vSRX

Ask questions and share experiences with vSRX Virtual Firewall deployments and how to scale firewall protection.

vSRX in eve-ng: No input packets on directly connected interfaces. No ping or OSPF peering either!

  • 1.  vSRX in eve-ng: No input packets on directly connected interfaces. No ping or OSPF peering either!

    Posted 10-29-2021 05:53
    I am really stuck. I need to fix this to keep my labbing going. Here's the problem:
    vSRX1 and vSRX2 are directly connected on ge-0/0/0 (unit 0). The IPs are on the same subnet, and the OSPF and firewall configuration look good to me. But they still don't see each other.

    root@vSRX1# run show interfaces ge-0/0/0.0
    Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 524)
    Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
    Input packets : 0
    Output packets: 2872
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
    ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp
    tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh
    rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
    lsping ntp sip dhcpv6 r2cp webapi-clear-text webapi-ssl tcp-encap
    sdwan-appqoe high-availability
    Protocol inet, MTU: 1500
    Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 0,
    Curr new hold cnt: 0, NH drop cnt: 0
    Flags: Sendbcast-pkt-to-re, Is-Primary
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 12.0.0/24, Local: 12.0.0.1, Broadcast: 12.0.0.255

    [edit]
    root@vSRX1#

    root@vSRX2# run show interfaces ge-0/0/0.0
    Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 524)
    Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
    Input packets : 0
    Output packets: 2865
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
    ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp
    tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh
    rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
    lsping ntp sip dhcpv6 r2cp webapi-clear-text webapi-ssl tcp-encap
    sdwan-appqoe high-availability
    Protocol inet, MTU: 1500
    Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 0,
    Curr new hold cnt: 0, NH drop cnt: 0
    Flags: Sendbcast-pkt-to-re, Is-Primary
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 12.0.0/24, Local: 12.0.0.2, Broadcast: 12.0.0.255

    [edit]
    root@vSRX2#

    root@vSRX1# run show configuration | display set
    set version 21.2R1.10
    set system host-name vSRX1
    set system root-authentication encrypted-password "$6$iMrBL1eu$Mhw62RDF8pzXKB0irdaL54odMleWP0zgUN0R0oj8uM3rPLwf.KnUUl/.IDRnjWVYEfX7jBkRWtPteiwrKC2Da1"
    set system services ssh
    set system services web-management http interface fxp0.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fxp0.0
    set system syslog file interactive-commands interactive-commands any
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set security forwarding-options family inet6 mode packet-based
    set security forwarding-options family mpls mode packet-based
    set security forwarding-options family iso mode packet-based
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    set interfaces ge-0/0/0 unit 0 family inet address 12.0.0.1/24
    set interfaces fxp0 unit 0
    set interfaces lo0 unit 0 family inet address 1.1.1.1/32
    set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
    set protocols ospf area 0.0.0.0 interface lo0.0 passive
    set routing-options router-id 1.1.1.1

    [edit]
    root@vSRX1#

    root@vSRX2# run show configuration | display set
    set version 21.2R1.10
    set system host-name vSRX2
    set system root-authentication encrypted-password "$6$gApZnHVL$.w3HPuIEL9K5AQTyHS0rggi4.k5AJxv.5VNRHa8T787.mRXl13P9wb6BhprfeCm3oqkS7BThYcATkTWWQ0Hjt0"
    set system services ssh
    set system services web-management http interface fxp0.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fxp0.0
    set system syslog file interactive-commands interactive-commands any
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set security forwarding-options family inet6 mode packet-based
    set security forwarding-options family mpls mode packet-based
    set security forwarding-options family iso mode packet-based
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    set interfaces ge-0/0/0 unit 0 family inet address 12.0.0.2/24
    set interfaces fxp0 unit 0
    set interfaces lo0 unit 0 family inet address 2.2.2.2/32
    set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
    set protocols ospf area 0.0.0.0 interface lo0.0 passive
    set routing-options router-id 2.2.2.2

    [edit]
    root@vSRX2#

    Please help!!!

    ------------------------------
    SENTHILKUMAR MURUGESAN
    ------------------------------


  • 2.  RE: vSRX in eve-ng: No input packets on directly connected interfaces. No ping or OSPF peering either!

     
    Posted 11-01-2021 05:46

    I see that for your forwarding-options you are using packet-based mode, which means you are using your SRX as a routing device; however, you have security zones and screen configured.
     

    To use SRX as a router, remove the security configurations with packet mode.

    To use your SRX as a firewall, keep your security configurations but change the forwarding options to flow mode and reboot your device for it to take effect.

    cheers!



    ------------------------------
    BENJAMINONEKALIT OBURA
    ------------------------------
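
The check the reply above describes, as an added example that is not part of the original thread: a Python script that reads `show configuration | display set` output and reports which forwarding families are packet-based and whether security zones are configured alongside them. The names `audit` and `SAMPLE_CONFIG` are chosen for this example; the sample is constructed from the vSRX1 lines quoted in the first post.

```python
import re

# Constructed sample: forwarding, zone and interface lines taken from the
# vSRX1 "display set" output quoted in the thread (other lines omitted).
SAMPLE_CONFIG = """\
set version 21.2R1.10
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set interfaces ge-0/0/0 unit 0 family inet address 12.0.0.1/24
"""

FWD_RE = re.compile(r"^set security forwarding-options family (\S+) mode (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")


def audit(config_text):
    """Summarise forwarding modes and zone bindings from set-style config."""
    modes, zones, zone_ifs = {}, set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := FWD_RE.match(line):
            modes[m.group(1)] = m.group(2)      # family -> configured mode
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        if m := ZONE_IF_RE.match(line):
            zone_ifs[m.group(2)] = m.group(1)   # interface -> zone
    packet_families = sorted(f for f, mode in modes.items() if mode == "packet-based")
    return {
        "packet_based_families": packet_families,
        "zones": sorted(zones),
        "zone_interfaces": zone_ifs,
        # The combination the reply points at: packet-based forwarding
        # configured together with security zones.
        "mixed_mode": bool(packet_families) and bool(zones),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
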