I see, thanks for the inputs, I have intentionally not exported routes, since i'll be saving those for JNCIE, where i'll be doing Network traffic engineering.
Original Message:
Sent: 12-25-2024 18:54
From: Landon Stuckey
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hey Bhuvanesh,
The fxp ports are not important. They are used for out of band management interfaces and they are not data plane ports. You can find more information on the various port types here:
https://www.juniper.net/documentation/us/en/software/junos/interfaces-ethernet/topics/topic-map/management-ethernet-interfaces.html#:~:text=The%20router's%20management%20Ethernet%20interface,the%20front%20of%20the%20router.
Referring to your other post, looking at that output, I do see there are more specific routes (/32s) advertised via OSPF that I missed previously, so I was mistaken there. It is possible that your neighbor relationship came up but, your loopbacks should still only be /32s and not /24s. Your BGP peering should say ESTABLISHED and not ACTIVE if there is an active peer relationship so you need to check that. If there is a relationship but you still have no routes, then it's likely because there are no families defined in your BGP configuration, which I pointed out before or you are not properly exporting routes into BGP. However there is still a lot of stuff that needs to be cleaned up in your configuration for things to work properly.
------------------------------
Landon Stuckey
Original Message:
Sent: 12-25-2024 18:27
From: BHUVANESH KUMAR N J
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hey Landon,
It was a very insightful, I'll make these suggested changes to tidy up things and should i go with /32 for fxp0 as well? Coming to vMX01 <> vMX02 BGP peering, you can refer to my initial post on Routing community. The peering between 10.10.1.1 <> 10.10.1.2 did become established even with the .
P.S> Apologies for pointing to old post, since I am bit lazy to spin up my server and open the lab and spin up the devices, which is going to be a 30 minutes to an hour of work for me. :)
------------------------------
BHUVANESH KUMAR N J
Original Message:
Sent: 12-25-2024 18:13
From: Landon Stuckey
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hey Bhuvanesh,
No problem and I am always happy to help!
Looking through your configs a little closer I see that the BGP peering between the loopbacks actually never came up. Here is why -- you have both loopbacks in the same /24 network so the peers would never peer up. Also, your BGP peering is in the ACTIVE state and not in the ESTABLISHED state.
NetAdmin@BKNJ-DC-vMX01> show bgp summary | match 10.10.1.3 10.10.1.3 65000 0 0 0 0 43:39 Active
NetAdmin@BKNJ-DC-FWcl-node0> show bgp summary | match 10.10.1.1 10.10.1.1 64567 0 0 0 0 59:48 Active
NetAdmin@BKNJ-DC-vMX01>
set interfaces lo0 unit 0 family inet address 10.10.1.1/24
NetAdmin@BKNJ-DC-FWcl-node0#
set groups node0 interfaces lo0 unit 0 family inet address 10.10.1.3/24
Your loopbacks should be configured as /32 addresses and not /24s. Also, if you look at your routing table output, it shows the entire /24 as a local network reachable with lo0.0 being the next hop on each device rather than going to the directly connected peer to reach the other loopback.
