SRX

last person joined: yesterday 

Ask questions and share experiences about the SRX Series.
  • 1.  Tacacs+ Problem

    Posted 12-05-2014 03:15

    Hey All,

     

    I'm new with a Junos platform , and I am facing a problem.
    
    I'm trying to set up in hum SRX100 one authentication via TACACS + . The configuration seems ok Being . The Problem And que an interface used to manage this is a virtual router.
    The tacacs + server is on the same network that interface , but when I do a traceroute test to the server IP , the package goes for another interface (default route) .
    In ancient SSG5 the problem was resolved , stating which interface should be associated with TACACS . But the SRX100 even making this association , did not get a result .
    
    Someone has seen this problem and managed to solve?

    Below is the part of config:
    hnsa@FW_A06_MGT_002> show configuration
    ## Last commit: 2014-12-04 20:59:27 GMT-3 by hnsa
    version 12.1X44-D30.4;
    system {
    host-name FW_A06_MGT_002;
    domain-name htbnoc.com;
    time-zone GMT-3;
    authentication-order tacplus;
    root-authentication {
    encrypted-password "$1$b3EDb/Nh$SLM0Gdp05/un3ZLomzI3/1"; ## SECRET-DATA
    }
    name-server {
    192.168.3.254;
    }
    name-resolution {
    no-resolve-on-input;
    }
    tacplus-server {
    192.168.3.254 {
    port 49;
    secret "$9$fzF/1IclvL36clvL7NjHkmQF/Ct"; ## SECRET-DATA
    timeout 10;
    single-connection;
    source-address 192.168.2.2;
    }
    }
    accounting {
    events [ login change-log interactive-commands ];
    destination {
    tacplus;
    }
    }
    login {
    user hnsa {
    uid 2000;
    class super-user;
    authentication {
    encrypted-password "$1$97mqiy46$g.iD0hKvEh0neEJMaWCuX0"; ## SECRET-DATA
    }
    }
    user remote {
    full-name TAC_USER;
    uid 2001;
    class super-user;
    authentication {
    encrypted-password "$1$97mqiy46$g.iD0hKvEh0neEJMaWCuX0"; ## SECRET-DATA
    }
    }
    }
    services {
    ssh;
    telnet;
    web-management {
    http {
    interface fe-0/0/7.0;
    }
    https {
    system-generated-certificate;
    interface fe-0/0/7.0;
    }
    session {
    idle-timeout 60;
    session-limit 3;
    }
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    ntp {
    server us.ntp.pool.org;
    server 192.168.3.254;
    }
    }
    interfaces {
    fe-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.255.213/24;
    }
    }
    }
    fe-0/0/2 {
    unit 0 {
    family inet {
    address 192.168.5.215/24;
    }
    }
    }
    fe-0/0/4 {
    unit 0 {
    family inet {
    address 192.168.11.214/24;
    }
    }
    }
    fe-0/0/7 {
    unit 0 {
    family inet {
    address 192.168.2.2/22;
    }
    }
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 198.18.255.219;
    }
    }
    protocols {
    stp;
    }
    security {
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    destination {
    pool 192_168_11_215_ {
    address 192.168.11.215/32;
    }
    pool 192_168_5_215_ {
    address 192.168.5.215/32;
    }
    }
    }
    policies {
    from-zone MGT_HUB11 to-zone Internet {
    policy MGT_HUB11 {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone MGT_HUB05 to-zone Internet {
    policy MGT_HUB05 {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone Internet to-zone MGT_HUB11 {
    policy MGT_HUB11 {
    description "Acesso MGT_HUB11";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone Internet to-zone MGT_HUB05 {
    policy MGT_HUB05 {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone MGT_HUB11 {
    interfaces {
    fe-0/0/4.0 {
    host-inbound-traffic {
    system-services {
    ping;
    }
    }
    }
    }
    }
    security-zone MGT_HUB05 {
    interfaces {
    fe-0/0/2.0 {
    host-inbound-traffic {
    system-services {
    ping;
    }
    }
    }
    }
    }
    security-zone MGT_HS {
    interfaces {
    fe-0/0/7.0 {
    host-inbound-traffic {
    system-services {
    ping;
    http;
    https;
    ssh;
    telnet;
    }
    }
    }
    }
    }
    security-zone Internet {
    interfaces {
    fe-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    ping;
    }
    }
    }
    }
    }
    }
    }
    routing-instances {
    MGT_HG {
    instance-type virtual-router;
    interface fe-0/0/7.0;
    routing-options {
    static {
    route 192.168.30.0/24 next-hop 198.18.1.255;
    }
    }
    }
    }

    hnsa@FW_A06_MGT_002>

    Tks,



  • 2.  RE: Tacacs+ Problem

    Posted 12-05-2014 03:45

    Hi engenharia ,

     

    I do not see any route pointing to 192.168.3.0/24 on the SRX.

     

    On the routing-instance , you have route to 192.168.30.0/24 and not 3.0/24

     

    if it is wrong then modify it to 3.0/24

     

    then you need to share the 192.168.3.0/24 between inet.0 and virtual-instance by many method.

     

    one method is :

     

    set routing-options static route 192.168.3.254 next-table MGT_HUGHES.inet.0

     

    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 3.  RE: Tacacs+ Problem

    Posted 12-05-2014 03:48

    Hi engenharia ,

     

    I do not see any route pointing to 192.168.3.0/24 on the SRX.

