Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  cannot get Mist working on SRX340 cluster.

    Posted 07-31-2023 10:12

    We have setup a Mist POC for a customer and are trying to add the SRX340 cluster to Mist.

    After days of debugging we created the mgmt_junos routing instance with appropriate routes and dns config.

    In front of the SRX cluster is a cluster of QFX5100 as a routing core stack.
    - The fxp0 interfaces are connected to this QFX Stack. 
    - 0.0.0.0 next-hop for mgmt_junos routing-instance is the IP of the irb interface on the QFX.
    - All traffic from mgmt_junos routing-instance is then routed to the Trust interface zone of the SRX.

    If we do a ping from fxp0.0 or routing-instance mgmt_junos to 8.8.8.8 it works,
    but a ping to google.nl or any other FQDN fails.
    In the logging we see the DNS request from 10.31.203.200, but it seems it does not arrive at the fxp0.0 interface.

    Any ideas?



    ------------------------------
    Arno Schrijver
    ------------------------------


  • 2.  RE: cannot get Mist working on SRX340 cluster.

     
    Posted 07-31-2023 11:35

    Hi Arno,

    Are you able to share the SRX cluster configuration? This would make it easier to help you look into the issue you are facing.

    Have you set up the security policies between the zones you are using correctly?

    Marcel



    ------------------------------
    Marcel ten Berg

    Solution Architect
    Juniper Networks
    ------------------------------



  • 3.  RE: cannot get Mist working on SRX340 cluster.

    Posted 08-01-2023 05:23

    On the SRX 345 cluster:

    set groups node0 system host-name FW-1-node0
    set groups node0 interfaces fxp0 unit 0 family inet address 10.31.203.200/24
    set groups node1 system host-name FW-1-node1
    set groups node1 interfaces fxp0 unit 0 family inet address 10.31.203.201/24

    set system management-instance

    set system name-server 8.8.8.8 routing-instance mgmt_junos
    set system name-server 8.8.4.4 routing-instance mgmt_junos

    set routing-instances mgmt_junos description "Juniper Management Traffic"
    set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 10.31.203.253

    set routing-options static route 10.31.203.0/24 next-hop 192.168.99.253

    set routing-instances ZIGGO interface reth0.0
    set routing-instances ZIGGO instance-type virtual-router
    set routing-instances ZIGGO routing-options static route 10.31.203.0/24 next-table inet.0

    set security nat source rule-set source-nat-Ziggo to zone Ziggo
    set security nat source rule-set source-nat-Ziggo rule source-nat-junosmgnt match source-address 10.31.203.200/32
    set security nat source rule-set source-nat-Ziggo rule source-nat-junosmgnt match destination-address 0.0.0.0/0
    set security nat source rule-set source-nat-Ziggo rule source-nat-junosmgnt then source-nat pool ziggo-212-203-31-227m32

    set security policies from-zone Trust to-zone Ziggo policy allow-junos match source-address **_LAN_******_203
    set security policies from-zone Trust to-zone Ziggo policy allow-junos match destination-address any
    set security policies from-zone Trust to-zone Ziggo policy allow-junos match application any
    set security policies from-zone Trust to-zone Ziggo policy allow-junos then permit

    ======

    On the QFX stack:

    set routing-options static route 0.0.0.0/0 next-hop 192.168.99.254

    set interfaces irb unit 99 description TO-SRX345
    set interfaces irb unit 99 family inet address 192.168.99.253/24

    set interfaces irb unit 203 description LAN_Management
    set interfaces irb unit 203 family inet address 10.31.203.253/24



    ------------------------------
    Arno Schrijver
    ------------------------------
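    To make the lookup chain in the configuration above easier to follow, here is an added Python model of the routing tables it defines. It is not code from the thread or from Juniper; it replays longest-prefix lookups per table, follows Junos-style "next-table" hops, and traces both legs of the DNS query from post 1 (fxp0 in mgmt_junos towards 8.8.8.8, and the reply back to 10.31.203.200). Entries marked "assumption" (the SRX side of the 192.168.99.0/24 link, a default from inet.0 into ZIGGO, the ISP default via reth0.0) are not shown in the thread and are filled in only so the trace completes. It also flags next-table chains that loop, a mistake that is easy to make when the same prefix is leaked in both directions.

```python
import ipaddress

# Constructed model of the routing tables posted in this thread (post 3).
# A next hop is an IP address, an interface name, or "next-table <rib>",
# mirroring the Junos "static route ... next-table" statement.
# Entries marked "assumption" are not shown in the thread.
TABLES = {
    "SRX": {
        "mgmt_junos.inet.0": {
            "10.31.203.0/24": "fxp0.0",                # direct, management subnet
            "0.0.0.0/0": "10.31.203.253",              # QFX irb.203
        },
        "inet.0": {
            "10.31.203.0/24": "192.168.99.253",        # QFX irb.99
            "192.168.99.0/24": "trust-ifl",            # assumption: SRX end of the 192.168.99.0/24 link
            "0.0.0.0/0": "next-table ZIGGO.inet.0",    # assumption: how Trust reaches the ISP instance
        },
        "ZIGGO.inet.0": {
            "10.31.203.0/24": "next-table inet.0",     # from post 3
            "0.0.0.0/0": "reth0.0",                    # assumption: ISP default via reth0.0
        },
    },
    "QFX": {
        "inet.0": {
            "192.168.99.0/24": "irb.99",
            "10.31.203.0/24": "irb.203",
            "0.0.0.0/0": "192.168.99.254",             # SRX, from post 3
        },
    },
}


def longest_match(rib, dst):
    """Most specific matching (prefix, next_hop) in one rib, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else (str(best[0]), best[1])


def resolve(device, table, dst):
    """Resolve dst starting in `table` on `device`, following next-table hops.

    Returns [(table, prefix, next_hop), ...]. Raises ValueError when there is
    no route, or when the next-table chain re-enters a table it already visited.
    """
    ribs = TABLES[device]
    steps, visited = [], []
    while table not in visited:
        visited.append(table)
        match = longest_match(ribs[table], dst)
        if match is None:
            raise ValueError(f"{device}: no route to {dst} in {table}")
        prefix, nh = match
        steps.append((table, prefix, nh))
        if not nh.startswith("next-table "):
            return steps
        table = nh.split(" ", 1)[1]
    raise ValueError(f"{device}: next-table loop back into {table}")


def find_next_table_loops(device):
    """(table, prefix) pairs whose next-table chain never ends at a real next hop."""
    bad = []
    for table, rib in TABLES[device].items():
        for prefix, nh in rib.items():
            if nh.startswith("next-table "):
                probe = ipaddress.ip_network(prefix).network_address
                try:
                    resolve(device, table, str(probe))
                except ValueError:
                    bad.append((table, prefix))
    return bad


def trace_dns_query():
    """Per-device lookups for a DNS query sourced from fxp0 (10.31.203.200)
    in mgmt_junos towards 8.8.8.8, and for the reply after reverse NAT."""
    return {
        "query: SRX mgmt_junos": resolve("SRX", "mgmt_junos.inet.0", "8.8.8.8"),
        "query: QFX":            resolve("QFX", "inet.0", "8.8.8.8"),
        "query: SRX trust":      resolve("SRX", "inet.0", "8.8.8.8"),
        "reply: SRX ZIGGO":      resolve("SRX", "ZIGGO.inet.0", "10.31.203.200"),
        "reply: QFX":            resolve("QFX", "inet.0", "10.31.203.200"),
    }


if __name__ == "__main__":
    for leg, steps in trace_dns_query().items():
        print(leg)
        for table, prefix, nh in steps:
            print(f"    {table:<20} {prefix:<16} -> {nh}")
    print("next-table loops on SRX:", find_next_table_loops("SRX"))
```

    Running it prints the two tables each leg passes through; the reply leg shows the ZIGGO -> inet.0 -> QFX irb.99 -> irb.203 path back to fxp0. Change one of the 10.31.203.0/24 entries to point at the other instance with next-table and `find_next_table_loops` reports the pair instead of silently looping.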



  • 4.  RE: cannot get Mist working on SRX340 cluster.

     
    Posted 08-02-2023 21:44

    Hello Arno,

    Can you try to route the traffic directly from the mgmt instance to the QFX / internet rather than sending it to the inet table?

    Regards,

    Brijil 



    ------------------------------
    Brijil R
    ------------------------------



  • 5.  RE: cannot get Mist working on SRX340 cluster.

     
    Posted 08-03-2023 04:52

    I would go for a direct "route-leak" between the instances (virtual routers).

    The example below should help you; if you make the changes to reflect your environment it should be ready to paste and commit.

    # IPv4 policy statement to import routes from your Internet instance (virtual router); for you that would be your ziggo zone
    set policy-options policy-statement NET-INET-PREFIXES term prefixes from instance INTERNET-EDGE
    set policy-options policy-statement NET-INET-PREFIXES term prefixes from protocol direct
    set policy-options policy-statement NET-INET-PREFIXES term prefixes from protocol local
    set policy-options policy-statement NET-INET-PREFIXES term prefixes from protocol bgp
    set policy-options policy-statement NET-INET-PREFIXES term prefixes then accept

    # IPv6 policy statement to import routes from your Internet instance (virtual router); for you that would be your ziggo zone
    set policy-options policy-statement NET-INET-PREFIXES term prefixes6 from instance INTERNET-EDGE
    set policy-options policy-statement NET-INET-PREFIXES term prefixes6 from family inet6
    set policy-options policy-statement NET-INET-PREFIXES term prefixes6 from protocol direct
    set policy-options policy-statement NET-INET-PREFIXES term prefixes6 from protocol local
    set policy-options policy-statement NET-INET-PREFIXES term prefixes6 from protocol bgp
    set policy-options policy-statement NET-INET-PREFIXES term prefixes6 then accept

    # Import a default route (IPv4/IPv6) from the Internet-Edge routing instance; for you that is ziggo
    set policy-options policy-statement default-to-routing-instance term default from instance INTERNET-EDGE
    set policy-options policy-statement default-to-routing-instance term default from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement default-to-routing-instance term default then accept
    set policy-options policy-statement default-to-routing-instance term default6 from instance INTERNET-EDGE
    set policy-options policy-statement default-to-routing-instance term default6 from family inet6
    set policy-options policy-statement default-to-routing-instance term default6 from route-filter ::/0 exact
    set policy-options policy-statement default-to-routing-instance term default6 then accept
    set policy-options policy-statement default-to-routing-instance term reject then reject

    # IPv4 part of the import policy from the internal LAN instance / master instance of the SRX
    set policy-options policy-statement INTERNAL-LAN term prefixes from instance master
    set policy-options policy-statement INTERNAL-LAN term prefixes from protocol direct
    set policy-options policy-statement INTERNAL-LAN term prefixes from protocol local
    set policy-options policy-statement INTERNAL-LAN term prefixes from route-filter x.x.x.x/x exact
    set policy-options policy-statement INTERNAL-LAN term prefixes then accept

    # IPv6 part of the import policy from the internal LAN instance / master instance of the SRX
    set policy-options policy-statement INTERNAL-LAN term prefixes6 from instance master
    set policy-options policy-statement INTERNAL-LAN term prefixes6 from family inet6
    set policy-options policy-statement INTERNAL-LAN term prefixes6 from protocol direct
    set policy-options policy-statement INTERNAL-LAN term prefixes6 from protocol local
    set policy-options policy-statement INTERNAL-LAN term prefixes6 from route-filter x:x:x:x::/x exact
    set policy-options policy-statement INTERNAL-LAN term prefixes6 then accept

    # Routing instance config for Internet Edge (for you that is ziggo)
    set routing-instances INTERNET-EDGE interface pp0.0
    set routing-instances INTERNET-EDGE description "Internet Edge"
    set routing-instances INTERNET-EDGE instance-type virtual-router
    set routing-instances INTERNET-EDGE routing-options rib INTERNET-EDGE.inet6.0 static route 0::/0 next-hop pp0.0
    set routing-instances INTERNET-EDGE routing-options static route 0.0.0.0/0 next-hop pp0.0
    set routing-instances INTERNET-EDGE routing-options static route 0.0.0.0/0 metric 0
    set routing-instances INTERNET-EDGE routing-options instance-import INTERNAL-LAN

    # Master instance (aka SRX) imports the routes from the Internet instance (for you that is ziggo)
    set routing-options instance-import default-to-routing-instance
    set routing-options instance-import NET-INET-PREFIXES



    ------------------------------
    Marcel ten Berg

    Solution Architect
    Juniper Networks
    ------------------------------