SRX

Hello ,

I have cluster of SRX 380 , I have setup two 

Production vr has all the traffic interfaces and default route in prod vrf is towards upstream router ; i can ping Internet from PROD VR 

i have reth3 which is in PROD vr and has IP of 10.0.89.58 

I have put fxp0 in mgmt_junos vr   and put nexthop as IP of reth3 because they fall in same subnet

I cant ping Internet from management VR ;

i tried putting next-table as PROD vr  but still not luck

how can i ping internet from mgmt_junos vr

Can you do a trace route and determine where the path fails?

I suspect one of two issues:

The routing from the reth3 gateway onward is not working.

The source nat rules on the reth3 internet path to not allow the translation of the mgmt VR ip address using that path.

Hello ,

I have cluster of SRX 380 , I have setup two 

Production vr has all the traffic interfaces and default route in prod vrf is towards upstream router ; i can ping Internet from PROD VR 

i have reth3 which is in PROD vr and has IP of 10.0.89.58 

I have put fxp0 in mgmt_junos vr   and put nexthop as IP of reth3 because they fall in same subnet

I cant ping Internet from management VR ;

i tried putting next-table as PROD vr  but still not luck

how can i ping internet from mgmt_junos vr

Hello , Thanks a lot for your reply . it was indeed related to reth3 ; ports were in wrong vlan . after fixing ports , i can ping internet from both VRs

However now i have strange issue ; i cannot resolve any hostname from any of the VR , i can however do telent to 8.8.8.8 on port 53

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance mgmt_junos
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
^C^Z
Suspended

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance PRODUCTION
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.

show security flow session shows nothing related to dns

Junos is 21.2R3-S2.9

because of dns , the antimalware atp engine showing below

Connection status: Server hostname lookup failed

Can you do a trace route and determine where the path fails?

I suspect one of two issues:

The routing from the reth3 gateway onward is not working.

The source nat rules on the reth3 internet path to not allow the translation of the mgmt VR ip address using that path.

Hello ,

I have cluster of SRX 380 , I have setup two 

Production vr has all the traffic interfaces and default route in prod vrf is towards upstream router ; i can ping Internet from PROD VR 

i have reth3 which is in PROD vr and has IP of 10.0.89.58 

I have put fxp0 in mgmt_junos vr   and put nexthop as IP of reth3 because they fall in same subnet

I cant ping Internet from management VR ;

i tried putting next-table as PROD vr  but still not luck

how can i ping internet from mgmt_junos vr

came accross a juniper articel which mentions that dns does not wrk from fxp in mgmt-junos vr

SRX345 DNS query through fxp0 does not work when fxp0 belongs to routing instance mgmt_junos (juniper.net)

Tried many options with nat and allowed everything from junos-host zone , still dns does not working from both routing instances .

Although ping  and telnet on port 53 works . 

show log flow-trace shows nothing . i am scratching my head what to do now 

Hello , Thanks a lot for your reply . it was indeed related to reth3 ; ports were in wrong vlan . after fixing ports , i can ping internet from both VRs

However now i have strange issue ; i cannot resolve any hostname from any of the VR , i can however do telent to 8.8.8.8 on port 53

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance mgmt_junos
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
^C^Z
Suspended

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance PRODUCTION
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.

show security flow session shows nothing related to dns

Junos is 21.2R3-S2.9

because of dns , the antimalware atp engine showing below

Connection status: Server hostname lookup failed

Can you do a trace route and determine where the path fails?

I suspect one of two issues:

The routing from the reth3 gateway onward is not working.

The source nat rules on the reth3 internet path to not allow the translation of the mgmt VR ip address using that path.

Hello ,

I have cluster of SRX 380 , I have setup two 

Production vr has all the traffic interfaces and default route in prod vrf is towards upstream router ; i can ping Internet from PROD VR 

i have reth3 which is in PROD vr and has IP of 10.0.89.58 

I have put fxp0 in mgmt_junos vr   and put nexthop as IP of reth3 because they fall in same subnet

I cant ping Internet from management VR ;

i tried putting next-table as PROD vr  but still not luck

how can i ping internet from mgmt_junos vr

The note that only the branch srx has this limitation is interesting.

Perhaps if DNS still works from standard virtual router instances you could just create a routing instance called mgmt along with a mgmt zone and then assign the fxp.0 interface to this one and get the desired functionality.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 12-10-2023 09:43
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

came accross a juniper articel which mentions that dns does not wrk from fxp in mgmt-junos vr

SRX345 DNS query through fxp0 does not work when fxp0 belongs to routing instance mgmt_junos (juniper.net)

Tried many options with nat and allowed everything from junos-host zone , still dns does not working from both routing instances .

