SRX


Issue with packet processing, SRX 3400

  • 1.  Issue with packet processing, SRX 3400

    Posted 04-09-2017 11:25

    Hi guys,

    I would like to ask for help solving what looks, at first sight, like a basic issue.
    My friend got a refurbished SRX 3400. Since that firewall was part of a cluster in the past, we have disabled the clustering and loaded the factory default configuration. After reload, a basic config was added and the current topology is like this:

    |SRX3400| <=== (zone MGMT) ===> |EX3300 as L2 switch| <======> |MX960|

    *SRX config attached.
    *host inbound traffic --- enabled


    Problem:
    Unable to establish any kind of communication between MX960 and SRX (ping, telnet, ssh...). "monitor traffic interface" on the MX960 shows ARP requests from the SRX and ARP replies from the MX. On the SRX, counters on the interface are increasing, but no ARP records are learned, nor does ICMP work. Tried adding a static ARP entry on the interface, but ping still doesn't work. Tried telnet/ssh, but no answer. To me it looks just like the SRX does not process the packets.
    I'm accessing it remotely through a console server.
    It would be great if someone could help me find out why this communication does not work.
    I have been working with the SRX650 in the past, but never with the high-end SRX series.

    Thanks in advance!
    Marko

    Attachment(s): config_srx.txt (txt, 3K, 1 version)


  • 2.  RE: Issue with packet processing, SRX 3400

    Posted 04-09-2017 11:34
    You have a non-existent interface in your mgmt zone.


  • 3.  RE: Issue with packet processing, SRX 3400

    Posted 04-09-2017 14:17

    Hi smicker,

    thanks for your reply.

    What do you mean by "non-existent interface"? There is an ae0.10 interface assigned to the MGMT zone.

    root@SRX3400-DC> show security zones detail

    Security zone: MGMT
      Send reset for non-SYN session TCP packets: Off
      Policy configurable: Yes
      Interfaces bound: 1
      Interfaces:
        ae0.10

    -----------------------------------------------------------------------------

    root@SRX3400-DC> show configuration interfaces ae0
    description EX3300;
    vlan-tagging;
    mtu 9192;
    encapsulation flexible-ethernet-services;
    aggregated-ether-options {
        minimum-links 1;
    }
    unit 10 {
        vlan-id 10;
        family inet {
            address 10.100.10.20/28 {
                arp 10.100.10.17 mac 78:fe:3d:a1:57:c2;
            }
        }
    }


  • 4.  RE: Issue with packet processing, SRX 3400

    Posted 04-09-2017 15:29
    You are correct, sorry -- I read that as ae.10. Can you share the EX3300 and MX960 configs?


  • 5.  RE: Issue with packet processing, SRX 3400

    Posted 04-10-2017 02:33

    Here is the config of the MX960 interface:


    root@MX960-re0> show configuration interfaces ae2
    description EX3300;
    flexible-vlan-tagging;
    mtu 9192;
    encapsulation flexible-ethernet-services;
    aggregated-ether-options {
        minimum-links 1;
        lacp {
            active;
        }
    }
    unit 10 {
        description MGMT;
        vlan-id 10;
        family inet {
            address 10.100.10.17/28;
        }
    }

     

    ----------------------------------------------------------

    - Interface on EX toward MX:


    root@EX3300> show configuration interfaces ae2
    description MX960_ae2;
    mtu 9192;
    aggregated-ether-options {
        minimum-links 1;
        lacp {
            active;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members MGMT;
            }
        }
    }

    - Interface on EX toward SRX:


    root@EX3300> show configuration interfaces ae0
    description to_SRX3400_ae0;
    mtu 9192;
    aggregated-ether-options {
        minimum-links 1;
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members MGMT;
            }
        }
    }

    I've created an L3 interface on the EX in vlan MGMT (10.100.10.18) and ping works between MX and EX.

    When I try to ping from the SRX (10.100.10.20) to the MX (10.100.10.17), I see the ping requests arriving on the MX:


    root@MX960>monitor traffic interface ae2.10

    11:14:34.901290 In IP 10.100.10.20 > 10.100.10.17: ICMP echo request, id 5145, seq 32, length 64
    11:14:34.901315 Out IP truncated-ip - 34 bytes missing! 10.100.10.17 > 10.100.10.20: ICMP echo reply, id 5145, seq 32, length 64
    11:14:35.902671 In IP 10.100.10.20 > 10.100.10.17: ICMP echo request, id 5145, seq 33, length 64
    11:14:35.902699 Out IP truncated-ip - 34 bytes missing! 10.100.10.17 > 10.100.10.20: ICMP echo reply, id 5145, seq 33, length 64
    11:14:36.932513 In IP 10.100.10.20 > 10.100.10.17: ICMP echo request, id 5145, seq 34, length 64
    11:14:36.932544 Out IP truncated-ip - 34 bytes missing! 10.100.10.17 > 10.100.10.20: ICMP echo reply, id 5145, seq 34, length 64
    11:14:37.904466 In IP 10.100.10.20 > 10.100.10.17: ICMP echo request, id 5145, seq 35, length 64
    11:14:37.904495 Out IP truncated-ip - 34 bytes missing! 10.100.10.17 > 10.100.10.20: ICMP echo reply, id 5145, seq 35, length 64

    ....

    On the SRX, the ae0.10 interface counters are increasing, but there is no ping reply!


    root@SRX3400-DC> show interfaces ae0.10
    Logical interface ae0.10 (Index 67) (SNMP ifIndex 501)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.10 ] Encapsulation: ENET2
    Statistics Packets pps Bytes bps
    Bundle:
    Input : 281 0 24840 0
    Output: 485 0 47958 0
    Security: Zone: MGMT
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
    ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
    ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
    rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
    ntp sip r2cp
    Protocol inet, MTU: 9174
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 10.100.10.16/28, Local: 10.100.10.20,
    Broadcast: 10.100.10.31
    Protocol multiservice, MTU: Unlimited

    ------------------------------------------------------------------------------

     

    I did a flow trace - please find it attached.

    Attachment(s): fow_debug.txt (txt, 58K, 1 version)


  • 6.  RE: Issue with packet processing, SRX 3400
    Best Answer

    Posted 04-12-2017 13:04

    Hi,

    I found what the problem was.

    SRX does not support: encapsulation flexible-ethernet-services

    When I deleted that command from interface ae0, traffic started to work. I don't know why the SRX allows me to configure it without any warning.

    Regards,

    Marko
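Both faults raised in this thread (reply 2's "non-existent interface in your mgmt zone" and the best answer's silently accepted `encapsulation flexible-ethernet-services`) are the kind of thing a pre-commit configuration lint catches before a box is racked. The script below is an added example, not code from the thread or from Juniper: it parses standard Junos curly-brace text into a tree, checks that every interface bound under `security zones` actually exists as a `unit` under `interfaces`, and flags the encapsulation statement the thread found unsupported on SRX. The `UNSUPPORTED_ON_SRX` set is an assumption seeded only with the thread's finding; the sample configuration is constructed from the ae0 stanza above plus a deliberately dangling `ae0.20` binding.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    """One Junos statement; leaves (lines ending in ';') have no children."""
    name: str
    children: list = field(default_factory=list)


def parse_junos(text: str) -> Node:
    """Parse Junos curly-brace configuration text into a tree of Nodes."""
    root = Node("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith("{"):
            node = Node(line[:-1].strip())
            stack[-1].children.append(node)
            stack.append(node)
        elif line.endswith(";"):
            stack[-1].children.append(Node(line[:-1].strip()))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def child(node, name):
    """First child of node whose statement name matches, or None."""
    if node is None:
        return None
    return next((c for c in node.children if c.name == name), None)


def configured_units(root: Node) -> set:
    """Logical interfaces such as 'ae0.10' defined under 'interfaces'."""
    units = set()
    ifaces = child(root, "interfaces")
    for phys in (ifaces.children if ifaces else []):
        for sub in phys.children:
            m = re.fullmatch(r"unit (\d+)", sub.name)
            if m:
                units.add(f"{phys.name}.{m.group(1)}")
    return units


def zone_bindings(root: Node) -> dict:
    """Map zone name -> interfaces bound under 'security zones'."""
    bindings = {}
    zones = child(child(root, "security"), "zones")
    for z in (zones.children if zones else []):
        m = re.fullmatch(r"security-zone (\S+)", z.name)
        if m:
            ifs = child(z, "interfaces")
            # entries are 'ae0.10;' or 'ae0.10 { host-inbound-traffic ... }'
            bindings[m.group(1)] = [c.name for c in ifs.children] if ifs else []
    return bindings


# Per the thread's best answer the SRX accepts this statement silently but
# then drops traffic on the interface. Assumption: this set is not exhaustive.
UNSUPPORTED_ON_SRX = {"encapsulation flexible-ethernet-services"}


def lint(text: str) -> list:
    """Findings: zone bound to a missing IFL, and unsupported encapsulation."""
    root = parse_junos(text)
    findings = []
    units = configured_units(root)
    for zone, ifls in zone_bindings(root).items():
        for ifl in ifls:
            if ifl not in units:
                findings.append(f"zone {zone}: interface {ifl} is bound but not configured")
    ifaces = child(root, "interfaces")
    for phys in (ifaces.children if ifaces else []):
        for stmt in phys.children:
            if stmt.name in UNSUPPORTED_ON_SRX:
                findings.append(f"interface {phys.name}: '{stmt.name}' is not supported on SRX")
    return findings


# Constructed sample: the ae0 stanza from the thread (trimmed) plus a
# deliberately dangling ae0.20 binding to exercise the missing-IFL check.
SAMPLE_CONFIG = """\
interfaces {
    ae0 {
        encapsulation flexible-ethernet-services;
        unit 10 {
            vlan-id 10;
        }
    }
}
security {
    zones {
        security-zone MGMT {
            interfaces {
                ae0.10;
                ae0.20;
            }
        }
    }
}
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show configuration | display set`-free text (the plain curly-brace form used throughout this thread); on the sample it reports the dangling `ae0.20` binding and the `flexible-ethernet-services` statement on ae0, and deleting that statement, as the best answer did, leaves only the zone finding.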