Channel: All SRX Services Gateway posts

can we have router on a stick concept in juniper SRX 340 firewall


Hello ,

 

I have got a new requirement from my manager saying that I have to allow two VLANs from the same interface pointing to the firewall. How should I proceed further in this type of situation? I should allow VLAN 50 and VLAN 53 in the firewall. Can I use the router-on-a-stick concept like in Cisco ASA? (Attachments: Network Design, Landshut PCN network)


Re: can we have router on a stick concept in juniper SRX 340 firewall


Hello,

 

Yes, you can. Sample configuration of the SRX interface that connects to the switch is as below:

 

set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 50 vlan-id 50
set interfaces ge-0/0/0 unit 50 family inet address 1.1.1.1/24   <--- ge-0/0/0.50 can be the default gateway (or static-route next hop) for VLAN 50
set interfaces ge-0/0/0 unit 53 vlan-id 53
set interfaces ge-0/0/0 unit 53 family inet address 2.2.2.1/24   <--- ge-0/0/0.53 can be the default gateway (or static-route next hop) for VLAN 53

 

You will need to assign security zones to both of these interfaces and, if the zones are different, have security policies configured between them.

 

Regards,

 

Rushi
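The reply above stops at "assign zones and write policies". The following is an added example (not from the thread) of what that looks like end to end on an SRX: the two VLAN sub-interfaces, one zone each, the host-inbound services the gateway addresses need, and a single explicit inter-VLAN policy so that everything else between the VLANs stays denied by the default policy. The zone names, address-book names and 10.50.0.0/24 and 10.53.0.0/24 ranges are assumptions; use whatever your design calls for. The switch port facing ge-0/0/0 must be a trunk carrying VLANs 50 and 53.

```junos
## Added example; names and addresses are placeholders, not from the original post.
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 50 vlan-id 50
set interfaces ge-0/0/0 unit 50 family inet address 10.50.0.1/24
set interfaces ge-0/0/0 unit 53 vlan-id 53
set interfaces ge-0/0/0 unit 53 family inet address 10.53.0.1/24

## A logical interface with no zone forwards nothing: put each sub-interface in its own zone.
set security zones security-zone vlan50 interfaces ge-0/0/0.50
set security zones security-zone vlan53 interfaces ge-0/0/0.53

## host-inbound-traffic is closed by default; open only what the gateway itself must answer.
set security zones security-zone vlan50 host-inbound-traffic system-services ping
set security zones security-zone vlan53 host-inbound-traffic system-services ping

## Address book entries for the two subnets.
set security address-book global address vlan50-net 10.50.0.0/24
set security address-book global address vlan53-net 10.53.0.0/24

## Inter-VLAN policy: permit only VLAN 50 -> VLAN 53 HTTPS and log it.
## With no vlan53 -> vlan50 policy, the implicit default-deny blocks that direction.
set security policies from-zone vlan50 to-zone vlan53 policy v50-to-v53-https match source-address vlan50-net
set security policies from-zone vlan50 to-zone vlan53 policy v50-to-v53-https match destination-address vlan53-net
set security policies from-zone vlan50 to-zone vlan53 policy v50-to-v53-https match application junos-https
set security policies from-zone vlan50 to-zone vlan53 policy v50-to-v53-https then permit
set security policies from-zone vlan50 to-zone vlan53 policy v50-to-v53-https then log session-init
```

After commit, `show interfaces ge-0/0/0 terse` should list both units up, `show security zones` should show each unit in its zone, and `show security policies` should show only the one permit. If you also need the VLANs to reach the internet, add separate from-zone vlan50/vlan53 to-zone untrust policies rather than loosening the inter-VLAN one.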

GRE Tunnel, MTU problem


Hello,

 

I have the following setup:

 

My network at Location A (Juniper SRX5800) advertises IP Pool #1, after which the downlink traffic for IP Pool #1 is routed to my Location B (Mikrotik) via a GRE tunnel between the Juniper and the Mikrotik. But the network uplink traffic from Location B flows via a separate ISP directly connected to the Mikrotik router and not via Location A (Juniper). So this is an example of asymmetric routing.

 

Now the problem is,

 

When I try to visit some websites, they do not open. But if I manually change the MTU from the default 1500 to 1460 on a Windows PC connected to the Mikrotik router at Location B, the websites open up just fine.

 

Please help me find where I am going wrong. Thanks a lot!

Re: GRE Tunnel, MTU problem


Hello,

 

When you access websites from Location B, is it supposed to go directly to the ISP at Location B while the reply first comes to Location A and then over GRE to Location B?

 

 

Or is it that HTTP traffic to and from various sites goes out and comes in directly at Location B without any involvement of Location A?

 

In your setup, lower-MTU frames might be getting passed as-is while an MTU of 1500 might be causing packet drops or fragmentation.

 

Regards,

 

Rushi

 

Re: GRE Tunnel, MTU problem


When you access websites from Location B, is it supposed to go directly to the ISP at Location B while the reply first comes to Location A and then over GRE to Location B?

 

Yes, this is my case.

Re: GRE Tunnel, MTU problem


Hello,

 

OK. In that case the MTU-related explanation may be a good explanation of why smaller packets are allowed while larger ones are fragmented/dropped.

 

Note: even GRE encapsulation causes an overhead of a few bytes, increasing the size of the packet.

 

Regards,

 

Rushi

Re: GRE Tunnel, MTU problem


So what do you think? How can I solve this situation? I have tried increasing the MTU size to 1524, df-bit removal, and path-mtu-discovery. Nothing worked!

Re: GRE Tunnel, MTU problem


Hello,

 

If your setup tends to drop/fragment packets when the MTU is 1500 (due to encapsulation overhead, etc.), you will have to reduce the packet size so that packets can travel end to end without getting fragmented or dropped.

 

I do not see this as an issue unless a device is incorrectly dropping the traffic or fragmenting it, which can be found out using packet captures on the devices in the path.

 

Regards,

 

Rushi


Re: GRE Tunnel, MTU problem

                  Please view in a fixed-width font such as Courier.







            +---------------------------------+    +-------------------+   +----------+
            |                                 |    |                   |   |          |
            |      Juniper Location A SRX5800 +----|Location B Mikrotik|---|INTERNET  |
            |                                 |    |                   |   |          |
            +---------------------------------+    +---------+---------+   +----------+
                                                             |
                                                             |
                                              +--------------+-----------------+
                                              |  MTU from default 1500 to 1460 |
                                              |                                |
                                              +--------------------------------+

Please let me know if the connectivity is correct. If so, we may need to check the MTU in the segment between A and B.


Re: GRE Tunnel, MTU problem


To get around this problem, you may find it helpful to implement Baby Jumbo Frames, which allow for the encapsulation.

 

I have found that using BJF, browsing the internet is smoother, faster and less frenetic. This does involve making sure all devices have their MTUs set appropriately. If the connection from the Mikrotik to the internet is PPPoE, that is more framing. Don't forget to set the MSS on the SRX (1350).

 

Re: GRE Tunnel, MTU problem


How is BJF set on the SRX5800 for GRE?

Re: GRE Tunnel, MTU problem


I have enabled jumbo frames, i.e. set the MTU to 9192.

 

Still no effect.

Re: GRE Tunnel, MTU problem


anush3070 wrote:

I have enabled jumbo frames, i.e. set the MTU to 9192.

 

Still no effect.


I have -

 

workstations --> switch --> SRX300 --> modem(PPPoE) --> FTTC cabinet --> Internet

 

I have to adjust MTU differently on all these different types of device as more encapsulation occurs at each stage, and each type of device has different capabilities as far as maximum MTU is concerned.

 

Critically, I had to discover whether my fibre cabinet (and its exchange connection) had been upgraded to accept BJF (yes, it had, to full jumbo frames), then I had to check the maximum MTU the modem could handle, then the maximum that PPPoE would pass through, and so on back to the switch and workstation.

 

So the MTU increases as packets pass from the workstation to the internet, matching the increase in packet size. Simply adjusting the size on one device in isolation is not sufficient.

 

I use 

admin@MartyMcFly# set security flow tcp-mss all-tcp mss 1350

 

as a starting point.

 

When you have it right you know, because web pages "snap" rather than dawdle. But it all depends on the specific equipment, how the internet provider has configured your connection, and the ability of the modem to work with different frame sizes. So it would be misleading for me to give you my sizes, because they are not universally applicable. If one device is a bottleneck, all the devices connecting to it have to be adjusted.

 

A lot of people have blogged about this.

 

Ensure the MTU settings in the router and PC (if you ever changed them) are 1500.

Ping with:

ping -f -l nnnn bbc.co.uk

Find the largest nnnn for which it doesn't need fragmentation.

Then add 28 to get the MTU.

Vigor 130 is RFC 4638 compliant (Baby Jumbo Frames): MTU = 1508

BT uses (VLAN) tag 101

Therefore, the PC Ethernet interface is set to 1500

My result: 1464 + 28 = 1492 (workstation IPv4 Ethernet MTU is 1500). Where are the missing 8 bytes? PPPoE encapsulation.

Assume the MTU is 1508, then 1464 + 8 + 28 = 1504 (?? 4 bytes for the VLAN tag ??)

Calculation:

MTU = PPPoEWrapper + MSSOverhead + MSS

1508 = 4 + 40 + 1464
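The arithmetic in the last few posts (the "+28" after `ping -f -l`, the PPPoE bytes, the 1350 MSS suggested earlier in the thread) is easy to get wrong by a few bytes, and a few bytes is exactly the difference between a page that loads and one that hangs. The script below is an added example, not code from the thread; it walks the encapsulation stack from the underlay MTU down to the TCP MSS using the standard header sizes (IPv4 20, TCP 20, ICMP echo 8, GRE 4 plus 4 each for the optional key and sequence fields, PPPoE 8 for the 6-byte PPPoE header and 2-byte PPP protocol field) and shows what happens to a DF-marked packet at the GRE head-end. The 1500/1460/1464 figures it is run against are the ones from this thread.

```python
"""MTU and MSS arithmetic for the GRE (and optional PPPoE) path in this thread.

Added example, not code from the thread. Header sizes are the standard ones:
IPv4 20, TCP 20, ICMP echo 8, GRE 4 (+4 with key, +4 with sequence number),
PPPoE 8 (6-byte PPPoE header + 2-byte PPP protocol field).
"""

IPV4_HDR = 20
TCP_HDR = 20
ICMP_ECHO_HDR = 8
GRE_BASE_HDR = 4
GRE_KEY_FIELD = 4
GRE_SEQ_FIELD = 4
PPPOE_HDR = 8


def gre_overhead(key: bool = False, seq: bool = False) -> int:
    """Bytes added when an inner IPv4 packet is wrapped in outer IPv4 + GRE."""
    return (IPV4_HDR + GRE_BASE_HDR
            + (GRE_KEY_FIELD if key else 0)
            + (GRE_SEQ_FIELD if seq else 0))


def tunnel_mtu(link_mtu: int, key: bool = False, seq: bool = False) -> int:
    """Largest inner IP packet that fits in one outer packet on the tunnel's underlay."""
    return link_mtu - gre_overhead(key, seq)


def pppoe_ip_mtu(ethernet_mtu: int) -> int:
    """IP MTU of a PPPoE session; RFC 4638 'baby jumbo' Ethernet 1508 gives back 1500."""
    return ethernet_mtu - PPPOE_HDR


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS to advertise/clamp so a full segment (no TCP options) fits in ip_mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def mtu_from_ping_payload(largest_unfragmented_payload: int) -> int:
    """Windows 'ping -f -l N': N excludes the IP and ICMP headers, hence the '+28' above."""
    return largest_unfragmented_payload + IPV4_HDR + ICMP_ECHO_HDR


def mss_clamp(link_mtu: int = 1500, pppoe: bool = False,
              key: bool = False, seq: bool = False) -> int:
    """Walk the stack (optional PPPoE, then GRE) from the underlay MTU to the MSS to clamp."""
    mtu = link_mtu
    if pppoe:
        mtu = pppoe_ip_mtu(mtu)
    mtu = tunnel_mtu(mtu, key, seq)
    return tcp_mss_for(mtu)


def gre_ingress_fate(inner_len: int, link_mtu: int, df: bool = True,
                     key: bool = False, seq: bool = False) -> str:
    """What the tunnel head-end does with an inner packet of inner_len bytes.

    With DF set (TCP with path-MTU discovery sets it) an oversize packet is dropped and an
    ICMP 'fragmentation needed' goes back to the sender; if that ICMP never arrives
    (asymmetric path, filtered ICMP) the sender keeps retransmitting and the page hangs.
    """
    if inner_len <= tunnel_mtu(link_mtu, key, seq):
        return "forwarded"
    return "dropped, ICMP frag-needed sent" if df else "fragmented"


if __name__ == "__main__":
    # 1500-byte underlay, plain GRE: tunnel MTU 1476, so a 1500-byte DF reply dies at the
    # head-end, while the 1460-byte MTU the poster set on the Windows PC fits with room to spare.
    print("tunnel MTU    :", tunnel_mtu(1500))
    print("MSS clamp     :", mss_clamp(1500))
    print("1500-byte DF  :", gre_ingress_fate(1500, 1500))
    print("1460-byte DF  :", gre_ingress_fate(1460, 1500))
    print("ping -l 1464  :", mtu_from_ping_payload(1464), "byte MTU")
```

Two caveats follow from the numbers. First, on a 1500-byte underlay with plain GRE the exact clamp is 1436; the 1350 suggested earlier in the thread is simply a conservative value that also leaves room for PPPoE and GRE key/sequence fields. Second, and more important for this particular asymmetric design: an MSS clamp only works on a device that sees the client's SYN. Here the SYN from Location B leaves through the Mikrotik's own ISP and never crosses the SRX, and it is the MSS in that SYN which bounds the size of the server's replies that later enter the GRE tunnel at Location A. So `tcp-mss` on the SRX5800 cannot fix the reported symptom; the clamp belongs on the Mikrotik (or the client MTU, which is what the poster's 1460 change achieved).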

 

 

SRX to ASA VPN


Hi

 

Fairly new to SRX and ASA!

 

I have an SRX-to-ASA VPN which seems to work OK until the VPN is logged out on the ASA; the SRX sees it as still established and so won't re-establish it till the below is run:

 

clear security ike security-associations
clear security ipsec security-associations

All works OK if the SRX VPN is logged out; the ASA re-establishes it.

 

It's route-based on the SRX to policy-based on the ASA.

 

Can provide config if required.

Thanks,

Nick


Re: mounting USB issue on SRX240


Not working for me. I'm root and still get operation not permitted. 

Re: SRX to ASA VPN


Hello,

 

The key here is to check whether the Cisco ASA is sending the Delete notification to the SRX when it tears down the tunnel.

This can be checked with crypto debugs and packet captures on the ASA.

 

As a workaround, can you try setting idle-timeout none on the Cisco ASA so that it does not drop the VPN tunnel when there is no traffic for a specific time?

 

This will not stop rekeying; rekeying will continue to happen at the expiry of the lifetime.

 

Regards,

 

Rushi
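The reply above puts the burden on the ASA sending a Delete notification. An SRX-side check that does not depend on the peer being polite is IKE dead peer detection, which sends R-U-THERE probes and tears down the stale IKE and IPsec SAs itself when the peer stops answering, so the tunnel can be renegotiated without the manual `clear` commands. The fragment below is an added example, not from the thread; the gateway name ASA-GW is a placeholder for whatever `show security ike gateway` lists on your box. `always-send` probes on the interval regardless of traffic; `interval` is in seconds and `threshold` is the number of unanswered probes before the peer is declared dead.

```junos
## Added example; ASA-GW is a placeholder gateway name, not from the original post.
set security ike gateway ASA-GW dead-peer-detection always-send
set security ike gateway ASA-GW dead-peer-detection interval 10
set security ike gateway ASA-GW dead-peer-detection threshold 3
```

After the ASA side logs the VPN out, `show security ike security-associations` and `show security ipsec security-associations` should show the SAs disappear within roughly interval x threshold seconds and come back on the next interesting traffic. If they still linger, capture IKE (UDP/500 and UDP/4500) on the SRX's external interface to confirm whether the ASA answers the DPD probes, and whether it ever sent the Delete at all.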


Cannot identify Log message RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive


I am showing hundreds of logs showing the following:

 

RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, source 5.6.7.8 destination 1.2.3.4 ipid 7700

 

The destination address is our public IP but the source is always different, suggesting a possible DDoS attack. Can anyone explain what this log means, including the "ipid"?
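For the "what does this mean" part: the SRX reassembles fragmented IPv4 datagrams before inspecting them, keeping per-datagram state (the FCB) while it waits for the remaining pieces; the message is logged when that state times out before every fragment has arrived. The ipid is the IPv4 Identification field, the value the sender stamps on all fragments of one datagram so the receiver can match them up, which is why it is included in the log. Hundreds of these from many distinct sources to one public address is what a fragment flood looks like, but it is also what you see when an upstream device or the path silently drops part of each fragment train, so the useful triage is to count events and distinct sources per destination rather than eyeball them. The script below is an added example, not from the thread; its log lines are constructed to match the format quoted in the post (the timestamps, hostname and addresses are made up).

```python
"""Triage of RT_FLOW FLOW_REASSEMBLE_FAIL messages.

Added example, not from the thread. SAMPLE_LOG is constructed: the message text follows
the format quoted in the post, while timestamps, hostname and addresses are invented.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, "
    r"source (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"destination (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"ipid (?P<ipid>\d+)"
)

SAMPLE_LOG = """\
Mar  5 10:00:01 srx240 RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, source 5.6.7.8 destination 1.2.3.4 ipid 7700
Mar  5 10:00:01 srx240 RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, source 5.6.7.9 destination 1.2.3.4 ipid 7701
Mar  5 10:00:02 srx240 RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, source 5.6.7.10 destination 1.2.3.4 ipid 7702
Mar  5 10:00:02 srx240 RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, source 5.6.7.11 destination 1.2.3.4 ipid 7703
Mar  5 10:00:03 srx240 RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, source 203.0.113.5 destination 1.2.3.4 ipid 7704
Mar  5 10:00:03 srx240 RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, source 198.51.100.7 destination 1.2.3.9 ipid 42
Mar  5 10:00:04 srx240 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 198.51.100.7/123->1.2.3.4/80 (unrelated line, must be ignored)
"""


def parse_line(line: str):
    """Return {'src', 'dst', 'ipid'} for a FLOW_REASSEMBLE_FAIL line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "ipid": int(m["ipid"])}


def summarize(log_text: str):
    """Per destination: number of timed-out reassemblies and the set of distinct sources."""
    per_dst = defaultdict(lambda: {"events": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_dst[rec["dst"]]["events"] += 1
        per_dst[rec["dst"]]["sources"].add(rec["src"])
    return per_dst


def flag_targets(per_dst, min_events: int = 5, min_sources: int = 4):
    """Destinations hit by many incomplete fragment trains from many different sources.

    One or two sources usually means a broken path (fragments dropped upstream, asymmetric
    routing); many sources to one address is the fragment-flood / spoofed-source pattern.
    """
    return sorted(
        dst for dst, d in per_dst.items()
        if d["events"] >= min_events and len(d["sources"]) >= min_sources
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for dst, d in stats.items():
        print(f"{dst}: {d['events']} events from {len(d['sources'])} sources")
    print("flood-like targets:", flag_targets(stats))
```

Run it against a real `show log messages | match FLOW_REASSEMBLE_FAIL` export and tune the thresholds to your baseline; if one destination is flagged from hundreds of sources that never complete a datagram, the SRX has already done the right thing by discarding the partial state, and the remaining question is upstream rate limiting. If instead the sources are few and the same ones appear in normal session logs, look at the path for something dropping fragments before suspecting an attack.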

 

 

Re: Junos Hidden Commands


Thank you for sharing.

 

A few I know of that might be helpful:

 

request pfe execute command "show sfp list" target fpc0

request pfe execute command "show nvram" target fpc0

request pfe execute command "show syslog messages" target fpc0