NetAdmin@BKNJ-DC-vMX01> show route terse inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = BothA V Destination P Prf Metric 1 Metric 2 Next hop AS path* ? 10.10.1.0/24 D 0 >lo0.0 * ? 10.10.1.1/32 L 0 Local* ? 10.10.1.2/32 O 10 1 >192.168.0.1* ? 10.10.1.3/32 O 10 1 >192.168.0.3* ? 10.127.0.0/24 D 0 >fxp0.0 * ? 10.127.0.10/32 L 0 Local* ? 192.18.1.0/30 D 0 >ge-0/0/0.0 * ? 192.18.1.2/32 L 0 Local* ? 192.168.0.0/31 D 0 >ae1.0 * ? 192.168.0.0/32 L 0 Local* ? 192.168.0.2/31 D 0 >ae2.0 * ? 192.168.0.2/32 L 0 Local* ? 224.0.0.5/32 O 10 1 MultiRecv
NetAdmin@BKNJ-DC-FWcl-node0> show route terse inet.0: 15 destinations, 16 routes (15 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = BothA V Destination P Prf Metric 1 Metric 2 Next hop AS path* ? 10.10.1.0/24 D 0 >lo0.0 * ? 10.10.1.1/32 O 10 1 >192.168.0.2* ? 10.10.1.2/32 O 10 2 >192.168.0.2* ? 10.10.1.3/32 L 0 Local* ? 10.127.0.0/24 D 0 >fxp0.0 ? D 0 >fxp0.0 * ? 10.127.0.12/32 L 0 Local* ? 10.127.0.13/32 L 0 Local* ? 192.168.0.0/24 D 0 >reth3.0 * ? 192.168.0.0/31 O 10 2 >192.168.0.2* ? 192.168.0.2/31 D 0 >reth2.0 * ? 192.168.0.3/32 L 0 Local* ? 192.168.0.5/32 L 0 Local* ? 192.168.0.6/31 D 0 >reth0.0 * ? 192.168.0.6/32 L 0 Local* ? 224.0.0.5/32 O 10 1 MultiRecv
Once you have corrected the loopbacks to be /32s, then you need to make sure that you have a route pointing to the directly connected neighbor to reach the loopback since it is not directly connected the peer. This can be done with an IGP (ISIS/OSPF) or you could use a static route. Don't forget to put the multihop statement in since this is EBGP and everything should work fine. Try making these corrections and everything should come alive.
I hope that helps you a bit more.
------------------------------
Landon Stuckey
Original Message:
Sent: 12-25-2024 17:06
From: BHUVANESH KUMAR N J
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hey Landon,
Thank you for the inputs my friend, You have final gave the answer that I was hoping to get after 2 weeks of head scratching, even no one from the "Routing" community asked me to check for multihop. Still one thing stays bizarre, For BGP between the vMX's Loopback, i did not use the multihop statement, but i saw the peering come up. Can you let me know if there is anything else you can find in this or my other config from the github repo?
Once again, thank you very much for the instant turn arounds and shared knowledge.
------------------------------
BHUVANESH KUMAR N J
Original Message:
Sent: 12-24-2024 10:31
From: Landon Stuckey
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hey Bhuvanesh,
From a BGP perspective, if you want to peer between the loopbacks you will need the "multihop" statement in your BGP configuration since your peers are in different autonomous systems and the interfaces are not directly connected. It is not a difficult thing to do and just requires the one command.
More information on that specific configuration can be found here.
https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/topic-map/multihop-sessions.html
I hope that helps!
------------------------------
Landon Stuckey
Original Message:
Sent: 12-24-2024 10:14
From: BHUVANESH KUMAR N J
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hey Landon,
Thank you for your inputs, I tried to remove the peering for the Loopbacks and configure for connected interface IPs, and the Peering came up. There hasn't been a config change from the original port, except for this. Now I am wondering how to create peering between the Loopbacks.
------------------------------
BHUVANESH KUMAR N J
Original Message:
Sent: 12-24-2024 09:49
From: Landon Stuckey
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hey Bhuvanesh,
Looking at the configs you posted in the original post I have noticed two things.
1.) Your loopback is not in either security zone on your SRX cluster.
2.) The loopback does not show an ip address in the configuration output.
Why the ping in the other direction works when sourcing from the loopback is a little bit of a mystery, unless there has been a change in the configuration since your original post. Examine that portion of your configuration and let me know what you find.
