SRX

Hi Juniper Gurus,

I'm very new to Juniper and I'm trying to learn it and bough a used SRX 210H ge-0/0/1 with IP 192.168.50.51/24 which is connected to my home network 192.168.50.0/24. I have also a virtual box with a vSRX1 with IP 192.168.50.81/24. I'm trying to setup OSPF but the physical SRX (security enabled) and virtual SRX1 (mpls mode) are not forming any adjacencies. When i do show ospf neighbor i get nothing. Do I need to Delete the physical SRX to remove the security and change it to mpls, but i want to keep the security for learning purposes?

-I can ping / traceroute both ways SRX 210H 192.168.50.51  to vSRX1 192.168.50.81

-vSRX can ping OSPF 224.0.0.5 but physical SRX 210H cannot ping OSPF 224.0.0.5

My question is since ping is working, but my OSPF adjacency is not forming, im only seeing Hello Sent but nothing received. However, if I do vSRX1 vSRX2 & vSRX3 (all virtual VMs) there is no issue with OSPF and it works. But I want physical connecting to my virtual vSRX

Could you kindly advise if there is anything wrong that I'm doing or if this physical and virtual will not work with OSPF and BGP?

A) PHYSICAL SRX configuration - IP 192.168.50.51/24

[edit protocols ospf]
chris@core1# run show configuration
## Last commit: 2020-05-11 03:05:43 UTC by chris
version 12.1X46-D40.2;
system {
host-name core1;
time-zone toronto;
root-authentication {
encrypted-password
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
user chris {
uid 2009;
class super-user;
authentication {
encrypted-password 
}
}
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0;
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.50.51/24;
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.50.1;
}
}
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/1.0 {
interface-type p2p;
}
}
}
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
traceroute;
https;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
poe {
interface all;
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}

[edit protocols ospf]

[edit]
chris@core1# run show ospf overview
Instance: master
Router ID: 192.168.50.51
Route table index: 0
LSA refresh time: 50 minutes
Area: 0.0.0.0
Stub type: Not Stub
Authentication Type: None
Area border routers: 0, AS boundary routers: 0
Neighbors
Up (in full state): 0
Topology: default (ID 0)
Prefix export count: 0
Full SPF runs: 2
SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
Backup SPF: Not Needed

[edit]
chris@core1# run show ospf database

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router *192.168.50.51 192.168.50.51 0x80000001 2459 0x22 0xd028 36

=====================

vSRX1 - IP 192.168.50.71/24

root> show configuration
## Last commit: 2020-05-10 05:59:48 UTC by root
version 12.1X47-D15.4;
system {
root-authentication {
encrypted-password 
}
services {
ssh;
web-management {
http {
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.50.81/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.50.71/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 3.3.3.3/24;
address 33.33.33.33/24;
}
}
}
}
routing-options {
router-id 192.168.50.81;
}
protocols {
ospf {
traceoptions {
file OSPFLAB1 size 10000000;
flag all;
}
area 0.0.0.0 {
interface lo0.0;
interface ge-0/0/2.0;
}
}
}
security {
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
}

root>

root> show ospf overview
Instance: master
Router ID: 192.168.50.81
Route table index: 0
LSA refresh time: 50 minutes
Area: 0.0.0.0
Stub type: Not Stub
Authentication Type: None
Area border routers: 0, AS boundary routers: 0
Neighbors
Up (in full state): 0
Topology: default (ID 0)
Prefix export count: 0
Full SPF runs: 4
SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
Backup SPF: Not Needed

Looks like on the physical SRX you are overriding the zone settings for host-inbound-traffic and only letting some services and nothing under protocols.  You will need to allow ospf under protocols here.

It also looks like you are treating the loopback and vlan interfaces as normal ospf interfaces.  Those should specify the unit number and be labeled as passive interfaces.

Hi Steve/Juniper Gurus,

Thank you very much for your help and your prompt response. I have changed the IPs of the physical and virtual vSRX to start fresh but still not working. I can ping both ways and added the security zones for ospf per interface and passive. Would you be so kind what i'm missing here why no ospf adjacencies with physical and virtual SRX?

Physical SRX FE-0/0/2 - 192.168.50.41/24;

chris@core1> show configuration
## Last commit: 2020-05-13 19:36:36 UTC by chris
version 12.1X46-D40.2;
system {
host-name core1;
time-zone toronto;
root-authentication {
encrypted-password "$1$U.eGDp4L$QZnHxpl6kkNB7xW5N3O0g0"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
user chris {
uid 2009;
class super-user;
authentication {
encrypted-password "$1$AbbN5ka3$9l6CwHdvvRbBnIL0pFKFk/"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0;
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.50.51/24;
}
}
}
fe-0/0/2 {
unit 0 {
family inet {
address 192.168.50.41/24;
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
lo0 {
unit 0 {
family inet {
address 1.1.1.1/24;
address 11.11.11.11/24;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.50.1;
}
}
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/1.0 {
interface-type p2p;
}
interface lo0.0 {
passive;
}
interface vlan.0 {
passive;
}
interface fe-0/0/2.0;
}
}
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
ping;
https;
telnet;
ssh;
}
protocols {
all;
ospf;
bfd;
dvmrp;
bgp;
nhrp;
igmp;
pgm;
pim;
vrrp;
router-discovery;
ldp;
}
}
interfaces {
vlan.0;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
traceroute;
https;
telnet;
ssh;
}
protocols {
all;
}
}
}
fe-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
https;
telnet;
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
poe {
interface all;
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}