     

    Also as you are using the source ip address 192.168.2.2 , then you need a route on inet.0 table for 3.254 server

     

    set routing-options static route 192.168.3.254/32 next-hop  next-hop-ip

     

     

    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 4.  RE: Tacacs+ Problem

    Posted 12-05-2014 04:42

    Hi rparthi,

     

    Thanks for answer. I added the route,  but not work. Smiley Sad

     

    Question: Tacacs Sercer is IP 192.168.3.254/22 (these network is connect to fe0/0/7.0 - virtual-router instance).

    But the packets tray to departure on fe0/0/0 (internet interface). 

    So, the Tacacs server is directly connected on fe0/0/7.0 and the packets still going to interface 192.168.255.0/24 (internet interface).

     

    I think is a problem of routing, but i can't solve this.

     

    See the traceroute:

    hnsa@FW_A06_MGT_002> traceroute 192.168.3.254
    traceroute to 192.168.3.254 (192.168.3.254), 30 hops max, 40 byte packets
    traceroute: sendto: No route to host
    1 traceroute: wrote 192.168.3.254 40 chars, ret=-1
    *traceroute: sendto: No route to host
    traceroute: wrote 192.168.3.254 40 chars, ret=-1
    ^C
    hnsa@FW_A06_MGT_002>

     

    These virtual-router instance is used just for separate management. All others interfaces are used to real traffic.

     

    The config about route:

     

    routing-instances {
    MGT_HS {
    instance-type virtual-router;
    interface fe-0/0/7.0;
    routing-options {
    static {
    route 192.168.30.0/24 next-hop 192.168.1.255;
    }

     

    And default route is to internet interface (fe0/0/0.0)

     

    routing-options {
    static {
    route 0.0.0.0/0 next-hop 198.18.255.219;
    }
    }

     

    Any idea?

     

    Tks

     



  • 5.  RE: Tacacs+ Problem

    Posted 12-05-2014 05:07


    Hi engenharia ,

     

    I do not think you have added a route for 192.168.3.0/24 or 192.168.3.254/32 route.

    This route will not be active if next-hop gateway is not reachable.

     

    System is not seeing the route.

     

    share the route configuration:

     

    1. show route | no-more

     

    2. show configuration routing-options

    3. show configuration routing-instances

     

    if TACAS server is reachable via Fe-0/0/7 interface then your Fe-0/0/7 routing instance should have route to TACASserver.


    you need 2 route statement:

     

    set routing-instances MGT_HUGHES routing-options static route 192.168.3.254/32 next-hop next-hop-ipaddress

     

    then commit the changes

     

    then try reaching it using the command:

    1.   traceroute 192.168.3.254 routing-instance MGT_HUGHES

    2.  traceroute 192.168.3.254 interface fe-0/0/7

    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 6.  RE: Tacacs+ Problem

    Posted 12-05-2014 05:26

    Hi rparthi,

     

    See the output of commands:

     

    hnsa@FW_A06_MGT_002> show route | no-more

    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:29:32
    > to 192.168.255.219 via fe-0/0/0.0
    192.168.5.215/32 *[Local/0] 1d 23:44:55
    Reject
    192.168.11.214/32 *[Local/0] 1d 23:44:55
    Reject
    192.168.255.0/24 *[Direct/0] 1d 23:44:48
    > via fe-0/0/0.0
    192.168.255.213/32 *[Local/0] 1d 23:44:55
    Local via fe-0/0/0.0

    MGT_HS.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.30.0/24 *[Static/5] 1d 23:44:48
    > to 192.168.1.255 via fe-0/0/7.0
    192.168.0.0/22 *[Direct/0] 1d 23:44:48
    > via fe-0/0/7.0
    192.168.2.2/32 *[Local/0] 1d 23:44:55
    Local via fe-0/0/7.0
    192.168.3.254/32 *[Static/5] 19:37:02
    > to 198.18.1.255 via fe-0/0/7.0

     

    _______________________________________

     

     

    hnsa@FW_A06_MGT_002> show configuration routing-options
    static {
    route 0.0.0.0/0 next-hop 192.168.255.219;
    }

    hnsa@FW_A06_MGT_002>

     

    _________________________________________

     

     

    hnsa@FW_A06_MGT_002> show configuration routing-instances
    MGT_HS {
    instance-type virtual-router;
    interface fe-0/0/7.0;
    routing-options {
    static {
    route 192.168.30.0/24 next-hop 192.168.1.255;
    route 192.168.3.254/32 next-hop 192.168.1.255;
    }
    }
    }

     

     

    See the result about traceroute to 192.168.3.254:

     

    hnsa@FW_A06_MGT_002> traceroute 192.168.3.254
    traceroute to 192.168.3.254 (192.168.3.254), 30 hops max, 40 byte packets
    1 192.168.255.219 (192.168.255.219) 4.031 ms 3.566 ms 2.837 ms
    2 192.168.3.254 (192.168.3.254) 3.112 ms 3.557 ms *

    hnsa@FW_A06_MGT_002>

     

     

    Tks,



  • 7.  RE: Tacacs+ Problem
    Best Answer

    Posted 12-05-2014 05:41

    Hi engenharia ,


    Route is added now:

     

    share this output :


    traceroute 192.168.3.254 routing-instance MGT_HUGHES
    traceroute 192.168.3.254 interface fe-0/0/7

     

    if these 2 succeeds then your Tacas server connection should work.

     

    if you want traceroute 192.168.3.254 to work  then add the following line:

     

    set routing-options static route 192.168.3.254 next-table MGT_HUGHES.inet.0

     

    Note :

    ensure you the return routes added on connected devices 192.168.1.255 for SRX.

     

    Your VR should also have route to inet.0 network.

     

    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 8.  RE: Tacacs+ Problem

    Posted 12-05-2014 09:08

    Hi rparthi,

     

    Thanks for help. Now i can authenticate with Tacacs+!

     

    Regards,

    engenharia