BKNJ-DC-FWcl-node0#
set security zones security-zone trust tcp-rstset security zones security-zone trust host-inbound-traffic system-services allset security zones security-zone trust host-inbound-traffic protocols allset security zones security-zone trust interfaces reth0.0set security zones security-zone untrust screen untrust-screenset security zones security-zone untrust host-inbound-traffic system-services pingset security zones security-zone untrust host-inbound-traffic system-services allset security zones security-zone untrust host-inbound-traffic protocols bgpset security zones security-zone untrust host-inbound-traffic protocols ospfset security zones security-zone untrust host-inbound-traffic protocols allset security zones security-zone untrust interfaces reth2.0set security zones security-zone untrust interfaces reth3.0
set interfaces lo0 unit 0 family inet
------------------------------
Landon Stuckey
Original Message:
Sent: 12-24-2024 09:38
From: BHUVANESH KUMAR N J
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hey Landon,
With and Without source, Ping from vMX to vSRX, but succeeds if i do vice versa. I tried using both the interface and loopback IPs as source.
vMX01:
NetAdmin@BKNJ-DC-vMX01> ping 10.10.1.3 rapid PING 10.10.1.3 (10.10.1.3): 56 data bytes.....--- 10.10.1.3 ping statistics ---5 packets transmitted, 0 packets received, 100% packet lossNetAdmin@BKNJ-DC-vMX01> ping 10.10.1.3 rapid source 10.10.1.1 PING 10.10.1.3 (10.10.1.3): 56 data bytes.....--- 10.10.1.3 ping statistics ---5 packets transmitted, 0 packets received, 100% packet lossNetAdmin@BKNJ-DC-vMX01> ping 10.10.1.3 rapid source 192.168.0.2 PING 10.10.1.3 (10.10.1.3): 56 data bytes.....--- 10.10.1.3 ping statistics ---5 packets transmitted, 0 packets received, 100% packet lossNetAdmin@BKNJ-DC-vMX01>
vSRX01:
{primary:node0}NetAdmin@BKNJ-DC-FWcl-node0> ping rapid 10.10.1.1 PING 10.10.1.1 (10.10.1.1): 56 data bytes!!!!!--- 10.10.1.1 ping statistics ---5 packets transmitted, 5 packets received, 0% packet lossround-trip min/avg/max/stddev = 1.904/4.677/14.306/4.819 ms{primary:node0}NetAdmin@BKNJ-DC-FWcl-node0> ping rapid 10.10.1.1 source 10.10.1.3PING 10.10.1.1 (10.10.1.1): 56 data bytes!!!!!--- 10.10.1.1 ping statistics ---5 packets transmitted, 5 packets received, 0% packet lossround-trip min/avg/max/stddev = 2.227/4.598/8.019/2.556 ms{primary:node0}NetAdmin@BKNJ-DC-FWcl-node0> ping rapid 10.10.1.1 source 192.168.0.3 PING 10.10.1.1 (10.10.1.1): 56 data bytes!!!!!--- 10.10.1.1 ping statistics ---5 packets transmitted, 5 packets received, 0% packet lossround-trip min/avg/max/stddev = 2.199/3.414/6.606/1.630 ms{primary:node0}NetAdmin@BKNJ-DC-FWcl-node0>
------------------------------
BHUVANESH KUMAR N J
Original Message:
Sent: 12-24-2024 09:25
From: Landon Stuckey
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hi Bhuvanesh,
Are you specifically sourcing the ping from the lo0.0 interface or just running the ping command without sourcing?
Also, can you include the output of what you are doing so that I have a better visual of what is happening?
------------------------------
Landon Stuckey
Original Message:
Sent: 12-24-2024 09:16
From: BHUVANESH KUMAR N J
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hi Landon,
Thank you for your reply, in this post I am specifically looking at the below Part detailed in the picture.
The Issue is with BGP between Loopback of the vMX or vQFX to loopback of the vSRX. Currently I am working to get vMX01 <> vSRX01 BGP established to focus on the issue, and as test case.