chris@core1>

chris@core1> show ospf neighbor

chris@core1> show ospf overview
Instance: master
Router ID: 1.1.1.1
Route table index: 0
LSA refresh time: 50 minutes
Area: 0.0.0.0
Stub type: Not Stub
Authentication Type: None
Area border routers: 0, AS boundary routers: 0
Neighbors
Up (in full state): 0
Topology: default (ID 0)
Prefix export count: 0
Full SPF runs: 11
SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
Backup SPF: Not Needed

chris@core1> show ospf database

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router *1.1.1.1 1.1.1.1 0x8000000f 144 0x22 0x806b 84

chris@core1>

Ping to vSRX Virtual IP 192.168.50.82

chris@core1> ping 192.168.50.82
PING 192.168.50.82 (192.168.50.82): 56 data bytes
64 bytes from 192.168.50.82: icmp_seq=0 ttl=64 time=5.704 ms
64 bytes from 192.168.50.82: icmp_seq=1 ttl=64 time=5.688 ms
64 bytes from 192.168.50.82: icmp_seq=2 ttl=64 time=4.760 ms
64 bytes from 192.168.50.82: icmp_seq=3 ttl=64 time=5.431 ms
64 bytes from 192.168.50.82: icmp_seq=4 ttl=64 time=4.542 ms
^C
--- 192.168.50.82 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.542/5.225/5.704/0.484 ms

==================================

Virtual vSRX GE-0/0/0 = 192.168.50.82/24;

root> show configuration
## Last commit: 2020-05-13 20:00:53 UTC by root
version 12.1X47-D15.4;
system {
root-authentication {
encrypted-password "$1$nkMlPHBq$mk57yKMk19DbxbYPzhDET0"; ## SECRET-DATA
}
services {
ssh;
web-management {
http {
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.50.82/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.0.2/24;
}
}
}
}
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
}
}
}
security {
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
}

root> show ospf neighbor

root> show ospf neighbor

root> show ospf overview
Instance: master
Router ID: 10.0.0.2
Route table index: 0
LSA refresh time: 50 minutes
Area: 0.0.0.0
Stub type: Not Stub
Authentication Type: None
Area border routers: 0, AS boundary routers: 0
Neighbors
Up (in full state): 0
Topology: default (ID 0)
Prefix export count: 0
Full SPF runs: 3
SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
Backup SPF: Not Needed

root> show ospf database

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router *10.0.0.2 10.0.0.2 0x80000004 44 0x22 0x4635 36

Ping to physical SRX 192.168.50.41

root> ping 192.168.50.41
PING 192.168.50.41 (192.168.50.41): 56 data bytes
64 bytes from 192.168.50.41: icmp_seq=0 ttl=64 time=9.242 ms
64 bytes from 192.168.50.41: icmp_seq=1 ttl=64 time=5.762 ms
64 bytes from 192.168.50.41: icmp_seq=2 ttl=64 time=6.090 ms
64 bytes from 192.168.50.41: icmp_seq=3 ttl=64 time=6.031 ms
64 bytes from 192.168.50.41: icmp_seq=4 ttl=64 time=4.913 ms
^C
--- 192.168.50.41 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.913/6.408/9.242/1.478 ms

Hi Steve / Juniper Gurus,

Thank you so much for your help on this. I just went ahead and tried disabling my antivirus and it finally gave a ospf neighbor.. Now, i have to find a way of enabling the antivirus and but allowing the OSPF routing to work. Please let me know if you see anything that I should be fixing on my config.

Physical SRX FE-0/0/2 - 192.168.50.41/24;

chris@core1> show ospf neighbor
Address Interface State ID Pri Dead
192.168.50.82 fe-0/0/2.0 Full 10.0.0.2 128 10

chris@core1> show ospf database

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router *1.1.1.1 1.1.1.1 0x80000011 80 0x22 0xa132 84
Router 10.0.0.2 10.0.0.2 0x80000006 81 0x22 0xa792 36
Network 192.168.50.82 10.0.0.2 0x80000001 81 0x22 0xb47b 32

==================================================================

Virtual vSRX GE-0/0/0 = 192.168.50.82/24;

root> show ospf neighbor

root> show ospf neighbor

root> show ospf neighbor

root> show ospf neighbor
Address Interface State ID Pri Dead
192.168.50.41 ge-0/0/0.0 Full 1.1.1.1 128 39

root> show ospf neighbor
Address Interface State ID Pri Dead
192.168.50.41 ge-0/0/0.0 Full 1.1.1.1 128 39

root> show ospf neighbor
Address Interface State ID Pri Dead
192.168.50.41 ge-0/0/0.0 Full 1.1.1.1 128 39

root> show ospf neighbor
Address Interface State ID Pri Dead
192.168.50.41 ge-0/0/0.0 Full 1.1.1.1 128 38

root> show ospf neighbor
Address Interface State ID Pri Dead
192.168.50.41 ge-0/0/0.0 Full 1.1.1.1 128 37

root> show ospf database

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router 1.1.1.1 1.1.1.1 0x80000014 177 0x22 0x9b35 84
Router *10.0.0.2 10.0.0.2 0x80000009 176 0x22 0xa195 36
Network *192.168.50.82 10.0.0.2 0x80000002 176 0x22 0xb27c 32

root> show osfp
^
syntax error, expecting <command>.
root> show ospf overview
Instance: master
Router ID: 10.0.0.2
Route table index: 0
LSA refresh time: 50 minutes
Area: 0.0.0.0
Stub type: Not Stub
Authentication Type: None
Area border routers: 0, AS boundary routers: 0
Neighbors
Up (in full state): 1
Topology: default (ID 0)
Prefix export count: 0
Full SPF runs: 6
SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
Backup SPF: Not Needed