
WAN to pfSense through Juniper SRX240H


Hello there!

I have a simple question for expert administrators, but for me it's very hard.

We have this net scheme - simple view:

We have changed ISP, and the new ISP gave us two external IP addresses:

217.22.xxx.162/30 with gateway 217.22.xxx.162

62.213.yyy.86/30 with gateway 62.213.yyy.85

 

I configured the Juniper as in the previous configuration, but the configuration of the ports for WAN to pfSense was missing.

This is the port config:

This is the static routing config:

I tried different configs for ports, NAT, etc. on the Juniper, but WAN on the pfSense still isn't working.

Which parameters on the Juniper must I set up for it to work?

I can ping ISP GW 2 from the Juniper, but I can't ping it from pfSense over WAN - this is logical :)

LAN works perfectly both for user stations and pfSense.

But we need an external IP on pfSense for OpenVPN.

 

Tell me, please, at least in what direction to look.

Thank you.

 


Re: WAN to pfSense through Juniper SRX240H


Hello,


 wrote:

We have changed ISP, and the new ISP gave us two external IP addresses:

217.22.xxx.162/30 with gateway 217.22.xxx.162

62.213.yyy.86/30 with gateway 62.213.yyy.85


Are these two /30 subnets:

1/ on the same port and same VLAN (tagged/untagged) ?

2/ on different ports and different VLANs (tagged/untagged) ?

3/ on same port but different VLANs (tagged) ?

If your use case is (2) or (3), then you can configure a VPLS instance on the SRX and pass the 62.213.yyy.86 IP straight through the SRX to pfSense.

If your use case is (1), then the simplest way would be to address your pfSense with a private IP and statically NAT that IP to 62.213.yyy.86.

HTH

Thx

Alex

 

Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other


Hi All,

 

I have an SRX240H2 connected directly to the internet. I have an interface configured for a couple of addresses. I want to be able to reach the internet from this device, from a particular subnet, so I configured that subnet for primary preferred on the interface:

 

ge-7/0/0 {
    unit 0 {
        family inet {
            no-redirects;
            sampling {
                input;
                output;
            }
            address 1.1.1.1/30;
            address 2.2.2.2/29 {
                primary;
                preferred;
            }
            address 2.2.2.3/29;
            address 2.2.2.4/29;
        }
    }
}

When I try to ping 8.8.8.8, I am unable to receive a response:

PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

However, when I ping it from the address configured as primary and preferred it works:

ping 8.8.8.8 source 2.2.2.2
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=61 time=2.272 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=61 time=1.912 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.912/2.092/2.272/0.180 ms

It looks like my "Primary" configuration on the device is not working properly. Am I missing something?

 

Thanks,

 

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other


If you don't specify a source, then it will be sourced with the IP on the interface outbound to the Internet. Which interface is that?

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other


The interface is the one I provided: ge-7/0/0. 

 

I had expected the primary configuration to kick in and if there is no source specified, then traffic destined to the internet will be using that primary IP address. 

 

It appears that is not happening.

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other


It should work as you say.

Can you check what address is being used when you don't specify the source argument?

One way to check is to run ping to 8.8.8.8 in one console window and in another run

show security flow session destination-prefix 8.8.8.8/32

Regards, Wojtek

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other


Hi Wojtek,

 

It appears to be using the 1.1.1.1/30 IP, not my primary address.

 

Thomas

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other


Session ID: 40431, Policy name: self-traffic-policy/1, State: Active, Timeout: 56, Valid
In: 1.1.1.1/4 --> 8.8.8.8/11024;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/11024 --> 1.1.1.1/4;icmp, If: ge-7/0/0.0, Pkts: 0, Bytes: 0


SRX210 with VDSL2-A MPIM Vectoring firmware update


Hi Support

 

I have an SRX210 with a VDSL2-A MPIM installed. The current firmware of the MPIM is 2.10, which doesn't support VDSL vectoring. Would it be possible to supply a download link for firmware that contains the 2.16 firmware update?

 

Regards David.

Srx mikrotik ospf


Hello

 

Need help with debugging an OSPF connection between an SRX and a Mikrotik. There is an IPsec tunnel and a GRE tunnel over IPsec; ping is working both ways, but OSPF is stuck in Init state. Is it an MTU issue or something else?

 

*** ospf.log ***
Jun 14 08:48:44.287741 OSPF Interface event job created at restart phase 0.
Jun 14 08:48:44.288705 IFL st0.0 iflchange 0x0
Jun 14 08:48:44.288736 IFL lo0.0 iflchange 0x0
Jun 14 08:48:44.288757 IFL gr-0/0/0.0 iflchange 0x0
Jun 14 08:48:44.288778 IFL xe-2/2/0.0 iflchange 0x0
Jun 14 08:48:44.288797 IFL ge-2/1/0.0 iflchange 0x0
Jun 14 08:48:44.288816 IFL fxp0.0 iflchange 0x0
Jun 14 08:48:44.288836 IFL ge-2/0/0.0 iflchange 0x0
Jun 14 08:48:44.288857 IFL avs1.0 iflchange 0x0
Jun 14 08:48:44.288880 IFL lo0.16385 iflchange 0x0
Jun 14 08:48:44.288899 IFL lo0.16384 iflchange 0x0
Jun 14 08:48:44.288921 IFL em1.0 iflchange 0x0
Jun 14 08:48:44.288946 IFL em0.0 iflchange 0x0
Jun 14 08:48:44.289134 IFL fxp0.0 addr (10.200.200.1) ifachange 0x0
Jun 14 08:48:44.289236 IFL ge-2/0/0.0 addr (195.80.112.66) ifachange 0x0
Jun 14 08:48:44.289294 IFL ge-2/1/0.0 addr (192.168.3.253) ifachange 0x0
Jun 14 08:48:44.289340 IFL xe-2/2/0.0 addr (195.90.100.10) ifachange 0x0
Jun 14 08:48:44.289379 IFL gr-0/0/0.0 addr (zero-len) ifachange 0x0
Jun 14 08:48:44.289426 IFL gr-0/0/0.0 addr (192.168.1.1) ifachange 0x0
Jun 14 08:48:44.289470 IFL lo0.0 addr (10.255.7.97) ifachange 0x0
Jun 14 08:48:44.289512 IFL st0.0 addr (zero-len) ifachange 0x0
Jun 14 08:48:44.289620 Interface gr-0/0/0.0 area 1.1.1.1 event NeighborChange
Jun 14 08:48:44.289632 OSPF Interface event job processed 1 events.
Jun 14 08:48:44.289638 OSPF Interface event job deleted.
Jun 14 08:48:44.289951 ppmd_ospf_intf_auth_key_select : interface gr-0/0/0.0
Jun 14 08:48:44.290026  OSPF authentication key with key-id 1 active (gen_time : 0, now : 1528966124)
Jun 14 08:48:44.290071 OSPF updated PPM interface IFL 73, addr 0.0.0.0, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0
Jun 14 08:48:44.290162 OSPF couldn't find PPM interface IFL 73, addr 192.168.1.1, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0 for deletion
Jun 14 08:48:44.290551 OSPF neighbor 192.168.88.1 (IFL 73, area 1.1.1.1, rtbl idx 0) set, 40 0
Jun 14 08:48:44.290593 OSPF programmed periodic xmit from (null) to 224.0.0.5 (IFL 73, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0) interval 10       0
Jun 14 08:48:44.290649 OSPF cannot stop xmit from 192.168.1.1 to 224.0.0.5 (IFL 73, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0)
Jun 14 08:48:44.290681 OSPF programmed periodic xmit from (null) to 224.0.0.5 (IFL 73, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0) interval 10       0
Jun 14 08:48:44.533677 IFL gr-0/0/0.0 addr (192.168.1.1) ifachange 0x104
Jun 14 08:48:44.533694 Delete interface gr-0/0/0.0 area 1.1.1.1
Jun 14 08:48:44.535281 OSPF couldn't find PPM interface IFL 73, addr 192.168.1.1, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0 for deletion
Jun 14 08:48:44.536647 OSPF cannot stop xmit from 192.168.1.1 to 224.0.0.5 (IFL 73, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0)
Jun 14 08:48:44.537388 IFL gr-0/0/0.0 iflchange 0x1000
Jun 14 08:48:44.537404 Interface gr-0/0/0.0 (zero-len) area 1.1.1.1: mtu changed 1350 -> 9168
Jun 14 08:48:44.537495 OSPF Interface event job created at restart phase 0.
Jun 14 08:48:44.537552 IFL gr-0/0/0.0 iflchange 0x8000
Jun 14 08:48:44.537586 Interface gr-0/0/0.0 area 1.1.1.1 event Down
Jun 14 08:48:44.537720 Interface gr-0/0/0.0 area 1.1.1.1 event Up
Jun 14 08:48:44.537848 OSPF Interface event job processed 2 events.
Jun 14 08:48:44.537857 OSPF Interface event job deleted.
Jun 14 08:48:44.539990 OSPF neighbor 192.168.88.1 (IFL 73, area 1.1.1.1, rtbl idx 0) deleted
Jun 14 08:48:44.541403 IFL gr-0/0/0.0 addr (192.168.1.1) ifachange 0x2
Jun 14 08:48:44.541435 Interface gr-0/0/0.0 (192.168.1.1) area 1.1.1.1: speed changed 0 -> 800000000
Jun 14 08:48:44.541447 OSPF Interface event job created at restart phase 0.
Jun 14 08:48:44.541466 Add interface gr-0/0/0.0 area 1.1.1.1
Jun 14 08:48:44.543517 OSPF programmed periodic xmit from (null) to 224.0.0.5 (IFL 73, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0) interval 10       0
Jun 14 08:48:44.543550 OSPF couldn't find PPM interface IFL 73, addr 192.168.1.1, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0 for deletion
Jun 14 08:48:44.543588 OSPF cannot stop xmit from 192.168.1.1 to 224.0.0.5 (IFL 73, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0)
Jun 14 08:48:44.543618 Interface gr-0/0/0.0 area 1.1.1.1 event Up
Jun 14 08:48:44.543694 Interface gr-0/0/0.0 area 1.1.1.1 event Up
Jun 14 08:48:44.543703 OSPF Interface event job processed 2 events.
Jun 14 08:48:44.543709 OSPF Interface event job deleted.
Jun 14 08:48:44.544693 OSPF cannot stop xmit from 192.168.1.1 to 224.0.0.5 (IFL 73, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0)
Jun 14 08:48:51.971605 OSPF neighbor 192.168.88.1 (IFL 73, area 1.1.1.1, rtbl idx 0) set, 40 0
Jun 14 08:48:51.971756 OSPF programmed periodic xmit from (null) to 224.0.0.5 (IFL 73, area 1.1.1.1, ID 0.0.0.0, rtbl idx 0) interval 10       0


run show ospf neighbor
Address          Interface              State     ID               Pri  Dead
192.168.1.2      gr-0/0/0.0             Init      192.168.88.1       1    38


run show ospf statistics
Packet type             Total                  Last 5 seconds
                   Sent      Received        Sent      Received
   Hello           1032           525           1             0
     DbD              0             0           0             0
   LSReq              0             0           0             0
LSUpdate              0             0           0             0
   LSAck              0             0           0             0

DBDs retransmitted     :                    0, last 5 seconds :          0
LSAs flooded           :                    0, last 5 seconds :          0
LSAs flooded high-prio :                    0, last 5 seconds :          0
LSAs retransmitted     :                    0, last 5 seconds :          0
LSAs transmitted to nbr:                    0, last 5 seconds :          0
LSAs requested         :                    0, last 5 seconds :          0
LSAs acknowledged      :                    0, last 5 seconds :          0

Flood queue depth      :               0
Total rexmit entries   :               0
db summaries           :               0
lsreq entries          :               0

Receive errors:
  None



run show ospf interface
Interface           State   Area            DR ID           BDR ID          Nbrs
gr-0/0/0.0          PtToPt  1.1.1.1         0.0.0.0         0.0.0.0            1


Re: Srx mikrotik ospf


Setting ignore mtu mismatch for OSPF is generally a good idea when doing interop.  It is almost always needed.

 

The trace also seems to indicate you don't have a router id set under routing options.

 


Re: Srx mikrotik ospf


Where should I add the command to ignore MTU mismatch? Also, the router ID is specified under routing-options.

 

I'll add the config of both devices (lab environment, and both routers are directly connected).

 

SRX:

version 15.1X49-D120.3;
system {
    host-name SRX1;
    root-authentication {
        encrypted-password "..."; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http;
        }
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "juniper"; ## SECRET-DATA
        }
        gateway gw-vpn {
            ike-policy ike-phase1-policy;
            address 195.90.100.12;
            no-nat-traversal;
            local-identity inet 195.90.100.10;
            remote-identity inet 195.90.100.12;
            external-interface xe-2/2/0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn {
            bind-interface st0.0;
            ike {
                gateway gw-vpn;
                proxy-identity {
                    local 10.255.7.97/32;
                    remote 10.255.7.98/32;
                    service any;
                }
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone Sise {
            interfaces {
                ge-2/1/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Uplink {
            interfaces {
                xe-2/2/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
                lo0.0;
                gr-0/0/0.0;
            }
        }
    }
}
interfaces {
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 10.255.7.97;
                destination 10.255.7.98;
            }
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-2/1/0 {
        description Sisev6rk;
        unit 0 {
            family inet {
                address 192.168.3.253/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.3.1;
                        priority 200;
                        preempt;
                        accept-data;
                    }
                }
            }
        }
    }
    xe-2/2/0 {
        unit 0 {
            family inet {
                address 195.90.100.10/29;
            }
        }
    }
    fxp0 {
        description Management;
        unit 0 {
            family inet {
                address 10.200.200.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.7.97/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 10.255.7.98/32 next-hop st0.0;
        route 192.168.88.0/24 next-hop gr-0/0/0.0;
    }
    router-id 192.168.3.1;
}
protocols {
    ospf {
        traceoptions {
            file ospf.log;
            flag error;
            flag database-description;
            flag event;
            inactive: flag hello detail;
        }
        area 1.1.1.1 {
            interface gr-0/0/0.0 {
                authentication {
                    md5 1 key "juniper"; ## SECRET-DATA
                }
            }
        }
    }
}

Mikrotik:

/interface bridge
add fast-forward=no name=Lo0
add fast-forward=no name=sise
/interface ethernet
set [ find default-name=ether2 ] comment=Sise
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment="V\E4lis"
/interface gre
add allow-fast-path=no clamp-tcp-mss=no !keepalive local-address=10.255.7.98 \
    name=gre-tunnel1 remote-address=10.255.7.97
/interface list
add name=Discovery
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc name=proposal1
/routing ospf area
set [ find default=yes ] disabled=yes
/routing ospf instance
set [ find default=yes ] disabled=yes router-id=192.168.88.1
add name=ospf1 router-id=192.168.88.1
/routing ospf area
add area-id=1.1.1.1 instance=ospf1 name=area1
/interface bridge port
add bridge=sise interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=Discovery
/interface list member
add interface=ether2 list=Discovery
/ip address
add address=192.168.88.1/24 interface=sise network=192.168.88.0
add address=195.90.100.12/29 interface=sfp-sfpplus1 network=195.90.100.8
add address=10.255.7.98 interface=Lo0 network=10.255.7.98
add address=192.168.1.2/24 interface=gre-tunnel1 network=192.168.1.0
/ip cloud
set update-time=no
/ip ipsec peer
add address=195.90.100.10/32 dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-128 lifetime=30m nat-traversal=no secret=juniper
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.255.7.97/32 proposal=proposal1 sa-dst-address=\
    195.90.100.10 sa-src-address=195.90.100.12 src-address=10.255.7.98/32 \
    tunnel=yes
/ip route
add distance=1 dst-address=10.255.7.97/32 gateway=Lo0
add distance=1 dst-address=192.168.3.0/24 gateway=gre-tunnel1
/routing ospf interface
add authentication=md5 authentication-key=juniper interface=gre-tunnel1 \
    network-type=broadcast
/routing ospf network
add area=area1 network=192.168.1.0/24
/system logging
add topics=debug
/system routerboard settings
set silent-boot=no

 

Re: Srx mikrotik ospf


 wrote:

Setting ignore mtu mismatch for OSPF is generally a good idea when doing interop.


No, setting ignore MTU mismatch is not a good idea. There is a reason OSPF refuses to bring up an adjacency by default if there is an MTU mismatch. If you mask this by ignoring the mismatch, you could end up in a situation where DBDs can not be successfully exchanged if they are too big. This is a difficult problem to troubleshoot as the adjacency will appear to be functional, but your LSDBs will be inconsistent.

 

The correct solution is to make the MTUs at both ends of the tunnel match. This can be set manually on the SRX side; you'll have to check the Mikrotik documentation to see if this can be done on the other end.

Re: Srx mikrotik ospf


Hi,

The OSPF network type is not matching at both ends. On the SRX side it is point-to-point and on the Mikrotik side it is broadcast. Change it to point-to-point on the Mikrotik side. Remove authentication for troubleshooting purposes and add it later once the neighborship is up. Share the results if OSPF is not coming up.

run show ospf interface
Interface           State   Area            DR ID           BDR ID          Nbrs
gr-0/0/0.0          PtToPt  1.1.1.1         0.0.0.0         0.0.0.0            1
/routing ospf interface
add authentication=md5 authentication-key=juniper interface=gre-tunnel1 \
    network-type=broadcast
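Added example, not from the thread or from either vendor: a small Python checker that takes the three outputs pasted in this thread (Junos `show ospf interface`, `show ospf neighbor`, and the MikroTik `/routing ospf interface` export) and reports the parameters the two replies above say must agree before the adjacency can leave Init: the network type, and the MTU when both values are known. The sample outputs are the ones from this thread; the MTU values passed by the caller are placeholders, since the MikroTik tunnel MTU is never stated here, and the assumed RouterOS default network type is marked in a comment.

```python
"""OSPF interop sanity check for an SRX <-> MikroTik GRE-over-IPsec link.

Added example (not the thread's or the vendors' code). Parses the outputs the
posters pasted and lists the mismatches that keep an OSPF adjacency in Init.
"""

# Constructed samples: the outputs pasted in this thread, verbatim.
SRX_OSPF_INTERFACE = """\
Interface           State   Area            DR ID           BDR ID          Nbrs
gr-0/0/0.0          PtToPt  1.1.1.1         0.0.0.0         0.0.0.0            1
"""
SRX_OSPF_NEIGHBOR = """\
Address          Interface              State     ID               Pri  Dead
192.168.1.2      gr-0/0/0.0             Init      192.168.88.1       1    38
"""
MIKROTIK_OSPF_INTERFACE = """\
/routing ospf interface
add authentication=md5 authentication-key=juniper interface=gre-tunnel1 \\
    network-type=broadcast
"""

# Junos shows the interface's OSPF role; the role implies the network type.
JUNOS_STATE_TO_TYPE = {
    "PtToPt": "point-to-point",
    "DR": "broadcast",
    "BDR": "broadcast",
    "DRother": "broadcast",
}


def parse_junos_table(text, columns):
    """Parse a whitespace-aligned Junos table; `columns` names the data fields."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) >= len(columns):
            rows.append(dict(zip(columns, fields)))
    return rows


def parse_mikrotik_section(text, section):
    """Return the key=value settings of each `add` line under one RouterOS
    export section, joining lines that end with a backslash continuation."""
    entries, buf, in_section = [], "", False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("/"):
            in_section = line.strip() == section
            continue
        if not in_section:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        tokens = (buf + line).split()
        buf = ""
        if tokens and tokens[0] == "add":
            entries.append(dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok))
    return entries


def check_ospf_interop(srx_iface_text, srx_nbr_text, mt_text, srx_iface, mt_iface,
                       srx_mtu=None, mt_mtu=None):
    """Return a list of findings (dicts keyed by 'kind') for one SRX/MikroTik link."""
    findings = []
    srx_ifaces = {r["interface"]: r for r in parse_junos_table(
        srx_iface_text, ["interface", "state", "area", "dr", "bdr", "nbrs"])}
    srx_nbrs = parse_junos_table(
        srx_nbr_text, ["address", "interface", "state", "id", "pri", "dead"])
    mt_ifaces = {e.get("interface"): e
                 for e in parse_mikrotik_section(mt_text, "/routing ospf interface")}

    # 1. Adjacency state. Init means we receive the peer's hellos but our router
    #    ID is not listed in them, i.e. the peer is rejecting our hellos.
    for n in srx_nbrs:
        if n["interface"] == srx_iface and n["state"] != "Full":
            findings.append({"kind": "adjacency", "neighbor": n["id"], "state": n["state"]})

    # 2. Network type must be identical on both ends.
    srx_type = JUNOS_STATE_TO_TYPE.get(srx_ifaces.get(srx_iface, {}).get("state"))
    # Assumption: RouterOS uses "broadcast" when network-type is not set.
    mt_type = mt_ifaces.get(mt_iface, {}).get("network-type", "broadcast")
    if srx_type and srx_type != mt_type:
        findings.append({"kind": "network-type", "srx": srx_type, "mikrotik": mt_type})

    # 3. MTU must match; ignoring the mismatch hides it rather than fixing it.
    if srx_mtu is not None and mt_mtu is not None and srx_mtu != mt_mtu:
        findings.append({"kind": "mtu", "srx": srx_mtu, "mikrotik": mt_mtu})
    return findings


if __name__ == "__main__":
    for finding in check_ospf_interop(SRX_OSPF_INTERFACE, SRX_OSPF_NEIGHBOR,
                                      MIKROTIK_OSPF_INTERFACE, "gr-0/0/0.0", "gre-tunnel1"):
        print(finding)
```

Run against the thread's outputs it reports the Init adjacency with neighbour 192.168.88.1 and the point-to-point versus broadcast mismatch; the MTU finding only appears once both tunnel MTUs are supplied, which is the piece of information the thread never pins down for the MikroTik side.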

 


Re: Srx mikrotik ospf

Currently I can't test it, but before I made this thread I did test broadcast and ptp, same result, but I changed only the Mikrotik side. Maybe I should change the SRX side to broadcast? Tried to set the GRE tunnel MTU to 1300 at both sides, no difference.

SRX 1400 commit error


Hello, I'm having the following problem when I try to commit changes after configuring any kind of NAT or while trying to modify any interface.

 

Any help would be greatly appreciated 

 

 

junos error.PNG

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other


self-traffic-policy/1,

It seems this doesn't have a policy for untrust.
Is this interface bound to any security zone, and does it have a policy?

Because the flow session shows that your traffic is going out from .local..0 instead of from ge-7/0/0.0

 

Can you please share your secondary (2.2.2.2 ) flow for 8.8.8.8 ? 

 

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other


I can confirm that the interface ge-7/0/0 is in a security zone, and there are policies in place for the zone. 

 

See the session flow:

 

 

Session ID: 11790, Policy name: self-traffic-policy/1, State: Active, Timeout: 2, Valid
  In: 2.2.2.2/16 --> 8.8.8.8/12633;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/12633 --> 2.2.2.2/16;icmp, If: ge-7/0/0.0, Pkts: 1, Bytes: 84
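Added example, not from the thread: a small Python parser for the `show security flow session` output pasted above and in the earlier post (session 40431), which is the check Wojtek suggested for finding out which address the SRX sources its own traffic from. It extracts the source address, the ingress and egress interfaces and whether any replies came back, then compares the source against the address the caller expects to be primary. The two sessions are the ones pasted in this thread; the egress interface name and expected primary address are supplied by the caller.

```python
"""Which source address did the SRX pick for self-generated traffic?

Added example (not the thread's or Juniper's code). Parses the text of
`show security flow session destination-prefix 8.8.8.8/32` and audits the
source selection against the address expected to be primary/preferred.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two sessions posted in this thread, concatenated.
SAMPLE_SESSIONS = """\
Session ID: 40431, Policy name: self-traffic-policy/1, State: Active, Timeout: 56, Valid
In: 1.1.1.1/4 --> 8.8.8.8/11024;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/11024 --> 1.1.1.1/4;icmp, If: ge-7/0/0.0, Pkts: 0, Bytes: 0

Session ID: 11790, Policy name: self-traffic-policy/1, State: Active, Timeout: 2, Valid
  In: 2.2.2.2/16 --> 8.8.8.8/12633;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/12633 --> 2.2.2.2/16;icmp, If: ge-7/0/0.0, Pkts: 1, Bytes: 84
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), State: (\w+)")
# One "wing" of a session: direction, src/port, dst/port, protocol, interface, counters.
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Session:
    session_id: int
    policy: str
    src: str          # source address of the initiating (In) wing
    dst: str
    proto: str
    in_if: str        # .local..0 for traffic the SRX generated itself
    out_if: str       # interface the packets left on
    out_pkts: int     # packets sent on the In wing
    reply_pkts: int   # packets seen on the Out wing, i.e. replies that came back


def parse_sessions(text):
    """Build Session objects from the CLI output; a session is complete once
    both its In and Out wings have been seen."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"session_id": int(m.group(1)), "policy": m.group(2)}
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            if m.group(1) == "In":
                current.update(src=m.group(2), dst=m.group(4), proto=m.group(6),
                               in_if=m.group(7), out_pkts=int(m.group(8)))
            else:
                current.update(out_if=m.group(7), reply_pkts=int(m.group(8)))
                sessions.append(Session(**current))
                current = None
    return sessions


def audit_source_selection(sessions, egress_if, primary_addr):
    """For every session leaving `egress_if`, report whether the SRX sourced it
    from `primary_addr` and whether the far end ever answered."""
    findings = []
    for s in sessions:
        if s.out_if != egress_if:
            continue
        findings.append({
            "session_id": s.session_id,
            "src": s.src,
            "self_generated": s.in_if == ".local..0",
            "uses_primary": s.src == primary_addr,
            "got_reply": s.reply_pkts > 0,
        })
    return findings


if __name__ == "__main__":
    # Egress interface and expected primary address are the caller's inputs.
    for f in audit_source_selection(parse_sessions(SAMPLE_SESSIONS), "ge-7/0/0.0", "2.2.2.2"):
        print(f)
```

On the thread's two sessions this flags session 40431 as self-generated, sourced from 1.1.1.1 rather than the expected primary 2.2.2.2, with zero reply packets, while session 11790 is sourced from 2.2.2.2 and answered. Both sessions show `.local..0` as the In interface and `ge-7/0/0.0` as the Out interface, which is the normal shape for traffic the SRX originates itself.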

Re: SRX 1400 commit error


As the error message says, the certificate validation is failing and hence it is not allowing you to commit the config. Most often it is related to the date and timestamp mentioned in the "Not-Before" and "Not-After" sections of the certificate.

 

From CLI, please share the outputs of the following command:

> show version

> show system uptime

> show security pki ca-certificate detail

> show security pki local-certificate detail

> show configuration security pki | display set

 

Thanks,

Kinshuk

 
