SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX340 IPv6 issue

  • 1.  SRX340 IPv6 issue

     
    Posted 08-10-2018 08:59

    Hi,

     

    An update to my last Draytek question.

     

    I have now narrowed the issue down to the routing on the SRX340.

     

    I have placed a static route on the SRX340 inet6.0 routing table to the Draytek IPv6 LAN DHCPv6-PD interface. Here is what is happening:

     

    IPv6 ping to CPE WAN address - Successful

    IPv6 Ping from CPE to Facebook IPv6 address - Successful

    IPv6 ping from SRX340 to CPE LAN Global address - Failure

     

    So, when looking at the routing table for the CPE LAN Global address I see it going to the default and out of the wrong interface. Even though I have told it to go to the CPE WAN Address for the next-hop, and that address is working fine.

     

    This is why I cannot ping facebook IPv6 address from a laptop connected to the CPE but I CAN ping it from the CPE itself.

     

    The SRX340 does not know about the route so sends it out the default.

     

    Any ideas?



  • 2.  RE: SRX340 IPv6 issue

     
    Posted 08-10-2018 09:23

    Easier way to explain:

     

    Why, if I put a static route in for the CPE LAN IPv6 address on the SRX340 to go out of ge-0/0/4 and then complete a show route, does the SRX show that address routed via default to ge-0/0/15.10?

     

    This does not make sense.....



  • 3.  RE: SRX340 IPv6 issue

    Posted 08-11-2018 03:55

    What are the results of the interface setup and static routes actually active?

    show interface terse

    show route protocol static

     

    And what address and mask is on the Draytek?

     



  • 4.  RE: SRX340 IPv6 issue

     
    Posted 08-13-2018 00:28

    Interface terse result:

    ge-0/0/4.0              up    up   inet     195.80.23.17/30
                                       inet6    36a2:d840:60:ff45::2/126
                                                fe80::32b6:4fff:fe2f:cfc5/64

    ge-0/0/15               up    up
    ge-0/0/15.10            up    up   inet     10.10.1.2/30
                                       inet6    36a2:d840:70::1/126
                                                fe80::32b6:4f00:a2f:cfd0/64

     

    Show route protocol static:

    inet6.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    ::/0 *[Static/5] 5d 21:31:45
    > to 36a2:d840:70::2 via ge-0/0/15.10

     

    I know this is where the issue is..... There is no route to the destination.

     

    So, the LAN at the other side of the CPE has the following route on the SRX340:

    set routing-options rib inet6.0 static route 36a2:d840:0060:ff46::1/128 next-hop 36a2:d840:0060:ff45::2

     

    The LAN is the ONLY prefix not able to communicate. As I mentioned before, getting to the internet is fine from the CPE WAN interface. The SRX340 does not know how to get back to the CPE LAN prefix.



  • 5.  RE: SRX340 IPv6 issue

    Posted 08-13-2018 00:41

    Hello there,

     


    @adgwytc wrote:

    Interface terse result:

    ge-0/0/4.0              up    up   inet     195.80.23.17/30
                                       inet6    36a2:d840:60:ff45::2/126
                                                fe80::32b6:4fff:fe2f:cfc5/64

     

     

    <skip>

     

    set routing-options rib inet6.0 static route 36a2:d840:0060:ff46::1/128 next-hop 36a2:d840:0060:ff45::2

      

    The nexthop for Your static /128 route is SRX own address (SRX itself).

    JUNOS does not allow static routes with own IP/IPv6 as nexthop.

    Please double-check and re-enter the correct nexthop for this static to become "active".

    HTH

    Thx
    Alex
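
The condition described in the reply above (a static route whose next-hop is one of the router's own interface addresses), as an added Python check that is not part of the original thread. The interface addresses and routes are constructed sample data copied from the posts; the function and verdict names are hypothetical, and the check covers only next-hop sanity, not every reason a route can stay inactive.

```python
import ipaddress

# Constructed sample data, copied from the addresses posted in this thread.
INTERFACES = {
    "ge-0/0/4.0": ["36a2:d840:60:ff45::2/126"],
    "ge-0/0/15.10": ["36a2:d840:70::1/126"],
}
# (destination, next-hop, outgoing interface or None)
STATIC_ROUTES = [
    ("::/0", "36a2:d840:70::2", None),
    ("36a2:d840:60:ff46::1/128", "36a2:d840:0060:ff45::2", None),
    ("36a2:d840:60:ff46::1/128", "36a2:d840:0060:ff45::1", None),
    ("36a2:d840:60:ff46::/64", "fe80::21d:aaff:fe5c:f62", "ge-0/0/4.0"),
    ("36a2:d840:60:ff46::/64", "fe80::21d:aaff:fe5c:f62", None),
]


def check_next_hop(next_hop, interfaces, via=None):
    """Classify one static next-hop against the configured interfaces.

    Returns (verdict, interface) where verdict is one of:
      own-address      next-hop is an address configured on this router
      ok               next-hop sits in a directly connected subnet
      needs-interface  link-local next-hop given without an interface
      unresolved       next-hop is not on any connected subnet
    """
    hop = ipaddress.ip_address(next_hop)
    if hop.is_link_local:
        # fe80::/10 exists on every link, so it is only usable with an interface.
        return ("ok", via) if via in interfaces else ("needs-interface", None)
    connected = None
    for name, addresses in interfaces.items():
        for text in addresses:
            iface = ipaddress.ip_interface(text)
            if iface.version != hop.version:
                continue
            if hop == iface.ip:
                return ("own-address", name)
            if hop in iface.network:
                connected = name
    return ("ok", connected) if connected else ("unresolved", None)


def audit(routes, interfaces):
    """Return one (destination, next_hop, verdict, interface) tuple per route."""
    return [(dst, nh) + check_next_hop(nh, interfaces, via)
            for dst, nh, via in routes]


if __name__ == "__main__":
    for row in audit(STATIC_ROUTES, INTERFACES):
        print("%-28s via %-26s %-16s %s" % row)
```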



  • 6.  RE: SRX340 IPv6 issue

     
    Posted 08-13-2018 01:29

    Hi Alex,

     

    Yes, I have tried that as well.

     

    Apologies, I should have mentioned that I tried both addresses. The far end (CPE WAN) and the local and it makes no difference. It still wants to send the route via the default to the wrong interface.

     

    set routing-options rib inet6.0 static route 36a2:d840:60:ff46::1/128 next-hop 36a2:d840:0060:ff45::1 (ge-0/0/4 interface exit to CPE WAN)

     

    user@ethernet-test-340# run show route 36a2:d840:60:ff46::1

    inet6.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    ::/0 *[Static/5] 5d 22:29:02
    > to 36a2:d840:70::2 via ge-0/0/15.10

     

    As an add on, I have now tested that the internal LAN Can ping the CPE WAN address. What makes this even more weird is the following:

     

    CPE WAN ping to SRX340 ge-0/0/4 Interface - Success

    CPE WAN to Facebook IPv6 address - Success

    Laptop internal LAN ping to CPE WAN - Success

    Laptop internal LAN ping to SRX340 CPE ge-0/0/4 interface - failure

     

    How the hell can I ping the CPE WAN interface from the laptop but NOT the SRX340 ge-0/0/4 interface when the CPE WAN itself can? Sorry, I've answered this question myself, because there is no route back for the internal LAN....

     

    When I look on the SRX340, the route shows correct for the CPE WAN out of interface ge-0/0/4. This is proven by being able to ping facebook via the CPE WAN.... Very strange issue.... it's like the SRX just cannot see the CPE WAN interface and therefore installs no routes but it must do because of the CPE WAN pinging the internet.... 

     

    Very frustrating.

     

     



  • 7.  RE: SRX340 IPv6 issue

    Posted 08-13-2018 01:50

    Hello,

    Are You sure that 36a2:d840:0060:ff45::1 is Your CPE WAN address?

    I highly doubt so unless You assigned it manually to this CPE. Typically, IPv6 address has last 64 bits that look random.

    Next - if it is indeed 36a2:d840:0060:ff45::1, do You have ND resolved for this address?

    Please supply the following printout from SRX:

     

     

    show route 36a2:d840:0060:ff45::1 | no-more
    show ipv6 neighbor | no-more

    Then - from the laptop connected to the CPE WAN (from where You can ping FB), go to https://www.whatismyip.org/my-ip-address and You should see the global IPv6 address that is being used by Your laptop. The first 64 bits should be 36a2:d840:0060:ff45 (unless Your CPE does NAT64 but again I highly doubt that). If not then Your CPE has a different IPv6 prefix and the CPE's IPv6 address is definitely NOT 36a2:d840:0060:ff45::1.

    Finally, did You try configure Your IPv6 route using CPE link-local address as nexthop?

    HTH

    Thx
    Alex

     



  • 8.  RE: SRX340 IPv6 issue

     
    Posted 08-13-2018 02:40

    Hi Alex,

     

    You are correct. The CPE WAN address is manually assigned as this is the ethernet core side and there is no RADIUS assignment here. We have the one connection into the core and therefore assign VLANs to the downstream provider who will provide layer 2 switching to the customer site where the SRX340 NTE will be placed.

     

    We will manually configure the CPE and NTE and these will then be sent to the customer site.

     

    user@ethernet-test-340# run show route 36a2:d840:60:ff45::1 | no-more

    inet6.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    36a2:d840:60:ff45::/126
    *[Direct/0] 01:31:05
    > via ge-0/0/4.0  -  Correct interface

     

    user@ethernet-test-340# run show ipv6 neighbors | no-more
    IPv6 Address                 Linklayer Address  State   Exp  Rtr  Secure  Interface
    36a2:d840:60:ff45::1         00:1d:aa:5c:0f:62  stale   849  no   no      ge-0/0/4.0
    36a2:d840:70::2              7c:e2:ca:bf:eb:ef  stale   836  yes  no      ge-0/0/15.10
    fe80::21d:aaff:fe5c:f62      00:1d:aa:5c:0f:62  stale   122  no   no      ge-0/0/4.0
    fe80::7ee2:ca00:abf:ebef     7c:e2:ca:bf:eb:ef  stale   936  yes  no      ge-0/0/15.10

     

    The fact they are all "Stale" does not help, but this does not explain why it works from the CPE WAN interface????

     

    user@ethernet-test-340# run ping inet6 36a2:d840:60:ff45::1
    PING6(56=40+8+8 bytes) 36a2:d840:60:ff45::2 --> 36a2:d840:60:ff45::1
    16 bytes from 36a2:d840:60:ff45::1, icmp_seq=0 hlim=64 time=2.710 ms
    16 bytes from 36a2:d840:60:ff45::1, icmp_seq=1 hlim=64 time=1.469 ms
    16 bytes from 36a2:d840:60:ff45::1, icmp_seq=2 hlim=64 time=1.173 ms

     

    36a2:d840:60:ff45::1 00:1d:aa:5c:0f:62 reachable 9 no no ge-0/0/4.0

     



  • 9.  RE: SRX340 IPv6 issue

     
    Posted 08-13-2018 03:03

    Hi Alex,

     

    As an add on, I'll never be able to get to the web address mentioned as from the laptop I cannot get beyond the NTE (SRX340).... I have tried configuring the SRX340 with a qualified-next-hop to the link-local address with no success either as per below:

     

    set routing-options rib inet6.0 static route 36a2:d840:60:ff46::0/64 qualified-next-hop fe80::21d:aaff:fe5c:f62 interface ge-0/0/4.0

     

    No luck. Still does not work.....



  • 10.  RE: SRX340 IPv6 issue

     
    Posted 08-13-2018 03:14

    Okay..... we're getting there slowly.... 🙂

     

    I can now ping the CPE LAN interface from the SRX340 using the qualified-next-hop address of the CPE WAN interface.....

     

    Now I am left with the final issue and I think this will then start working.....

     

    When I try and ping the Laptop from the SRX340 I am getting, I believe, to be a loop from the ge-0/0/15 interface address.... This is because the internal address range (beyond the Draytek LAN address) is not accessible and routes to the default. 

     

    So, at a guess, the last part of this must be the assignment of addressing with the Draytek itself?

     

     



  • 11.  RE: SRX340 IPv6 issue

     
    Posted 08-13-2018 06:06

    Okay, after clearing up some IPv6 address issues I have the following issue:

     

    Ping from Laptop to SRX340 ge-0/0/4 interface is now successful.

    Ping from SRX340 to laptop unsuccessful - this is strange as the route does exist and must do for the laptop to get a response.

     

    From the laptop I cannot ping any further than the ge-0/0/4 interface.....

     

    I changed the IPv6 prefixes to /64 and it started working to the extent shown above...

     

    So, I'm back to thinking there is either an IPv6 problem still or the SRX340 is still producing strange routing results.....



  • 12.  RE: SRX340 IPv6 issue

     
    Posted 08-13-2018 08:15

    Hi Alex,

     

    If you have any ideas here, that would be perfect.... here is where I am now stuck:

     

    From the Laptop I can ping the ge-0/0/4 interface on the SRX340.

    From the SRX340 ge-0/0/4 interface I can ping facebook IPv6.

     

    Here's the kicker though:

    From the Laptop I CANNOT ping facebook IPv6 address.

     

    Something is wrong on the SRX340 but I cannot find what it is..... 

     



  • 13.  RE: SRX340 IPv6 issue

    Posted 08-13-2018 15:19

    Hello,

    What is the SRX IPv6 forwarding mode? Please post the printout from SRX340:

    show security flow status | no-more
    

    HTH

    Thx

    Alex



  • 14.  RE: SRX340 IPv6 issue

     
    Posted 08-17-2018 00:26

    Hi Alex,

     

    Apologies for the delay in response. I have been out of the office for the week and only just got back. Here is the output you asked for...

     

    user@ethernet-test-340# run show security flow status | no-more
      Flow forwarding mode:
        Inet forwarding mode: flow based
        Inet6 forwarding mode: flow based
        MPLS forwarding mode: drop
        ISO forwarding mode: drop
        Enhanced route scaling mode: Disabled
      Flow trace status
        Flow tracing status: off
      Flow session distribution
        Distribution mode: RR-based
        GTP-U distribution: Disabled
      Flow ipsec performance acceleration: off
      Flow packet ordering
        Ordering mode: Hardware



  • 15.  RE: SRX340 IPv6 issue

     
    Posted 08-17-2018 03:15

    As an add on, if anyone has seen this behaviour on Windows before and what may affect it (I am trying to rule out the SRX340 from the troubleshooting process).....

     

    For approximately 2 minutes, with a continuous ping, to the SRX340 address, the laptop produces "General failure" then for about 2 minutes it is successful. This is a continuous occurrence of every 2 minutes. I have looked for timers etc on the SRX340 but cannot find anything.

     

    Thanks

     



  • 16.  RE: SRX340 IPv6 issue

    Posted 08-17-2018 03:25

    Hello,

     


    @adgwytc wrote:

     

    For approximately 2 minutes, with a continuous ping, to the SRX340 address, the laptop produces "General failure" then for about 2 minutes it is successful.

     


    Run Wireshark on this laptop and make sure the pings are actually sent when "General failure" occurs.

    HTH

    Thx

    Alex



  • 17.  RE: SRX340 IPv6 issue

    Posted 08-17-2018 03:22

    Hello there,

    Ok thanks for the printout.

    Do You advertise 36a2:d840:60:ff46::/64 all the way through Your core to the wider internet? Or a less specific /48 perhaps that includes 36a2:d840:60:ff46::/64?

    If You advertise any IPv6 route with netmask longer than 64, then it is likely it is going to be rejected at Your upstream because of too long netmask.

    At the moment, 36a2:d840:60:ff46::1  is not found on global internet. I tried:

    route-server.opentransit.net

    NTT Looking Glass https://www.us.ntt.net/support/looking-glass/

    Cogent Looking Glass http://www.cogentco.com/en/network/looking-glass

    HTH

    Thx

    Alex



  • 18.  RE: SRX340 IPv6 issue

     
    Posted 08-17-2018 03:44

    Hi Alex,

     

    Many apologies. I have changed the prefix for security purposes. Please do not worry about the range being available. It is  🙂

     

    I am advertising our full IPv6 range which is a /29, which we can still simulate as being 3a05:d840:: /29

     

    No other advertisement is being sent. 

     

    I agree, this is the same as IPv4 where only specific ranges (/24 in IPv4) or less will be accepted by the upstream ISP.

     

    In IPv6, yes, I believe it is /64.

     

    I think I may be able to tie this down to either:

     

    1: IPv6 PD allocation not working correctly on the CPE --- (As this is manually configured and not RADIUS)

    2: Windows issue of some sort.

     

    The SRX340 now shows the route out of the correct port, although I am still unable to ping from the SRX beyond the WAN of the CPE to the laptop, hence me thinking this could be a windows issue.



  • 19.  RE: SRX340 IPv6 issue

     
    Posted 08-17-2018 03:51

    Okay.

     

    When there is a general failure there is no ping. So, I have now completed the following test:

     

    When ping is being successful to gateway, test to facebook IPv6.... this failed.

     

    A traceroute showed that the packets get as far as the SRX340 and then stop. So there is an issue there. I just need to find where it is.... We will get there 🙂

     



  • 20.  RE: SRX340 IPv6 issue

     
    Posted 08-17-2018 06:05

    Further update.

     

    I have finally found, with no help from the Draytek site, a small radio check button on the firewall section that states "Block externally initiated IPv6".... so, I unchecked that and I can now ping the laptop from the SRX340.

     

    Here is the important part.... I can ping the laptop from both interfaces, that is, the CPE facing interface and the core facing interface.

     

    So, the strange result is still this 2 minutes working and then 2 minutes failing issue. This also affects the ping from the SRX which fails when the laptop fails.

     

    So, now my issue is why the laptop cannot ping the facebook IPv6 address considering the following:

     

    Laptop --> LAN CPE WAN --> SRX340 ge-0/0/4 --> SRX340 ge-0/0/15.10 --> xe-1/2/4.10 Core xe-1/2/5 --> Upstream provider

     

    I can ping from laptop to SRX340 ge-0/0/15.10 interface.

    I can ping facebook from the CPE.

     

    Given those two comments I should be able to ping Facebook... but, it fails..... 



  • 21.  RE: SRX340 IPv6 issue

     
    Posted 08-17-2018 06:30

    Finally I have a ping to facebook IPv6 address from the laptop.

     

    I do still have the 2 minute issue, and I do not know what is causing that. A real conundrum, but I think I can close this call now that I eventually have the connectivity working. This must be a Windows issue as the routing looks good to me.

     

    Thanks for your help guys.... 



  • 22.  RE: SRX340 IPv6 issue

     
    Posted 08-17-2018 07:54

    Hi Alex,

     

    Apologies. I have had to unmark this as a solution as the issue that is left is definitely not the Laptop.

     

    I have tried a Linux machine too and the same issue occurs.

     

    As this is exactly 2 minutes each time, it almost suggests to me that there is a timer somewhere that is switched on, that I have not configured. Does anybody know where I can look for any IPv6 timers that may be enabled on the SRX by default?

     

    So, Windows connects for 2 minutes, then disconnects for 2.

    Linux does the same.

     

    The major difference appears to be that the Draytek uses NDRA and the Technicolour (No issue) uses IANA. Could be a fundamental difference there.



  • 23.  RE: SRX340 IPv6 issue

     
    Posted 08-20-2018 03:21

    I am really not sure exactly where this error is occurring.

     

    I can safely say the following, from some wireshark traces and changing addressing:

     

    When the Laptop can ping facebook IPv6 address, then in wireshark I see all of the solicitation, advertisement and IPv6 ICMP packets, as I should do. The trace I completed also included the swap over from ping success to ping failure while using the following command in dos:

     

    ping -6 2a03:2880:f11a:86:face:b00c:0:50fb -t

     

    In the wireshark trace, when the "general failure" occurs, there are zero (0) packets appearing in the trace. There also appears to be no indication as to why this failure occurs in the trace. It simply stops, with the last ICMP packet being a reply from IPv6 Facebook.

     

    What makes me believe this is not a windows issue is that it also occurs on linux machines. So, could this be an IPv6 issue itself? 

     

    I have also tried completely different prefixes and still see the same issue.

     

    I am at a loss as to where to proceed now. Any ideas please?



  • 24.  RE: SRX340 IPv6 issue

     
    Posted 08-20-2018 03:44

    Okay, I have completed one last test to confirm reachability.... and hopefully now, someone who is an IPv6 guru can help a little.... I've changed the addresses here for security....

     

    On the SRX340 ge-0/0/4 CPE facing interface and the CPE WAN interface I have used the following addresses:

     

    SRX340 ge-0/0/4 -  3a05:d840:0060:ff45::2/64

    CPE WAN interface - 3a05:d840:0060:ff45::1/64

     

    Route on the SRX340 to said address:

    set routing-options rib inet6.0 static route 3a05:d840:0060:ff45::1/128 next-hop 3a05:d840:0060:ff45::2

     

    Route back and default route on CPE WAN is to the SRX340 address shown above.

     

    For the internal LAN on the CPE I have configured the following:

    3a05:d840:80:1::/64

     

    Here is the test:

    From Laptop I ping IPv6 facebook address.... when the failure occurs on the laptop I run a ping directly from the CPE itself using the WAN address and this is successful.

     

    This suggests that there is an inherent problem with either:

     

    a: The address ranges I am manually setting for the internal LAN

    b: There is an issue somewhere on the Draytek itself

     

    I suspect option "a" above is the cause, but unsure why. Any help from IPv6 guru please?



  • 25.  RE: SRX340 IPv6 issue
    Best Answer

     
    Posted 08-20-2018 04:54

    Hooray, at last I have found the cause of the issue.

     

    There is a small, hidden away section in the Draytek configuration regarding "Router Advertisement Configuration"... The default lifetime was set to 120 seconds, the only setting I could see that would equal the 2 minutes on/off I was seeing. I changed this, as a test, to 180 seconds and re-tested the ping and, sure enough, the ping now lasts 3 minutes before it fails.

     

    So, that just leaves me 1 question:

     

    There is a default preference of medium and a lifetime, now, of 180 seconds. Obviously this is not going to be good enough for a customer.... what is the recommended lifetime to set for this? Am I right to assume to just set it so high that it lasts a year or more?

     



  • 26.  RE: SRX340 IPv6 issue

     
    Posted 08-20-2018 05:39

    Ignore the question asked above.

     

    The settings are "minimum = 200" (normal for an RA), "Maximum = 600" and "Lifetime = 240" .... I am getting odd workings but I can iron those out now I know where to look for the issue...

     

    Thanks for your patience and help.
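
The Router Advertisement timer behaviour found in the last two posts, as an added Python example that is not part of the original thread. It checks a lifetime against the RFC 4861 section 6.2.1 bounds and models when a host is left without a default router; the 240-second RA spacing in the sample is an assumption chosen to match the reported 2 minutes on / 2 minutes off, and the function names are hypothetical.

```python
def check_ra_timers(min_interval, max_interval, lifetime):
    """Check RA timers (seconds) against RFC 4861 section 6.2.1 bounds."""
    problems = []
    if not 4 <= max_interval <= 1800:
        problems.append("MaxRtrAdvInterval must be 4..1800 s")
    if not 3 <= min_interval <= 0.75 * max_interval:
        problems.append("MinRtrAdvInterval must be 3 s..0.75*MaxRtrAdvInterval")
    if lifetime != 0 and not max_interval <= lifetime <= 9000:
        problems.append("router lifetime must be 0 or MaxRtrAdvInterval..9000 s")
    return problems


def worst_case_gap(max_interval, lifetime):
    """Longest time a host can be without a default router between two RAs."""
    return max(0, max_interval - lifetime)


def outages(ra_times, lifetime, horizon):
    """Return (start, end) windows in which the host has no default router.

    ra_times: seconds at which the host receives an unsolicited RA.
    Each RA resets the host's default-router timer to `lifetime`.
    """
    gaps = []
    expires = None
    for t in sorted(ra_times):
        if t > horizon:
            break
        if expires is not None and t > expires:
            gaps.append((expires, t))   # route expired before this RA arrived
        expires = t + lifetime
    if expires is not None and expires < horizon:
        gaps.append((expires, horizon))
    return gaps


# Constructed sample: one RA every 240 s (assumed spacing), observed for 16 min.
SAMPLE_RA_TIMES = list(range(0, 961, 240))

if __name__ == "__main__":
    for lifetime in (120, 180, 720):
        print(lifetime, outages(SAMPLE_RA_TIMES, lifetime, 960))
    # Settings quoted in the last post: min 200, max 600, lifetime 240.
    print(check_ra_timers(200, 600, 240), worst_case_gap(600, 240))
```

The RFC 4861 default for the router lifetime is 3 * MaxRtrAdvInterval, so a host can miss two consecutive advertisements without losing its default route.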

     



  • 27.  RE: SRX340 IPv6 issue

    Posted 08-11-2018 04:27
    I'm assuming nothing is wrong with the route; it may be because show route for IPv6 generally shows the generic route.
    Try show route exact .
    You can also guarantee that it will go out one determined interface using ping source