Unable to connect to Juniper secure connect using two isp's (we are using static routes)

  • 1.  Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 13 days ago
    Hi Team,

    We have implemented Juniper Secure Connect, and since we use static routes for two ISPs and cannot use two default routes at a time, we thought of doing destination NAT on blaze 210 -- the external firewall connected to the internet.
    I can see the NAT is happening on the 210, but I can't see any traffic coming to our core firewall, SRX 340.

    The loopback IP doesn't respond with any bytes, even for ICMP. Are we supposed to deploy Juniper Secure Connect only on reth interfaces? Because it's working fine for reth1.

    We have assigned a zone to the loopback IP 10.2.0.5/29 and allowed the inbound services as any and policies as any, but it doesn't work.

    Can we connect to Juniper Secure Connect on a loopback IP?

    ------------------------------
    Thank you in advance
    Scan Bake
    ------------------------------


  • 2.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    Hi Scan,

    Are the 340s or 240s in HA at all, as you mention something working on reth1?

    Nick





  • 3.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    Hey Nick, thank you for responding.

    Yeah, the loopback IP is on the SRX 340 and it's in HA. I think the main issue is I'm unable to ping the loopback IP from the external gateway (SRX210); it's a public IP.

    ------------------------------
    Scan Bake
    ------------------------------



  • 4.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    OK, so from the diagram the 340s are in HA with a single IP on 2 reths and the 240s are separate with an IP address each?

    So on the 340s one reth has .10/29 and the other reth has .2/29? I assume from each 240 you can ping .10?

    Are you able to redraw this logically showing interface details too?

    Nick

    ------------------------------
    Nick Ryce
    ------------------------------



  • 5.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    Hey, I got confused here. We have two different IPs for two reths (we have two different ISPs), and yeah, the 210s are separate with an IP address each.

    Basically, I want to ping only from 10.2.0.1/29 because I'm trying to do a source NAT: if anyone from the internet hits the loopback IP, it should get NATed to the interface IP (10.2.0.1/29) and that should reach 10.2.0.5 (sorry, I messed up the IP address of the loopback above).

    I can see the session being formed on the SRX 210, but I don't see any session for the loopback IP and can't even ping from my own SRX 210.

    ------------------------------
    Scan Bake
    ------------------------------



  • 6.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    Hi Scan,

    That's OK.

    So to recap, outwith NAT, you are unable to ping 10.2.0.5 when sourcing the packet from 10.2.0.1?

    Nick


  • 7.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    Yeah, exactly. I tried to do a traceflow session with source as interface IP 10.2.0.1 and destination as loopback IP 10.2.0.5, but it's the same: nothing in the log, just empty.

    ------------------------------
    Scan Bake
    ------------------------------



  • 8.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    .5 is the interface IP of the reth or the loopback IP?

    If it's the reth interface of the 340, on the 210 do you see ARP for .5?

    If it is an actual loopback, have you enabled proxy ARP for it?


  • 9.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    .5 is the loopback IP; 0.2 is the reth.

    You're right, I can't see ARP for .5 on the 210.

    That's the doubt I have -- do we need proxy ARP for loopbacks? I thought it's only required for destination NATs.

    Although I have previously added the ARP, something like this, but it didn't work:

    set security nat proxy-arp interface reth2.0 address 10.2.0.5/32

    ------------------------------
    Scan Bake
    ------------------------------



  • 10.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 8 days ago
    That should do it if reth2 is the correct reth.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21785&actp=METADATA

    Nick


  • 11.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 7 days ago
    Hey Rick, unfortunately that didn't work :(

    ------------------------------
    Scan Bake
    ------------------------------



  • 12.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 7 days ago
    Does .5 now show in the ARP table?

    If it doesn't, concentrate on getting that working, as you may find all your other config on the 210s is correct and it's just this one last bit left.


  • 13.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 6 days ago
    Yeah, it still doesn't show in ARP. Can we add a static ARP entry?

    ------------------------------
    Scan Bake
    ------------------------------



  • 14.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)
    Best Answer

    Posted 6 days ago
    Yeah, give https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/arp-static-configuring-qfx-series-cli.html a try.


  • 15.  RE: Unable to connect to Juniper secure connect using two isp's (we are using static routes)

    Posted 4 days ago
    Hey Rick, that worked like a charm.

    Thank you

    ------------------------------
    Scan Bake
    ------------------------------