SRX345 blocks/drops/ignores traffic after link goes down and back up

  • 1.  SRX345 blocks/drops/ignores traffic after link goes down and back up

    This message was posted by a user wishing to remain anonymous
    Posted 05-31-2022 14:56

    I have an SRX345 that needs to do something very simple: provide internet to a bunch of users via NAT and DHCP.

    I got this working (NAT and DHCP) on one port. But when I used ethernet-switching to give access to multiple ports, the firewall started misbehaving: if I connect a computer to an ethernet-switch port, "it works" (e.g. I can ping the FW). But if I unplug the ethernet cable connecting the computer to the SRX, and then one second later reconnect the cable, "it doesn't work". DHCP provides an address but something somewhere prevents me from pinging the FW.

    I can get it to work again if I change the IP address on the computer (away from the DHCP-assigned address) and then change it back to DHCP.

    "it works": Workstations with DHCP-assigned addresses 192.168.111.10-100 can ping the SRX at 192.168.111.1

    "it doesn't work": Same workstations can no longer ping 192.168.111.1

    Strangely, if I put an unmanaged switch between the computers and the SRX, the problem frequency is reduced.

    My config:

    version 20200423.125841_builder.r1104050;
    system {
        host-name xxxxxxxx;
        root-authentication {
            encrypted-password "$6$xxx."; ## SECRET-DATA
        }
        login {
            user admin {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$6$xxx."; ## SECRET-DATA
                }
            }
        }
        services {
            ftp;
            ssh {
                root-login allow;
                protocol-version v2;
                connection-limit 5;
                rate-limit 5;
            }
            telnet;
            xnm-clear-text;
            dhcp-local-server {
                group lan {
                    interface irb.0;
                }
            }
        }
        domain-name ascendantps.com;
        time-zone gmt;
        ports {
            console {
                log-out-on-disconnect;
                type vt100;
            }
        }
        name-server {
            8.8.8.8;
        }
    }
    security {
        address-book {
            global {
                address lan 192.168.111.0/24;
            }
        }
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            rsh disable;
            rtsp disable;
            sccp disable;
            sip disable;
            sql disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        nat {
            source {
                rule-set int {
                    from zone lan;
                    to zone internet;
                    rule 1 {
                        match {
                            source-address 192.168.111.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone lan to-zone internet {
                policy OK {
                    match {
                        source-address lan;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone lan {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
            security-zone internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/8.0;
                    ge-0/0/0.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description LAN;
            unit 0 {
                description xxxxxxxx;
                bandwidth 1g;
                family inet {
                    address 76.54.32.1/30;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members lan;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members lan;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members lan;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members lan;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members lan;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members lan;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members lan;
                    }
                }
            }
        }
        ge-0/0/8 {
            description WAN;
            speed 1g;
            mtu 9010;
            link-mode full-duplex;
            gigether-options {
                no-loopback;
            }
            unit 0 {
                description xxxxxxxx;
                bandwidth 1g;
                family inet {
                    address 123.45.67.186/30;
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members lan;
                    }
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.111.1/32;
                }
            }
        }
    }
    access {
        address-assignment {
            pool lan {
                family inet {
                    network 192.168.111.0/24;
                    range subnet1 {
                        low 192.168.111.10;
                        high 192.168.111.100;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            192.168.111.1;
                        }
                    }
                }
            }
        }
    }
    vlans {
        lan {
            vlan-id 100;
            l3-interface irb.0;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 123.45.67.185;
        }
        graceful-restart;
    }


  • 2.  RE: SRX345 blocks/drops/ignores traffic after link goes down and back up

    Posted 06-01-2022 12:13
    Your irb.0 address is wrong -- it should be 192.168.111.1/24.
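The reply's diagnosis can be turned into a configuration check. The script below is an added example, not code from the original thread or from Juniper: it parses a Junos-style brace configuration (a constructed excerpt of the posted config, reduced to the stanzas the check needs) and reports any DHCP pool network or address range that the irb.0 inet prefix does not contain. With the posted /32 every pool range falls outside the interface's one-host network; the check also generalizes to any number of pools and ranges.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above: just the stanzas this check reads.
POSTED_CONFIG = """
interfaces { irb { unit 0 { family inet { address 192.168.111.1/32; } } } }
access { address-assignment { pool lan { family inet {
    network 192.168.111.0/24;
    range subnet1 { low 192.168.111.10; high 192.168.111.100; }
} } } }
"""

def parse_junos(text):
    """Nested dicts from Junos brace syntax: 'a b;' -> {'a': 'b'}, 'a;' -> {'a': True}."""
    stack, pending = [{}], ""
    for tok in re.split(r"([{};])", re.sub(r"##.*", "", text)):  # drop '## SECRET-DATA'
        if tok == "{":
            child = {}
            stack[-1][pending.strip()] = child
            stack.append(child)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            key, _, value = pending.strip().partition(" ")
            stack[-1][key] = value or True
        else:
            pending = tok
    return stack[0]

def dhcp_outside_irb(cfg):
    """Findings for DHCP pool networks/ranges that the irb.0 inet prefix does not contain."""
    addr = cfg["interfaces"]["irb"]["unit 0"]["family inet"]["address"]
    subnet = ipaddress.ip_interface(addr).network  # a /32 is a one-host network
    findings = []
    for pool_key, pool in cfg["access"]["address-assignment"].items():
        fam = pool["family inet"]
        if not ipaddress.ip_network(fam["network"]).subnet_of(subnet):
            findings.append(f"{pool_key}: network {fam['network']} not within {addr}")
        for key, rng in fam.items():
            if key.startswith("range "):
                for end in ("low", "high"):
                    if ipaddress.ip_address(rng[end]) not in subnet:
                        findings.append(f"{pool_key} {key}: {end} {rng[end]} not in {addr}")
    return findings

if __name__ == "__main__":
    for line in dhcp_outside_irb(parse_junos(POSTED_CONFIG)):
        print("FINDING:", line)
    print("after fix:", dhcp_outside_irb(parse_junos(POSTED_CONFIG.replace("/32", "/24"))))
```

Running it against the excerpt as posted yields three findings; applying the reply's fix (replace `/32` with `/24` on irb.0) clears all of them.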