Channel: All SRX Services Gateway posts

Tunnel between SRX's not passing traffic


Hello everyone!! 

 

I have an SRX210 here in my office, and I just set up a cluster of SRX340s at a client network. I set up a tunnel between them, using a working config example, and the IKE and IPsec security associations come 'UP' and show good, but no traffic will go across the tunnel. I cannot ping either side from either side. I have the host-inbound with ping and traceroute, but still nothing (and no routing across it). I can look at the st interfaces and see that (during ping operations) the outbound packet count is going up, but on my 210 at MY end, no session builds, and no traffic passes. I have been poring over the config all day, and am tired of looking at it. It should just work. Any ideas? Help? Whatever you can see?

 

Here is the config of both sides (in set statements):

My SRX 210:
set interfaces st0 unit 102 description "Tunnel to Client Network"
set security ike policy ike-pol-Client-Network mode main
set security ike policy ike-pol-Client-Network proposal-set standard
set security ike policy ike-pol-Client-Network pre-shared-key secret
set security ike gateway ike-gate-Client-Network ike-policy ike-pol-Client-Network
set security ike gateway ike-gate-Client-Network address 2.2.2.2
set security ike gateway ike-gate-Client-Network external-interface lo0
set security ipsec policy ipsec-pol-Client-Network proposal-set standard
set security ipsec vpn ipsec-vpn-Client-Network bind-interface st0.102
set security ipsec vpn ipsec-vpn-Client-Network ike gateway ike-gate-Client-Network
set security ipsec vpn ipsec-vpn-Client-Network ike ipsec-policy ipsec-pol-Client-Network
set security ipsec vpn ipsec-vpn-Client-Network establish-tunnels immediately
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match source-address My-LAN
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match destination-address any
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match application any
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network then permit
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match source-address any
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match destination-address My-LAN
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match application any
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust then permit
set security zones security-zone Client-Network host-inbound-traffic system-services ping
set security zones security-zone Client-Network host-inbound-traffic system-services traceroute
set security zones security-zone Client-Network interfaces st0.102

set interfaces st0 unit 102 description "Tunnel to Client"
set interfaces st0 unit 102 family inet address 10.1.1.6/30

 

Remote SRX340 Cluster:
set security ike policy ike-pol-My-Network mode main
set security ike policy ike-pol-My-Network proposal-set standard
set security ike policy ike-pol-My-Network pre-shared-key ascii-text secret
set security ike gateway ike-gate-My-Network ike-policy ike-pol-My-Network
set security ike gateway ike-gate-My-Network address 1.1.1.1
set security ike gateway ike-gate-My-Network external-interface reth0
set security ipsec policy ipsec-pol-My-Network proposal-set standard
set security ipsec vpn ipsec-vpn-My-Network bind-interface st0.10
set security ipsec vpn ipsec-vpn-My-Network ike gateway ike-gate-My-Network
set security ipsec vpn ipsec-vpn-My-Network ike ipsec-policy ipsec-pol-My-Network
set security ipsec vpn ipsec-vpn-My-Network establish-tunnels immediately
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match source-address any
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match destination-address My-LAN
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match application any
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network then permit
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match source-address My-LAN
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match destination-address any
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match application any
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust then permit
set security zones security-zone My-Network host-inbound-traffic system-services ping
set security zones security-zone My-Network host-inbound-traffic system-services traceroute
set security zones security-zone My-Network interfaces st0.10
set interfaces st0 unit 10 description "Tunnel to My Network"

set interfaces st0 unit 10 family inet address 10.1.1.5/30

 

The 210 is:

Model: srx210he2
JUNOS Software Release [12.1X46-D40.2]

 

The 340 cluster:

node0:
--------------------------------------------------------------------------
Hostname: MDF-SRX340-0
Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

node1:
--------------------------------------------------------------------------
Hostname: MDF-SRX340-1
Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

 

Any help would be greatly appreciated!

Thank you!

Sean Garland

Garland Tech, Inc.


Re: Tunnel between SRX's not passing traffic


Well it's fixed.  Added one line to the config, which may or may not have done anything.  Added the following to the ike gateway information, which wasn't necessary on any other connection:

set security ike gateway ike-gate-Client-Network local-address 1.1.1.1 (the actual address of MY side)

 

Not sure if it's because I'm using a loopback routed interface with a different actual directly connected subnet, or what. But it's up now.

 

Very strange issue that would be interesting to recreate in the lab to check on.

Thanks!
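The fix in this thread is easy to miss by eye, so here is an added lint (not part of the original posts, and not a Juniper tool) that parses set statements and flags the pitfalls that leave an SA up but pass no traffic: a loopback external-interface without local-address, a bind-interface with no address, a bind-interface outside any zone, and an undefined IKE gateway. The sample config is constructed from the SRX210 side posted above; the names and checks beyond that are my own.

```python
import re

# Constructed from the SRX210 side posted in the thread (IKE/IPsec policy
# lines omitted; they do not affect the checks below).
SAMPLE_SRX210 = """
set interfaces st0 unit 102 description "Tunnel to Client Network"
set interfaces st0 unit 102 family inet address 10.1.1.6/30
set security ike gateway ike-gate-Client-Network address 2.2.2.2
set security ike gateway ike-gate-Client-Network external-interface lo0
set security ipsec vpn ipsec-vpn-Client-Network bind-interface st0.102
set security ipsec vpn ipsec-vpn-Client-Network ike gateway ike-gate-Client-Network
set security zones security-zone Client-Network interfaces st0.102
"""

def lint_tunnel(config: str) -> list:
    """Return findings for route-based IPsec tunnels defined in set statements."""
    gw_ext, gw_local, st0_addr = {}, set(), set()
    vpn_bind, vpn_gw, zone_ifaces = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"set security ike gateway (\S+) external-interface (\S+)", line):
            gw_ext[m[1]] = m[2]
        elif m := re.match(r"set security ike gateway (\S+) local-address \S+", line):
            gw_local.add(m[1])
        elif m := re.match(r"set interfaces st0 unit (\d+) family inet address \S+", line):
            st0_addr.add("st0." + m[1])
        elif m := re.match(r"set security ipsec vpn (\S+) bind-interface (\S+)", line):
            vpn_bind[m[1]] = m[2]
        elif m := re.match(r"set security ipsec vpn (\S+) ike gateway (\S+)", line):
            vpn_gw[m[1]] = m[2]
        elif m := re.match(r"set security zones security-zone \S+ interfaces (\S+)", line):
            zone_ifaces.add(m[1])
    findings = []
    for gw, ext in gw_ext.items():
        # The thread's fix: a loopback external-interface needed an explicit
        # local-address before traffic would flow, even though the SAs were up.
        if ext.startswith("lo0") and gw not in gw_local:
            findings.append(f"{gw}: external-interface {ext} without local-address")
    for vpn, ifc in vpn_bind.items():
        if vpn_gw.get(vpn) not in gw_ext:
            findings.append(f"{vpn}: ike gateway {vpn_gw.get(vpn)} is not defined")
        if ifc not in st0_addr:
            findings.append(f"{vpn}: {ifc} has no family inet address")
        if ifc not in zone_ifaces:
            findings.append(f"{vpn}: {ifc} is not assigned to a security zone")
    return findings
```

Run it against `show configuration | display set` output from both peers; a clean run does not prove the tunnel will pass traffic, but each finding is a known reason why it will not.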


SRX300 firmware upgrade error


Hi SRX users,

 

I just upgraded from junos-15.1X49-D150 to junos-18.2R3. After the upgrade and boot, I get this boot error message:

 

Mounted junos package on /dev/md1...
O
Automatic reboot in progress...
Verified jboot signed by PackageProductionEc_2019 method ECDSA256+SHA256
Verified junos signed by PackageProductionEc_2019 method ECDSA256+SHA256
veriexec: cannot update veriexec for /var/jailetc/php_mod.ini: No such file or directory
veriexec: cannot update veriexec for /var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
Verified junos-18.2R3-S1.7 signed by PackageProductionEc_2019 method ECDSA256+SHA256

And the SRX300 has a lot of configuration issues. Any idea how to fix it?

Re: SRX300 firmware upgrade error


Thereafter I found the error message. I would like to downgrade; here are the error messages during the downgrade.

 

root> ... add no-copy /var/tmp/junos-srxsme-15.1X49-D190.2-domestic.tgz
NOTICE: Validating configuration against junos-srxsme-15.1X49-D190.2-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s1a)...
/dev/da0s1a: 2510.1MB (5140780 sectors) block size 16384, fragment size 2048
        using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
 32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,
 3384608, 3760672, 4136736, 4512800, 4888864
Checking compatibility with configuration
Initializing...
cp: /var/etc/extensions.allow: No such file or directory
cp: /var/db/certs/common/local/*: No such file or directory
cp: /var/db/certs/common/key-pair/*: No such file or directory
veriexec: cannot update veriexec for /var/v/c/junos/var/jailetc/php_mod.ini: No such file or directory
veriexec: cannot update veriexec for /var/v/c/junos/var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /var/v/c/junos/usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /var/v/c/junos/usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /var/v/c/junos/usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /var/v/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Using junos-15.1X49-D190.2-domestic from /altroot/cf/packages/install-tmp/junos-15.1X49-D190.2-domestic
Copying package ...
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
/config/juniper.conf:57:(21) syntax error at 'rfc-compliant'
  [edit system phone-home]
    'rfc-compliant;'
      syntax error
Validation failed
ERROR: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-15.1X49-D190.2-domestic
ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-15.1X49-D190.2-domestic

Any idea how to fix it !? 

Re: SRX300 firmware upgrade error


Hello,

 


 wrote:

Thereafter I found out that the error message,  

/config/juniper.conf:57:(21) syntax error at 'rfc-compliant'

  [edit system phone-home]

    'rfc-compliant;'

      syntax error

Validation failed

ERROR: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-15.1X49-D190.2-domestic

ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-15.1X49-D190.2-domestic

Any idea how to fix it !? 


 

 

edit
delete system phone-home rfc-compliant
commit

 

 

- should fix that particular error but please re-run "request system software add..." command with "validate" option to catch more possible errors like that.

For the historical record, the root cause is that the "rfc-compliant" knob is not supported in the SW release you are trying to load. There could be more knobs like that, hence reading the JUNOS release notes and testing in the lab is highly recommended.

HTH

Thx

Alex
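Alex's advice is to read each validation failure and remove the knob the target release does not know. As an added example (my own code, not from the thread or from Juniper), the helper below parses the "[edit ...]" / quoted-statement pairs that Junos prints on validation failure and produces the matching delete commands, so a "request system software add ... validate" run that reports several knobs can be cleaned up without hand-copying paths. The sample output is constructed from the failure quoted above.

```python
import re

# Constructed from the validation failure quoted in the thread.
SAMPLE_VALIDATION = """\
Validating against /config/juniper.conf.gz
/config/juniper.conf:57:(21) syntax error at 'rfc-compliant'
  [edit system phone-home]
    'rfc-compliant;'
      syntax error
Validation failed
"""

def unsupported_knobs(output: str) -> list:
    """Return (hierarchy, statement) pairs for each syntax-error block.

    Junos prints the hierarchy of the offending statement as '[edit ...]'
    followed by the statement itself in single quotes; each '[edit' line is
    paired with the next quoted line, then the state is reset so the trailing
    'syntax error' line is not mistaken for a statement."""
    pairs, hierarchy = [], None
    for line in output.splitlines():
        text = line.strip()
        if m := re.match(r"\[edit ?(.*)\]$", text):
            hierarchy = m.group(1).strip()
        elif hierarchy is not None and (m := re.match(r"'(.+?);?'$", text)):
            pairs.append((hierarchy, m.group(1)))
            hierarchy = None
    return pairs

def delete_commands(output: str) -> list:
    """Delete statements that clear the reported knobs, in report order."""
    return [" ".join(("delete", hier, stmt)).replace("  ", " ")
            for hier, stmt in unsupported_knobs(output)]
```

Review each generated command before committing it: the knob is unsupported by the release you are loading, so removing it changes behaviour on the current release too.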

 

 

 

 

SRX650 Upgrade Path


Hi, I am trying to upgrade a dual-site SRX650 A/P cluster from 12.1X44-D35.5 to 12.3X48-D85 and would like some advice on the incremental steps required. Any help greatly appreciated.

Re: SRX650 Upgrade Path


You can directly upgrade in this path and there are two basic options.

 

ISSU which generally will have no downtime but does have some caveats and risks as outlined in the procedural kb article.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB20959

 

Or the minimal downtime method that does have a reboot and outage.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17947

 

As with any Junos upgrade be sure to review the new version release notes for the list of known issues prior to the upgrade.

 


Re: SRX650 Upgrade Path


Thanks Steve,

   So just to be clear there is no requirement to incrementally upgrade in steps?

 

 

Re: SRX650 Upgrade Path


Correct, you can jump up to three major Junos versions in one step.

The major version is the first number.

 


Re: SRX650 Upgrade Path


Thanks all,

Looking at the support page for the SRX650 it does show 12.3X48 as the recommended release, but in the Software section it shows Junos 18.1 listed. Should I be updating to 18.1 to remain current?

 

 

Re: SRX650 Upgrade Path


This looks like an error in the documentation. Junos 18.1 is not supported on the SRX650 device. Please go with Junos 12.3X48 which is the only currently supported Junos train on SRX650.


SRX clustering over layer 2 network on CIsco 6500s


We have a pair of SRX4600s, and I can cluster them when directly connected, but they fail when the clustering is over a layer 2 network carried over Cisco 6500 switches. The configuration looks like

 

SRX4600 <-> Cisco6500 <-> Cisco6500 <-> Cisco6500 <-> SRX4600

 

The links for the control and fabric are dedicated layer 2 VLANs (4 total). The Cisco-to-SRX links are access VLANs from the Ciscos. The links between Ciscos are 4x10G (LACP) trunking multiple VLANs. The SRX cluster seems to be partially up: the control link status in 'show chassis cluster interfaces' shows up, but the fabric interfaces are down and only show the interfaces on the same SRX, not the other SRX's interfaces. A 'show chassis fpc' shows the FPCs online on the primary and Empty on the secondary. If I reboot the primary, the secondary detects that and becomes primary and then its FPCs go online, and when the old primary finishes it is secondary and its FPCs show Empty. Something must be getting blocked on the control interfaces, but I can't tell what specifically. On the Ciscos I have disabled CDP and LLDP, and am doing portfast and BPDU filtering. I also disabled spanning tree on the VLANs, and disabled mls verify ip length consistent and mls verify ip checksum. The MTU is 9216 end to end.

 

I seem to be at a dead end, but wanted to check if anyone else has something like this working and sees anything I am missing.


Re: SRX clustering over layer 2 network on CIsco 6500s


Hi,

 

Did you make sure IGMP snooping is disabled on the switches?

 

Please also share:

 

> show chassis cluster status
> show chassis cluster information detail (this is a hidden command)

 

When the Fab interfaces show as down, are the physical interfaces (child interfaces) up?

 

Try this, if you haven't:

 

Set both SRXs to standalone mode and delete their configuration while in standalone mode:

 

# delete
# set system root-authentication plain-text-password
# commit

 

After that, configure them in cluster mode again. Once they are up, copy the configuration from the primary node to the secondary node and reboot the secondary node.

 

 

Re: test config terminal syntax error on }


Yeah, Mac iTerm2 seems to have an option in Edit > Paste Special > Paste Slowly, maybe I'll try that. Weird it worked the other day without doing this. Meanwhile, I can't really tell which } it doesn't like, so I've identified and isolated the code blocks I want to update in a separate window, and will just try to manually change them when I get onsite to the unit I'm testing.

 

I have a shelf spare unit on my test bench where I test code, then go to the production site and try to upload/commit code. When the upload/commit option on the GUI fails, I drop to the terminal to try to make it work. I figured some kind of encoding was causing problems in translation.

 

Is there some online way to test candidate configs to check for errors before pushing to a real box?

Re: SRX clustering over layer 2 network on CIsco 6500s


Could you take a port mirror on the Cisco switches to confirm whether the traffic is crossing your switched network from side to side? This could help you determine whether the packets are actually dropped on the switching side or whether the problem lies with the SRXs.

 


Re: test config terminal syntax error on }


Hello,

 


 wrote:

 

Is there some online way to test candidate configs to check for errors before pushing to a real box?


 

Your options here are:

1/ vSRX on own server, in AWS or Azure cloud - but then interface names & numbers are going to be different, AFAIK 

2/ Juniper vLabs https://jlabs.juniper.net/vlabs/

3/ build own JUNOS simulator 

 

HTH

Thx

Alex
