SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VRRP on SRX- Both shows Master

    Posted 02-13-2012 11:52

    Hello,

    I am trying to set up VRRP between an SRX-100 and an SRX-240 box, both running Junos 10.0R3.10. When checking the vrrp status, both show as MASTER. Attached is the interface configuration and the vrrp status.

    Thanks in advance for help.

    MSC



    #VRRPSRX
    #10.0R3.10

    Attachment(s)

    txt
    SRX-VRRP.txt   3 KB 1 version


  • 2.  RE: VRRP on SRX- Both shows Master

    Posted 02-13-2012 12:25

    Hi,

     

    If you enable an LO0 filter, please make sure you enable vrrp on it.

    Another idea, I am not sure whether it may cause the problem, but did you allow protocol vrrp under the LAN zone?

    Regards,

    Mohamed Elhariry

    JNCIE-M/T # 1059, CCNP & CCIP





  • 3.  RE: VRRP on SRX- Both shows Master

    Posted 02-13-2012 12:32

    I am running vrrp on two connected interfaces only so enable only of the fe and ge interface. Is it required to enable the vrrp protocol?




  • 4.  RE: VRRP on SRX- Both shows Master

    Posted 02-13-2012 12:57

    If you are applying an LO0 filter, you need to enable the vrrp protocol on that filter also, or the SRX will discard vrrp packets.



  • 5.  RE: VRRP on SRX- Both shows Master

    Posted 02-13-2012 13:03

    Could you please explain what you mean by Loopback0 filter? Below is the security filter I applied on the interface using vrrp. I also notice that VRRP advertisements are being sent but not received (see below).


    set security zones security-zone my-filter host-inbound-traffic system-services ping
    set security zones security-zone my-filter host-inbound-traffic system-services telnet
    set security zones security-zone my-filter host-inbound-traffic system-services ssh
    set security zones security-zone my-filter host-inbound-traffic system-services traceroute
    set security zones security-zone my-filter host-inbound-traffic system-services http
    set security zones security-zone my-filter host-inbound-traffic system-services snmp
    set security zones security-zone my-filter host-inbound-traffic system-services ntp
    set security zones security-zone my-filter host-inbound-traffic system-services all
    set security zones security-zone my-filter interfaces fe-0/0/0.0
    set security zones security-zone my-filter interfaces lo0.0
    set security zones security-zone my-filter interfaces fe-0/0/7.0
    set security zones security-zone my-filter interfaces fe-0/0/2.0
    set security zones security-zone my-filter interfaces fe-0/0/5.200
    set security zones security-zone my-filter interfaces fe-0/0/6.0
    set security zones security-zone my-filter interfaces fe-0/0/1.0
    set security policies default-policy permit-all

     

     

     

    ops@JSRX-100-E10# run show vrrp interface fe-0/0/1
    Interface: fe-0/0/1.0, Interface index :69, Groups: 1, Active :1
    Interface VRRP PDU statistics
    Advertisement sent :71817
    Advertisement received :0
    Packets received :0
    No group match received :0
    Interface VRRP PDU error statistics
    Invalid IPAH next type received :0
    Invalid VRRP TTL value received :0
    Invalid VRRP version received :0
    Invalid VRRP PDU type received :0
    Invalid VRRP authentication type received:0
    Invalid VRRP IP count received :0
    Invalid VRRP checksum received :0

    Physical interface: fe-0/0/1, Unit: 0, Address: 20.20.1.2/24
    Index: 69, SNMP ifIndex: 504, VRRP-Traps: enabled
    Interface state: up, Group: 1, State: master, VRRP Mode: Active
    Priority: 50, Advertisement interval: 1, Authentication type: none
    Delay threshold: 100, Computed send rate: 0
    Preempt: yes, Preempt hold time: 150
    Accept-data mode: yes, VIP count: 1, VIP: 20.20.1.99
    Advertisement Timer: 0.565s, Master router: 20.20.1.2
    Virtual router uptime: 05:31:47, Master router uptime: 02:07:03
    Virtual Mac: 00:00:5e:00:01:01
    Tracking: disabled
    Group VRRP PDU statistics
    Advertisement sent :71817
    Advertisement received :0
    Group VRRP PDU error statistics
    Bad authentication Type received :0
    Bad password received :0
    Bad MD5 digest received :0
    Bad advertisement timer received :0
    Bad VIP count received :0
    Bad VIPADDR received :0
    Group state transition statistics
    Idle to master transitions :0
    Idle to backup transitions :6
    Backup to master transitions :6
    Master to backup transitions :0

    [edit interfaces fe-0/0/1]



  • 6.  RE: VRRP on SRX- Both shows Master
    Best Answer

    Posted 02-13-2012 19:38
    Hi,

    Traffic sent but not received means vrrp traffic is blocked. That's why each box considers itself master.

    To enable vrrp on the zone you could try this command:

    set security zones security-zone my-filter host-inbound-traffic protocols vrrp

    Regarding the lo0 filter: what I meant by LO0 filter is a firewall filter applied in the input direction on LO0 to protect the routing-engine itself. If you are using this kind of firewall filter, copy show from it.

    Regards


  • 7.  RE: VRRP on SRX- Both shows Master

    Posted 02-14-2012 02:45

    Hi, you need to enable the VRRP protocol in the zone where the interfaces are configured.

    set security zones security-zone ZONENAME host-inbound-traffic protocols vrrp

    Regards

    -John



  • 8.  RE: VRRP on SRX- Both shows Master

    Posted 02-15-2012 06:48

    Thanks Elhariry and John.  The issue is resolved after updating the filter.
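
The symptom and fix discussed in this thread, as an added example that is not part of the original posts: the Python sketch below flags a VRRP interface that is master, sends advertisements and receives none, while its security zone lacks `host-inbound-traffic protocols vrrp` (or `protocols all`). The sample inputs are constructed from lines quoted in the thread, the function names are hypothetical, and only zone-level `host-inbound-traffic` statements are considered.

```python
import re

# Constructed samples, trimmed from the configuration and CLI output quoted in the thread.
SAMPLE_CONFIG = """\
set security zones security-zone my-filter host-inbound-traffic system-services ssh
set security zones security-zone my-filter host-inbound-traffic system-services all
set security zones security-zone my-filter interfaces lo0.0
set security zones security-zone my-filter interfaces fe-0/0/1.0
"""
SAMPLE_VRRP = """\
Interface: fe-0/0/1.0, Interface index :69, Groups: 1, Active :1
Advertisement sent :71817
Advertisement received :0
Interface state: up, Group: 1, State: master, VRRP Mode: Active
"""
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) (.+)$")

def parse_zones(config):
    """Map zone name -> {'interfaces': set, 'vrrp': bool} (zone-level statements only)."""
    zones = {}
    for line in config.splitlines():
        m = ZONE_RE.match(line.strip())
        if not m:
            continue
        entry = zones.setdefault(m.group(1), {"interfaces": set(), "vrrp": False})
        words = m.group(2).split()
        if words[0] == "interfaces" and len(words) >= 2:
            entry["interfaces"].add(words[1])
        # 'system-services all' does not cover VRRP; it lives under 'protocols'.
        elif words[:2] == ["host-inbound-traffic", "protocols"] and words[2:3] in (["vrrp"], ["all"]):
            entry["vrrp"] = True
    return zones

def diagnose(config, vrrp_output):
    """Return (interface, zone) pairs where a silent master sits in a zone without VRRP."""
    iface = re.search(r"^Interface: (\S+),", vrrp_output, re.M)
    sent = re.search(r"Advertisement sent\s*:\s*(\d+)", vrrp_output)
    recv = re.search(r"Advertisement received\s*:\s*(\d+)", vrrp_output)
    state = re.search(r"\bState: (\w+)", vrrp_output)
    if not (iface and sent and recv and state):
        return []
    if state.group(1) != "master" or int(sent.group(1)) == 0 or int(recv.group(1)) != 0:
        return []
    return [(iface.group(1), zone) for zone, e in sorted(parse_zones(config).items())
            if iface.group(1) in e["interfaces"] and not e["vrrp"]]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_VRRP))
```

Run against the thread's configuration, the check reports `fe-0/0/1.0` in zone `my-filter`; once the `protocols vrrp` statement is present it reports nothing.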