SRX

Expand all | Collapse all

IPSEC VPN issue no chassic cluster - external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.

Jump to Best Answer
  • 1.  IPSEC VPN issue no chassic cluster - external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.

    Posted 12-13-2019 06:26

    I configured 2 ipsec vpn tunnels to AWS. Bofh tunnels are UP, but there's a problem with communicating with hosts in AWS:

     

    After enabling traceoptions I see errors:

     

     

    CID-1:RT:'external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.
    

     

     

    My current configuration indeed put lo0.1 in different routing-instance (vr1) and different security zone (vpn-aws) than ge-5/0/12.0 which is current interface to reaach the Internet on master routing-instance and in untrust zone.

     

    root@SRX1# show security zones security-zone untrust    
    host-inbound-traffic {
        system-services {
            ping;
        }
        protocols {
            bgp;
        }
    }
    interfaces {
        ge-0/0/12.0;
        ge-5/0/12.0;
    }
    
    {primary:node0}[edit]
    root@SRX1# show security zones security-zone vpn-aws    
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
    }
    interfaces {
        st0.2;
        st0.1;
        lo0.1;
    }
    
    root@SRX1# show routing-instances 
    vr1 {
        instance-type virtual-router;
        interface lo0.1;
        interface st0.1;
        interface st0.2;
        routing-options {
            static {
                route 10.1.0.0/16 next-hop [ st0.1 st0.2 ];
            }
         }
    }
    

    I tried to move interface lo0.1 from security-zone vpn-aws to untrust to resolve the issue, but it's not possible:

     

    [edit security zones security-zone untrust]
      'interfaces lo0.1'
        Interface lo0.1 must be in the same routing instance as other interfaces in the zone
    error: configuration check-out failed
    

    So I have no idea what to do. I can't have bofh interfaces in different security zones, but in the same time I can't have bofh interfaces in the same security zone because of using different routing instances.



  • 2.  RE: IPSEC VPN issue no chassic cluster - external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.

    Posted 12-13-2019 07:17

    It is an expected behavior. If the loopback interface was chosen as the external interface in the IKE gateway, the interface had to be in the same zone as the outgoing interface. Otherwise, packets were dropped because the packets could not be routed.

    Why do you want lo0.1 as external interface? is its ip address configured as peer ip in AWS?
    If yes, try "local-address <ip-address of lo0.1> " in ike configuration and configure external interface as ge-5/0/12

     

     



  • 3.  RE: IPSEC VPN issue no chassic cluster - external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.

    Posted 12-13-2019 07:36

    Thank you for your reply.

     

    Yes, lo0.1 has the IP address used as a peer for AWS-VPN and it's used as external-interface in IKE configuration.

     

    We have BGP multi-homing here, so  ge-5/0/12 or  ge-0/0/12 can be external interface depenending on bgp routing.

     

    What should I do in that situation?



  • 4.  RE: IPSEC VPN issue no chassic cluster - external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.
    Best Answer

    Posted 12-13-2019 08:24

    Can't you assign the IP to lo0.0 interface?

     

     



  • 5.  RE: IPSEC VPN issue no chassic cluster - external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.

     
    Posted 12-14-2019 00:10

    Hi Gabriel,

     

    This KB addresses your issue - https://kb.juniper.net/InfoCenter/index?page=content&id=KB22129

     

    Loopback and external interface need to be in same routing-instance and zone.

     

    You can have everything in the default routing-instance inet.0. Is there any reason for using a seperate routing-instance?

    Default route from ISPs should not conflict with the specfic route to the st0.0/st0.1

     

    delete routing-instances vr1
    set routing-options static route 10.1.0.0/16 next-hop st0.0
    set routing-options static route 10.1.0.0/16 next-hop st0.1
    delete security zone security-zone vpn-aws interfaces lo0.1
    set security zone security-zone untrust interfaces lo0.1

     

    Regards,

     

    Nelumbo



  • 6.  RE: IPSEC VPN issue no chassic cluster - external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.

    Posted 12-16-2019 00:38

    Nelumbo,

     

    In a chassis cluster deployment, it is possible to have only lo0.0 in single / main routing instance.

     

    My lo0.0 was already taken, so lo0.1 had to be configured somewhere else.

     

    Anyway, I freed lo0.0 and used it at the end, because I couldn't resolve the problem an a different way.