Run "show chassis cluster status"; if there is a config sync issue you will see a "CF" failure under "Monitor-failures".
So it would appear that changing the MTU essentially deleted and added the interface based on this type of logging you got.
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: iff_handle_ifa_delete: deletion of address on IFL reth8 has resulted in the removal of primary source address
Not a nice surprise at all. I would not have expected that.
This depends on where you change the MTU. For example, if you change it at the physical interface level (set interfaces ge-0/0/4 mtu 1500), all sessions will be cleared, but if it's at the logical interface level (set interfaces ge-0/0/4 unit 0 family inet mtu 1500), existing sessions won't be cleared.
Hi rsuraj,
May I know whether you have a URL as a reference or evidence? One of my customers always wants evidence / documentation.
Thanks and appreciate your help.
Hi rsuraj,
If I have multiple logical interfaces, then I need to change the MTU on the physical interface instead of the logical one, right? Because if I don't change it on the physical interface, changing it on the logical interface has no effect on the MTU, since the physical interface is still not using jumbo frames, right?
Please correct me if I am wrong.
Hi folks,
I have a topology with 2 devices running NAT, shown below.
The PC is double-NATed before going out to the Internet.
After that, the PC cannot access a web server on the Internet. I have tested ping to the web server's IP and to DNS 8.8.8.8, and it works. Then, testing with a packet capture in Wireshark, the result does not show any DNS response from the DNS server (only the DNS query from the PC).
Can anyone explain the reason for the case above?
Regards,
Hoang Nguyen Huy
Hi,
I am trying to test some new security policies and have configured new zones and VRs.... but the Junos SRX seems to handle it differently from the old ScreenOS....
So I created 2 x new VRs labelled as Green-VR and Customer-VR.... I then created 2 x zones labelled as Green-DMZ and Customer-Network.... I then applied interface ge-0/0/2 to the Green side and interface ge-0/0/4 to the Customer side.
Okay, all good so far and committed okay....
So, then I complete the following command:
set interfaces ge-0/0/2 unit 0 family iso
Commit okay
set protocols isis interface ge-0/0/2.0
And I get the following error:
[edit protocols isis]
'interface ge-0/0/2.0'
IS-IS: interface is not in this instance
error: configuration check-out failed
Presumably because ISIS does not know about the new VR and needs to know about it... but how? I can't find any documentation about this...
The SRX config is very simple:
set version 15.1X49-D110.4
set system root-authentication encrypted-password "$5$z0x/bUE1$7a0.XL.aD8Tj4HrTCLYWvinpjKFmI79nFjbCJF8HXj4"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system login user Clive uid 2000
set system login user Clive class super-user
set system login user Clive authentication encrypted-password "$5$Qx1BnOI.$haJ9bhIUBcROyvUpibcE4UkYuYSuB8qTIMufMaaA7q9"
set system login user Jim uid 2003
set system login user Jim class super-user
set system login user Jim authentication encrypted-password "$5$2jd10ZcZ$WH.lj5bRlh7P4qV3tEDJnM2hwkAiT3OAADRi3j5Wqb8"
set system login user Lee uid 2002
set system login user Lee class super-user
set system login user Lee authentication encrypted-password "$5$EGzUTmfP$9ySV5xu4jyoPAno2qfRCjjDsAg1r9hreOFSu7luLXE/"
set system login user Oliver uid 2004
set system login user Oliver class super-user
set system login user Oliver authentication encrypted-password "$5$nHRTwAfF$O.7LJxttsI8Rgb8Qd/n0oEszEKk4CsE3GyLpyVcl5y/"
set system login user Stephen uid 2001
set system login user Stephen class super-user
set system login user Stephen authentication encrypted-password "$5$okr6bMjJ$bRThHm0wAqEB6T.QmSlbv.VRx31GvaNPhlC4K.0tHmD"
set system services ssh
set system services xnm-clear-text
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-complaint
set security log mode stream
set security log report
set security forwarding-options family inet6 mode flow-based
set security forwarding-options family iso mode packet-based
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone trust interfaces xe-0/0/16.0
set security zones security-zone trust interfaces xe-0/0/17.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
set security zones security-zone Customer-Network interfaces ge-0/0/4.0
set interfaces ge-0/0/0 unit 0 family inet dhcp-client update-server
set interfaces ge-0/0/1 unit 0 family inet
set interfaces ge-0/0/2 unit 0 description TO-THW-RADIUS-SERVER
set interfaces ge-0/0/2 unit 0 family inet address 172.16.16.39/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/4 unit 0 family iso
set interfaces xe-0/0/16 unit 0 description Group-ae2
set interfaces xe-0/0/16 unit 0 family inet
set interfaces xe-0/0/17 unit 0 family inet
set interfaces xe-0/0/18 unit 0 description Group-ae2
set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
set interfaces ae2 unit 0 family iso
set interfaces fxp0 unit 0 family inet address 185.89.120.8/24
set interfaces lo0 unit 0 family inet address 195.80.0.3/32
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0003.00
set interfaces lo0 unit 0 family inet6 address 2a05:d840:000e:ffff:ffff:ffff:0000:0001/128
set routing-options static route 172.16.16.0/24 next-hop 172.16.16.39
set protocols isis export export_statics
set protocols isis level 1 authentication-key "$9$sxYJD.mT3/t5QtOIcvM-VwYaZDikPTz"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-key "$9$Yo2ZjmPQn9pTzpBRSMWdbs2JGjHqfQF"
set protocols isis level 2 authentication-type md5
set protocols isis interface ae2.0
set protocols isis interface lo0.0 passive
set policy-options policy-statement export_statics term 1 from protocol static
set policy-options policy-statement export_statics term 1 then accept
set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface ge-0/0/4.0
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
Thanks
Hello,
Please try
set routing-instances Green-VR protocols isis interface ge-0/0/2.0
HTH
Thx
Alex
Hi,
Yes, I kind of thought that. I managed to find that command after hunting and also thank you for posting here.
I have entered the command into the VRs (both as you have suggested). I committed and then completed a :
run show route
To see what the result would be and there is still no route to the required networks (and it is directly connected)..... I know that ping is not currently enabled but there is also a "No route to host" showing..... Very weird
Hello,
It looks like You don't have a NET in this VR and hence no ISIS adjacency.
Please add these lines:
set interfaces lo0.100 family iso address <NET>
set interfaces lo0.100 family inet
set routing-instances Custom-VR interface lo0.100
set routing-instances Custom-VR protocols isis interface lo0.100
As to why You cannot ping to directly-connected IP - please make sure You issue ping command with "routing-instance" option.
HTH
Thx
Alex
Hi,
Has anybody some experience with failover duration?
I have an SRX-550M cluster, connected on the downlink side to a (HPE) L3 switch cluster, in a 'square' architecture:
| |
SRX1--SRX2
| |
SW1--SW2
Each SRX is connected to its SW via 8 aggregated links.
Routing is made with secondary routes : on the SW cluster, one default route to SRX1 and one route with lower priority to SRX2. On the SRX cluster, routes to SW1 and routes with lower priority to SW2.
RG0 and RG1 are configured for uplink interconnection.
I tried 4 configs, combinations of:
- static or dynamic LAGs,
- BFD to supervise routes in order to accelerate secondary routes activation in case of loss of chassis #1 or interfaces on chassis #1.
I run traffic crossing the whole chain, and measure traffic interruption when I perform a manual failover (by CLI), here are the results :
1. without lacp and without bfd : traffic interruption ~ 1s : very good
2. with lacp and without bfd : traffic interruption ~ 18s
3. without lacp and with bfd : traffic interruption ~ 22s
4. with lacp and with bfd : traffic interruption ~ 28s : very bad
Is that 'normal', compared to the SRX, to have such a high duration as soon as I add protocols? Or do you think there is a 'problem somewhere'?
The only clue I found at Juniper is :
(https://www.juniper.net/documentation/en_US/junos/topics/concept/chassis-cluster-redundancy-group-failover-manual-understanding.html)
Caution: Be cautious and judicious in your use of redundancy group 0 manual failovers. A redundancy group 0 failover implies a Routing Engine failover, in which case all processes running on the primary node are killed and then spawned on the new master Routing Engine. This failover could result in loss of state, such as routing state, and degrade performance by introducing system churn.
Thanks for your advice!
Hi all,
Have got a setup whereby a satellite site is connected via an IPSEC VPN, routes are exchanged via BGP, and the satellite site has a local internet breakout (Web/Email/DNS traffic picked up by a firewall filter and sent to a separate routing instance) to save VPN bandwidth.
For the most part, everything is working fine, but I've got a corner case that's failing.
Our public IP space is at the main site, and a device on the satellite has a Static NAT set at the main site on one of the public IPs.
When trying to use this, all traffic is failing if originating from off the network, but sessions from the target device outwards pick up the public IP correctly. Have checked flow traces and it's not a security policy issue on either SRX, it's a routing issue at the satellite site: flow traces are failing with an incorrect route lookup and the interface invalid route counter is increasing.
Clearly I've missed something somewhere but can't work out for the life of me what it is.
Will post up configs and route-tables in a sec once I've cleared out the identifiable info
Config at the satellite is as follows (all sensitive info replaced with letters)
system {
<hidden>
}
syslog {
<hidden>
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
archival {
<hidden>
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
<hidden>
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address X.X.X.Z/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.130.0.2/29;
}
}
}
ge-0/0/7 {
unit 0 {
family inet {
filter {
input fbf;
}
address 10.130.1.1/26;
}
}
}
lo0 {
unit 0 {
family inet {
filter {
input protect-re;
}
address B.B.B.B/32;
}
}
}
st0 {
unit 0 {
family inet {
address A.A.A.B/31;
}
}
}
}
snmp {
<hidden>
}
routing-options {
interface-routes {
rib-group inet fbf-group;
}
static {
route 0.0.0.0/0 next-hop X.X.X.Z;
route 10.130.0.128/26 next-hop 10.130.0.3;
}
aggregate {
route 10.130.0.0/16 policy aggregate-sattelite;
}
rib-groups {
fbf-group {
import-rib [ inet.0 wan-route-table.inet.0 vpn-route-table.inet.0 ];
}
}
router-id A.A.A.B;
autonomous-system xxxxx;
}
protocols {
bgp {
group IBGP {
type internal;
local-address A.A.A.B;
advertise-inactive;
import hub-to-spoke;
export spoke-to-hub;
neighbor A.A.A.A {
description hub;
}
}
}
stp;
}
policy-options {
prefix-list ntp-servers {
<hidden>
}
policy-statement aggregate-sattelite {
from {
protocol direct;
route-filter 10.130.0.0/16 orlonger;
}
then accept;
}
policy-statement sattelite-to-hub {
term local {
from {
protocol aggregate;
route-filter 10.130.0.0/16 exact;
}
then accept;
}
}
policy-statement hub-to-sattelite {
term bgp {
from protocol bgp;
then accept;
}
}
}
security {
ssh-known-hosts {
<hidden>
}
ike {
<hidden>
}
ipsec {
<hidden>
}
address-book {
<hidden>
}
flow {
inactive: traceoptions {
file flow-trace-vpn size 5m files 3;
flag all;
packet-filter f0 {
source-prefix 10.130.1.18/32;
destination-prefix <hidden>/32;
}
packet-filter f1 {
source-prefix <hidden>/32;
destination-prefix 10.130.1.18/32;
}
}
}
screen {
<hidden>
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn {
policy trust-vpn-cfgr {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-trust-cfgr {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone vpn {
policy vpn-trust-cfgr {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy openvpn {
match {
source-address any;
destination-address any;
application openvpn;
}
then {
permit;
}
}
}
from-zone trust to-zone trust {
policy all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/7.0;
ge-0/0/2.0;
lo0.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ike;
}
}
}
}
}
security-zone vpn {
host-inbound-traffic {
system-services {
ping;
ike;
ssh;
}
protocols {
bgp;
}
}
interfaces {
st0.0;
}
}
}
}
firewall {
filter protect-re {
<hidden>
}
filter fbf {
term nat {
from {
destination-address {
10.128.0.0/9 except;
0.0.0.0/0;
}
destination-port [ 80 443 53 25 465 110 995 143 993 ];
}
then {
routing-instance wan-route-table;
}
}
term vpn {
from {
destination-address {
10.128.0.0/9 except;
0.0.0.0/0;
}
}
then {
inactive: syslog;
routing-instance vpn-route-table;
}
}
term default {
then {
inactive: syslog;
accept;
}
}
}
}
access {
address-assignment {
<hidden>
}
}
routing-instances {
vpn-route-table {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop A.A.A.A;
}
}
}
ttfb-route-table {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop X.X.X.Z;
}
}
}
}
applications {
<hidden>
}
Route table/routing instances are as follows
inet.0: 22 destinations, 23 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3w6d 10:53:08
                    > to X.X.X.Z via ge-0/0/0.0
                    [BGP/170] 1w6d 21:03:02, MED 0, localpref 100, from C.C.C.C
                      AS path: 39326 I
                    > to X.X.X.Z via ge-0/0/0.0
10.128.0.0/16      *[BGP/170] 1w6d 21:03:02, localpref 100
                      AS path: I
                    > to A.A.A.A via st0.0
A.A.A.A/31         *[Direct/0] 1w6d 21:03:06
                    > via st0.0
A.A.A.B/32         *[Local/0] 22w2d 05:43:15
                      Local via st0.0
10.129.0.0/16      *[BGP/170] 1w6d 21:03:02, localpref 100
                      AS path: I
                    > to A.A.A.A via st0.0
10.130.0.0/16      *[Aggregate/130] 22w2d 05:43:55
                      Reject
10.130.0.0/29      *[Direct/0] 22w2d 05:43:01
                    > via ge-0/0/2.0
B.B.B.B/32         *[Direct/0] 22w2d 05:43:42
                    > via lo0.0
10.130.0.2/32      *[Local/0] 22w2d 05:43:05
                      Local via ge-0/0/2.0
10.130.0.128/26    *[Static/5] 22w2d 05:43:01
                    > to D.D.D.D via ge-0/0/2.0
10.130.1.0/26      *[Direct/0] 3w6d 12:02:49
                    > via ge-0/0/7.0
10.130.1.1/32      *[Local/0] 22w2d 05:43:05
                      Local via ge-0/0/7.0
C.C.C.C/22         *[BGP/170] 1w6d 21:03:02, localpref 100
                      AS path: I
                    > to A.A.A.A via st0.0
X.X.X.X/24         *[Direct/0] 3w6d 10:53:08
                    > via ge-0/0/0.0
X.X.X.Y/32         *[Local/0] 22w2d 05:43:06
                      Local via ge-0/0/0.0

vpn-route-table.inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1w6d 21:03:06
                    > to A.A.A.A via st0.0
A.A.A.A/31         *[Direct/0] 1w6d 21:03:06
                    > via st0.0
A.A.A.B/32         *[Local/0] 1w6d 21:03:06
                      Local via st0.0
10.130.0.0/29      *[Direct/0] 22w2d 05:43:01
                    > via ge-0/0/2.0
10.130.0.1/32      *[Direct/0] 22w2d 05:43:42
                    > via lo0.0
10.130.0.2/32      *[Local/0] 22w2d 05:43:01
                      Local via ge-0/0/2.0
10.130.1.0/26      *[Direct/0] 3w6d 12:02:49
                    > via ge-0/0/7.0
10.130.1.1/32      *[Local/0] 3w6d 12:02:49
                      Local via ge-0/0/7.0
X.X.X.X/24         *[Direct/0] 3w6d 10:53:08
                    > via ge-0/0/0.0
X.X.X.Y/32         *[Local/0] 3w6d 10:53:08
                      Local via ge-0/0/0.0

wan-route-table.inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3w6d 10:53:08
                    > to X.X.X.Z via ge-0/0/0.0
A.A.A.A/31         *[Direct/0] 1w6d 21:03:06
                    > via st0.0
A.A.A.B/32         *[Local/0] 1w6d 21:03:06
                      Local via st0.0
10.130.0.0/29      *[Direct/0] 22w2d 05:43:01
                    > via ge-0/0/2.0
10.130.0.1/32      *[Direct/0] 22w2d 05:43:42
                    > via lo0.0
10.130.0.2/32      *[Local/0] 22w2d 05:43:01
                      Local via ge-0/0/2.0
10.130.1.0/26      *[Direct/0] 3w6d 12:02:49
                    > via ge-0/0/7.0
10.130.1.1/32      *[Local/0] 3w6d 12:02:49
                      Local via ge-0/0/7.0
X.X.X.X/24         *[Direct/0] 3w6d 10:53:08
                    > via ge-0/0/0.0
X.X.X.Y/32         *[Local/0] 3w6d 10:53:08
                      Local via ge-0/0/0.0
And the appropriate flow trace is here (the IP doing the WAN side testing has been replaced with N.N.N.N)
Dec 1 14:21:58 14:21:57.613943:CID-0:RT:flow_ipv4_rt_lkup_reroute: Route Lookup for dest route. Src_ip 10.130.1.18 Dst_ip N.N.N.N protocal 1
Dec 1 14:21:58 14:21:57.613943:CID-0:RT:flow_rt_lkup in VR-id: 0
Dec 1 14:21:58 14:21:57.613943:CID-0:RT:flow_rt_lkup: Found route entry 0x49212080,nh id 0x561, out if 0x49
Dec 1 14:21:58 14:21:57.613943:CID-0:RT:flow_rt_lkup: nh word 0xe0010
Dec 1 14:21:58 14:21:57.613943:CID-0:RT:flow_ipv4_rt_lkup success 88.97.28.171, iifl 0x0, oifl 0x49
Dec 1 14:21:58 14:21:57.613943:CID-0:RT: route lookup failed: dest-ip N.N.N.N orig ifp st0.0 output_ifp ge-0/0/0.0 fto 0x45754ca8 orig-zone 8 out-zone 7 vsd 0
Hi,
Thanks for the response. Yes, I entered all of that configuration.... I did not ping from the routing-instance.... that is probably the issue then.... I will do that.... thank you.
Why would I use lo0.100? Is this so I can separate the same physical interface across multiple VRs... i.e. lo0.100 to Custom-vr1, lo0.200 Custom-vr2, lo0.300 trust-vr and so on?
Hello,
adgwytc wrote:
Why would I use lo0.100? Is this so I can separate the same physical interface across multiple VRs... i.e. lo0.100 to Custom-vr1, lo0.200 Custom-vr2, lo0.300 trust-vr and so on?
The best practice is to have lo0.0 in global table and lo0.X (where X>0) in custom routing instances, one unique lo0.X per instance.
Apart from providing a stable interface to have Your router-id advertised from, they usually have CoPP filters assigned which can vary by instance (i.e. if You don't have DHCP server/client enabled in routing-instance, then no point allowing DHCP into Your control plane via that instance, etc)
Also, the lo0.0 or lo0.X is the best place to have ISO NET assigned.
You can have NET assigned to ge-0/0/2.0 if You have only 1 logical subinterface in Your custom VR.
HTH
Thx
Alex
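An added example, not from any participant in this thread: a small pre-commit check for the two problems discussed above, the "IS-IS: interface is not in this instance" error and the missing NET inside the VR. The function names, the `master` label for the default instance, the sample configurations and the NET on lo0 unit 100 are all constructed for illustration; the check assumes unit-style `set` syntax and treats a NET as usable only when it sits on an IS-IS interface of the same instance.

```python
from collections import defaultdict

MAIN = "master"  # label used here for the default routing instance

# Constructed "set"-format samples modelled on the thread. The NET on
# lo0 unit 100 is a made-up value for illustration.
SAMPLE_BROKEN = """\
set interfaces ge-0/0/2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0003.00
set routing-instances Green-VR instance-type virtual-router
set routing-instances Green-VR interface ge-0/0/2.0
set protocols isis interface ge-0/0/2.0
set protocols isis interface lo0.0 passive
"""
SAMPLE_FIXED = """\
set interfaces ge-0/0/2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0003.00
set interfaces lo0 unit 100 family iso address 49.0001.1950.0080.0100.00
set routing-instances Green-VR instance-type virtual-router
set routing-instances Green-VR interface ge-0/0/2.0
set routing-instances Green-VR interface lo0.100
set routing-instances Green-VR protocols isis interface ge-0/0/2.0
set routing-instances Green-VR protocols isis interface lo0.100
set protocols isis interface lo0.0 passive
"""

def parse(config):
    """Return (owner, isis, net) extracted from set-format configuration."""
    owner = {}                # IFL -> routing instance that owns it
    isis = defaultdict(set)   # instance -> IFLs listed under protocols isis
    net = set()               # IFLs carrying a family iso address (the NET)
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["set", "routing-instances"] and len(w) >= 5:
            if w[3] == "interface":
                owner[w[4]] = w[2]
            elif w[3:6] == ["protocols", "isis", "interface"] and len(w) >= 7:
                isis[w[2]].add(w[6])
        elif w[:4] == ["set", "protocols", "isis", "interface"] and len(w) >= 5:
            isis[MAIN].add(w[4])
        elif (w[:2] == ["set", "interfaces"] and len(w) >= 9
              and w[3] == "unit" and w[5:8] == ["family", "iso", "address"]):
            net.add(f"{w[2]}.{w[4]}")
    return owner, isis, net

def lint(config):
    """List IS-IS instance-membership and NET problems, one string each."""
    owner, isis, net = parse(config)
    findings = []
    for inst in sorted(isis):
        members = set()
        for ifl in sorted(isis[inst]):
            actual = owner.get(ifl, MAIN)  # unassigned IFLs live in the main instance
            if actual == inst:
                members.add(ifl)
            else:
                findings.append(
                    f"{inst}: {ifl} is not in this instance (it is in {actual})")
        if not members & net:
            findings.append(f"{inst}: no IS-IS interface here carries an ISO NET")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, lint(cfg) or "clean")
```
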
Is there a way to improve the detection of a link failure? If I manually disconnect a fiber, I see the link LED stay up for a second (after the disconnection) and then go down.
Thanks