
Multiple IP's on the loopback interface not working

  • 1.  Multiple IP's on the loopback interface not working

    Posted 07-16-2014 11:27

    I have an SRX550 with version 12.1X44-D20.3.  To provide availability, I have two ISPs terminating in the device and doing BGP with them.  I advertise my /24, and they advertise just a 0.0.0.0 back to me.  Pretty straightforward.  The two interfaces peering with the ISPs have a local IP address on them that is just the peering IP.  The actual /24 IPs that I advertise are bound on the loopback interface.  This however doesn't seem to be working. The interface configuration is:

     

    [code]

    {primary:node1}
    root@SSC-SRX550-1> show configuration interfaces lo0
    unit 0 {
        family inet {
            filter {
                input Network_MGMT_Access;
            }
            address 198.97.232.2/24;
            address 198.97.232.1/24;
        }
    }

    [/code]

     

    In this current configuration, only the .2 address will ping.  It installs the correct route on the device:

     

    [code]

    198.97.232.0/24    *[Direct/0] 20:02:38
                        > via lo0.0
    198.97.232.2/32    *[Local/0] 20:02:38
                          Local via lo0.0

    [/code]

     

    But there is no /32 route for the .1 address.  It also won't show up on the interface list:

     

    [code]

    root@SSC-SRX550-1> show interfaces terse | match lo0   
    lo0                     up    up 
    lo0.0                   up    up   inet     198.97.232.2/24
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet     10.0.0.1            --> 0/0

    [/code]

     

     

    Am I missing something obvious about why this isn't working as I expect?



  • 2.  RE: Multiple IP's on the loopback interface not working

    Posted 07-16-2014 14:15

    Hi,

     

    Can you explain what you are trying to achieve exactly? I mean, what is the problem you are facing in BGP? Maybe there is another option better than assigning a secondary IP address on the lo0 interface.



  • 3.  RE: Multiple IP's on the loopback interface not working

    Posted 07-16-2014 16:06

    It's pretty straightforward.  Two interfaces terminated with connections from two different ISPs:

     

    0/0/0 -> ISP1

    0/0/0 -> ISP2

     

    Each ISP peers with us so we can advertise our /24 subnet back to them.  And then, we need to have several IPs from our /24 bound to the firewall and several of them as static NATs.  So far, I can bind only a single IP from the /24 to the lo0 interface at a time.



  • 4.  RE: Multiple IP's on the loopback interface not working

    Posted 07-16-2014 20:02

    Hi,

     

    If you are trying to advertise the routes to BGP then instead of configuring multiple subnets on lo0, we can use discard routes.

     

    set routing-options static route 198.97.232.0/24 discard

     

    and export this static route in BGP using policy options.

     

    Below URL gives more details on this.

     

    http://www.juniper.net/techpubs/en_US/junos14.1/topics/example/bgp-advertise-inactive.html

     

    Thanks,

    Suraj

     

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
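    As an added example (not part of the original post, and not the poster's configuration), here is the discard-route approach above spelled out as a complete Junos set-style configuration, including the export policy that the post only mentions. The BGP group names ISP1 and ISP2 and the policy name EXPORT-OWN-PREFIX are assumptions, because the thread never shows the BGP configuration; the prefix 198.97.232.0/24 is the poster's own.

    ```junos
    # Added example, not from the thread. Group names ISP1/ISP2 and the policy
    # name EXPORT-OWN-PREFIX are assumptions; the thread does not show the BGP config.

    # Anchor the whole /24 locally. Packets for addresses that are neither bound
    # to lo0 nor covered by a static NAT rule are dropped here instead of
    # following the ISP default route back out (no forwarding loop with the ISPs).
    set routing-options static route 198.97.232.0/24 discard

    # Export only the /24 aggregate. The /32 host routes that lo0 addresses and
    # static NAT rules install stay inside the box.
    set policy-options policy-statement EXPORT-OWN-PREFIX term aggregate from protocol static
    set policy-options policy-statement EXPORT-OWN-PREFIX term aggregate from route-filter 198.97.232.0/24 exact
    set policy-options policy-statement EXPORT-OWN-PREFIX term aggregate then accept
    set policy-options policy-statement EXPORT-OWN-PREFIX term reject-rest then reject

    # Apply the same export policy towards both upstreams.
    set protocols bgp group ISP1 export EXPORT-OWN-PREFIX
    set protocols bgp group ISP2 export EXPORT-OWN-PREFIX
    ```

    Check the result with `show route 198.97.232.0/24 exact` (the discard route should appear as `[Static/5]` and active) and `show route advertising-protocol bgp <peer-address>` for each ISP. One caveat that ties this to the Juniper link above: as long as lo0.0 still carries `address 198.97.232.2/24`, the Direct /24 route (preference 0) beats the static discard route (preference 5), the discard route is inactive, and BGP will not export it unless the group is configured with `advertise-inactive`, which is exactly what the linked document describes. Binding only /32 host addresses to lo0 avoids that conflict altogether.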



  • 5.  RE: Multiple IP's on the loopback interface not working
    Best Answer

    Posted 07-17-2014 04:20

    Hello,

    I think it is pretty clear - You are telling Your SRX router the following:

    1/ that all other addresses apart from 198.97.232.2 are directly connected to lo0.0

    and

    2/ that all other addresses apart from 198.97.232.1 are directly connected to lo0.0

    No wonder it gets confused where .2 and .1 belong - "do they belong to me or are they directly connected?"

    There is a workaround - You need to spell /24 only once as below:

     

    aarseniev@srx210> show configuration interfaces lo0 
    Jul 17 11:03:52
    unit 0 {
        family inet {
            address 198.97.232.2/24;
            address 198.97.232.1/32;
        }
    }

     And the result is:

     

    aarseniev@srx210> show route 198.97.232.0/24   
    Jul 17 11:03:37
    
    inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    198.97.232.0/24    *[Direct/0] 00:00:04
                        > via lo0.0
    198.97.232.1/32    *[Direct/0] 00:00:04
                        > via lo0.0
                        [OSPF/10] 00:00:03, metric 0
                        > via lo0.0
    198.97.232.2/32    *[Local/0] 00:00:04
                          Local via lo0.0
    

     

    This is from SRX210 with JUNOS 11.4, I don't have a SRX with 12.1 code but expect it to behave the same.

    HTH

    Thanks
    Alex



  • 6.  RE: Multiple IP's on the loopback interface not working

    Posted 07-17-2014 17:09

    Of course!  That made perfect sense and fixed the locally attached IPs.  However I now have static NAT issues that aren't resolved.  I have this setup:

     

    # show security nat
    static {
        rule-set Netscaler {
            from zone untrust;
            rule 198-97-232-247 {
                match {
                    destination-address 198.97.232.247/32;
                }
                then {
                    static-nat {
                        prefix {
                            10.1.1.2/32;
                        }
                    }
                }
            }
        }
    }
    proxy-arp {
        interface lo0.0 {
            address {
                198.97.232.247/32;
            }
        }
    }

     

    Which seems pretty simple and straight forward. And I can see that it installs the route for it:

     

    # run show route 198.97.232.247

    inet.0: 17 destinations, 18 routes (17 active, 0 holddown, 0 hidden)
    198.97.232.247/32 (1 entry, 1 announced)
            *Static Preference: 1
                    Next hop type: Discard
                    Address: 0x117ae1c
                    Next-hop reference count: 3
                    State: <Active Int ProxyArp>
                    Age: 8:27
                    Task: RPD Unix Domain Server./var/run/rpd_serv.local
                    Announcement bits (2): 0-KRT 3-Resolve tree 1
                    AS path: I

     

    And my understanding is that the "Next hop type: Discard" is correct/normal for proxy-arps.  However nothing I can do can ping that IP.  I know the host behind it is good.  And I can even see in my filter that counts ICMP packets that packets are getting there, but not doing anything.  Thoughts?  This one seems to have stumped JTAC.



  • 7.  RE: Multiple IP's on the loopback interface not working

    Posted 07-18-2014 00:27

    Hello,

     


    gsweet@sav wrote:

    And my understanding is that the "Next hop type: Discard" is correct/normal for proxy-arps.  However nothing I can do can ping that IP.  I know the host behind it is good.  And I can even see in my filter that counts ICMP packets that packets are getting there, but not doing anything.  Thoughts?  This one seems to have stumped JTAC.


    In order to be able to see ICMP Echo replies from destination NAT IP, You need to enable ICMP Echo/ping in the appropriate policy. When You do that, ICMP Echo requests from outside will be translated to go to 10.1.1.2 and provided this host is answering pings, You should get an ICMP Echo reply translated back and appearing to come from  198.97.232.247.

    HTH

    Thanks
    Alex



  • 8.  RE: Multiple IP's on the loopback interface not working

    Posted 07-18-2014 09:21

    Yep, and I've got all that setup unless I am missing something:

     

    untrust security zone:

     

    # show security zones security-zone untrust
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        reth0.0;
        reth1.0;
        lo0.0;
    }

     

    Security policies:

     

    # show security policies from-zone untrust to-zone DMZ 
    policy untrust_to_Netscaler {
        match {
            source-address any;
            destination-address Netscaler;
            application [ junos-dns-tcp junos-dns-udp junos-icmp-ping ];
        }
        then {
            permit;
        }
    }
    policy Permit-all-test {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }



  • 9.  RE: Multiple IP's on the loopback interface not working

    Posted 07-18-2014 09:45

    Hello,

    Destination NAT is performed BEFORE policy, so You need to match on private dst.IP in this policy

    Check out Figure 9.1

    http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#nat_precedence_in_the_junos_event_chain

    What does the "destination-address Netscaler" address-book entry contain?

    HTH

    Thanks
    Alex
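    As an added example (not part of the thread, and not the poster's or Alex's configuration), here is the static NAT from post 6 together with a policy written the way post 9 describes: static/destination NAT runs before the policy lookup, so the policy has to match the translated private address 10.1.1.2, not the public 198.97.232.247. The zone names untrust and DMZ, the public and private addresses and the application list come from the thread; the address-book entry name Netscaler-private and the use of the global address book (mutually exclusive with zone-attached address books in Junos, so adapt if the device uses those) are assumptions.

    ```junos
    # Added example, not the poster's configuration. Netscaler-private and the
    # global address book are assumptions; zones, addresses and applications come
    # from the thread.

    # Static NAT: 198.97.232.247 <-> 10.1.1.2 for sessions arriving from untrust.
    # The rule itself installs the 198.97.232.247/32 route seen in the thread.
    set security nat static rule-set Netscaler from zone untrust
    set security nat static rule-set Netscaler rule 198-97-232-247 match destination-address 198.97.232.247/32
    set security nat static rule-set Netscaler rule 198-97-232-247 then static-nat prefix 10.1.1.2/32

    # The policy is evaluated AFTER static NAT, so it must reference the
    # translated (private) address. A policy on 198.97.232.247 never matches.
    set security address-book global address Netscaler-private 10.1.1.2/32
    set security policies from-zone untrust to-zone DMZ policy untrust_to_Netscaler match source-address any
    set security policies from-zone untrust to-zone DMZ policy untrust_to_Netscaler match destination-address Netscaler-private
    set security policies from-zone untrust to-zone DMZ policy untrust_to_Netscaler match application [ junos-dns-tcp junos-dns-udp junos-icmp-ping ]
    set security policies from-zone untrust to-zone DMZ policy untrust_to_Netscaler then permit
    set security policies from-zone untrust to-zone DMZ policy untrust_to_Netscaler then log session-init
    ```

    Verify with `show security nat static rule all` (the translation hit counter increments on each inbound session) and `show security flow session destination-prefix 10.1.1.2`, which shows the session with the public address on the untrust wing and the private one on the DMZ wing. Static NAT is bidirectional, so connections initiated by 10.1.1.2 leave sourced as 198.97.232.247 and need their own DMZ-to-untrust policy. The proxy-arp stanza from post 6 is omitted here: proxy ARP only matters when the NAT address sits in the subnet of the interface the traffic arrives on, and the uplinks in this thread carry only the peering addresses while the /24 reaches the SRX by BGP. Two least-privilege points for when the troubleshooting is over: remove the any/any Permit-all-test policy, and narrow `host-inbound-traffic system-services all` on the Internet-facing untrust zone, since it applies to every interface in that zone, not only to lo0.0 where the Network_MGMT_Access filter sits.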



  • 10.  RE: Multiple IP's on the loopback interface not working

    Posted 07-18-2014 10:37

    Yep, got that.  The Netscaler pool is the internal IP of the target.  However we did add the any:any policy to work around this temporarily.  Even then, we get no session flows.



  • 11.  RE: Multiple IP's on the loopback interface not working

    Posted 07-19-2014 13:09

    Hello there,

    2 further questions:

    1/ how do You advertise  198.97.232.247 to the outside world? BGP, IGP, static on the upstream GW?

    2/ do You use any routing instances at all to steer traffic differently?

    HTH

    Thanks
    Alex



  • 12.  RE: Multiple IP's on the loopback interface not working

    Posted 07-21-2014 12:06

    We advertise BGP.  We advertise the whole /24.  There aren't any routing instances configured.

     

    We know that traffic has no issues getting to the device because we can assign any IP in the /24 as a physical IP on the loopback and they all respond without issue.  It appears to only be the static NATs that are having problems.



  • 13.  RE: Multiple IP's on the loopback interface not working

    Posted 07-25-2014 11:01

    So as a follow-up, here is what the final solution was: rebooting the cluster. I was letting the cluster do a minor firmware update from 12.1X44-D20 to D30.4.  I don’t know if it is that minor update, or if it was the chassis reboot that was required.  But when it came back up I went to start a test ping to try a suggestion and lo and behold… it started pinging! So, now I am all resolved.