SRX1500 - only passing traffic to/from some destinations

  • 1.  SRX1500 - only passing traffic to/from some destinations

    Posted 02-14-2019 01:39

    I have recently installed a pair of SRX1500 firewalls in a cluster. Running Junos 15.1X49-D150.2.

     

    I've discovered that the firewalls seem to be responsible for dropping tcp traffic to/from certain destinations on the Internet. At first I thought this was due to some kind of asymmetrical routing issue, but I think I've mostly ruled that out. Traffic between the firewall and the Internet always happens on the same reth interface, so asymmetric routing shouldn't be an issue afaik.

     

    ICMP works, so I think it's only tcp traffic that's affected. For example, a client on the inside can ping www.somedomain.com, but browsing (tcp 80/443) to the same domain just times out. Some other websites work, but seem a bit slow.

     

    Both firewalls are connected to an upstream switch. I have several other servers and firewalls directly connected to the same switch, all work flawlessly when communicating upstream with my routers. This points to a problem or misconfiguration in the SRX1500 cluster.

     

    I've run flow traceoptions, but there's a lot of info to read and I haven't found anything that looks suspicious.

     

    I've attached a diagram:

    Untitled Diagram.png

     

    Relevant config looks like this:

     

    version 15.1X49-D150.2;
    chassis {
        cluster {
            control-link-recovery;
            reth-count 5;
            redundancy-group 0 {
                node 0 priority 254;
                node 1 priority 1;
            }
            /* to-ex4200 */
            redundancy-group 1 {
                node 0 priority 254;
                node 1 priority 1;
                interface-monitor {
                    xe-0/0/16 weight 255;
                    xe-7/0/16 weight 255;
                }
            }
            /* to-ex9200 */
            redundancy-group 5 {
                node 0 priority 254;
                node 1 priority 1;
                interface-monitor {
                    ge-0/0/12 weight 255;
                    ge-7/0/12 weight 255;
                }
            }
        }
    }
    security {
        address-book {
            global {
                address dc-hosts-v4nat-dbs 10.33.15.0/24;
            }
        }
        alg {
            dns disable;
        }
        nat {
            source {
                pool src-nat-pool {
                    address {
                        X.X.X.4/32 to X.X.X.30/32;
                    }
                    address-pooling paired;
                }
                rule-set vl-dbs-to-internet {
                    from zone vl-dbs;
                    to zone internet;
                    rule vl-dbs-nat {
                        match {
                            source-address-name dc-hosts-v4nat-dbs;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                pool {
                                    src-nat-pool;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone vl-dbs to-zone internet {
                policy permit-any {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone internet {
                interfaces {
                    reth4.62 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                traceroute;
                            }
                        }
                    }
                }
            }
            security-zone vl-dbs {
                interfaces {
                    reth0.515 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                traceroute;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/12 {
            gigether-options {
                redundant-parent reth4;
            }
        }
        xe-0/0/16 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-7/0/12 {
            gigether-options {
                redundant-parent reth4;
            }
        }
        xe-7/0/16 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    xe-0/0/18;
                    xe-0/0/19;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    xe-7/0/18;
                    xe-7/0/19;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.22.240/32;
                }
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 515 {
                vlan-id 515;
                family inet {
                    address 10.33.15.1/24;
                }
            }
        }
        reth4 {
            description internet;
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 5;
            }
            unit 62 {
                description "Main Source NAT Pool";
                vlan-id 62;
                family inet {
                    address X.X.X.4/27;
                    address X.X.X.5/27;
                    address X.X.X.6/27;
                    address X.X.X.7/27;
                    address X.X.X.8/27;
                    address X.X.X.9/27;
                    address X.X.X.10/27;
                    address X.X.X.11/27;
                    address X.X.X.12/27;
                    address X.X.X.13/27;
                    address X.X.X.14/27;
                    address X.X.X.15/27;
                    address X.X.X.16/27;
                    address X.X.X.17/27;
                    address X.X.X.18/27;
                    address X.X.X.19/27;
                    address X.X.X.20/27;
                    address X.X.X.21/27;
                    address X.X.X.22/27;
                    address X.X.X.23/27;
                    address X.X.X.24/27;
                    address X.X.X.25/27;
                    address X.X.X.26/27;
                    address X.X.X.27/27;
                    address X.X.X.28/27;
                    address X.X.X.29/27;
                    address X.X.X.30/27;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop X.X.X.1;
        }
        router-id 192.168.22.240;
    }

     

    Any ideas? :)



  • 2.  RE: SRX1500 - only passing traffic to/from some destinations

    Posted 02-14-2019 01:59

    My initial thought is actually an MTU mismatch somewhere between the SRX1500 and your switches, as ICMP works and some websites work... but slowly, and some never load. I would expect you can do the same test for DNS and that will probably also work.

     

    Could you validate MTU on the relevant interfaces? Both on the SRX, EX4200 and EX9200.



  • 3.  RE: SRX1500 - only passing traffic to/from some destinations

    Posted 02-14-2019 05:22

    I've checked all interfaces that I believe are relevant. There are some differences.

     

    Interfaces on EX9200 connected to the SRX1500:

     

    > show interfaces ge-4/3/0 | match mtu
    Link-level type: Ethernet, MTU: 1514
    Protocol eth-switch, MTU: 1514
    
    > show interfaces ge-5/3/0 | match mtu
    Link-level type: Ethernet, MTU: 1514
    Protocol eth-switch, MTU: 1514

     

    Interfaces on the EX4200 connected to the SRX1500:

     

    > show interfaces xe-0/1/0 | match mtu
    Link-level type: Ethernet, MTU: 1514
    
    > show interfaces xe-1/1/0 | match mtu
    Link-level type: Ethernet, MTU: 1514

     

    Interfaces on SRX1500 connected to the EX9200:

     

    > show interfaces ge-0/0/12 | match mtu
    Link-level type: Ethernet, MTU: 1518
    
    > show interfaces ge-7/0/12 | match mtu
    Link-level type: Ethernet, MTU: 1518
    
    > show interfaces reth4 | match mtu
    Link-level type: Ethernet, MTU: 1518
    
    > show interfaces reth4.62 | match mtu
    Protocol inet, MTU: 1500

     

    Interfaces on the SRX1500 connected to the EX4200:

     

    > show interfaces xe-0/0/16 | match mtu
    Link-level type: Ethernet, MTU: 1518
    
    > show interfaces xe-7/0/16 | match mtu
    Link-level type: Ethernet, MTU: 1518
    
    > show interfaces reth0 | match mtu
    Link-level type: Ethernet, MTU: 1518
    
    > show interfaces reth0.515 | match mtu
    Protocol inet, MTU: 1500

     

     



  • 4.  RE: SRX1500 - only passing traffic to/from some destinations
    Best Answer

     
    Posted 02-14-2019 06:31

    As you are tagging on reth4 I assume you are trunking on the 9200? That MTU should be 1518 instead of 1514. The 9200 does not automatically increase MTU by 4 on trunks; you need to add vlan-tagging.

     

    ge-4/3/0 {
        description trunk;
        vlan-tagging;
        unit 0 {                            
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members 62;
                }
            }
        }
    }
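    To illustrate the diagnosis in this answer, here is an added Python model (not the poster's configuration or Junos code) of what a 4-byte shortfall on a trunk port does to tagged frames. The link-level MTU values (1518 on the SRX reth4 side, 1514 on the EX9200 trunk before the fix) and the 1500-byte inet MTU come from the outputs posted above; the hop names and the sample packet sizes are constructed for the demonstration. Junos reports the Ethernet MTU including the 14-byte header but excluding the FCS, so a 1500-byte IP packet on a tagged link becomes a 1518-byte frame: too big for a port still at 1514, while a ping or a TCP SYN fits with room to spare. That is exactly the symptom pattern in the thread: ICMP and DNS work, the TCP handshake completes, and then the first full-size segment is dropped silently at layer 2 with no ICMP "fragmentation needed" to trigger path MTU discovery, so the connection hangs.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ETH_HEADER = 14   # dst MAC (6) + src MAC (6) + EtherType (2); Junos counts this in the link MTU, not the FCS
DOT1Q_TAG = 4     # 802.1Q tag added to every frame on a trunk / vlan-tagging interface


@dataclass(frozen=True)
class Hop:
    """One layer-2 link on the path, as described by 'show interfaces ... | match mtu'."""
    name: str
    link_mtu: int   # the "Link-level type: Ethernet, MTU: N" value
    tagged: bool    # frames on this link carry an 802.1Q tag


def frame_size(ip_len: int, tagged: bool) -> int:
    """Ethernet frame size (FCS excluded) for an IP packet of ip_len bytes."""
    return ETH_HEADER + (DOT1Q_TAG if tagged else 0) + ip_len


def max_ip_len(hop: Hop) -> int:
    """Largest IP packet this link can carry without dropping the frame."""
    return hop.link_mtu - ETH_HEADER - (DOT1Q_TAG if hop.tagged else 0)


def required_link_mtu(ip_mtu: int, tagged: bool) -> int:
    """Link-level MTU a port must have to carry ip_mtu-byte packets (1518 for a tagged 1500 MTU)."""
    return frame_size(ip_mtu, tagged)


def first_drop(path: Iterable[Hop], ip_len: int) -> Optional[str]:
    """Name of the first hop that cannot carry the packet, or None if it passes the whole path.

    Layer-2 drops are silent: no ICMP is generated, so TCP path MTU discovery never learns
    about them and keeps retransmitting the same oversized segment until it times out.
    """
    for hop in path:
        if frame_size(ip_len, hop.tagged) > hop.link_mtu:
            return hop.name
    return None


# Constructed IP packet sizes, in bytes, including the 20-byte IPv4 header.
SAMPLE_PACKETS: Dict[str, int] = {
    "icmp echo (default ping)": 84,    # 20 IP + 8 ICMP + 56 data
    "dns query over udp": 72,          # small UDP datagram, constructed value
    "tcp syn with options": 60,        # 20 IP + 40 TCP (MSS, window scale, SACK, timestamps)
    "tcp full-size segment": 1500,     # 20 IP + 20 TCP + 1460 payload, fills the 1500 inet MTU
}

# Path from the SRX cluster to the EX9200 as posted: SRX side already 1518, switch trunk still 1514.
BEFORE: List[Hop] = [
    Hop("srx reth4 (tagged, MTU 1518)", 1518, True),
    Hop("ex9200 ge-4/3/0 trunk (tagged, MTU 1514)", 1514, True),
]

# Same path after 'vlan-tagging' is added to the EX9200 trunk port, which raises its MTU by 4.
AFTER: List[Hop] = [
    Hop("srx reth4 (tagged, MTU 1518)", 1518, True),
    Hop("ex9200 ge-4/3/0 trunk (tagged, MTU 1518)", 1518, True),
]


def verdicts(path: List[Hop]) -> Dict[str, Optional[str]]:
    """Map each sample packet to the hop that drops it (None means it passes end to end)."""
    return {label: first_drop(path, ip_len) for label, ip_len in SAMPLE_PACKETS.items()}


def report(path: List[Hop]) -> List[str]:
    """Human-readable one-line verdict per sample packet."""
    lines = []
    for label, culprit in verdicts(path).items():
        outcome = "passes" if culprit is None else f"silently dropped at {culprit}"
        lines.append(f"{label:26} {SAMPLE_PACKETS[label]:5d} B -> {outcome}")
    return lines


if __name__ == "__main__":
    print("Before the fix (EX9200 trunk at 1514):")
    print("\n".join(report(BEFORE)))
    print("\nAfter adding vlan-tagging on the EX9200 trunk (1518):")
    print("\n".join(report(AFTER)))
    print(f"\nLink MTU needed for a tagged 1500-byte inet MTU: {required_link_mtu(1500, True)}")
```

    Run stand-alone, the script prints the before/after table; the practical check it encodes is `required_link_mtu(1500, True) == 1518`, which is the value the poster's own SRX interfaces already showed and the EX9200 trunk was missing.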
    


  • 5.  RE: SRX1500 - only passing traffic to/from some destinations

    Posted 02-14-2019 07:07

    Yes, seems to work now. Thank you. :)