The connection goes as follows:
vMX01 has lo0 as 10.10.1.1/24, connected to the vSRX cluster (lo0 as 10.10.1.3/24) via ae2 (ge-0/0/6 & ge-0/0/7) with IP 192.168.0.2/31 on vMX side to reth2 (ge-0/0/6 &ge-7/0/6) with IP 192.168.0.3/31. OSPF is up on both vMX and vSRX and Route table is being populated with with routes learned by OSPF. ICMP fails if I Ping from vMX to vSRX, but succeeds if i do vice versa. it is so much puzzling to me. No security features are blocking connection, all traffic is allowed.
------------------------------
BHUVANESH KUMAR N J
Original Message:
Sent: 12-24-2024 07:50
From: Landon Stuckey
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hi Bhuvanesh,
This is a lot to follow so you may want to work on simplifying this lab a bit or break this lab up into individual parts if you are trying to learn.
Aside from that, it looks like there might be a slight misconfig is going on. I did notice that your BGP configuration on BKNJ-DC-FWcl-node0 does not include any address families in the configuration for your neighbors. Based on that alone, I would go back and validate all of your BGP configurations. Start by focusing on one neighbor at a time and ensure the neighbor relationship establishes before moving on to the next one.
set protocols bgp group To_vMX01 type externalset protocols bgp group To_vMX01 local-address 10.10.1.3set protocols bgp group To_vMX01 export send-directset protocols bgp group To_vMX01 local-as 65000set protocols bgp group To_vMX01 neighbor 10.10.1.1 peer-as 64567set protocols bgp group To_vMX01 neighbor 192.168.0.2 peer-as 64567set protocols bgp group To_vMX02 type externalset protocols bgp group To_vMX02 local-address 10.10.1.4set protocols bgp group To_vMX02 local-as 65000set protocols bgp group To_vMX02 neighbor 10.10.1.2 peer-as 64567set protocols bgp group To-vQFX01 type internalset protocols bgp group To-vQFX01 local-address 10.10.1.3set protocols bgp group To-vQFX01 local-as 65000set protocols bgp group To-vQFX01 neighbor 10.10.1.5 peer-as 65000
------------------------------
Landon Stuckey
Original Message:
Sent: 12-22-2024 15:22
From: BHUVANESH KUMAR N J
Subject: BGP is not coming up between two vMX routers and a vSRX cluster
Hi Folks,
I hope all is well, I am network engineer new to Juniper. I am working on my JNCIA, but I always have an habit of dipping my toes dipper, when it comes to learning. Thus I decided to Create a Lab with 2 branch offices and a DC inside GNS3, PFB the Lab setup image. I started the Lab by getting the DC side, I was working on bringing BGP up as the first step in this project and I've ran into an issue where I am unable to establish BGP between the vMX routers and the vSRX cluster.
When I started to investigate things to my knowledge, I found somethings that I would call strange:
- I have enabled OSPF between those devices, which is up (Full state on both vMX and vSRX). BGP is stuck in Active state. I was able to ping from vSRX to vMX loopbacks, but the vice versa is not working. When I check the Routing Table on vMX, I see OSPF is inserting the route to vSRX nodes. The Redundant Ethernet reth2 is configured for vMX1, where ae2 is bundling the connection from the vSRX nodes; same goes for vMX2. The ISP clouds have a bridged interface connecting to a vSRX (not clustered) respectively hosted on proxmox, where BGP was established without a hiccup.
- When I enabled traceoptions on the vSRX side and checked all flags of BGP, I see that both the vSRX and the vMX are going to OpenFail and keeps restarting BGP connection process.
- Interface on vSRX is set to untrust side, for now, but tried moving it to trust and allowing all traffic, still issue persisted.
Right now, I am working to make the routing between the SRX cluster and vMX01 router proper, before moving on to vMX02. Any and all suggestions, inputs, and advices are highly appreciated.
This is a Work in progress, so I kindly apologise for any silly mistakes on my end. I have attached the file containing the config, traceoptions and fe show commands.
Lab Setup:
Legend:
------------------------------
Thanks and Regards
BHUVANESH KUMAR N J
------------------------------