/2.0              up    up   aenet    --> fab0.0

    ge-0/0/3                up    up

    ge-0/0/3.10             up    up   aenet    --> reth1.10

    ge-0/0/3.666            up    up   aenet    --> reth1.666

    ge-0/0/3.32767          up    up   aenet    --> reth1.32767

    ge-0/0/4                up    down

    ge-0/0/5                up    down

    ge-0/0/6                up    down

    ge-0/0/7                up    down

    ge-0/0/8                up    up

    ge-0/0/8.0              up    up   inet     83.238.49.142/30

    ge-0/0/9                up    down

    ge-0/0/10               up    down

    ge-0/0/11               up    down

    ge-0/0/12               up    down

    ge-0/0/13               up    down

    ge-0/0/14               up    down      

    ge-0/0/15               up    down      

    ge-5/0/0                up    down

    ge-5/0/1                up    up

    ge-5/0/2                up    up

    ge-5/0/2.0              up    up   aenet    --> fab1.0

    ge-5/0/3                up    up

    ge-5/0/3.10             up    up   aenet    --> reth1.10

    ge-5/0/3.666            up    up   aenet    --> reth1.666

    ge-5/0/3.32767          up    up   aenet    --> reth1.32767

    ge-5/0/4                up    down

    ge-5/0/5                up    down

    ge-5/0/6                up    down

    ge-5/0/7                up    down

    ge-5/0/8                up    up

    ge-5/0/8.0              up    up   inet     91.189.249.182/30

    ge-5/0/8.32767          up    up  

    ge-5/0/9                up    down

    ge-5/0/10               up    down

    ge-5/0/11               up    down

    ge-5/0/12               up    down

    ge-5/0/13               up    down

    ge-5/0/14               up    down

    ge-5/0/15               up    down

    esi                     up    up        

    fab0                    up    up        

    fab0.0                  up    up   inet     30.17.0.200/24  

    fab1                    up    up        

    fab1.0                  up    up   inet     30.18.0.200/24  

    fti0                    up    up        

    fxp0                    up    down      

    fxp0.0                  up    down inet     10.10.10.1/24   

    fxp1                    up    up        

    fxp1.0                  up    up   inet     129.16.0.1/2    

                                       tnp      0x1100001       

    fxp2                    up    up

    fxp2.0                  up    up   tnp      0x1100001       

    gre                     up    up

    ipip                    up    up

    irb                     up    up

    jsrv                    up    up

    jsrv.1                  up    up   inet     128.0.0.127/2   

    lo0                     up    up

    lo0.0                   up    up   inet     188.114.65.10       --> 0/0

    lo0.16384               up    up   inet     127.0.0.1           --> 0/0

    lo0.16385               up    up   inet     10.0.0.1            --> 0/0

                                                10.0.0.16           --> 0/0

                                                128.0.0.1           --> 0/0

                                                128.0.0.4           --> 0/0

                                                128.0.1.16          --> 0/0

    lo0.32768               up    up  

    lsi                     up    up

    mtun                    up    up

    pimd                    up    up

    pime                    up    up

    pp0                     up    up

    ppd0                    up    up        

    ppe0                    up    up

    rbeb                    up    up

    reth0                   up    down

    reth1                   up    up

    reth1.10                up    up   inet     192.168.20.1/24 

    reth1.666               up    up   inet     172.16.1.1/24   

    reth1.32767             up    up  

    st0                     up    up

    swfab0                  up    down

    swfab1                  up    down

    tap                     up    up

    vlan                    up    down

    vtep                    up    up

     

    root@SRX1> show chassis cluster information detail 

    node0:

    --------------------------------------------------------------------------

    Redundancy mode:

        Configured mode: active-active

        Operational mode: active-backup

    Cluster configuration:

        Heartbeat interval: 1000 ms

        Heartbeat threshold: 3

        Control link recovery: Enabled

        Fabric link down timeout: 66 sec

    Node health information:

        Local node health: Not healthy

        Remote node health: Not healthy

     

    Redundancy group: 0, Threshold: 255, Monitoring failures: none

        Events:

            Nov 29 12:32:48.454 : hold->secondary, reason: Hold timer expired

            Nov 29 12:33:04.458 : secondary->primary, reason: Only node present

     

    Redundancy group: 1, Threshold: 0, Monitoring failures: cold-sync-monitoring

        Events:

            Nov 29 12:32:48.984 : hold->secondary, reason: Hold timer expired

            Nov 29 12:33:04.542 : secondary->primary, reason: Only node present

     

    Control link statistics:                

        Control link 0:                     

            Heartbeat packets sent: 253854  

            Heartbeat packets received: 246436

            Heartbeat packet errors: 0

            Duplicate heartbeat packets received: 0

        Control recovery packet count: 0

        Sequence number of last heartbeat packet sent: 253854

        Sequence number of last heartbeat packet received: 245013

    Fabric link statistics:

        Child link 0

            Probes sent: 493496

            Probes received: 0

        Child link 1

            Probes sent: 0

            Probes received: 0

    Switch fabric link statistics:

        Probe state : DOWN

        Probes sent: 0

        Probes received: 0

        Probe recv errors: 0

        Probe send errors: 0

        Probe recv dropped: 0

        Sequence number of last probe sent: 0

        Sequence number of last probe received: 0

                                            

    Chassis cluster LED information:        

        Current LED color: Amber            

        Last LED change reason: Monitored objects are down

    Control port tagging:              

       Disabled                            

     

    Cold Synchronization:

        Status:

            Cold synchronization completed for: N/A

            Cold synchronization failed for: N/A

            Cold synchronization not known for: N/A

            Current Monitoring Weight: 255

     

        Progress:

            CS Prereq               0 of 1 SPUs completed

               1. if_state sync          1 SPUs completed

               2. fabric link            0 SPUs completed

               3. policy data sync       1 SPUs completed

               4. cp ready               0 SPUs completed

               5. VPN data sync          0 SPUs completed

               6. IPID data sync         0 SPUs completed

               7. All SPU ready          0 SPUs completed

               8. AppID ready            0 SPUs completed

               9. Tunnel Sess ready      0 SPUs completed

            CS RTO sync             0 of 1 SPUs completed

            CS Postreq              0 of 1 SPUs completed

     

        Statistics:                         

            Number of cold synchronization completed: 0

            Number of cold synchronization failed: 0

     

        Events:

            Nov 29 12:41:24.297 : Cold sync for PFE  is Not complete

     

    Loopback Information:

     

        PIC Name        Loopback        Nexthop     Mbuf

        -------------------------------------------------

                        Success         Failure     Success    

     

    Interface monitoring:

        Statistics:

            Monitored interface failure count: 0

     

    Fabric monitoring:

        Status:

            Fabric Monitoring: Enabled

            Activation status: Active

            Fabric Status reported by data plane: Down

            JSRPD internal fabric status: Down

                                            

    Fabric link events:                     

            Dec  2 10:51:06.618 : Fabric link fab1 is up

            Dec  2 10:51:06.619 : Child ge-5/0/2 of fab1 is up

            Dec  2 10:51:06.834 : Fabric link fab0 is up

            Dec  2 10:51:06.835 : Child ge-0/0/2 of fab0 is up

            Dec  2 11:03:37.825 : Fabric link fab0 is up

            Dec  2 11:03:37.826 : Child ge-0/0/2 of fab0 is up

            Dec  2 11:03:37.844 : Fabric link fab1 is up

            Dec  2 11:03:37.845 : Child ge-5/0/2 of fab1 is up

            Dec  2 11:03:37.998 : Child ge-0/0/2 of fab0 is up

            Dec  2 11:03:38.093 : Child ge-5/0/2 of fab1 is up

     

    Control link status: Up

        Server information:

            Server status : Connected

            Server connected to 130.16.0.1/50968

        Client information:

            Client status : Inactive

            Client connected to None

    Control port tagging:

        Disabled

     

    Control link events:

            Nov 29 13:23:44.039 : Control link fxp1 is up

            Nov 29 15:01:24.414 : Control link fxp1 is up

            Dec  2 09:47:07.917 : Control link fxp1 is up

            Dec  2 09:51:51.808 : Control link fxp1 is up

            Dec  2 09:54:31.076 : Control link fxp1 is up

            Dec  2 09:57:32.731 : Control link fxp1 is up

            Dec  2 09:59:47.020 : Control link fxp1 is up

            Dec  2 10:02:35.437 : Control link fxp1 is up

            Dec  2 10:14:35.646 : Control link fxp1 is up

            Dec  2 11:03:37.863 : Control link fxp1 is up

     

    Hardware monitoring:

        Status:

            Activation status: Enabled

            Redundancy group 0 failover for hardware faults: Enabled

            Hardware redundancy group 0 errors: 0

            Hardware redundancy group 1 errors: 0

     

    Schedule monitoring:

        Status:

            Activation status: Disabled

            Schedule slip detected: None

            Timer ignored: No

     

        Statistics:

            Total slip detected count: 1

            Longest slip duration: 3(s)

     

        Events:

            Nov 29 12:31:11.634 : Detected schedule slip

            Nov 29 12:32:11.812 : Cleared schedule slip

                                            

    Configuration Synchronization:

        Status:                             

            Activation status: Enabled      

            Last sync operation: Auto-Sync  

            Last sync result: Not needed    

            Last sync mgd messages:         

                                            

        Events:                             

            Nov 29 13:00:35.952 : Auto-Sync: Not needed.

                                            

    Cold Synchronization Progress:          

        CS Prereq               0 of 1 SPUs completed

           1. if_state sync          1 SPUs completed

           2. fabric link            0 SPUs completed

           3. policy data sync       1 SPUs completed

           4. cp ready               0 SPUs completed

           5. VPN data sync          0 SPUs completed

           6. IPID data sync         0 SPUs completed

           7. All SPU ready          0 SPUs completed

           8. AppID ready            0 SPUs completed

           9. Tunnel Sess ready      0 SPUs completed

        CS RTO sync             0 of 1 SPUs completed

        CS Postreq              0 of 1 SPUs completed

     

    node1:

    --------------------------------------------------------------------------

    Redundancy mode:

        Configured mode: active-active

        Operational mode: active-backup

    Cluster configuration:

        Heartbeat interval: 1000 ms

        Heartbeat threshold: 3

        Control link recovery: Enabled

        Fabric link down timeout: 66 sec

    Node health information:

        Local node health: Not healthy

        Remote node health: Not healthy     

                                            

    Redundancy group: 0, Threshold: 0, Monitoring failures: fabric-connection-down

        Events:                             

            Nov 29 15:03:54.656 : hold->secondary, reason: Hold timer expired

                                            

    Redundancy group: 1, Threshold: -255, Monitoring failures: cold-sync-monitoring, fabric-connection-down

        Events:                             

            Nov 29 15:03:55.008 : hold->secondary, reason: Hold timer expired

    Control link statistics:                

        Control link 0:                     

            Heartbeat packets sent: 245014  

            Heartbeat packets received: 244989

            Heartbeat packet errors: 0      

            Duplicate heartbeat packets received: 0

        Control recovery packet count: 0    

        Sequence number of last heartbeat packet sent: 245014

        Sequence number of last heartbeat packet received: 253855

    Fabric link statistics:

        Child link 0

            Probes sent: 489391             

            Probes received: 0

        Child link 1

            Probes sent: 0

            Probes received: 0

    Switch fabric link statistics:

        Probe state : DOWN

        Probes sent: 0

        Probes received: 0

        Probe recv errors: 0

        Probe send errors: 0

        Probe recv dropped: 0

        Sequence number of last probe sent: 0

        Sequence number of last probe received: 0

     

    Chassis cluster LED information:

        Current LED color: Amber

        Last LED change reason: Monitored objects are down

    Control port tagging:

        Disabled

     

    Cold Synchronization:

        Status:

            Cold synchronization completed for: N/A

            Cold synchronization failed for: N/A

            Cold synchronization not known for: N/A

            Current Monitoring Weight: 255

     

        Progress:

            CS Prereq               0 of 1 SPUs completed

               1. if_state sync          1 SPUs completed

               2. fabric link            0 SPUs completed

               3. policy data sync       1 SPUs completed

               4. cp ready               0 SPUs completed

               5. VPN data sync          0 SPUs completed

               6. IPID data sync         0 SPUs completed

               7. All SPU ready          0 SPUs completed

               8. AppID ready            0 SPUs completed

               9. Tunnel Sess ready      0 SPUs completed

            CS RTO sync             0 of 1 SPUs completed

            CS Postreq              0 of 1 SPUs completed

     

        Statistics:

            Number of cold synchronization completed: 0

            Number of cold synchronization failed: 0

     

        Events:                             

            Nov 29 15:19:29.445 : Cold sync for PFE  is Not complete

                                            

    Loopback Information:                   

        PIC Name        Loopback        Nexthop     Mbuf

        -------------------------------------------------

                        Success         Failure     Success    

                                            

    Interface monitoring:

        Statistics:

            Monitored interface failure count: 0

     

    Fabric monitoring:

        Status:

            Fabric Monitoring: Enabled

            Activation status: Active

            Fabric Status reported by data plane: Down

            JSRPD internal fabric status: Down

     

    Fabric link events:

            Dec  2 10:54:42.611 : Child ge-5/0/2 of fab1 is up

            Dec  2 10:54:42.819 : Fabric link fab0 is up

            Dec  2 10:54:42.830 : Fabric link fab0 is up

            Dec  2 10:54:42.831 : Child ge-0/0/2 of fab0 is up

            Dec  2 11:07:13.811 : Fabric link fab0 is up

            Dec  2 11:07:13.822 : Child ge-0/0/2 of fab0 is up

            Dec  2 11:07:13.842 : Fabric link fab1 is up

            Dec  2 11:07:13.845 : Child ge-5/0/2 of fab1 is up

            Dec  2 11:07:13.993 : Child ge-0/0/2 of fab0 is up

            Dec  2 11:07:14.104 : Child ge-5/0/2 of fab1 is up

                                            

    Control link status: Up

        Server information:                 

            Server status : Inactive        

            Server connected to None        

        Client information:                 

            Client status : Connected       

            Client connected to 129.16.0.1/62845

    Control port tagging:                   

        Disabled                            

                                            

    Control link events:                    

            Nov 29 15:04:01.167 : Control link fxp1 is up

            Nov 29 15:04:11.764 : Control link fxp1 is up

            Dec  2 09:50:40.772 : Control link fxp1 is up

            Dec  2 09:55:24.297 : Control link fxp1 is up

            Dec  2 09:58:03.703 : Control link fxp1 is up

            Dec  2 10:01:04.768 : Control link fxp1 is up

            Dec  2 10:03:19.726 : Control link fxp1 is up

            Dec  2 10:06:08.204 : Control link fxp1 is up

            Dec  2 10:18:01.991 : Control link fxp1 is up

            Dec  2 11:07:11.681 : Control link fxp1 is up

     

     

    Hardware monitoring:                    

        Status:                             

            Activation status: Enabled      

            Redundancy group 0 failover for hardware faults: Enabled

            Hardware redundancy group 0 errors: 0

            Hardware redundancy group 1 errors: 0

                                            

    Schedule monitoring:

        Status:                             

            Activation status: Disabled     

            Schedule slip detected: None    

            Timer ignored: No               

                                            

        Statistics:                         

            Total slip detected count: 2    

            Longest slip duration: 7(s)     

                                            

        Events:                             

            Nov 29 15:02:16.635 : Detected schedule slip

            Nov 29 15:03:16.708 : Cleared schedule slip

            Nov 29 15:05:48.635 : Detected schedule slip

            Nov 29 15:06:48.699 : Cleared schedule slip

                                            

    Configuration Synchronization:

        Status:                             

            Activation status: Enabled      

            Last sync operation: Auto-Sync  

            Last sync result: Succeeded     

                                            

        Events:                             

            Nov 29 15:04:30.952 : Auto-Sync: In progress. Attempt: 1

            Nov 29 15:05:41.222 : Auto-Sync: Clearing mgd. Attempt: 1

            Nov 29 15:05:48.626 : Auto-Sync: Succeeded. Attempt: 1

                                            

    Cold Synchronization Progress:          

        CS Prereq               0 of 1 SPUs completed

           1. if_state sync          1 SPUs completed

           2. fabric link            0 SPUs completed

           3. policy data sync       1 SPUs completed

           4. cp ready               0 SPUs completed

           5. VPN data sync          0 SPUs completed

           6. IPID data sync         0 SPUs completed

           7. All SPU ready          0 SPUs completed

           8. AppID ready            0 SPUs completed

           9. Tunnel Sess ready      0 SPUs completed

        CS RTO sync             0 of 1 SPUs completed

        CS Postreq              0 of 1 SPUs completed

     

     

    root@SRX1> show configuration | display set | match "fab|cluster" 

    set chassis cluster control-link-recovery

    set chassis cluster reth-count 2

    set chassis cluster redundancy-group 1 node 0 priority 200

    set chassis cluster redundancy-group 1 node 1 priority 100

    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 150

    set interfaces fab0 fabric-options member-interfaces ge-0/0/2

    set interfaces fab1 fabric-options member-interfaces ge-5/0/2

    set interfaces reth1 description link-to-ex2300-cluster


    0 0

    The fab links (ge-0/0/2 and ge-5/0/2) are physically up on both nodes, but they are not receiving fabric probes from each other. How are the fab links connected? Directly, or via a switch?

    0 0

    The fab links are connected directly. After your message I added additional ports to the fabric links to verify the problem:

     

    root@SRX1# show interfaces fab0    

    fabric-options {

        member-interfaces {

            ge-0/0/2;

            ge-0/0/4;

        }

    }

     

    {primary:node0}[edit]

    root@SRX1# show interfaces fab1    

    fabric-options {

        member-interfaces {

            ge-5/0/2;

            ge-5/0/4;

        }

    }

     

    And now I see only one problem, with CS:

     

    root@SRX1# run show chassis cluster status    

    Monitor Failure codes:

        CS  Cold Sync monitoring        FL  Fabric Connection monitoring

        GR  GRES monitoring             HW  Hardware monitoring

        IF  Interface monitoring        IP  IP monitoring

        LB  Loopback monitoring         MB  Mbuf monitoring

        NH  Nexthop monitoring          NP  NPC monitoring              

        SP  SPU monitoring              SM  Schedule monitoring

        CF  Config Sync monitoring      RE  Relinquish monitoring

     

    Cluster ID: 1

    Node   Priority Status               Preempt Manual   Monitor-failures

     

    Redundancy group: 0 , Failover count: 0

    node0  1        primary              no      no       None           

    node1  1        secondary            no      no       None           

     

    Redundancy group: 1 , Failover count: 0

    node0  0        primary              yes     no       CS             

    node1  0        secondary            yes     no       CS             


    0 0

    Loopback monitoring has failed on both nodes. Reboot both nodes simultaneously and share the previously requested command outputs if the cluster status is still unhealthy.

    0 0

    After rebooting both nodes it doesn't look any better. :(

     

    root@SRX1> show chassis cluster status    

    Monitor Failure codes:

        CS  Cold Sync monitoring        FL  Fabric Connection monitoring

        GR  GRES monitoring             HW  Hardware monitoring

        IF  Interface monitoring        IP  IP monitoring

        LB  Loopback monitoring         MB  Mbuf monitoring

        NH  Nexthop monitoring          NP  NPC monitoring              

        SP  SPU monitoring              SM  Schedule monitoring

        CF  Config Sync monitoring      RE  Relinquish monitoring

     

    Cluster ID: 1

    Node   Priority Status               Preempt Manual   Monitor-failures

     

    Redundancy group: 0 , Failover count: 1

    node0  1        primary              no      no       None           

    node1  0        secondary            no      no       CF             

     

    Redundancy group: 1 , Failover count: 1

    node0  0        primary              yes     no       CS             

    node1  0        secondary            yes     no       CS CF   
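The two outputs requested earlier in this thread (`show chassis cluster status` and `show chassis cluster information detail`) can be checked mechanically rather than read by eye. What follows is an added example for this thread, not Juniper's code: it parses the pasted text of both commands, reports every monitor-failure code per node and redundancy group, and flags any fabric child link that sends probes but receives none, which is exactly the symptom in the captures above (port link up, probes sent, zero received). The embedded samples are constructed from the outputs posted in this thread, and the regexes assume the column layout shown there.

```python
"""Offline health check for a Junos SRX chassis cluster from captured CLI text.

Added example for this thread, not Juniper code. It parses pasted output of
`show chassis cluster status` and the "Fabric link statistics" block of
`show chassis cluster information detail` and turns them into findings.
Both samples below are constructed from the captures posted in the thread.
"""
import re

# Legend printed above the `show chassis cluster status` table.
FAILURE_CODES = {
    "CS": "Cold Sync monitoring", "FL": "Fabric Connection monitoring", "GR": "GRES monitoring",
    "HW": "Hardware monitoring", "IF": "Interface monitoring", "IP": "IP monitoring",
    "LB": "Loopback monitoring", "MB": "Mbuf monitoring", "NH": "Nexthop monitoring",
    "NP": "NPC monitoring", "SP": "SPU monitoring", "SM": "Schedule monitoring",
    "CF": "Config Sync monitoring", "RE": "Relinquish monitoring",
}

# Constructed sample: the status table posted after the reboot.
STATUS_SAMPLE = """\
Redundancy group: 0 , Failover count: 1
node0  1        primary              no      no       None
node1  0        secondary            no      no       CF
Redundancy group: 1 , Failover count: 1
node0  0        primary              yes     no       CS
node1  0        secondary            yes     no       CS CF
"""

# Constructed sample: fabric probe counters from both nodes' "information detail".
DETAIL_SAMPLE = """\
node0:
Fabric link statistics:
    Child link 0
        Probes sent: 493496
        Probes received: 0
    Child link 1
        Probes sent: 0
        Probes received: 0
Switch fabric link statistics:
    Probes sent: 0
    Probes received: 0
node1:
Fabric link statistics:

  Child link 0
        Probes sent: 489391
        Probes received: 0
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,")
NODE_RE = re.compile(r"^(node\d)\s+(-?\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s*(.*)$")
CHILD_RE = re.compile(r"^Child link (\d+)$")
PROBE_RE = re.compile(r"^Probes (sent|received):\s*(\d+)$")


def parse_cluster_status(text):
    """Return {rg: {node: {"priority", "status", "failures"}}} from the status table."""
    groups, rg = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := RG_RE.match(line):
            rg = int(m.group(1))
            groups[rg] = {}
        elif (m := NODE_RE.match(line)) and rg is not None:
            node, prio, status, _preempt, _manual, fails = m.groups()
            codes = [] if fails.strip() in ("", "None") else fails.split()
            groups[rg][node] = {"priority": int(prio), "status": status, "failures": codes}
    return groups


def parse_fabric_probes(text):
    """Return {node: {child_link: {"sent": n, "received": n}}}. Only the "Fabric link
    statistics" block is read; "Switch fabric link statistics" reuses the counter names."""
    result, node, child, in_fabric = {}, None, None, False
    for line in (ln.strip() for ln in text.splitlines()):
        if re.fullmatch(r"node\d:", line):
            node, child, in_fabric = line[:-1], None, False
            result[node] = {}
        elif line.startswith("Fabric link statistics"):
            in_fabric = True
        elif line.startswith("Switch fabric link statistics"):
            in_fabric = False
        elif in_fabric and node is not None:
            if m := CHILD_RE.match(line):
                child = int(m.group(1))
                result[node][child] = {}
            elif (m := PROBE_RE.match(line)) and child is not None:
                result[node][child][m.group(1)] = int(m.group(2))
    return result


def diagnose(status_text, detail_text):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    for rg, nodes in sorted(parse_cluster_status(status_text).items()):
        for node, info in sorted(nodes.items()):
            for code in info["failures"]:
                findings.append(f"RG{rg} {node}: {FAILURE_CODES.get(code, code)} failed "
                                f"(status {info['status']}, priority {info['priority']})")
    for node, links in sorted(parse_fabric_probes(detail_text).items()):
        for child, c in sorted(links.items()):
            sent, recv = c.get("sent", 0), c.get("received", 0)
            if sent and not recv:
                # Probes leave but none arrive: one-way or broken fabric path despite link up.
                findings.append(f"{node}: child link {child} sent {sent} fabric probes "
                                "and received 0; fabric path is one-way or broken")
    return findings
```

Call `diagnose()` on text captured with `show chassis cluster status | no-more` and `show chassis cluster information detail | no-more`; on the embedded samples it returns six findings (CF on node1 in RG0, CS on both nodes in RG1 plus CF on node1, and one-way fabric probes on child link 0 of each node).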


    0 0

    Please share "show chassis cluster information detail" command output

    0 0

    This is where I'm up to:

     

        ge-0/0/1 {
            vlan-tagging;
            unit 0 {
                encapsulation ppp-over-ether;
                vlan-id 101;
            }
        }
        pp0 {
            unit 0 {
                ppp-options {
                    chap {
                        default-chap-secret "Password"; ## SECRET-DATA
                        local-name "Username";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/1.0;
                    auto-reconnect 10;
                    client;
                }
                family inet {
                    mtu 1492;
                    negotiate-address;
                }
            }
        }

     

    Key differences:

    1. I need to send the VLAN tag 101 - does what I have look correct?

    2. I don't have idle-timeout 0 - does this matter?

    3. I don't think no-rfc2486 is relevant in my case.

    4. The connection uses CHAP authentication only.


    0 0

    I removed loopback interfaces from any redundancy group for now and chassis cluster looks much better now:

     

    Cluster ID: 1

    Node   Priority Status               Preempt Manual   Monitor-failures

     

    Redundancy group: 0 , Failover count: 1

    node0  1        primary              no      no       None           

    node1  1        secondary            no      no       None           

     

    Redundancy group: 1 , Failover count: 1

    node0  200      primary              yes     no       None           

    node1  100      secondary            yes     no       None

     

     

    Also, after that, I can see some NAT rules in the output of that command:

     

    root@SRX1# run show security nat source rule all  

    node0:

    --------------------------------------------------------------------------

    Total rules: 1

    Total referenced IPv4/IPv6 ip-prefixes: 2/0

    source NAT rule: 1                      Rule-set: rs1

      Rule-Id                    : 1

      Rule position              : 1

      From zone                  : trust

      To zone                    : untrust

      Match

        Source addresses         : 192.168.20.0    - 192.168.20.255

        Destination addresses    : 0.0.0.0         - 255.255.255.255

      Action                        : src-pool-1

        Persistent NAT type         : N/A              

        Persistent NAT mapping type : address-port-mapping 

        Inactivity timeout          : 0

        Max session number          : 0

      Translation hits           : 440

        Successful sessions      : 263

        Failed sessions          : 177

      Number of sessions         : 4

     

    node1:                                  

    --------------------------------------------------------------------------

    Total rules: 1                          

    Total referenced IPv4/IPv6 ip-prefixes: 2/0

    source NAT rule: 1                      Rule-set: rs1

      Rule-Id                    : 1        

      Rule position              : 1        

      From zone                  : trust    

      To zone                    : untrust  

      Match                                 

        Source addresses         : 192.168.20.0    - 192.168.20.255

        Destination addresses    : 0.0.0.0         - 255.255.255.255

      Action                        : src-pool-1

        Persistent NAT type         : N/A              

        Persistent NAT mapping type : address-port-mapping 

        Inactivity timeout          : 0     

        Max session number          : 0     

      Translation hits           : 177      

        Successful sessions      : 177      

        Failed sessions          : 0        

      Number of sessions         : 4        

     

    I also see something good here:

     

    root@SRX1# run show security flow session source-prefix 192.168.20.5/32 

     

    Session ID: 652, Policy name: internet-access/4, State: Active, Timeout: 1764, Valid

      In: 192.168.20.5/50852 --> 38.90.226.52/8883;tcp, Conn Tag: 0x0, If: reth1.10, Pkts: 41, Bytes: 2930, 

      Out: 38.90.226.52/8883 --> <Source NAT IP>/43064;tcp, Conn Tag: 0x0, If: ge-0/0/8.0, Pkts: 28, Bytes: 5061, 

     

    However, Internet access / NAT still doesn't work for me, as I'm getting only timeouts. But I think I'm closer now.


    0 0

    Dear EMTSU,

    In my case, the VLAN tag is configured in the ONT where the fiber terminates, so it is not needed; but if your ISP doesn't support that, then you can do it in your router itself.

    The idle timeout is needed and, in my experience, it makes sure the connection is always up.

    My ISP didn't mention what authentication they are using, so as per the PPPoE wizard in SRX there is an option to automatically identify it. I selected that; that's why both authentication methods are there.

    When I started to configure the first PPPoE connection, I went through a number of different problems, as you have experienced. What I did was configure my laptop as a PPPoE client and connect it directly to my ISP modem (bridge mode) to check whether it was working or not. If the PPPoE connection works with a Windows machine, then the ISP side is OK and your router configuration is to blame. Please go through the link below to configure your Windows machine.

    https://helpdesk.voyager.co.nz/index.php?/Knowledgebase/Article/View/222/49/ufb---pc-to-ont-isolation-via-pppoe

     

    Please also let me know what error you are experiencing while configuring the above link.


    0 0

    Normally, ingress and egress will be reth interfaces in a cluster. But in your case the egress interface is a ge- interface. As per the flow session, bi-directional traffic is passing through the SRX. Please share the complete configuration, if possible.

    0 0
  • 12/02/19--06:09: Re: Event-options question?
    Hi, Egerro,

     

    Thanks for your kind document and information.

    Can your configuration append the wanted results to the same file "event-result" until some limit/condition is reached?

    Thanks a lot


    0 0
  • 12/02/19--06:11: Re: Source-Nat disable query
    Did you check it out? What are the results?

     

    You should get a dedicated ip with a vpn to bypass all the restrictions. A lot of deals are out there as it is Cyber Monday, Cyber Monday is one of the biggest shopping events, but it’s also the time when cybercriminals hunt for gullible shoppers. Protect yourself as you snag discounts on your favorite items with PureVPN. They have their own deal for Cyber Monday – 5 Years plan for just $79!


    0 0

    ## Last changed: 2019-12-02 13:41:38 UTC
    version 18.2R3.4;
    groups {
        node0 {
            system {
                host-name SRX1;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.10.10.1/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name SRX2;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.10.10.2/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        root-authentication {
            encrypted-password "$6$VYv6FshQ$sE7sc4tkEJX7QQlBbzIm.N9UsKX8Gx01QehyL4Rw0lNukWO9O4LSr007bXSKHAfMB4mEQPHgkLYft/TEZNoSd0"; ## SECRET-DATA
        }
        name-server {
            1.1.1.1;
            1.0.0.1;
        }
        services {
            ssh {
                root-login allow;
            }
            web-management {
                http {
                    port 80;
                    interface reth1.10;
                }
            }
        }
    }
    chassis {
        cluster {
            control-link-recovery;
            reth-count 2;
            redundancy-group 1 {
                node 0 priority 200;
                node 1 priority 100;
                preempt;
                interface-monitor {
                    ge-0/0/3 weight 150;
                }
            }
        }
    }
    security {
        nat {
            source {
                pool src-pool-1 {
                    address {
                        <My-IP-address-from-PI-Prefix>/32;
                    }
                }
                rule-set rs1 {
                    from zone trust;
                    to zone untrust;
                    rule 1 {
                        match {
                            source-address 192.168.20.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                pool {
                                    src-pool-1;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy internet-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy test2 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone untrust {
                policy permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    reth1.10 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                                http;
                                https;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        bgp;
                    }
                }
                interfaces {
                    ge-0/0/8.0;
                    ge-5/0/8.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/3 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-0/0/8 {
            unit 0 {
                family inet {
                    address <ISP 1 IP>/30;
                }
            }
        }
        ge-5/0/3 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/8 {
            disable;
            vlan-tagging;
            unit 0 {
                vlan-id 2609;
                family inet {
                    address <ISP 2 IP>/30;
                }
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-5/0/2;
                }
            }
        }
        reth1 {
            description link-to-ex2300-cluster;
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
                minimum-links 1;
            }
            unit 10 {
                description "Office VLAN";
                vlan-id 10;
                family inet {
                    address 192.168.20.1/24;
                }
            }
            unit 666 {
                description "Managment VLAN";
                vlan-id 666;
                family inet {
                    address 172.16.1.1/24;
                }
            }
        }
    }
    routing-options {
        graceful-restart;
        static {
            route <my-pi-prefix>/24 discard;
        }
        autonomous-system XXXX;
    }
    protocols {
        bgp {
            group bgp-isp {
                type external;
                export send-greencell-prefix;
                neighbor <ISP 1 IP> {
                    description netia-isp;
                    peer-as XXX;
                }
                neighbor <ISP 2 IP> {
                    description snet-isp;
                    peer-as XXX;
                }
            }
        }
    }
    policy-options {
        policy-statement send-greencell-prefix {
            term export-routes {
                from {
                    route-filter <my-pi-prefix>/24 exact;
                }
                then accept;
            }
            then reject;
        }
    }

    0 0

    Hi,

     

    I'm installing and configuring a VDSL2 mPIM at a remote site. We need to set up the mPIM for ADSL. Both the ADSL line and the config are new (this is a first install). Our technician at the remote site has installed the mPIM card and booted the SRX. He connected the port to the telco outlet. Although the interface is configured, no LEDs are on or blinking. The telco claims they have successfully delivered the ADSL connection. I need to determine whether this is a problem with our connection from the telco, a hardware problem or a misconfiguration. See several outputs of the SRX below. I would kindly ask you to verify the config and give troubleshooting tips. Any help is appreciated.

     

    Thanks in advance for your help,

     

    Kind regards,

    Dimitry

     

     

    root@router>show chassis hardware   

    FPC 1 REV 09 750-064612 Serial number FPC PIC 0 1x VDSL2 mPIM (RoHS)

     

    root@router>show configuration interface 

    set interfaces at-1/0/0 encapsulation ethernet-over-atm
    set interfaces at-1/0/0 atm-options vpi 0
    set interfaces at-1/0/0 dsl-options operating-mode auto
    set interfaces at-1/0/0 unit 0 description "To Interconnect ADSL mPIM"
    set interfaces at-1/0/0 unit 0 encapsulation ether-over-atm-llc
    set interfaces at-1/0/0 unit 0 vci 0.35
    set interfaces at-1/0/0 unit 0 family inet address 10.10.10.2/30

     

    root@router> show interfaces at-1/0/0
    Physical interface: at-1/0/0, Enabled, Physical link is Down
    Interface index: 150, SNMP ifIndex: 536
    Link-level type: Ethernet-over-ATM, MTU: 1514, Clocking: Internal, ADSL mode, Speed: ADSL,
    Loopback: None
    Device flags : Present Running Down
    Link flags : None
    CoS queues : 8 supported, 8 maximum usable queues
    Current address: cc:e1:94:5a:78:2a
    Last flapped : 2019-10-15 12:32:53 CEST (6w6d 04:00 ago)
    Input rate : 0 bps (0 pps)
    Output rate : 0 bps (0 pps)
    ADSL alarms : None
    ADSL defects : None
    ADSL status:
    Modem status : Down
    DSL mode : Auto Annex A
    Last fail code: None
    Subfunction : 0x00
    Seconds in showtime : 0

     

    root@router>show interfaces terse

    at-1/0/0 up down
    at-1/0/0.0 up down inet 10.10.10.2/30

     


    0 0

    You will also need a dialer interface. If it's VDSL you configure pt-1/0/0, and if it's ADSL you configure at-1/0/0.

     

    VDSL Example DSL and Dialer Interfaces:

    pt-1/0/0 {
        vlan-tagging;
        vdsl-options {
            vdsl-profile auto;
        }
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 10;
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    local-name user1;
                    local-password "password1"; ## SECRET-DATA
                    passive;
                }
                lcp-max-conf-req 0;
            }
            pppoe-options {
                underlying-interface pt-1/0/0.0;
                idle-timeout 0;
                auto-reconnect 120;
                client;
            }
            no-keepalives;
            family inet {
                negotiate-address;
            }
        }
    }

    Zone: 

    security-zone untrust {
        interfaces {
            pp0.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
            }
        }
    }

    Routing-Options:

    static {
        route 0.0.0.0/0 {
            next-hop pp0.0;
            metric 0;
        }
    }

    NAT:

    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule destination-nat-rule {
                match {
                    destination-address [ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 123.100.102.161/29 ];
                }
                then {
                    source-nat {
                        off;
                    }
                }
            }
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }

     


    0 0

    Configuration looks OK to me. I hope you are receiving a default route from BGP. Please enable flow traceoptions to understand why traffic is not working.

     

    set security flow traceoptions file flow.log
    set security flow traceoptions file size 20m
    set security flow traceoptions file files 20
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter P1 source-prefix < Source IP >
    set security flow traceoptions packet-filter P1 destination-prefix < Destination IP >
    set security flow traceoptions packet-filter P2 source-prefix < Destination IP >
    set security flow traceoptions packet-filter P2 destination-prefix < Source IP >
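    The trace above shows why a flow fails; the session table shows where. As an added example (not from the thread and not Juniper tooling), the Python below parses the `show security flow session` wing lines in the format quoted earlier in this thread and flags two of the failure modes discussed here: an Out wing carrying zero packets (the reply never came back, typically because the provider is not routing the source NAT address back to this box) and an Out wing whose destination is still the private address (the source NAT rule did not match). The session output and the pool address 203.0.113.10 are constructed for the example.

```python
"""Audit 'show security flow session' output for one-way sessions and
missing source NAT. Added example for this thread, not Junos tooling.
The sample output below is constructed; 203.0.113.10 stands in for the
source NAT pool address."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the wing format the SRX prints (not a real capture).
SAMPLE_OUTPUT = """\
Session ID: 2117, Policy name: internet-access/4, State: Active, Timeout: 1786, Valid
  In: 192.168.20.10/43064 --> 38.90.226.52/8883;tcp, Conn Tag: 0x0, If: reth1.10, Pkts: 30, Bytes: 4182,
  Out: 38.90.226.52/8883 --> 203.0.113.10/43064;tcp, Conn Tag: 0x0, If: ge-0/0/8.0, Pkts: 28, Bytes: 5061,

Session ID: 2118, Policy name: internet-access/4, State: Active, Timeout: 18, Valid
  In: 192.168.20.11/51822 --> 1.1.1.1/443;tcp, Conn Tag: 0x0, If: reth1.10, Pkts: 3, Bytes: 228,
  Out: 1.1.1.1/443 --> 203.0.113.10/51822;tcp, Conn Tag: 0x0, If: ge-0/0/8.0, Pkts: 0, Bytes: 0,

Session ID: 2119, Policy name: internet-access/4, State: Active, Timeout: 4, Valid
  In: 192.168.20.12/40001 --> 1.0.0.1/53;udp, Conn Tag: 0x0, If: reth1.10, Pkts: 1, Bytes: 64,
  Out: 1.0.0.1/53 --> 192.168.20.12/40001;udp, Conn Tag: 0x0, If: ge-0/0/8.0, Pkts: 0, Bytes: 0,
Total sessions: 3
"""

SESSION_RE = re.compile(r"^Session ID:\s*(?P<id>\d+),\s*Policy name:\s*(?P<policy>\S+),")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out):\s*(?P<src>[^/\s]+)/(?P<sport>\d+)\s*-->\s*"
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+),.*?"
    r"If:\s*(?P<ifl>[^,\s]+),\s*Pkts:\s*(?P<pkts>\d+),\s*Bytes:\s*(?P<bytes>\d+)"
)


def parse_sessions(text):
    """Return {session_id: {"policy": str, "In": wing, "Out": wing}}.

    A wing is a dict with src, dst, proto, ifl, pkts and bytes."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"policy": m.group("policy")}
            sessions[int(m.group("id"))] = current
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            current[w.group("dir")] = {
                "src": w.group("src"), "dst": w.group("dst"),
                "proto": w.group("proto"), "ifl": w.group("ifl"),
                "pkts": int(w.group("pkts")), "bytes": int(w.group("bytes")),
            }
    return sessions


def audit(sessions, nat_pool):
    """Return {session_id: [finding, ...]}; an empty list means the session looks healthy.

    For a source-NATed flow the Out wing's destination is the translated
    address, so it must lie in the pool and must differ from the In wing's
    private source. Packets on the In wing with none on the Out wing mean
    the peer (or the ISP) never sent anything back."""
    pool = ip_network(nat_pool)
    report = {}
    for sid, s in sessions.items():
        findings = []
        inw, outw = s.get("In"), s.get("Out")
        if inw is None or outw is None:
            report[sid] = ["session has only one wing"]
            continue
        translated = ip_address(outw["dst"])
        if translated == ip_address(inw["src"]):
            findings.append(f"source NAT did not apply: reply wing still targets {inw['src']}")
        elif translated not in pool:
            findings.append(f"translated address {translated} is outside pool {pool}")
        if inw["pkts"] > 0 and outw["pkts"] == 0:
            findings.append(f"no return packets from {outw['src']} on {outw['ifl']}: "
                            f"check upstream routing/ARP for {translated}")
        report[sid] = findings
    return report


if __name__ == "__main__":
    for sid, findings in audit(parse_sessions(SAMPLE_OUTPUT), "203.0.113.10/32").items():
        print(sid, "OK" if not findings else "; ".join(findings))
```

    Feed it the real output with `show security flow session | no-more` saved to a file, and pass the pool address from `show security nat source pool all`. Session 2118 in the sample is the pattern this thread is chasing: the translation happened, the SYN left on ge-0/0/8.0, and nothing ever came back, which points at the upstream rather than at the SRX policy or NAT rule.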

     


    0 0

    Hello,

     

    Thank you, FTP active/passive is working now. How do I also make FTP work through the VPN with source NAT towards remote sites?

     

    ALG:

    ftp ftps-extension enabled

     

    IPSEC:
    security {
        ike {
            proposal cust-vpn3 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy cust-vpn3 {
                mode main;
                proposals cust-vpn3;
                pre-shared-key ascii-text "$9$qQgoGf5z9Aaatp"; ## SECRET-DATA
            }
            gateway cust-vpn3 {
                ike-policy cust-vpn3;
                address 89.234.187.21;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                local-identity inet 5.100.21.88;
                remote-identity inet 89.234.187.21;
                external-interface reth0.100;
            }
        }
        ipsec {
            proposal cust-vpn3 {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy cust-vpn3 {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals cust-vpn3;
            }
            vpn cust-vpn3 {
                bind-interface st0.10;
                ike {
                    gateway cust-vpn3;
                    ipsec-policy cust-vpn3;
                }
                traffic-selector NET-PROD-CUST {
                    local-ip 172.39.31.39/32;    ## NAT IP
                    remote-ip 172.16.4.0/25;
                }
                establish-tunnels immediately;
            }
        }
    }

     

    NAT:

    nat {
        source {
            pool vpn-cust-pool {
                address {
                    172.39.31.39/32;
                }
            }
            rule-set vpn-cust-nat {
                from zone application;
                to zone vpn-cust;
                rule snat-cust {
                    match {
                        source-address 172.23.168.0/21;
                        destination-address 172.16.4.0/25;
                    }
                    then {
                        source-nat {
                            pool {
                                vpn-cust-pool;
                            }
                        }
                    }
                }
            }
        }
    }


    Global addressbook:
    set security address-book global address NET-PROD 172.23.168.0/21
    set security address-book global address NET-CUST 172.16.4.0/25

     

    Application:
    application FTP-ALGignore {
        application-protocol ignore;
        protocol tcp;
        destination-port 21;
    }

    application PASSIVE_FTP_PORTS {
        protocol tcp;
        destination-port 1024-65535;
    }

    Security Policy:
    from-zone application to-zone vpn-cust {
        policy VPN-PROD-to-CUST {
            match {
                source-address NET-PROD;
                destination-address NET-CUST;
                application [ FTP-ALGignore PASSIVE_FTP_PORTS ];
            }
            then {
                permit;
            }
        }
    }


    0 0

    Dears,

     

    We have a Juniper SRX650 cluster in an active/passive HA environment (node 0 was active).

    Now the node 0 is down and Node 1 is the primary and everything working fine .

    I want to replace the faulty power adapter. What are the necessary steps I have to take to replace it without downtime?

    Notes:

    set chassis cluster redundancy-group 1 preempt     /// is enabled

    Attached the screenshot of current cluster status

     

    Thanks & Regards,

    SS

     

     


    0 0

    Hi Dawid,

     

    Thank you for your reply.

     

    This isn't an internet connection but a Layer 2 Ethernet circuit to our main office. Is the dialer interface also necessary for this type of connection?

     

    Do you expect the interface to go to the UP state when the telco's cable is connected with dsl-options operating-mode auto enabled? Or does this require the dialer interface?


    0 0

    Thanks Vikas!


    0 0

    I modified the juniper example code to fit my situation, but commit check on the SRX345 (local box) says I need to specifically define MTU size on the MPLS over GRE interface:

    root@SRX345# commit check
    [edit interfaces gr-0/0/0]
      'unit 0'
        gr-0/0/0.0: Must configure MPLS family MTU
    error: configuration check-out failed

    But I'm not sure what to set it at:

    [edit interfaces gr-0/0/0 unit 0]
    root@SRX345# set family mpls mtu ?
    Possible completions:<mtu>                Protocol family maximum transmission unit

    How do I calculate what mtu I should use in this case? I read that:

     

    If the MPLS MTU is not explicitly configured in the configuration, Junos OS derives the MPLS MTU from the physical interface MTU. From this value, the software subtracts the encapsulation-specific overhead and space for the maximum number of labels that might be pushed in the Packet Forwarding Engine


    It doesn't seem like it's picking it up automatically, though here I see 1476, should I use that?

    root@SRX345> show interfaces gr-0/0/0.0
    Logical interface gr-0/0/0.0 (Index 84) (SNMP ifIndex 557)
    Flags: Up Point-To-Point SNMP-Traps 0x0
    IP-Header 1.2.3.4:5.6.7.8:47:df:64:0000000000000000
    Encapsulation: GRE-NULL
    Gre keepalives configured: Off, Gre keepalives adjacency state: down
    Input packets : 0
    Output packets: 0
    Security: Zone: Null
    Protocol inet, MTU: 1476

     


    0 0
  • 12/03/19--15:18: Re: Source-Nat disable query
  • Hi,

     

    I am preparing the script for it but wanted to know if proxy-arp should be configured for this, like below?

    set security nat proxy-arp interface ge-0/0/15.0 address <SINGLE PUBLIC IP>

     

    Also i will be turning the source-nat off for that user subnet and putting in the static-nat command as mentioned in below threads but will that work as source-nat is turned off ?  

     

    Note : The user vlan subnet is getting NATTED to this single public ip as mentioned in the previous post thread


    0 0

    Hi all, I have cluster SRX550 and formed dynamic VPN via J-web VPN Wizard.

    Now I can use Pulse Secure to connect to this VPN from an outside network; after connecting to the VPN I get the IP address 192.168.168.x/24.

    However, I cannot access the internal VLAN 128 network after connecting to the VPN (ping to 172.16.128.1 fails).

     

    Please find  SRX550 config below for your reference.


    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.168.0/24

    set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match source-address any
    set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match destination-address any
    set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match application any
    set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn

    set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.168.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32

     

    set security zones security-zone Internal interfaces reth1.128 host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces reth1.128 host-inbound-traffic protocols all

    set interfaces reth1 unit 128 vlan-id 128
    set interfaces reth1 unit 128 family inet address 172.16.128.1/24

    set vlans vlan128 vlan-id 128

     

    May I know if some config is missing (maybe a policy or route)? How can I access the VLAN 128 network after connecting to the VPN from an outside network? Thanks!!

     

     


    0 0

    Your 'remote-protected-resources' should be your internal network(s), so basically you have to use this config line instead:

     

    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 172.16.128.0/24

    Please change this and let us know of the result :-)


    0 0

    Do you have the static route setup for 172.16.4.0/25 to st0.10

     

    If that is in place can you generate traffic and see if the sessions are created

    show security flow session destination-prefix 172.16.4.0/25 source-prefix 172.23.168.0/21

     


    0 0
  • 12/03/19--16:58: Re: Source-Nat disable query
  • Proxy arp should be enabled for any ip address you are using in a nat pool that is in the same subnet as the egress interface.  This will be necessary for the flows to function.

     

    You will NOT use static nat for this application as Pura has pointed out.  Static nat is a one ip mapped to another single ip address.  This is not a source nat pool so is not applicable here.

     

    Also you will NOT be adding source nat off for your application.  You will instead build a list of nat rules from specific first with your current general source nat interface as the last rule on the list.  Thus anything that matches your specific rules will apply those and all else falls down to the final source nat interface.

     


    0 0

    The safest approach is probably to follow the full RMA node replacement procedure as outlined in this kb article.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21134

     

    But if there are no configuration changes made since the power supply failure and the hardware replacement is just that you likely can simply add the unit and power up the SRX.  The cluster should reform and become healthy again.

     


    0 0

    Hello,

    Usually, JUNOS family mpls default MTU == JUNOS family inet MTU - 12 B (minus 3 labels), I suggest You use 1476-12=1462 B as a starting value for family mpls MTU and decrease further if large frames do not pass.

    HTH

    Thx

    Alex
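    The derivation quoted above (physical MTU, minus the encapsulation overhead, minus room for the maximum label stack) carried through as an added Python example; it is not from the thread or from Juniper. It assumes plain GRE over IPv4 with no checksum, key or sequence options (the GRE-NULL encapsulation in the poster's output: a 4-byte GRE header plus a 20-byte outer IPv4 header), a 1500-byte physical MTU, and the three-label maximum that the SRX reports for the gr- interface later in this thread. With those inputs the inet MTU comes out at the 1476 the poster saw, and the MPLS MTU at 1464; configuring a lower value, as the thread does with 1462, is safe and simply leaves a little extra headroom. The generalisation to GRE options and an IPv6 outer header goes beyond what the thread shows.

```python
"""Work out the family inet and family mpls MTU of a GRE tunnel on Junos.

Added example for this thread, not Junos code. It assumes GRE over IPv4
with no checksum/key/sequence options (the 'GRE-NULL' encapsulation in
the thread), a 1500-byte physical MTU, and the three-label maximum that
'show interfaces gr-0/0/0 detail' reports for the interface.
"""

IPV4_HEADER = 20      # outer IPv4 header without options (RFC 791)
IPV6_HEADER = 40      # outer IPv6 header (RFC 8200)
GRE_BASE_HEADER = 4   # flags/version + protocol type (RFC 2784)
GRE_OPTION = 4        # checksum, key and sequence each add 4 bytes (RFC 2784/2890)
MPLS_LABEL = 4        # one label stack entry (RFC 3032)
ICMP_ECHO_OVERHEAD = 20 + 8  # inner IPv4 header + ICMP echo header, for 'ping size'


def gre_overhead(outer="ipv4", checksum=False, key=False, sequence=False):
    """Bytes the tunnel adds in front of every encapsulated packet."""
    outer_hdr = IPV4_HEADER if outer == "ipv4" else IPV6_HEADER
    options = sum(GRE_OPTION for flag in (checksum, key, sequence) if flag)
    return outer_hdr + GRE_BASE_HEADER + options


def inet_mtu(physical_mtu=1500, **gre):
    """Largest inner IP packet that fits without fragmenting the outer packet."""
    return physical_mtu - gre_overhead(**gre)


def mpls_mtu(physical_mtu=1500, max_labels=3, **gre):
    """Largest payload behind a full label stack: inet MTU minus room for the labels."""
    return inet_mtu(physical_mtu, **gre) - max_labels * MPLS_LABEL


def max_ping_payload(mtu):
    """Largest 'ping ... size N do-not-fragment' payload that fits a given inner MTU."""
    return mtu - ICMP_ECHO_OVERHEAD


if __name__ == "__main__":
    print("GRE overhead   :", gre_overhead())                     # 24
    print("family inet MTU:", inet_mtu())                         # 1476
    print("family mpls MTU:", mpls_mtu())                         # 1464
    print("max ping size  :", max_ping_payload(inet_mtu()))       # 1448
```

    The last figure is the practical check: `ping <far end> size 1448 do-not-fragment` should succeed across the tunnel and `size 1449` should fail; if 1448 already fails, something in the path (the underlay, or the ISP's own encapsulation) is eating more than the 24 bytes assumed here, and both MTUs should be lowered accordingly.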


    0 0

    Hi,

    I have used this config instead but I still cannot access internal network 172.16.128.x.


    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 172.16.128.0/24


    0 0
  • 12/03/19--21:08: SRX series sfp compatability
  • A Juniper 10G SR SFP is working in an EX3400, but when connected to the SRX it shows as UNSUPPORTED.


    0 0

    Hi,

     

    Just because an SFP is from Juniper does not mean it will work on all Juniper devices. In the following link, type your SRX model in the search bar and it will take you to the supported SFPs for your SRX. Confirm whether the one you have is listed there. Try the same with your EX model.

     

    https://apps.juniper.net/hct/home/

     

    Please mark my comment as "Solution" if it applies.

     


    0 0

    Hi Henry

     

    I believe there is a limitation with host-inbound-traffic coming via Dynamic VPN. Can you try pinging an address on subnet 172.16.128.0/24 different from 172.16.128.1?

     


    0 0

    Hi, there is a Dell switch (172.16.128.2) connected to the SRX, but I cannot ping it successfully from the VPN network. How can I remove the limitation on host-inbound traffic coming via Dynamic VPN?

    0 0

    It turns out that I very nearly had the right config...... The VLAN tag not being needed was the key to success, despite my ISP being insistent that it was! Also in the mix, there was a fault with the service too. Thank you for all of your help and sticking with me.


    0 0

    There is a very strange phenomenon. I successfully pinged 172.16.128.1 via the dynamic VPN this morning and afternoon, but the ping fails again after reconnecting the VPN session.

    0 0

    Henry, you might be hitting the following problem:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17441&actp=METADATA

     


    0 0

    Okay, I set the MTU to 1462 and committed my code.

     

    It looks like my gre tunnel on the home office SRX345 is up, but not passing any traffic, so:

    show interfaces gr-0/0/0 detail
    Physical interface: gr-0/0/0, Enabled, Physical link is Up
      Interface index: 152, SNMP ifIndex: 528, Generation: 155
      Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
      Link flags     : Scheduler Keepalives DTE
      Hold-times     : Up 0 ms, Down 0 ms
      Device flags   : Present Running
      Interface flags: Point-To-Point
      Statistics last cleared: Never
      Traffic statistics:
       Input  bytes  :                    0                    0 bps
       Output bytes  :                    0                    0 bps
       Input  packets:                    0                    0 pps
       Output packets:                    0                    0 pps
    
      Logical interface gr-0/0/0.0 (Index 90) (SNMP ifIndex 557) (Generation 155)
        Flags: Up Point-To-Point SNMP-Traps Clear-DF-bit 0x0
        IP-Header 10.1.1.2:10.1.1.1:47::64:0000000000000000 Encapsulation: GRE-NULL
        Copy-tos-to-outer-ip-header: Off
        Gre keepalives configured: Off, Gre keepalives adjacency state: down
        Traffic statistics:
         Input  bytes  :                    0
         Output bytes  :              2610754
         Input  packets:                    0
         Output packets:                27776
        Local statistics:
         Input  bytes  :                    0
         Output bytes  :              2610754
         Input  packets:                    0
         Output packets:                27776
        Transit statistics:
         Input  bytes  :                    0                    0 bps
         Output bytes  :                    0                    0 bps
         Input  packets:                    0                    0 pps
         Output packets:                    0                    0 pps
        Security: Zone: untrust
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
        ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
        ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
        rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
        ntp sip r2cp webapi-clear-text webapi-ssl
        Flow Statistics :
        Flow Input statistics :
          Self packets :                     0
          ICMP packets :                     0
          VPN packets :                      0
          Multicast packets :                0
          Bytes permitted by policy :        0
          Connections established :          0
        Flow Output statistics:
          Multicast packets :                0
          Bytes permitted by policy :        0
        Flow error statistics (Packets dropped due to):
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0
          No minor session:                  0
          No more sessions:                  0
          No NAT gate:                       0
          No route present:                  0
          No SA for incoming SPI:            0
          No tunnel found:                   0
          No session for a gate:             0
          No zone or NULL zone binding       0
          Policy denied:                     0
          Security association not active:   0
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 1500, Generation: 172, Route table: 0
          Flags: Sendbcast-pkt-to-re, User-MTU
          Input Filters: inet-packet-mode
        Protocol mpls, MTU: 1462, Maximum labels: 3, Generation: 173,
        Route table: 0
          Flags: User-MTU
          Input Filters: mpls-packet-mode

    And ipsec doesn't look like:

    show security ipsec statistics
    ESP Statistics:
      Encrypted bytes:                0
      Decrypted bytes:                0
      Encrypted packets:              0
      Decrypted packets:              0
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

    and

    show security ipsec security-associations
      Total active tunnels: 0

    also

    show interfaces ge-0/0/2
    Physical interface: ge-0/0/2, Enabled, Physical link is Up
      Interface index: 137, SNMP ifIndex: 512
      Link-level type: Ethernet-VPLS, MTU: 1514, LAN-PHY mode,
      Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None,
      MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
      Flow control: Disabled, Auto-negotiation: Enabled, Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: ec:13:db:d3:9e:03, Hardware address: ec:13:db:d3:9e:03
      Last flapped   : 2019-12-05 07:51:07 GMT-8 (00:00:54 ago)
      Input rate     : 472 bps (0 pps)
      Output rate    : 0 bps (0 pps)
      Active alarms  : None
      Active defects : None
      Interface transmit statistics: Disabled
    
      Logical interface ge-0/0/2.0 (Index 89) (SNMP ifIndex 558)
        Flags: Up SNMP-Traps 0x0 Encapsulation: Ethernet-VPLS
        Input packets : 81
        Output packets: 0
        Security: Zone: Null

    and

    Logical interface lt-0/0/0.2000 (Index 94) (SNMP ifIndex 561)
        Flags: Up Point-To-Point SNMP-Traps 0x0 DLCI 1 Encapsulation: FR-NLPID
        Input packets : 27644
        Output packets: 27628
        Security: Zone: trust-flow
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
        ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
        ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
        rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
        ntp sip r2cp webapi-clear-text webapi-ssl
        Protocol inet, MTU: 4470
          Flags: Sendbcast-pkt-to-re
    
      Logical interface lt-0/0/0.2001 (Index 95) (SNMP ifIndex 562)
        Flags: Up Point-To-Point SNMP-Traps 0x0 DLCI 1 Encapsulation: FR-NLPID
        Input packets : 27628
        Output packets: 27644
        Security: Zone: untrust
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
        ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
        ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
        rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
        ntp sip r2cp webapi-clear-text webapi-ssl
        Protocol inet, MTU: 4470
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Primary
            Local: 10.1.1.1

    0 0
  • 12/05/19--02:02: Setting up NDP proxy on SRX
  • I have been trying to enable NDP proxy on my SRX340. The official documentation is a bit vague - https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ndp-proxy-configuring.html

     

    I have two interfaces, ge-0/0/0.0 and irb.1, both set to the same IPv6 /64 prefix and using the eui-64 option to generate the SRX's addresses. For example, let's say the prefix is 2001:DB8::/64.

     

    The ge-0/0/0.0 interface is the egress interface and is in the untrust security zone. It is directly connected to the ISP's upstream router. The default gateway has been configured by the ISP as 2001:DB8::1 and this is set as the default IPv6 route in the SRX.

     

    The irb.1 is a VLAN used by hosts in the trust security zone and has a router advertisement enabled with the prefix 2001:DB8::/64 so that hosts on the VLAN can use SLAAC to configure their prefix and set the SRX as their default route.

     

    At this stage the SRX can ping both the ISP gateway on 2001:DB8::1 and other public addresses such as 2001:4860:4860::8888. The SRX can also ping hosts on the VLAN.

     

    However other public IPv6 addresses can't ping the VLAN hosts. I traced this to the ISP gateway not knowing about a next hop so it instead generates Neighbor Discovery Protocol solicitations for the VLAN host IP on the ge-0/0/0.0 link and of course doesn't get a reply as the host is on a different interface. There is a similar story when VLAN hosts attempt to ping the ISP gateway.

     

    However when a VLAN pings another public address it knows from the RA to forward it to the SRX. The SRX then knows to forward this to the ISP gateway and the ping request makes it to the destination, however the reply gets stuck at the ge-0/0/0.0 link.

     

    After some Googling I discovered the correct solution to this problem is an NDP proxy. The proxy will listen on both interfaces for NDP solicitations for addresses it knows are on a different interface. The proxy then replies to the solicitation with an advertisement using the SRX's MAC on that interface. This will then cause hosts to forward the traffic to the SRX, which can then be correctly routed.

     

    According to the SRX documentation at https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ndp-proxy-configuring.html I need to enable "set interfaces interface-name family inet6 ndp-proxy interface-restricted". It doesn't specify if I should do both interfaces, but that is what I have tried, along with only enabling it on one or the other interface.

     

    However, it appears the NDP proxy doesn't work correctly. I have verified both with the built-in SRX packet capture using the "monitor traffic" command as well as with Wireshark on the VLAN hosts that the SRX receives the NDP solicitation request, then immediately sends out another solicitation request for the exact same IP address on the interface it received the solicitation on. Of course there is no reply to either solicitation.

     

    It seems as though the SRX should also send a solicitation request for the IP address on the other subnet interface, but it doesn't. Thus it never finds the MAC for the IP address. This is even the case when the SRX already knows which interface the IP is on when looking at the "show ipv6 neighbors" command.

     

    So far I have tried many different settings but I still can't get the SRX to forward NDP solicitations from one interface to another one when they are both on the same subnet. I am not sure if this is because the interfaces are in different zones and the documentation doesn't mention any reasons for it to not be working.

     

    Has anyone managed to enable the IPv6 Neighbor Discovery Protocol proxy on an SRX? If so, what configuration did you use?

     

    Is this a bug in the SRX?
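
As an added example (not code from the original post or from Juniper), this is the decision an NDP proxy is expected to make for each Neighbor Solicitation in the two-interface setup described above, contrasted with the behaviour observed on the SRX (re-soliciting on the ingress interface). The interface names, MAC addresses and neighbour-cache entries are constructed for illustration.

```python
"""NDP proxy decision logic for a shared /64 spanning two interfaces.

Added example; interface names, MACs and the neighbour cache are constructed.
The prefix is the documentation prefix used in the post.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Tuple

# The on-link prefix shared by both interfaces (from the post).
SHARED_PREFIX = IPv6Network("2001:db8::/64")

# Interfaces the proxy serves, and the router's own MAC on each (constructed).
OUR_MAC: Dict[str, str] = {
    "ge-0/0/0.0": "00:00:5e:00:53:01",  # untrust, towards the ISP gateway
    "irb.1": "00:00:5e:00:53:02",       # trust, the host VLAN
}

# A neighbour cache in the shape of `show ipv6 neighbors`: target -> (interface, MAC).
# Constructed: the ISP gateway sits on ge-0/0/0.0, one SLAAC host sits on irb.1.
NEIGHBOR_CACHE: Dict[str, Tuple[str, str]] = {
    "2001:db8::1": ("ge-0/0/0.0", "00:00:5e:00:53:10"),
    "2001:db8::aaaa:bbbb:cccc:dddd": ("irb.1", "00:00:5e:00:53:20"),
}


def handle_solicitation(target: str, ingress: str,
                        cache: Dict[str, Tuple[str, str]] = NEIGHBOR_CACHE,
                        our_mac: Dict[str, str] = OUR_MAC,
                        prefix: IPv6Network = SHARED_PREFIX) -> Tuple:
    """Decide what the proxy does with an NS for `target` received on `ingress`.

    Returns one of:
      ("ignore",)                  ingress is not proxied, or target is off-prefix
      ("noop",)                    target is on the ingress link itself; the host
                                   answers and the proxy stays silent
      ("advertise", ingress, mac)  target is behind another proxied interface;
                                   answer with our own MAC on the ingress link
      ("solicit", [ifaces])        target unknown; look for it on the OTHER
                                   proxied interfaces (never back on ingress,
                                   which is the loop the post describes)
    """
    if ingress not in our_mac:
        return ("ignore",)
    try:
        addr = IPv6Address(target)
    except ValueError:
        return ("ignore",)
    if addr not in prefix:
        return ("ignore",)

    # Canonicalise both sides so 2001:DB8::1 and 2001:db8::1 compare equal.
    canonical = {str(IPv6Address(k)): v for k, v in cache.items()}
    entry = canonical.get(str(addr))
    if entry is None:
        others = [iface for iface in our_mac if iface != ingress]
        return ("solicit", others)

    iface, _neighbor_mac = entry
    if iface == ingress:
        return ("noop",)
    return ("advertise", ingress, our_mac[ingress])


if __name__ == "__main__":
    # The failing case from the post: the ISP gateway solicits a VLAN host
    # on the untrust link. A working proxy answers with its untrust MAC.
    print(handle_solicitation("2001:DB8::AAAA:BBBB:CCCC:DDDD", "ge-0/0/0.0"))
    # A VLAN host solicits the ISP gateway: answer with the irb.1 MAC.
    print(handle_solicitation("2001:db8::1", "irb.1"))
    # Unknown on-prefix target: solicit on the other side only.
    print(handle_solicitation("2001:db8::9999", "ge-0/0/0.0"))
```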


    0 0

     

    Hello,

     

    Since my last messages, I made some changes in the configuration. I'm attaching my current config and an image (yeah, sorry for that).

     

    Yesterday I was able to ping SRX gateway (192.168.20.1) and access the Internet via ISP1 from my computer.

     

    However, after disconnecting ISP1 I couldn't access Internet via ISP2 from my computer (but from SRX1 which is master I had access to Internet via ISP2).

     

    Today I can't ping the gateway and I don't have Internet access (however, the SRX has 2 BGP peers active and full Internet access) - but I didn't change the configuration... So there is something really wrong in this setup...

     

    (Currently, after rebooting both nodes of the chassis cluster, I'm able to ping my gateway; however, I don't have Internet access - routing goes via ISP2.)

     

    version 18.2R3.4;
    groups {
        node0 {
            system {
                host-name SRX1;
                backup-router 192.16.35.254 destination 0.0.0.0/0;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.16.35.46/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name SRX2;
                backup-router 192.16.35.254 destination 0.0.0.0/0;
            }
            interfaces {                    
                fxp0 {                      
                    unit 0 {                
                        family inet {       
                            address 192.16.35.47/24;
                        }                   
                    }                       
                }                           
            }                               
        }                                   
    }                                       
    apply-groups "${node}";       
    
    system {                                
        root-authentication {               
            encrypted-password "ABCDEF"; ## SECRET-DATA
        }                                   
        name-server {                       
            8.8.8.8;                        
            8.8.4.4;                        
        }                                   
        services {                          
            ssh {                           
                root-login allow;
            }
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    
    chassis {
        cluster {                           
            reth-count 1;                   
            redundancy-group 0 {
                node 0 priority 100;
                node 1 priority 1;
            }
            redundancy-group 1 {
                node 0 priority 100;
                node 1 priority 1;
                interface-monitor {
                    ge-0/0/4 weight 200;
                    ge-0/0/5 weight 200;
                    ge-5/0/5 weight 200;
                    ge-5/0/4 weight 200;
                }
            }
        }
    }
    security {
     nat {
            source {
                pool src-nat-pool-1 {
                    address {
                        123.123.123.10/32;
                    }                       
                }                           
                rule-set rs1 {              
                    from zone trust;        
                    to zone untrust;        
                    rule 1 {                
                        match {             
                            source-address 192.168.20.0/24;
                            destination-address 0.0.0.0/0;
                        }                   
                        then {              
                            source-nat {    
                                pool {      
                                    src-nat-pool-1;
                                }           
                            }               
                        }                   
                    }                       
                }                           
            }                               
        }                                   
        policies {                          
            from-zone trust to-zone trust { 
                policy permit-all {         
                    match {                 
                        source-address any; 
                        destination-address any;
                        application any;    
                    }                       
                    then {                  
                        permit;             
                    }                       
                }                           
            }                               
       from-zone trust to-zone untrust {
                policy permit-all {         
                    match {                 
                        source-address any; 
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {                
                    reth0.10 {              
                        host-inbound-traffic {
                            system-services {
                                all;        
                            }               
                            protocols {     
                                all;        
                            }               
                        }                   
                    }                       
                }                           
            }                               
          security-zone untrust {         
                host-inbound-traffic {      
                    system-services {       
                        ping;
                    }
                    protocols {
                        bgp;
                    }
                }
                interfaces {
                    ge-0/0/12.0;
                    ge-5/0/12.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/4 {
            ether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/5 {
            ether-options {
                redundant-parent reth0;
            }                               
        }                                   
        ge-0/0/12 {                         
            description isp1-bgp;          
            unit 0 {                        
                family inet {               
                    address 1.1.1.2/30;
                    address 123.123.123.11/24;
                }                           
            }                               
        }                                   
       ge-5/0/4 {                          
            ether-options {                 
                redundant-parent reth0;     
            }                               
        }                                   
        ge-5/0/5 {                          
            ether-options {
                redundant-parent reth0;
            }
        }
        ge-5/0/12 {
            description isp2-bgp;
            vlan-tagging;
            unit 0 {
                vlan-id 2609;
                family inet {
                    address 2.2.2.2/30;
                }
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                    ge-0/0/3;
                }
            }
        }
        fab1 {                              
            fabric-options {                
                member-interfaces {         
                    ge-5/0/2;               
                    ge-5/0/3;               
                }                           
            }                               
        }                                   
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;         
                lacp {                      
                    passive;                
                    periodic slow;          
                }                           
            }                               
            unit 10 {                       
                vlan-id 10;                 
                family inet {               
                    address 192.168.20.1/24;
                }                           
            }                               
        }                                   
    }                                       
    routing-options {                       
        graceful-restart;                   
        autonomous-system 56789;           
    }                                       
    protocols {                             
        bgp {                               
            group bgp-isp {                 
                type external;              
                import deny-import-prefix;  
                export send-prefix;
                neighbor 1.1.1.1 {    
                    description netia-bgp;  
                    peer-as 1234;          
                }                           
                neighbor 2.2.2.1 {   
                    description snet-bgp;   
                    peer-as 4321;          
                }                           
            }                               
        }                                   
    }                                       
    
    policy-options {                        
        policy-statement deny-import-prefix {
            term deny-import-routes {       
                from {                      
                    route-filter 0.0.0.0/0 exact;
                }                           
                then reject;
            }
            then accept;
        }
        policy-statement send-prefix {
            term export-routes {
                from {
                    route-filter 123.123.123.0/24 exact;
                }
                then accept;
            }
            then reject;
        }
    }
    

     

    Some more info from SRX:

     

    root@SRX1> show chassis alarms 
    node0:
    --------------------------------------------------------------------------
    No alarms currently active
    
    node1:
    --------------------------------------------------------------------------
    No alarms currently active
    
    
    root@SRX1> show interfaces terse | match down   
    ge-0/0/0                up    down
    ge-0/0/6                up    down
    ge-0/0/7                up    down
    ge-0/0/8                up    down
    ge-0/0/9                up    down
    ge-0/0/10               up    down
    ge-0/0/11               up    down
    ge-0/0/13               up    down
    ge-0/0/14               up    down
    ge-0/0/15               up    down
    ge-5/0/0                up    down
    ge-5/0/6                up    down
    ge-5/0/7                up    down
    ge-5/0/8                up    down
    ge-5/0/9                up    down
    ge-5/0/10               up    down
    ge-5/0/11               up    down
    ge-5/0/13               up    down
    ge-5/0/14               up    down
    ge-5/0/15               up    down
    swfab0                  up    down
    swfab1                  up    down
    vlan                    up    down
    
    
    root@SRX1> show configuration | display set | match "fab|cluster" 
    set chassis cluster reth-count 1
    set chassis cluster redundancy-group 0 node 0 priority 100
    set chassis cluster redundancy-group 0 node 1 priority 1
    set chassis cluster redundancy-group 1 node 0 priority 100
    set chassis cluster redundancy-group 1 node 1 priority 1
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 200
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 200
    set chassis cluster redundancy-group 1 interface-monitor ge-5/0/5 weight 200
    set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 200
    set interfaces fab0 fabric-options member-interfaces ge-0/0/2
    set interfaces fab0 fabric-options member-interfaces ge-0/0/3
    set interfaces fab1 fabric-options member-interfaces ge-5/0/2
    set interfaces fab1 fabric-options member-interfaces ge-5/0/3
    
    
    root@SRX1> show chassis cluster information detail 
    node0:
    --------------------------------------------------------------------------
    Redundancy mode:
        Configured mode: active-active
        Operational mode: active-active
    Cluster configuration:
        Heartbeat interval: 1000 ms
        Heartbeat threshold: 3
        Control link recovery: Disabled
        Fabric link down timeout: 66 sec
    Node health information:
        Local node health: Healthy
        Remote node health: Healthy
    
    Redundancy group: 0, Threshold: 255, Monitoring failures: none
        Events:
            Dec  5 12:47:31.582 : hold->secondary, reason: Hold timer expired
            Dec  5 12:47:35.531 : secondary->primary, reason: Better priority (100/1)
    
    Redundancy group: 1, Threshold: 255, Monitoring failures: none
        Events:
            Dec  5 12:47:31.623 : hold->secondary, reason: Hold timer expired
    
            Dec  5 12:47:37.002 : secondary->primary, reason: Remote yield (0/0)
    Control link statistics:                
        Control link 0:                     
            Heartbeat packets sent: 606     
            Heartbeat packets received: 564 
            Heartbeat packet errors: 0      
            Duplicate heartbeat packets received: 0
        Control recovery packet count: 0    
        Sequence number of last heartbeat packet sent: 606
        Sequence number of last heartbeat packet received: 594
    Fabric link statistics:                 
        Child link 0                        
            Probes sent: 794                
            Probes received: 792            
        Child link 1                        
            Probes sent: 789                
            Probes received: 788            
    Switch fabric link statistics:          
        Probe state : DOWN                  
        Probes sent: 0                      
        Probes received: 0                  
        Probe recv errors: 0
        Probe send errors: 0
        Probe recv dropped: 0
        Sequence number of last probe sent: 0
        Sequence number of last probe received: 0
    
    Chassis cluster LED information:
        Current LED color: Green
        Last LED change reason: No failures
    Control port tagging:
        Disabled
    
    Cold Synchronization:
        Status:
            Cold synchronization completed for: N/A
            Cold synchronization failed for: N/A
            Cold synchronization not known for: N/A
            Current Monitoring Weight: 0
      Progress:
            CS Prereq               1 of 1 SPUs completed
               1. if_state sync          1 SPUs completed
               2. fabric link            1 SPUs completed
               3. policy data sync       1 SPUs completed
               4. cp ready               1 SPUs completed
               5. VPN data sync          1 SPUs completed
               6. IPID data sync         1 SPUs completed
               7. All SPU ready          1 SPUs completed
               8. AppID ready            1 SPUs completed
               9. Tunnel Sess ready      1 SPUs completed
            CS RTO sync             1 of 1 SPUs completed
            CS Postreq              1 of 1 SPUs completed
                                            
        Statistics:                         
            Number of cold synchronization completed: 0
            Number of cold synchronization failed: 0
                                            
        Events:                             
            Dec  5 12:49:03.508 : Cold sync for PFE  is RTO sync in process
            Dec  5 12:49:03.576 : Cold sync for PFE  is Completed
    
    Loopback Information:
    
        PIC Name        Loopback        Nexthop     Mbuf
        -------------------------------------------------
                        Success         Success     Success    
    
    Interface monitoring:
        Statistics:
            Monitored interface failure count: 0
    
        Events:
            Dec  5 12:49:06.839 : Interface ge-0/0/4 monitored by rg 1, changed state from Down to Up
            Dec  5 12:49:07.016 : Interface ge-0/0/5 monitored by rg 1, changed state from Down to Up
    
    Fabric monitoring:
        Status:
            Fabric Monitoring: Enabled
            Activation status: Active
            Fabric Status reported by data plane: Up
            JSRPD internal fabric status: Up
                                            
    Fabric link events:                     
            Dec  5 12:49:02.415 : Child ge-5/0/2 of fab1 is up
            Dec  5 12:49:04.402 : Fabric link fab1 is up
            Dec  5 12:49:04.413 : Child ge-5/0/3 of fab1 is up
            Dec  5 12:49:05.203 : Child link-0 of fab1 is up, pfe notification
            Dec  5 12:49:05.267 : Fabric link fab0 is up
            Dec  5 12:49:05.278 : Child ge-0/0/3 of fab0 is up
            Dec  5 12:49:05.572 : Child link-0 of fab0 is up, pfe notification
            Dec  5 12:49:06.578 : Fabric link up, link status timer
            Dec  5 12:49:07.577 : Child link-1 of fab0 is up, pfe notification
            Dec  5 12:49:07.692 : Child link-1 of fab1 is up, pfe notification
    
    Control link status: Up
        Server information:
            Server status : Connected
            Server connected to 130.16.0.1/52245
        Client information:
            Client status : Inactive
            Client connected to None
    Control port tagging:
        Disabled
    
    Control link events:
            Dec  5 12:45:30.155 : Control link fxp1 is down
            Dec  5 12:45:40.609 : Control link fxp1 is down
            Dec  5 12:46:04.491 : Control link fxp1 is up
            Dec  5 12:47:35.535 : Control link fxp1 is up
            Dec  5 12:47:41.507 : Control link fxp1 is up
            Dec  5 12:47:57.520 : Control link fxp1 is up
            Dec  5 12:47:57.581 : Control link fxp1 is up
            Dec  5 12:48:35.337 : Control link fxp1 is up
            Dec  5 12:48:41.302 : Control link fxp1 is up
            Dec  5 12:48:41.464 : Control link fxp1 is up
                                            
    Hardware monitoring:                    
        Status:                             
            Activation status: Enabled      
            Redundancy group 0 failover for hardware faults: Enabled
            Hardware redundancy group 0 errors: 0
            Hardware redundancy group 1 errors: 0
    
    Schedule monitoring:
        Status:
            Activation status: Disabled
            Schedule slip detected: None
            Timer ignored: No
    
        Statistics:
            Total slip detected count: 1
            Longest slip duration: 3(s)
    
        Events:
            Dec  5 12:45:56.819 : Detected schedule slip
            Dec  5 12:46:56.950 : Cleared schedule slip
    
    Configuration Synchronization:
        Status:
            Activation status: Enabled
            Last sync operation: Auto-Sync
            Last sync result: Not needed    
            Last sync mgd messages:         
                                            
        Events:                             
            Dec  5 12:47:36.095 : Auto-Sync: Not needed.
                                            
    Cold Synchronization Progress:          
        CS Prereq               1 of 1 SPUs completed
           1. if_state sync          1 SPUs completed
           2. fabric link            1 SPUs completed
           3. policy data sync       1 SPUs completed
           4. cp ready               1 SPUs completed
           5. VPN data sync          1 SPUs completed
           6. IPID data sync         1 SPUs completed
           7. All SPU ready          1 SPUs completed
           8. AppID ready            1 SPUs completed
           9. Tunnel Sess ready      1 SPUs completed
        CS RTO sync             1 of 1 SPUs completed
        CS Postreq              1 of 1 SPUs completed
    
    node1:                                  
    --------------------------------------------------------------------------
    Redundancy mode:
        Configured mode: active-active
        Operational mode: active-active
    Cluster configuration:
        Heartbeat interval: 1000 ms
        Heartbeat threshold: 3
        Control link recovery: Disabled
        Fabric link down timeout: 66 sec
    Node health information:
        Local node health: Healthy
        Remote node health: Healthy
    
    Redundancy group: 0, Threshold: 255, Monitoring failures: none
        Events:
            Dec  5 12:43:54.036 : hold->secondary, reason: Hold timer expired
    
    Redundancy group: 1, Threshold: 255, Monitoring failures: none
        Events:
            Dec  5 12:43:55.246 : hold->secondary, reason: Hold timer expired
    Control link statistics:
        Control link 0:
            Heartbeat packets sent: 595     
            Heartbeat packets received: 573 
            Heartbeat packet errors: 0      
            Duplicate heartbeat packets received: 0
        Control recovery packet count: 0    
        Sequence number of last heartbeat packet sent: 595
        Sequence number of last heartbeat packet received: 607
    Fabric link statistics:                 
        Child link 0                        
            Probes sent: 795                
            Probes received: 794            
        Child link 1                        
            Probes sent: 793                
            Probes received: 789            
    
    Switch fabric link statistics:          
        Probe state : DOWN                  
        Probes sent: 0                      
        Probes received: 0                  
        Probe recv errors: 0                
        Probe send errors: 0                
        Probe recv dropped: 0               
        Sequence number of last probe sent: 0
        Sequence number of last probe received: 0
    
    Chassis cluster LED information:
        Current LED color: Green
        Last LED change reason: No failures
    Control port tagging:
        Disabled
    
    Cold Synchronization:
        Status:
            Cold synchronization completed for: N/A
            Cold synchronization failed for: N/A
            Cold synchronization not known for: N/A
            Current Monitoring Weight: 0
    
        Progress:
            CS Prereq               1 of 1 SPUs completed
               1. if_state sync          1 SPUs completed
               2. fabric link            1 SPUs completed
               3. policy data sync       1 SPUs completed
               4. cp ready               1 SPUs completed
               5. VPN data sync          1 SPUs completed
               6. IPID data sync         1 SPUs completed
               7. All SPU ready          1 SPUs completed
               8. AppID ready            1 SPUs completed
               9. Tunnel Sess ready      1 SPUs completed
            CS RTO sync             1 of 1 SPUs completed
            CS Postreq              1 of 1 SPUs completed
                                            
        Statistics:                         
            Number of cold synchronization completed: 0
            Number of cold synchronization failed: 0
    
        Events:                             
            Dec  5 12:45:21.592 : Cold sync for PFE  is RTO sync in process
            Dec  5 12:45:23.176 : Cold sync for PFE  is Post-req check in process
            Dec  5 12:45:25.173 : Cold sync for PFE  is Completed
                                            
    Loopback Information:
    
        PIC Name        Loopback        Nexthop     Mbuf
        -------------------------------------------------
                        Success         Success     Success    
    
    Interface monitoring:
        Statistics:
            Monitored interface failure count: 0
    
        Events:
            Dec  5 12:45:25.361 : Interface ge-0/0/4 monitored by rg 1, changed state from Down to Up
            Dec  5 12:45:25.531 : Interface ge-0/0/5 monitored by rg 1, changed state from Down to Up
    
    Fabric monitoring:
        Status:
            Fabric Monitoring: Enabled
            Activation status: Active
            Fabric Status reported by data plane: Up
            JSRPD internal fabric status: Up
                                            
    Fabric link events:                     
            Dec  5 12:45:20.932 : Child ge-5/0/2 of fab1 is up
            Dec  5 12:45:22.920 : Fabric link fab1 is up
            Dec  5 12:45:22.924 : Fabric link fab1 is up
            Dec  5 12:45:22.929 : Child ge-5/0/3 of fab1 is up
            Dec  5 12:45:23.707 : Child link-0 of fab1 is up, pfe notification
            Dec  5 12:45:23.793 : Fabric link fab0 is up
            Dec  5 12:45:23.797 : Fabric link fab0 is up
            Dec  5 12:45:23.801 : Child ge-0/0/3 of fab0 is up
            Dec  5 12:45:24.710 : Fabric link up, link status timer
            Dec  5 12:45:26.207 : Child link-1 of fab1 is up, pfe notification
            Dec  5 12:45:24.710 : Fabric link up, link status timer
            Dec  5 12:45:26.207 : Child link-1 of fab1 is up, pfe notification
                                            
    Control link status: Up
        Server information:                 
            Server status : Inactive        
            Server connected to None        
        Client information:                 
            Client status : Connected       
            Client connected to 129.16.0.1/62845
    Control port tagging:
        Disabled
    
    Control link events:
            Dec  5 12:41:51.953 : Control link fxp1 is down
            Dec  5 12:42:01.142 : Control link fxp1 is down
            Dec  5 12:42:24.600 : Control link fxp1 is up
            Dec  5 12:44:00.131 : Control link fxp1 is up
            Dec  5 12:44:10.167 : Control link fxp1 is up
    
    Hardware monitoring:
        Status:
            Activation status: Enabled
            Redundancy group 0 failover for hardware faults: Enabled
            Hardware redundancy group 0 errors: 0
            Hardware redundancy group 1 errors: 0
    
    Schedule monitoring:
        Status:
            Activation status: Disabled
            Schedule slip detected: None
            Timer ignored: No               
                                            
        Statistics:                         
            Total slip detected count: 2    
            Longest slip duration: 7(s)     
                                            
        Events:                             
            Dec  5 12:42:16.242 : Detected schedule slip
            Dec  5 12:43:16.420 : Cleared schedule slip
            Dec  5 12:45:42.538 : Detected schedule slip
            Dec  5 12:46:42.717 : Cleared schedule slip
    Configuration Synchronization:
        Status:                             
            Activation status: Enabled      
            Last sync operation: Auto-Sync  
            Last sync result: Succeeded
    
        Events:
            Dec  5 12:44:23.885 : Auto-Sync: In progress. Attempt: 1
            Dec  5 12:45:35.952 : Auto-Sync: Clearing mgd. Attempt: 1
            Dec  5 12:45:42.530 : Auto-Sync: Succeeded. Attempt: 1
    
    Cold Synchronization Progress:
        CS Prereq               1 of 1 SPUs completed
           1. if_state sync          1 SPUs completed
           2. fabric link            1 SPUs completed
           3. policy data sync       1 SPUs completed
           4. cp ready               1 SPUs completed
           5. VPN data sync          1 SPUs completed
           6. IPID data sync         1 SPUs completed
           7. All SPU ready          1 SPUs completed
           8. AppID ready            1 SPUs completed
           9. Tunnel Sess ready      1 SPUs completed
        CS RTO sync             1 of 1 SPUs completed
        CS Postreq              1 of 1 SPUs completed

    0 0

    Thanks!

    I just added the firewall and still node 1 (primary) is up for me (node 0 was faulty, which is replaced)... Cluster status is also fine.

    So the commit on node1 (the primary now) will replicate to node 0 with the updated config?

    Because

    > request routing-engine login node 0

    is not allowing me to enter node0 (which came up now) with node1 credentials.

    Cluster status is showing fine.

    Thanks & Regards,

    SS


    0 0

    Yes, if the cluster is UP with "show chassis cluster status" showing priority as "Non-Zero", config should be in sync between node1 and node0.


    0 0

    Thanks Rahul!

    My issue is that "request routing-engine login node 0" to connect to node 0 is not allowing me in;

    I suspect the config is not in sync.

    I am planning to commit on node 1 (primary now). Will this push the existing configuration to node 0?

    Or is it done already?

    Attached the cluster status.

    Thanks & Regards,

    SS


    0 0

    It works! Thanks.


    0 0

    Hi all,

    Currently setting up a new pair of SRX 1500s, and running into an issue where the reth16 interface bound to xe-0/0/16 and xe-7/0/16 is not showing as up. Having the exact same issue with the reth17 interface bound to xe-0/0/17 and xe-7/0/17.

    The reth interfaces seem like they're not working at all: can't ping them, can't use them as a gateway, and I also cannot ping anything from the firewall to IPs behind these interfaces.

    My relevant config:

    set chassis cluster redundancy-group 1 interface-monitor xe-0/0/16 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-0/0/17 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-0/0/18 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-0/0/19 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-7/0/16 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-7/0/17 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-7/0/18 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-7/0/19 weight 255
    
    set interfaces xe-0/0/16 gigether-options redundant-parent reth16
    set interfaces xe-0/0/17 gigether-options redundant-parent reth17
    set interfaces xe-0/0/18 gigether-options redundant-parent reth18
    set interfaces xe-0/0/19 gigether-options redundant-parent reth19
    set interfaces xe-7/0/16 gigether-options redundant-parent reth16
    set interfaces xe-7/0/17 gigether-options redundant-parent reth17
    set interfaces xe-7/0/18 gigether-options redundant-parent reth18
    set interfaces xe-7/0/19 gigether-options redundant-parent reth19
    
    set security zones security-zone trust interfaces reth16.0
    set security zones security-zone trust interfaces reth17.0
    set security zones security-zone trust interfaces reth18.0
    set security zones security-zone trust interfaces reth19.0
    
    set interfaces reth16 mtu 9192
    set interfaces reth16 redundant-ether-options redundancy-group 1
    set interfaces reth16 unit 0 family inet address 10.18.18.254/24
    set interfaces reth17 mtu 9192
    set interfaces reth17 redundant-ether-options redundancy-group 1
    set interfaces reth17 unit 0 family inet address 10.18.11.254/24
    set interfaces reth18 redundant-ether-options redundancy-group 1
    set interfaces reth18 unit 0
    set interfaces reth19 redundant-ether-options redundancy-group 1
    set interfaces reth19 unit 0
    > show interfaces terse    
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    up
    ge-0/0/0.0              up    up   aenet    --> reth0.0
    gr-0/0/0                up    up
    ip-0/0/0                up    up
    lt-0/0/0                up    up
    ge-0/0/1                up    up
    ge-0/0/1.0              up    up   aenet    --> reth1.0
    ge-0/0/2                up    up
    ge-0/0/2.0              up    up   aenet    --> fab0.0
    ge-0/0/3                up    down
    ge-0/0/3.0              up    down aenet    --> reth3.0
    ge-0/0/4                up    down
    ge-0/0/4.0              up    down aenet    --> reth4.0
    ge-0/0/5                up    down
    ge-0/0/5.0              up    down aenet    --> reth5.0
    ge-0/0/6                up    down
    ge-0/0/6.0              up    down aenet    --> reth6.0
    ge-0/0/7                up    down
    ge-0/0/7.0              up    down aenet    --> reth7.0
    ge-0/0/8                up    down
    ge-0/0/8.0              up    down aenet    --> reth8.0
    ge-0/0/9                up    down
    ge-0/0/9.0              up    down aenet    --> reth9.0
    ge-0/0/10               up    down
    ge-0/0/10.0             up    down aenet    --> reth10.0
    ge-0/0/11               up    down
    ge-0/0/11.0             up    down aenet    --> reth11.0
    ge-0/0/12               up    down
    ge-0/0/12.0             up    down aenet    --> reth12.0
    ge-0/0/13               up    down
    ge-0/0/13.0             up    down aenet    --> reth13.0
    ge-0/0/14               up    down
    ge-0/0/14.0             up    down aenet    --> reth14.0
    ge-0/0/15               up    down
    ge-0/0/15.0             up    down aenet    --> reth15.0
    xe-0/0/16               up    up
    xe-0/0/16.0             up    up   aenet    --> reth16.0
    xe-0/0/17               up    up
    xe-0/0/17.0             up    up   aenet    --> reth17.0
    xe-0/0/18               up    down
    xe-0/0/18.0             up    down aenet    --> reth18.0
    xe-0/0/19               up    down
    xe-0/0/19.0             up    down aenet    --> reth19.0
    ge-7/0/0                up    up
    ge-7/0/0.0              up    up   aenet    --> reth0.0
    ge-7/0/1                up    up
    ge-7/0/1.0              up    up   aenet    --> reth1.0
    ge-7/0/2                up    up
    ge-7/0/2.0              up    up   aenet    --> fab1.0
    ge-7/0/3                up    down
    ge-7/0/3.0              up    down aenet    --> reth3.0
    ge-7/0/4                up    down
    ge-7/0/4.0              up    down aenet    --> reth4.0
    ge-7/0/5                up    down
    ge-7/0/5.0              up    down aenet    --> reth5.0
    ge-7/0/6                up    down
    ge-7/0/6.0              up    down aenet    --> reth6.0
    ge-7/0/7                up    down
    ge-7/0/7.0              up    down aenet    --> reth7.0
    ge-7/0/8                up    down
    ge-7/0/8.0              up    down aenet    --> reth8.0
    ge-7/0/9                up    down
    ge-7/0/9.0              up    down aenet    --> reth9.0
    ge-7/0/10               up    down
    ge-7/0/10.0             up    down aenet    --> reth10.0
    ge-7/0/11               up    down
    ge-7/0/11.0             up    down aenet    --> reth11.0
    ge-7/0/12               up    down
    ge-7/0/12.0             up    down aenet    --> reth12.0
    ge-7/0/13               up    down
    ge-7/0/13.0             up    down aenet    --> reth13.0
    ge-7/0/14               up    down
    ge-7/0/14.0             up    down aenet    --> reth14.0
    ge-7/0/15               up    down
    ge-7/0/15.0             up    down aenet    --> reth15.0
    xe-7/0/16               up    up
    xe-7/0/16.0             up    up   aenet    --> reth16.0
    xe-7/0/17               up    up
    xe-7/0/17.0             up    up   aenet    --> reth17.0
    xe-7/0/18               up    down
    xe-7/0/18.0             up    down aenet    --> reth18.0
    xe-7/0/19               up    down
    xe-7/0/19.0             up    down aenet    --> reth19.0
    dsc                     up    up
    em0                     up    up
    em0.0                   up    up   inet     129.16.0.1/2    
                                                143.16.0.1/2    
                                       tnp      0x1100001       
    em1                     up    up
    em1.32768               up    up   inet     192.168.1.2/24  
    em2                     up    up
    fab0                    up    up
    fab0.0                  up    up   inet     30.17.0.200/24  
    fab1                    up    up
    fab1.0                  up    up   inet     30.18.0.200/24  
    fxp0                    up    up
    fxp0.0                  up    up   inet     10.18.1.254/24  
                                                192.168.1.1/24  
    gre                     up    up
    ipip                    up    up
    irb                     up    up
    lo0                     up    up
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                                10.0.0.16           --> 0/0
                                                128.0.0.1           --> 0/0
                                                128.0.0.4           --> 0/0
                                                128.0.1.16          --> 0/0
    lsi                     up    up
    mtun                    up    up
    pimd                    up    up
    pime                    up    up
    pp0                     up    up
    ppd0                    up    up
    ppe0                    up    up
    reth0                   up    up
    reth0.0                 up    up   inet     10.18.24.254/23 
    reth1                   up    up        
    reth1.0                 up    up   inet     xxx.xxx.xxx/26
    st0                     up    up
    st0.0                   up    up   inet     10.10.11.1/24   
    swfab0                  up    up
    swfab1                  up    up
    tap                     up    up
    vlan                    up    down
    vtep                    up    up

    show interfaces reth0    
    Physical interface: reth0  , Enabled, Physical link is Up
      Interface index: 128, SNMP ifIndex: 603
      Link-level type: Ethernet, MTU: 9192, Speed: 1Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
      Minimum links needed: 1, Minimum bandwidth needed: 1bps
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x4000
      Current address: 00:10:db:ff:10:00, Hardware address: 00:10:db:ff:10:00
      Last flapped   : 2019-12-04 17:43:57 UTC (21:29:29 ago)
      Input rate     : 37352 bps (22 pps)
      Output rate    : 40992 bps (25 pps)
    
      Logical interface reth0.0 (Index 66) (SNMP ifIndex 604)
        Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
        Statistics        Packets        pps         Bytes          bps
        Bundle:
            Input :        959515         22     127600796        37352
            Output:       1147108         23     644972889        36256
        Adaptive Statistics:
            Adaptive Adjusts:          0
            Adaptive Scans  :          0
            Adaptive Updates:          0
        Security: Zone: trust
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http
        https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip dhcpv6 r2cp webapi-clear-text
        webapi-ssl tcp-encap sdwan-appqoe
        Protocol inet, MTU: 9178
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 10.18.24/23, Local: 10.18.24.254, Broadcast: 10.18.25.255
    
    > show interfaces reth16   
    error: device reth16 not found
    > show route 
    
    inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 21:31:29
                        > to 194.165.164.65 via reth1.0
                          via st0.0
    10.10.11.0/24      *[Direct/0] 21:29:26> via st0.0
    10.10.11.1/32      *[Local/0] 21:29:26
                          Local via st0.0
    10.18.1.0/24       *[Direct/0] 21:34:53> via fxp0.0
    10.18.1.254/32     *[Local/0] 21:34:53
                          Local via fxp0.0
    10.18.24.0/23      *[Direct/0] 21:31:27> via reth0.0
    10.18.24.254/32    *[Local/0] 21:34:53
                          Local via reth0.0
    172.24.0.0/16      *[Static/5] 21:29:26> via st0.0
    192.168.1.0/24     *[Direct/0] 21:34:53> via fxp0.0
    192.168.1.1/32     *[Local/0] 21:34:53
                          Local via fxp0.0
    xxx.xxx.xxx/26  *[Direct/0] 21:31:29> via reth1.0
    xxx.xxx.xxx/32  *[Local/0] 21:34:53
                          Local via reth1.0

    Any idea why it's doing this?


    0 0

    Hello,

    Please add this line into your config:

    set chassis cluster reth-count 20

    - then re-test and report back.

    Reference https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/chassis-edit-reth-count.html

    HTH

    Thx

    Alex
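The underlying point of the fix above: a chassis cluster with reth-count N only creates reth0 through reth(N-1), so any rethN at or above the count is referenced by the configuration but reported as "device not found", exactly as reth16 was. As an added example (not from this thread, nor Juniper's code), here is a small Python checker that parses "display set" style lines for reth references and compares them against reth-count; the "reth-count 16" line in the constructed sample is an assumption, since the original post did not show one, and the fallback of 0 when the statement is absent is likewise an assumption.

```python
import re

# Constructed sample in 'display set' form, built from the lines in the post.
# The reth-count 16 line is an assumption; the post did not show one.
SAMPLE_CONFIG = """\
set chassis cluster reth-count 16
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/16 weight 255
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces xe-0/0/16 gigether-options redundant-parent reth16
set interfaces xe-7/0/16 gigether-options redundant-parent reth16
set interfaces xe-0/0/17 gigether-options redundant-parent reth17
set interfaces reth0 unit 0 family inet address 10.18.24.254/23
set interfaces reth16 redundant-ether-options redundancy-group 1
set interfaces reth16 unit 0 family inet address 10.18.18.254/24
set security zones security-zone trust interfaces reth17.0
set security zones security-zone trust interfaces reth19.0
"""

RE_RETH_COUNT = re.compile(r"^set chassis cluster reth-count (\d+)$")
RE_RETH_REF = re.compile(r"\breth(\d+)\b")


def parse_reth_usage(config_text):
    """Return (reth_count, {reth_index: [lines that reference it]}).
    reth_count falls back to 0 when the statement is absent (assumed:
    without reth-count the cluster creates no reth devices at all)."""
    reth_count = 0
    refs = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        m = RE_RETH_COUNT.match(line)
        if m:
            reth_count = int(m.group(1))
            continue
        for idx in RE_RETH_REF.findall(line):
            refs.setdefault(int(idx), []).append(line)
    return reth_count, refs


def find_unallocated_reths(config_text):
    """Sorted reth indices referenced by the config but >= reth-count,
    i.e. the ones 'show interfaces rethN' would report as not found."""
    reth_count, refs = parse_reth_usage(config_text)
    return sorted(i for i in refs if i >= reth_count)


def suggested_reth_count(config_text):
    """Smallest reth-count covering every referenced reth (max index + 1)."""
    _, refs = parse_reth_usage(config_text)
    return max(refs) + 1 if refs else 0


if __name__ == "__main__":
    count, refs = parse_reth_usage(SAMPLE_CONFIG)
    for idx in find_unallocated_reths(SAMPLE_CONFIG):
        print(f"reth{idx} is referenced but reth-count is {count}:")
        for line in refs[idx]:
            print("   ", line)
    print(f"suggested fix: set chassis cluster reth-count {suggested_reth_count(SAMPLE_CONFIG)}")
```

Run it against the output of "show configuration | display set" to catch this mismatch before a commit rather than after the reth shows up as missing.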


    0 0

    Correct..

    I can confirm this as I've just deployed it.

    If one of the users is the user you are using to make this change, you'll obviously have to log out and log back in again for the new changes to take effect.

    Keep a local admin user in the `super-user` group though, just in case.


    0 0

    Thank you! That fixed it.

    Cheers!


    0 0

    Hi, Guys,

    Three infrastructure modes (standalone SRX345, SRX345 HA active-standby, SRX345 HA active-active) are tested (with different Junos versions). Two infrastructures get normal RTT results, except the HA active-standby mode, where the issue is shown below:

    RPM configurations:
    set services rpm probe WTT_Line_Test test HK-ISP_TEST probe-type icmp-ping
    set services rpm probe WTT_Line_Test test HK-ISP_TEST target address 18.25.21.29
    set services rpm probe WTT_Line_Test test HK-ISP_TEST probe-count 2
    set services rpm probe WTT_Line_Test test HK-ISP_TEST probe-interval 5
    set services rpm probe WTT_Line_Test test HK-ISP_TEST test-interval 5
    set services rpm probe WTT_Line_Test test HK-ISP_TEST destination-interface reth1.110
    set services rpm probe WTT_Line_Test test HK-ISP_TEST hardware-timestamp
    set services rpm probe WTT_Line_Test test HK-ISP_TEST next-hop 18.25.21.29

    The traceoption results (normal):

    Dec 6 04:35:17 PING_TEST_COMPLETED: pingCtlOwnerIndex = WTT_Line_Test, pingCtlTestName = HK-ISP_TEST
    Dec 6 04:35:17 RTM_CHANGE gencfg for probe WTT_Line_Test, test HK-ISP_TEST to state PASS
    Dec 6 04:35:17 rmop_calc_jitter: rdiff: 5014077, sdiff: 5009520, jitter: 4557
    Dec 6 04:35:17 rmop_calc_jitter: rdiff: 1003183, sdiff: 1004120, jitter: -937
    Dec 6 04:35:17 rmop_calc_jitter: rdiff: 1002873, sdiff: 1004119, jitter: -1246
    Dec 6 04:35:17 rmop_calc_jitter: rdiff: 1037034, sdiff: 1004116, jitter: 32918
    Dec 6 04:35:17 test_done: sent 2, test 810

    ISSUE:

    root@13FwS345Prd1> show service rpm history-results owner WTT_Line_Test
    Owner, Test                Probe Sent                 Probe received             Round trip time
    WTT_Line_Test, HK-ISP_TEST Fri Dec 6 04:34:57 2019 Fri Dec 6 04:35:02 2019 Request timed out
    WTT_Line_Test, HK-ISP_TEST Fri Dec 6 04:35:02 2019 Fri Dec 6 04:35:07 2019 Request timed out
    WTT_Line_Test, HK-ISP_TEST Fri Dec 6 04:35:07 2019 Fri Dec 6 04:35:12 2019 Request timed out
    WTT_Line_Test, HK-ISP_TEST Fri Dec 6 04:35:12 2019 Fri Dec 6 04:35:17 2019 Request timed out
    WTT_Line_Test, HK-ISP_TEST Fri Dec 6 04:35:17 2019 Fri Dec 6 04:35:22 2019 Request timed out
    WTT_Line_Test, HK-ISP_TEST Fri Dec 6 04:35:22 2019 Fri Dec 6 04:35:27 2019 Request timed out
    WTT_Line_Test, HK-ISP_TEST Fri Dec 6 04:35:27 2019 Fri Dec 6 04:35:32 2019 Request timed out

    Any reason the result of the command "show service rpm history-results" cannot show the RTT results?

    Thanks