vSRX

  • 1.  vSRX - Cluster | Any config change results in ALL traffic being dropped

    Posted 08-04-2020 06:01

    Hey all,

    I've got a pair of vSRX 3.0 VMs on the recommended firmware in ESXi where any configuration change results in ALL traffic being dropped.

    I've verified it is not an ESXi or environment problem by putting the VMs on the same host.

    Is there a particular config issue where this can happen? Do I have something wrong by chance?

    Is there a PCAP of sorts I could run that will show what is happening?



  • 2.  RE: vSRX - Cluster | Any config change results in ALL traffic being dropped

    Posted 08-04-2020 07:30

    Can you share your current config?
    Also, is the drop happening while commit is in progress?
    You can also try applying a flow trace to check the reason for drops.


    Juniper Business Use Only


  • 3.  RE: vSRX - Cluster | Any config change results in ALL traffic being dropped

    Posted 08-04-2020 08:46

    Nope.

    The drop happens after the commit is set, usually within 2 seconds.


    set groups CustomerTemplate security policies from-zone <*> to-zone SharedResources policy Permit match source-address any
    set groups CustomerTemplate security policies from-zone <*> to-zone SharedResources policy Permit match destination-address any
    set groups CustomerTemplate security policies from-zone <*> to-zone SharedResources policy Permit match application any
    set groups node0 interfaces fab0 fabric-options member-interfaces ge-0/0/0
    set groups node0 interfaces fab1 fabric-options member-interfaces ge-7/0/0
    set groups node1 interfaces fab0 fabric-options member-interfaces ge-0/0/0
    set groups node1 interfaces fab1 fabric-options member-interfaces ge-7/0/0
    set groups Permit-Any security policies from-zone <*> to-zone <*> policy permit-all match source-address any
    set groups Permit-Any security policies from-zone <*> to-zone <*> policy permit-all match destination-address any
    set groups Permit-Any security policies from-zone <*> to-zone <*> policy permit-all match application any
    set groups Permit-Any security policies from-zone <*> to-zone <*> policy permit-all then permit
    set apply-groups node0
    set apply-groups node1
    set system login user admin uid 2000    
    set system login user admin class super-user
    set system login user admin authentication encrypted-password "$6$XAuu0B20$.U6Z6XB4pzzpVMsqYFkRShWRGEcb8J4TE0kF.eKv1axE03hFPfzGHltKo3lvunS4isXzV3BrJTLLN3bJbyScN/"
    set system login user backup uid 2001
    set system login user backup class read-only
    set system login user backup authentication encrypted-password "$6$4z7hH27n$V496k727EDnAqoCLJnnsvtp8Y4lZDsD4GngaTlvQK9NVAsiik8QjKqpo0KPQp/BA0aN6ATuph/FPBIFyT.0gD/"
    set system login user readonly uid 2002
    set system login user readonly class read-only
    set system login user readonly authentication encrypted-password "$6$f5XLWfzN$yYF1edIFdUXSMEG5NNDNlSMyrtBF6FR.84GTiQQNVFQBDc3Kg1CP1rBLvPrbcFr1e.RBgsGgc1pDBptEPql3I."
    set system root-authentication encrypted-password "$6$DU4NXDOF$IrqRSVzCsu2rh1D31oMc/3id3dgg4ifltU3NHSqSrKsPqn4kffu65wEsFN9Ur1MjnHavcSjBHtbyxtqTg5UCg1"
    set system services ssh root-login allow
    set system services web-management http interface fxp0.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fxp0.0
    set system time-zone US/Mountain
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set chassis cluster reth-count 4
    set chassis cluster redundancy-group 0 node 0 priority 200
    set chassis cluster redundancy-group 0 node 1 priority 100
    set chassis cluster redundancy-group 1 node 0 priority 200
    set chassis cluster redundancy-group 1 node 1 priority 100
    set security flow traceoptions file dnat.log
    set security flow traceoptions flag basic-datapath
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set Global-Nat-Out from routing-instance Customer
    set security nat source rule-set Global-Nat-Out to zone WAN
    set security nat source rule-set Global-Nat-Out rule A match source-address 0.0.0.0/0
    set security nat source rule-set Global-Nat-Out rule A match destination-address 0.0.0.0/0
    set security nat source rule-set Global-Nat-Out rule A match application any
    set security nat source rule-set Global-Nat-Out rule A then source-nat interface
    set security nat destination pool Customer-address 172.25.3.5/32
    set security nat destination pool Customer-address port 3389
    set security nat destination pool Customer address 172.25.3.10/32
    set security nat destination pool Customer-address 10.4.3.6/32
    set security nat destination rule-set NAT-In-Hosted from zone WAN
    set security nat destination rule-set NAT-In-Hosted rule Customer-RDP match destination-address 
    set security nat destination rule-set NAT-In-Hosted rule Customer-RDP match destination-port 3389
    set security nat destination rule-set NAT-In-Hosted rule Customer-RDP match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule Customer-RDP then destination-nat pool Customer-RDP
    set security nat destination rule-set NAT-In-Hosted rule Customer-RDP match destination-address WAN
    set security nat destination rule-set NAT-In-Hosted rule Customer-RDP match destination-port 3839
    set security nat destination rule-set NAT-In-Hosted rule Customer-RDP then destination-nat pool Customer-RDP
    set security nat destination rule-set NAT-In-Hosted rule Customer-389 match destination-address WAN
    set security nat destination rule-set NAT-In-Hosted rule Customer-389 match destination-port 389
    set security nat destination rule-set NAT-In-Hosted rule Customer-389 match protocol udp
    set security nat destination rule-set NAT-In-Hosted rule Customer-389 match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule Customer-389 then destination-nat pool Customer-RDP
    set security nat destination rule-set NAT-In-Hosted rule Customer-888 match destination-address
    set security nat destination rule-set NAT-In-Hosted rule Customer-888 match destination-port 888
    set security nat destination rule-set NAT-In-Hosted rule Customer-888 match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule Customer-888 then destination-nat pool Customer-RDP
    set security nat destination rule-set NAT-In-Hosted rule Customer-3391 match destination-address 
    set security nat destination rule-set NAT-In-Hosted rule Customer-3391 match destination-port 3391
    set security nat destination rule-set NAT-In-Hosted rule Customer-3391 match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule Customer-3391 then destination-nat pool Customer-RDP
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 match destination-address 
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 match destination-port 443
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 then destination-nat pool Customer-RDP
    set security nat destination rule-set NAT-In-Hosted rule Customer-80 match destination-address WAN 
    set security nat destination rule-set NAT-In-Hosted rule Customer-80 match destination-port 80
    set security nat destination rule-set NAT-In-Hosted rule Customer-80 match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule Customer-80 then destination-nat pool Customer-RDP
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 match source-address 0.0.0.0/0
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 match destination-address WAN
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 match destination-port 443
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule Customer-443 then destination-nat pool Customer
    set security nat destination rule-set NAT-In-Hosted rule Customer-4115 match source-address 0.0.0.0/0
    set security nat destination rule-set NAT-In-Hosted rule Customer-4115 match destination-address WAN
    set security nat destination rule-set NAT-In-Hosted rule Customer-4115 match destination-port 4115
    set security nat destination rule-set NAT-In-Hosted rule Customer-4115 match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule MCustomerE-4115 then destination-nat pool Customer
    set security nat destination rule-set NAT-In-Hosted rule Customer-22 match source-address 0.0.0.0/0
    set security nat destination rule-set NAT-In-Hosted rule Customer-22 match destination-address WAN
    set security nat destination rule-set NAT-In-Hosted rule Customer-22 match destination-port 22
    set security nat destination rule-set NAT-In-Hosted rule Customer-22 match protocol tcp
    set security nat destination rule-set NAT-In-Hosted rule Customer-22 then destination-nat pool Customer
    set security policies from-zone WAN to-zone Customer policy Permit-Resources match source-address any
    set security policies from-zone WAN to-zone Customer policy Permit-Resources match destination-address any
    set security policies from-zone WAN to-zone Customer policy Permit-Resources match application Customer
    set security policies from-zone WAN to-zone Customer policy Permit-Resources then permit
    set security policies from-zone Customer to-zone Shared-Resources policy Permit-All match source-address any
    set security policies from-zone Customer to-zone ShareCustomer-Resources policy Permit-All match destination-address any
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-All match application any
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-All then permit
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-Resources match source-address any
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-Resources match destination-address Shared-Resources
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-Resources match application any
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-Resources then permit
    set security policies from-zone Customer to-zone Customer policy Permit-All match source-address any
    set security policies from-zone Customer to-zone Customer policy Permit-All match destination-address any
    set security policies from-zone Customer to-zone Customer policy Permit-All match application any
    set security policies from-zone Customer to-zone Customer policy Permit-All then permit
    set security policies from-zone Customer to-zone Customer policy Permit-All match source-address any
    set security policies from-zone Customer to-zone Customer policy Permit-All match destination-address any
    set security policies from-zone Customer to-zone Customer policy Permit-All match application any
    set security policies from-zone Customer to-zone Customer policy Permit-All then permit
    set security policies from-zone Customer to-zone WAN policy Permit-All match source-address any
    set security policies from-zone Customer to-zone WAN policy Permit-All match destination-address any
    set security policies from-zone Customer to-zone WAN policy Permit-All match application any
    set security policies from-zone Customer to-zone WAN policy Permit-All then permit
    set security policies from-zone Customer to-zone Shared-Resources policy Permit-Resources match source-address any
    set security policies from-zone Customer to-zone Shared-Resources policy Permit-Resources match destination-address Shared-Resources
    set security policies from-zone Customer to-zone Shared-Resources policy Permit-Resources match application any
    set security policies from-zone Customer to-zone Shared-Resources policy Permit-Resources then permit
    set security policies from-zone WAN to-zone Customer policy Permit-Customer-Resources match source-address any
    set security policies from-zone WAN to-zone Customer policy Permit-Customer-Resources match destination-address any
    set security policies from-zone WAN to-zone Customer policy Permit-Customer-Resources match application Customer
    set security policies from-zone WAN to-zone Customer policy Permit-Customer-Resources then permit
    set security policies from-zone Customer to-zone WAN apply-groups Permit-Any
    set security policies from-zone Customer to-zone Customer policy permit-all match source-address any
    set security policies from-zone Customer to-zone Customer policy permit-all match destination-address any
    set security policies from-zone Customer to-zone Customer policy permit-all match application any
    set security policies from-zone Customer to-zone Customer policy permit-all then permit
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-All match source-address any
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-All match destination-address any
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-All match application any
    set security policies from-zone Customer to-zone Customer-Resources policy Permit-All then permit
    set security policies from-zone Customer to-zone Customer policy Permit-All match source-address any
    set security policies from-zone Customer to-zone Customer policy Permit-All match destination-address any
    set security policies from-zone Customer to-zone Customer policy Permit-All match application any
    set security policies from-zone Customer to-zone Customer policy Permit-All then permit
    set security policies from-zone Customer to-zone WAN policy Permit-All match source-address any
    set security policies from-zone Customer to-zone WAN policy Permit-All match destination-address any
    set security policies from-zone Customer to-zone WAN policy Permit-All match application any
    set security policies from-zone Customer to-zone WAN policy Permit-All then permit
    set security zones security-zone Customer host-inbound-traffic system-services ping
    set security zones security-zone Customer host-inbound-traffic protocols bgp
    set security zones security-zone Customer interfaces reth0.2066
    set security zones security-zone Customer interfaces reth1.2066
    set security zones security-zone Customer interfaces reth2.2066
    set security zones security-zone Shared-Resources address-book address Customer-SDG-Handoff 10.200.0.1/32
    set security zones security-zone Shared-Resources address-book address Customer-Shared-Subnet 10.67.6.0/24
    set security zones security-zone Shared-Resources address-book address Customer-SDG2-Handoff 10.201.0.1/32
    set security zones security-zone Shared-Resources address-book address-set Shared-Resources address Customer-SDG-Handoff
    set security zones security-zone Shared-Resources address-book address-set Shared-Resources address Customer-Shared-Subnet
    set security zones security-zone Customer-Resources address-book address-set Shared-Resources address Customer-SDG2-Handoff
    set security zones security-zone Customer-Resources host-inbound-traffic system-services ping
    set security zones security-zone Customer-Resources host-inbound-traffic protocols bgp
    set security zones security-zone Customer-Resources interfaces reth0.676
    set security zones security-zone Customer-Resources interfaces reth0.2000
    set security zones security-zone Customer-Resources interfaces reth1.660
    set security zones security-zone Customer-Resources interfaces reth0.660
    set security zones security-zone Customer-Resources interfaces reth1.670
    set security zones security-zone Customer-Resources interfaces reth0.670
    set security zones security-zone Customer-Resources interfaces reth1.2000
    set security zones security-zone Customer host-inbound-traffic system-services ping
    set security zones security-zone Customer host-inbound-traffic protocols bgp
    set security zones security-zone Customer interfaces reth0.2001
    set security zones security-zone Customer interfaces reth1.2001
    set security zones security-zone Customer interfaces reth2.2001
    set security zones security-zone WAN host-inbound-traffic system-services ping
    set security zones security-zone WAN host-inbound-traffic system-services ssh
    set security zones security-zone WAN interfaces reth0.679
    set security zones security-zone WAN interfaces reth0.678
    set security zones security-zone Customer host-inbound-traffic system-services ping
    set security zones security-zone Customer host-inbound-traffic system-services ssh
    set security zones security-zone Customer host-inbound-traffic system-services snmp
    set security zones security-zone Customer interfaces reth0.677
    set security zones security-zone Customer host-inbound-traffic system-services ping
    set security zones security-zone Customer host-inbound-traffic protocols bgp
    set security zones security-zone Customer interfaces reth0.2048
    set security zones security-zone Customer interfaces reth1.2048
    set security zones security-zone Customer interfaces reth2.2048
    set interfaces ge-0/0/1 gigether-options redundant-parent reth0
    set interfaces ge-0/0/2 gigether-options redundant-parent reth1
    set interfaces ge-0/0/3 gigether-options redundant-parent reth2
    set interfaces ge-7/0/1 gigether-options redundant-parent reth0
    set interfaces ge-7/0/2 gigether-options redundant-parent reth1
    set interfaces ge-7/0/3 gigether-options redundant-parent reth2
    set interfaces reth0 flexible-vlan-tagging
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 660 disable
    set interfaces reth0 unit 660 vlan-id 660
    set interfaces reth0 unit 660 family inet address 10.66.0.101/24
    set interfaces reth0 unit 667 disable
    set interfaces reth0 unit 667 vlan-id 667
    set interfaces reth0 unit 667 family inet address 10.66.7.250/24
    set interfaces reth0 unit 670 disable   
    set interfaces reth0 unit 670 vlan-id 670
    set interfaces reth0 unit 670 family inet address 10.67.0.101/24
    set interfaces reth0 unit 671 vlan-id 671
    set interfaces reth0 unit 671 family inet address 10.67.1.5/24
    set interfaces reth0 unit 671 family inet address 10.67.1.3/24
    set interfaces reth0 unit 676 disable
    set interfaces reth0 unit 676 description DShared
    set interfaces reth0 unit 676 vlan-id 676
    set interfaces reth0 unit 677 vlan-id 677
    set interfaces reth0 unit 677 family inet address 10.67.7.5/24
    set interfaces reth0 unit 678 vlan-id 678
    set interfaces reth0 unit 678 family inet address WAN
    set interfaces reth0 unit 679 disable
    set interfaces reth0 unit 679 vlan-id 679
    set interfaces reth0 unit 679 family inet address WAN primary
    set interfaces reth0 unit 679 family inet address WAN preferred
    set interfaces reth0 unit 679 family inet address WAN
    set interfaces reth0 unit 679 family inet address WAN
    set interfaces reth0 unit 2000 disable
    set interfaces reth0 unit 2000 description DEN-SDG-2
    set interfaces reth0 unit 2000 vlan-id 2000
    set interfaces reth0 unit 2000 family inet address 10.200.0.1/24
    set interfaces reth0 unit 2001 disable  
    set interfaces reth0 unit 2001 vlan-id 2001
    set interfaces reth0 unit 2001 family inet address 10.200.1.1/24
    set interfaces reth0 unit 2048 disable
    set interfaces reth0 unit 2048 vlan-id 2048
    set interfaces reth0 unit 2048 family inet address 10.200.48.1/24
    set interfaces reth0 unit 2066 disable
    set interfaces reth0 unit 2066 vlan-id 2066
    set interfaces reth0 unit 2066 family inet address 10.200.66.1/24
    set interfaces reth1 disable
    set interfaces reth1 vlan-tagging
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 660 vlan-id 660
    set interfaces reth1 unit 660 family inet address 10.66.0.102/24
    set interfaces reth1 unit 670 vlan-id 670
    set interfaces reth1 unit 670 family inet address 10.67.0.102/24
    set interfaces reth1 unit 2000 vlan-id 2000
    set interfaces reth1 unit 2000 family inet address 10.201.0.1/24
    set interfaces reth1 unit 2001 vlan-id 2001
    set interfaces reth1 unit 2001 family inet address 10.201.1.1/24
    set interfaces reth1 unit 2048 vlan-id 2048
    set interfaces reth1 unit 2048 family inet address 10.201.48.1/24
    set interfaces reth1 unit 2066 vlan-id 2066
    set interfaces reth1 unit 2066 family inet address 10.201.66.1/24
    set interfaces reth2 flexible-vlan-tagging
    set interfaces reth2 redundant-ether-options redundancy-group 1
    set interfaces reth2 unit 2001 disable
    set interfaces reth2 unit 2001 description Customer-HandOff
    set interfaces reth2 unit 2001 vlan-id 2001
    set interfaces reth2 unit 2001 family inet address 10.4.3.1/29
    set interfaces reth2 unit 2048 vlan-id 2048
    set interfaces reth2 unit 2048 family inet address 10.4.2.17/28
    set interfaces reth2 unit 2066 disable
    set interfaces reth2 unit 2066 vlan-id 2066
    set interfaces reth2 unit 2066 family inet address 172.25.3.1/24
    set policy-options policy-statement Default term A from instance master
    set policy-options policy-statement Default term A from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement Default term A from route-filter 10.200.0.1/32 exact
    set policy-options policy-statement Default term A from route-filter 192.168.238.55/24 exact
    set policy-options policy-statement Default term A then accept
    set policy-options policy-statement Default term B then reject
    set policy-options policy-statement Customer-Resources from interface reth2.2048
    set policy-options policy-statement Customer-Resources then accept
    set policy-options policy-statement Customer-Resources term A from interface reth2.2066
    set policy-options policy-statement Customer-Resources term A then accept
    set policy-options policy-statement Customer-Resources term B then reject
    set policy-options policy-statement Customer-Resources term A from interface reth2.2001
    set policy-options policy-statement Customer-Resources term A then accept
    set policy-options policy-statement Customer-Resources term B then reject
    set policy-options policy-statement WAN-LoanBalance then load-balance per-packet
    set routing-instances Customer instance-type virtual-router
    set routing-instances Customer interface reth0.2048
    set routing-instances Customer interface reth1.2048
    set routing-instances Customer interface reth2.2048
    set routing-instances Customer routing-options instance-import Default
    set routing-instances Customer protocols bgp group Customer type external
    set routing-instances Customer protocols bgp group Customer local-address 10.200.48.1
    set routing-instances Customer protocols bgp group Customer export Customer-Resources
    set routing-instances Customer protocols bgp group Customer peer-as 64515
    set routing-instances Customer protocols bgp group Customer local-as 64512
    set routing-instances Customer protocols bgp group Customer neighbor 10.200.48.2
    set routing-instances Customer protocols bgp group Customer-N1 type external
    set routing-instances Customer protocols bgp group Customer-N1 local-address 10.201.48.1
    set routing-instances Customer protocols bgp group Customer-N1 export Customer-Resources
    set routing-instances Customer protocols bgp group Customer-N1 peer-as 64515
    set routing-instances Customer protocols bgp group Customer-N1 local-as 64512
    set routing-instances Customer protocols bgp group Customer-N1 neighbor 10.201.48.2
    set routing-instances Customer instance-type virtual-router
    set routing-instances Customer interface reth0.2066
    set routing-instances Customer interface reth1.2066
    set routing-instances Customer interface reth2.2066
    set routing-instances Customer protocols bgp group Customer-0 type external
    set routing-instances Customer protocols bgp group Customer-0 local-address 10.200.66.1
    set routing-instances HI Customer protocols bgp group Customer-0 export Customer-Resources
    set routing-instances Customer protocols bgp group Customer-0 peer-as 64514
    set routing-instances Customer protocols bgp group Customer-0 local-as 64512
    set routing-instances Customer protocols bgp group Customer-0 neighbor 10.200.66.2
    set routing-instances Customer protocols bgp group Customer-1 type external
    set routing-instances Customer protocols bgp group Customer-1 local-address 10.201.66.1
    set routing-instances Customer protocols bgp group Customer-1 export Customer-Resources
    set routing-instances Customer protocols bgp group Customer-1 peer-as 64514
    set routing-instances Customer protocols bgp group Customer-1 local-as 64512
    set routing-instances Customer protocols bgp group Customer-1 neighbor 10.201.66.2
    set routing-instances Customer instance-type virtual-router
    set routing-instances Customer interface reth0.677
    set routing-instances Customer routing-options static route 0.0.0.0/0 next-hop 10.67.7.1
    set routing-instances Customer instance-type virtual-router
    set routing-instances Customer interface reth0.2001
    set routing-instances Customer interface reth1.2001
    set routing-instances Customer interface reth2.2001
    set routing-instances Customer routing-options instance-import Default
    set routing-instances Customer protocols bgp group Customer-N0 type external
    set routing-instances Customer protocols bgp group Customer-N0 local-address 10.200.1.1
    set routing-instances Customer protocols bgp group Customer-N0 export Customer-Resources
    set routing-instances Customer protocols bgp group Customer-N0 peer-as 64513
    set routing-instances Customer protocols bgp group Customer-N0 local-as 64512
    set routing-instances Customer protocols bgp group Customer-N0 neighbor 10.200.1.2
    set routing-instances Customer protocols bgp group Customer-N1 type external
    set routing-instances Customer protocols bgp group Customer-N1 local-address 10.201.1.1
    set routing-instances Customer protocols bgp group Customer-N1 export Customer-Resources
    set routing-instances Customer protocols bgp group Customer-N1 peer-as 64513
    set routing-instances Customer protocols bgp group Customer-N1 local-as 64512
    set routing-instances Customer protocols bgp group Customer-N1 neighbor 10.201.1.2
    set applications application Customer-RDP protocol tcp
    set applications application Customer-RDP destination-port 3839
    set applications application Customer-RDP protocol tcp
    set applications application Customer-RDP destination-port 3389
    set applications application Customer-389-UDP protocol udp
    set applications application Customer-389-UDP destination-port 389
    set applications application Customer-389-TCP protocol tcp
    set applications application Customer-389-TCP destination-port 389
    set applications application Customer-888 protocol tcp
    set applications application Customer-888 destination-port 888
    set applications application Customer-3391 protocol tcp
    set applications application Customer-3391 destination-port 3391
    set applications application Customer-443 protocol tcp
    set applications application Customer-443 destination-port 443
    set applications application Customer-80 protocol tcp
    set applications application Customer-80 destination-port 80
    set applications application Customer-3389 protocol tcp
    set applications application Customer-3389 destination-port 3389
    set applications application Customer-443 protocol tcp
    set applications application Customer-443 destination-port 443
    set applications application Customer-4115 protocol tcp
    set applications application Customer-4115 destination-port 4115
    set applications application Customer-22 protocol tcp
    set applications application Customer-22 destination-port 22
    set applications application Customer-22 protocol tcp
    set applications application Customer-22 destination-port 22
    set applications application-set Customer application Customer-RDP
    set applications application-set Customer  application Customer-3391
    set applications application-set Customer application Customer-389-TCP
    set applications application-set Customer application Customer-389-UDP
    set applications application-set Customer application Customer-443
    set applications application-set Customer application Customer-80
    set applications application-set Customer application Customer-888
    set applications application-set Customer application Customer-3389
    set applications application-set Customer application Customer-22
    set applications application-set Customer application Customer-4115
    set applications application-set Customer application Customer-443
    set routing-options static route 0.0.0.0/0 next-hop RTR
    set routing-options static route 0.0.0.0/0 next-hop RTR
    set routing-options forwarding-table export WAN-LoanBalance
    


  • 4.  RE: vSRX - Cluster | Any config change results in ALL traffic being dropped

    Posted 08-04-2020 08:47

    Having some interfaces / reths admin down shouldn't cause this problem, should it?



  • 5.  RE: vSRX - Cluster | Any config change results in ALL traffic being dropped

    Posted 08-04-2020 09:07

    Can you change the fab config to global config instead of groups? Never seen this config and not sure if it's contributing for some reason.

    delete groups node0 interfaces fab0
    delete groups node0 interfaces fab1
    set interfaces fab0 fabric-options member-interfaces ge-0/0/0
    set interfaces fab1 fabric-options member-interfaces ge-7/0/0
    set interfaces fab0 fabric-options member-interfaces ge-0/0/0
    set interfaces fab1 fabric-options member-interfaces ge-7/0/0
    commit

    Also, I am not sure if the traceoption is applied to troubleshoot this issue; if so, please add a packet filter to trace a specific flow, otherwise it will capture all traffic and result in high CPU usage.

    set security flow traceoptions file dnat.log
    set security flow traceoptions flag basic-datapath

    Regarding interfaces in admin down state, it should not cause this issue.




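    The reply above asks for a packet filter on the flow trace but does not show one. The following is an added example, not from any post in this thread, of the scoped version of that trace. The file name and the basic-datapath flag are the ones in the posted config; 172.25.3.5 is the RDP host from the posted destination-NAT pool, and the client address 203.0.113.10 is made up for the example.

```junos
# Added example, not from the thread. Assumed values: 203.0.113.10 is a test
# client on the WAN side; 172.25.3.5 is the RDP host in the posted NAT pool.

# Bound the log so a busy trace cannot fill /var/log.
set security flow traceoptions file dnat.log size 10m files 3
set security flow traceoptions flag basic-datapath

# Trace only the RDP flow, in both directions. Without a packet-filter every
# packet handled by the flow daemon is written to the trace, which is the
# CPU load the reply warns about.
set security flow traceoptions packet-filter rdp-in source-prefix 203.0.113.10/32
set security flow traceoptions packet-filter rdp-in destination-port 3389
set security flow traceoptions packet-filter rdp-in protocol tcp
set security flow traceoptions packet-filter rdp-out source-prefix 172.25.3.5/32
set security flow traceoptions packet-filter rdp-out source-port 3389
set security flow traceoptions packet-filter rdp-out protocol tcp
commit

# Reproduce the outage (any small change plus commit), then look for the
# drop reason recorded for the traced session.
run show log dnat.log | match "denied|drop"

# Flow traceoptions are a troubleshooting tool, not a permanent setting:
# switch them off once the trace has been collected.
deactivate security flow traceoptions
commit
```

    Keeping the filter to a single client and a single service keeps the trace readable as well as cheap: the lines for the dropped session sit next to each other instead of being buried under unrelated traffic.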

  • 6.  RE: vSRX - Cluster | Any config change results in ALL traffic being dropped

    Posted 08-04-2020 12:41

    Hey!

    I tried deleting the groups, but no dice.

    I'm going to bring the reth interfaces up tonight and test again just to see.

    Thank you!



  • 7.  RE: vSRX - Cluster | Any config change results in ALL traffic being dropped

    Posted 08-04-2020 13:28

    Thinking out loud here... wondering if the security policies done via apply-groups could create the behaviour you are experiencing.

    As a test, may I suggest that you convert your policies via apply-groups to global policies, as that would accomplish your goal with the permit-any apply-group.

    The global policy will be evaluated after zone-specific policies, so don't put a deny any-any at the bottom there, as you would hit that deny before reaching global policies.

    set security policies global policy allow-to-wan match source-address any
    set security policies global policy allow-to-wan match destination-address any
    set security policies global policy allow-to-wan match application any
    set security policies global policy allow-to-wan match from-zone any
    set security policies global policy allow-to-wan match to-zone WAN
    set security policies global policy allow-to-wan then permit

    Let us know how your tests go.


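    The ordering point in the reply above (zone-pair policies first, global policies only if nothing in the zone pair matched) is easy to get wrong, so here is an added example, not from any post in this thread, showing the shadowing case beside its fix. Zone names Customer and WAN and the allow-to-wan global policy are from the thread; the catch-all deny and the test addresses 10.200.48.10 and 198.51.100.20 are made up for the example.

```junos
# Added example, not from the thread. Assumed: the zone-pair deny-all below
# is hypothetical, as are the two test addresses used in the match check.

# Shadowing case: the Customer -> WAN lookup ends at deny-all, so the global
# allow-to-wan policy is never consulted for that zone pair.
set security policies from-zone Customer to-zone WAN policy deny-all match source-address any
set security policies from-zone Customer to-zone WAN policy deny-all match destination-address any
set security policies from-zone Customer to-zone WAN policy deny-all match application any
set security policies from-zone Customer to-zone WAN policy deny-all then deny
set security policies global policy allow-to-wan match source-address any
set security policies global policy allow-to-wan match destination-address any
set security policies global policy allow-to-wan match application any
set security policies global policy allow-to-wan match from-zone any
set security policies global policy allow-to-wan match to-zone WAN
set security policies global policy allow-to-wan then permit
commit

# Check which policy a Customer -> WAN HTTPS flow hits. With the configuration
# above it is the zone-pair deny-all.
run show security match-policies from-zone Customer to-zone WAN source-ip 10.200.48.10 destination-ip 198.51.100.20 source-port 40000 destination-port 443 protocol tcp

# Fix: move the catch-all into the global policy list, ordered after the
# permit, so zone-pair lookups fall through to the global policies.
delete security policies from-zone Customer to-zone WAN policy deny-all
set security policies global policy deny-all match source-address any
set security policies global policy deny-all match destination-address any
set security policies global policy deny-all match application any
set security policies global policy deny-all match from-zone any
set security policies global policy deny-all match to-zone any
set security policies global policy deny-all then deny
insert security policies global policy deny-all after policy allow-to-wan
commit

# Re-run the same match check; the flow should now resolve to allow-to-wan.
run show security match-policies from-zone Customer to-zone WAN source-ip 10.200.48.10 destination-ip 198.51.100.20 source-port 40000 destination-port 443 protocol tcp
```

    Running the match check before and after the change is the quickest way to confirm that a global policy is actually reachable for a given zone pair, rather than inferring it from traffic tests.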

  • 8.  RE: vSRX - Cluster | Any config change results in ALL traffic being dropped

    Posted 08-05-2020 08:03

    I deleted the only reference where that permit-any "apply-groups" was being used.

    Any ideas?



  • 9.  RE: vSRX - Cluster | Any config change results in ALL traffic being dropped
    Best Answer

    Posted 08-14-2020 07:15

    Code bug.

    Deployed a 20.1 RS and this problem does not exist.