SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX-300 with VRRP

    Posted 11-11-2021 19:05
    Hi,

    I am configuring two SRX300 routers to use VRRP, but I am facing an issue that is not making any sense to me.

    Config:

    Router-01
    show configuration interfaces ge-0/0/0   
    unit 0 {
        description "CNX LAN";
        family inet {
            address 172.16.63.201/25 {
                vrrp-group 1 {
                    virtual-address 172.16.63.200;
                    priority 200;
                    preempt;
                    accept-data;
                }
            }
        }
    }

    Router-02

    show configuration interfaces ge-0/0/0   
    unit 0 {
        description "CNX LAN";
        family inet {
            address 172.16.63.202/25 {
                vrrp-group 1 {
                    virtual-address 172.16.63.200;
                    preempt;
                    accept-data;
                }
            }
        }
    }

    As you can see, the commands are very simple and there is no magic, but when I connect the interface to my core switch, VRRP cannot establish communication with the other router. Each router is running as Active.

    From Router-01, I can ping Router-02 and vice versa, but I cannot find the root cause that is preventing VRRP from working.

    I really need some help to understand this behavior.

    Regards,
    Morais

    ------------------------------
    Thiago Morais
    ------------------------------


  • 2.  RE: SRX-300 with VRRP

    Posted 11-12-2021 05:37
    Hi,
    Did you enable VRRP under host-inbound-traffic protocols of the security zone associated with ge-0/0/0?

    Thanks,


  • 3.  RE: SRX-300 with VRRP

     
    Posted 11-12-2021 05:38
    Have you allowed VRRP traffic on the interface security zones?

    set security zones security-zone INTERNAL host-inbound-traffic protocols vrrp




  • 4.  RE: SRX-300 with VRRP

    Posted 11-12-2021 14:49
    The SRX is running as a traditional router, that is, packet-based mode. In this mode, all security zones have been deleted as described in the Juniper KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461&cat=J_SERIES&actp=LIST.

    Regards,
    TM

    ------------------------------
    Thiago Morais
    ------------------------------



  • 5.  RE: SRX-300 with VRRP

    Posted 11-12-2021 14:49
    The SRX is running as a traditional router, that is, packet-based mode.

    There are no security zones in the packet-based mode to be manipulated.

    ------------------------------
    Thiago Morais
    ------------------------------



  • 6.  RE: SRX-300 with VRRP

     
    Posted 11-12-2021 14:49
    I see that you posted in the vSRX forum with additional details. Does it work if you create an RVI on the core switch for the VLAN in question and assign it an IP address? I seem to recall transit VRRP packets disappearing until I did this, even though there should be no reason to do so.


  • 7.  RE: SRX-300 with VRRP

    Posted 11-13-2021 05:56
    Hi smicker,

    The switch already has a VLAN interface configured in the same subnet as the SRX, but VRRP is not working, even though I have full connectivity between the devices.

    Switch

    unit 200 {
        family inet {
            address 172.16.63.254/25;
        }
    }

    Based on Juniper's documentation, the VLAN interface is an RVI interface, but I didn't find anything to justify this behavior.

    Regards,
    TM

    ------------------------------
    Thiago Morais
    ------------------------------