Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Possible Routing issue - Traffic Logging Query

    Posted 08-24-2021 22:55
    I have set up a simple network where we have BGP running between the WAN port and the ISP. We are learning a default route from the ISP and advertising all 10 routes to the ISP.

    The problem I am experiencing is with a single subnet, 172.22.234.0/24, that I am learning from another BGP neighbor connected on a LAN port. I am able to reach this subnet successfully, and a traceroute also takes me to it, but a customer who is on a different local subnet is unable to reach 172.22.234.0/24. The customer's trace is stopping at my Juniper router.

    There are two things that I want to do:
    1) Logging: how do I enable traffic logging to/from a source to a destination, to see if there is any hit on the Juniper and whether it's stopping the traffic? Do I just create a local file and enable all traffic logs? Please can someone advise.

    2) How do I troubleshoot this further, as my trace is reaching that subnet fine?

    Trace from the Juniper:
    PLL049-A# run traceroute 172.22.234.1 source 10.80.32.44
    traceroute to 172.22.234.1 (172.22.234.1) from 10.80.32.44, 30 hops max, 40 byte packets
    1 10.80.32.36 (10.80.32.36) 2.140 ms 1.402 ms 1.246 ms
    2 10.80.47.12 (10.80.47.12) 4.176 ms 2.061 ms 1.904 ms

    Routing table on the Juniper:

    PLL049-A# run show route


    Routing table on my 
    0.0.0.0/0 *[BGP/170] 3d 03:14:23, localpref 100
    AS path: 65509 65509 I, validation-state: unverified
    > to 172.31.255.101 via ge-0/0/15.0
    10.80.32.0/20 *[Static/5] 8w0d 10:40:03
    > to 10.80.32.33 via ge-0/0/0.0
    10.80.32.32/28 *[Direct/0] 8w0d 10:40:03
    > via ge-0/0/0.0
    10.80.32.44/32 *[Local/0] 10w5d 06:32:19
    Local via ge-0/0/0.0
    10.80.32.46/32 *[Local/0] 3d 03:14:19
    Local via ge-0/0/0.0
    10.127.0.76/30 *[Direct/0] 10w5d 06:32:16
    > via ge-0/0/15.0
    10.127.0.78/32 *[Local/0] 10w5d 06:32:18
    Local via ge-0/0/15.0
    172.16.0.0/24 *[Static/5] 8w0d 10:40:03
    > to 10.80.32.36 via ge-0/0/0.0
    172.22.174.144/28 *[BGP/170] 1w0d 08:03:21, localpref 100
    AS path: 65401 65400 ?, validation-state: unverified
    > to 172.31.255.101 via ge-0/0/15.0
    [BGP/170] 3d 02:17:46, localpref 90
    AS path: 65401 65400 ?, validation-state: unverified
    > to 10.80.32.36 via ge-0/0/0.0
    172.22.234.0/24 *[BGP/170] 1w0d 07:22:43, localpref 90
    AS path: 65401 65400 I, validation-state: unverified
    > to 10.80.32.36 via ge-0/0/0.0
    172.22.250.0/24 *[Static/5] 5w0d 02:31:07
    > to 10.80.32.36 via ge-0/0/0.0
    [BGP/170] 1w0d 07:22:43, localpref 90
    AS path: 65401 65400 I, validation-state: unverified
    > to 10.80.32.36 via ge-0/0/0.0
    172.26.82.64/27 *[Static/5] 8w0d 10:40:03
    > to 10.80.32.33 via ge-0/0/0.0
    172.31.255.100/30 *[Direct/0] 10w5d 06:32:16
    > via ge-0/0/15.0
    172.31.255.102/32 *[Local/0] 10w5d 06:32:18
    Local via ge-0/0/15.0

    Schematic attached.


    ------------------------------
    junos sky
    ------------------------------


  • 2.  RE: Possible Routing issue - Traffic Logging Query

    Posted 08-25-2021 05:58
    Looks like the Juniper device is an SRX. If you are running it as a normal firewall in flow mode, I think the first thing to check is the security policies at play. These will be from the zone of the interface where the initiating traffic comes in to the zone assigned to the interface of the receiver.

    Live, you can see if a session is created using:
    show security flow session destination-prefix x.x.x.x/x

    Another check is whether the return route for the sending subnet is covered on the far end, so that this traffic comes back to the SRX. Perhaps the receiver has another path on which they are sending this return traffic instead of back to your SRX.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Possible Routing issue - Traffic Logging Query

    Posted 08-25-2021 12:12
    @spuluka Many thanks for your reply.

    I have now asked the customer to provide the routing table at the remote end to see what's going on.

    Is there a way on Junipers to set up traffic logging to only see the source and destination IP traffic, to see if it's even hitting the Juniper at all? I was thinking of putting these traffic logging stats in a file on the Juniper and viewing this traffic via e.g. show log traffic-logs etc.?


    Thanks

    ------------------------------
    junos sky
    ------------------------------



  • 4.  RE: Possible Routing issue - Traffic Logging Query

    Posted 08-25-2021 19:33
    Logs would be enabled at the policy level. So these can be turned on targeting the flow that you are looking at, and they would record the same information you see live in the show security flow operation.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
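To make the policy-level logging described in the reply above concrete, here is an added example (not from the original thread, and not configuration from the poster's device or from Juniper) of how session logging is turned on for one flow on an SRX and collected into a local log file. The zone names `customer` and `external` and the policy name `allow` are taken from the thread; the policy name `log-234`, the address-book entry `net-172-22-234` and the file name `traffic-logs` are assumed names. The zone pair used must be the one the failing flow actually traverses, which the thread does not show; `show security zones` lists which interface sits in which zone.

```text
# --- Added example: scoped session logging on an SRX (assumed names, see lead-in) ---

# The policies in the thread match any/any, so logging on "allow" itself would
# record every session. Instead, add a narrow policy for the subnet under
# investigation and insert it ahead of the catch-all so it is evaluated first.
set security address-book global address net-172-22-234 172.22.234.0/24

set security policies from-zone customer to-zone external policy log-234 match source-address any
set security policies from-zone customer to-zone external policy log-234 match destination-address net-172-22-234
set security policies from-zone customer to-zone external policy log-234 match application any
set security policies from-zone customer to-zone external policy log-234 then permit
set security policies from-zone customer to-zone external policy log-234 then log session-init
set security policies from-zone customer to-zone external policy log-234 then log session-close
insert security policies from-zone customer to-zone external policy log-234 before policy allow

# Write the RT_FLOW session messages to a local file on the routing engine.
# On branch SRX the default security log mode is "event", which is what makes
# these messages land in the RE syslog; if "set security log mode stream" is
# configured, they go to the external collector instead and will not appear here.
set system syslog file traffic-logs any any
set system syslog file traffic-logs match RT_FLOW_SESSION

commit

# --- Operational checks once the customer re-runs its traceroute ---

# Did a session get created for the flow at all? If nothing appears here, the
# packets are not reaching the SRX (or are dropped before session setup).
run show security flow session destination-prefix 172.22.234.0/24

# Which policy would this flow hit? Replace 10.80.x.x with the customer's
# source address (placeholder); 33434/udp is the traceroute probe used here as an example.
run show security match-policies from-zone customer to-zone external source-ip 10.80.x.x destination-ip 172.22.234.1 source-port 1024 destination-port 33434 protocol udp

# Per-policy counters, and the session log itself.
run show security policies hit-count
run show log traffic-logs | match 172.22.234
```

`session-init` alone is enough to prove a session was created; `session-close` adds the byte counts and the close reason, which is what tells you whether the reply path is missing (the check in reply 2 about the return route). One further thing worth confirming from the policy list the poster shows later in the thread: it covers external-to-external, external-to-customer and customer-to-external, but no customer-to-customer pair, so if the customer subnet and 172.22.234.0/24 are both behind interfaces in the `customer` zone, that intra-zone pair is governed by the default policy; `show security policies from-zone customer to-zone customer` shows whether anything is configured there.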



  • 5.  RE: Possible Routing issue - Traffic Logging Query

    Posted 09-07-2021 08:56
    @spuluka thanks for getting back to me.
    I have checked this again, and here are my policies:

    set security policies from-zone external to-zone external policy allow match source-address any
    set security policies from-zone external to-zone external policy allow match destination-address any
    set security policies from-zone external to-zone external policy allow match application any
    set security policies from-zone external to-zone external policy allow then permit
    set security policies from-zone external to-zone customer policy allow match source-address any
    set security policies from-zone external to-zone customer policy allow match destination-address any
    set security policies from-zone external to-zone customer policy allow match application any
    set security policies from-zone external to-zone customer policy allow then permit
    set security policies from-zone customer to-zone external policy allow match source-address any
    set security policies from-zone customer to-zone external policy allow match destination-address any
    set security policies from-zone customer to-zone external policy allow match application any
    set security policies from-zone customer to-zone external policy allow then permit



    I can successfully reach the subnet I am learning via BGP from the customer; however, when the customer tries via their layer 3 switch they are unable to reach anywhere beyond the Juniper.

    run show route receive-protocol bgp 10.80.32.36

    inet.0: 14 destinations, 17 routes (14 active, 0 holddown, 1 hidden)
    Prefix Nexthop MED Lclpref AS path
    172.22.174.144/28 10.80.32.36
    * 172.22.234.0/24 10.80.32.36
    172.22.250.0/24 10.80.32.36

    Traceroute from the Juniper:


    run traceroute 172.22.234.1 source 10.80.32.46
    traceroute to 172.22.234.1 (172.22.234.1) from 10.80.32.46, 30 hops max, 40 byte packets
    1 10.80.32.36 (10.80.32.36) 2.131 ms 1.742 ms 1.807 ms
    2 10.80.47.12 (10.80.47.12) 2.438 ms 2.520 ms 2.225 ms


    Traceroute from Customer CORE switch:


    lmr# traceroute 172.22.234.1
    traceroute to 172.22.234.1 ,
                  1 hop min, 30 hops max, 5 sec. timeout, 3 probes
    1  *  *  *
    2  *  *  *
    3  *  *  *
    4  *  *  *
    5  *  *  *
    6  *  *  *
    7  *  *  *
    8  *  *  *
    9  *  *  *
    10  *  *  *
    11  *  *  *
    12  *  *  *
    13  *  *  *
    14  *  *  *
    15  *  *  *
    16  *  *  *
    17  *  *  *
    18  *  *  *
    19  *  *  *
    20  *  *  *
    21  *  *  *
    22  *  *  *

    ------------------------------
    junos sky
    ------------------------------