Although ping  and telnet on port 53 works . 

show log flow-trace shows nothing . i am scratching my head what to do now 

Original Message:
Sent: 12-09-2023 05:18
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

Hello , Thanks a lot for your reply . it was indeed related to reth3 ; ports were in wrong vlan . after fixing ports , i can ping internet from both VRs

However now i have strange issue ; i cannot resolve any hostname from any of the VR , i can however do telent to 8.8.8.8 on port 53

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance mgmt_junos
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
^C^Z
Suspended

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance PRODUCTION
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.

show security flow session shows nothing related to dns

Junos is 21.2R3-S2.9

because of dns , the antimalware atp engine showing below

Connection status: Server hostname lookup failed

Original Message:
Sent: 12-08-2023 20:06
From: spuluka
Subject: fxp0 in mgmt vr but cant ping internet

Can you do a trace route and determine where the path fails?

I suspect one of two issues:

The routing from the reth3 gateway onward is not working.

The source nat rules on the reth3 internet path to not allow the translation of the mgmt VR ip address using that path.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 12-08-2023 16:07
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

Hello ,

I have cluster of SRX 380 , I have setup two 

Production vr has all the traffic interfaces and default route in prod vrf is towards upstream router ; i can ping Internet from PROD VR 

i have reth3 which is in PROD vr and has IP of 10.0.89.58 

I have put fxp0 in mgmt_junos vr   and put nexthop as IP of reth3 because they fall in same subnet

I cant ping Internet from management VR ;

i tried putting next-table as PROD vr  but still not luck

how can i ping internet from mgmt_junos vr

Hi , It does not even work from Standard VR ,-PRODUCTION . 

This VR has interface which is connected to Internet . and dns resolution does not work from this VR also 

Original Message:
Sent: 12-10-2023 13:51
From: spuluka
Subject: fxp0 in mgmt vr but cant ping internet

The note that only the branch srx has this limitation is interesting.

Perhaps if DNS still works from standard virtual router instances you could just create a routing instance called mgmt along with a mgmt zone and then assign the fxp.0 interface to this one and get the desired functionality.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 12-10-2023 09:43
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

came accross a juniper articel which mentions that dns does not wrk from fxp in mgmt-junos vr

SRX345 DNS query through fxp0 does not work when fxp0 belongs to routing instance mgmt_junos (juniper.net)

Tried many options with nat and allowed everything from junos-host zone , still dns does not working from both routing instances .

Although ping  and telnet on port 53 works . 

show log flow-trace shows nothing . i am scratching my head what to do now 

Original Message:
Sent: 12-09-2023 05:18
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

Hello , Thanks a lot for your reply . it was indeed related to reth3 ; ports were in wrong vlan . after fixing ports , i can ping internet from both VRs

However now i have strange issue ; i cannot resolve any hostname from any of the VR , i can however do telent to 8.8.8.8 on port 53

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance mgmt_junos
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
^C^Z
Suspended

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance PRODUCTION
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.

show security flow session shows nothing related to dns

Junos is 21.2R3-S2.9

because of dns , the antimalware atp engine showing below

Connection status: Server hostname lookup failed

Original Message:
Sent: 12-08-2023 20:06
From: spuluka
Subject: fxp0 in mgmt vr but cant ping internet

Can you do a trace route and determine where the path fails?

I suspect one of two issues:

The routing from the reth3 gateway onward is not working.

The source nat rules on the reth3 internet path to not allow the translation of the mgmt VR ip address using that path.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 12-08-2023 16:07
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

Hello ,

I have cluster of SRX 380 , I have setup two 

Production vr has all the traffic interfaces and default route in prod vrf is towards upstream router ; i can ping Internet from PROD VR 

i have reth3 which is in PROD vr and has IP of 10.0.89.58 

I have put fxp0 in mgmt_junos vr   and put nexthop as IP of reth3 because they fall in same subnet

I cant ping Internet from management VR ;

i tried putting next-table as PROD vr  but still not luck

how can i ping internet from mgmt_junos vr

Can you try applying either of the command below:

set system name-server 8.8.8.8 source-address   x.x.x.x

or 

 set system name-server 8.8.8.8 routing-instance  <routing-instance>

Regards,

------------------------------
Brijil R

Original Message:
Sent: 12-10-2023 17:56
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

Hi , It does not even work from Standard VR ,-PRODUCTION . 

This VR has interface which is connected to Internet . and dns resolution does not work from this VR also 

Original Message:
Sent: 12-10-2023 13:51
From: spuluka
Subject: fxp0 in mgmt vr but cant ping internet

The note that only the branch srx has this limitation is interesting.

Perhaps if DNS still works from standard virtual router instances you could just create a routing instance called mgmt along with a mgmt zone and then assign the fxp.0 interface to this one and get the desired functionality.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 12-10-2023 09:43
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

came accross a juniper articel which mentions that dns does not wrk from fxp in mgmt-junos vr

SRX345 DNS query through fxp0 does not work when fxp0 belongs to routing instance mgmt_junos (juniper.net)

Tried many options with nat and allowed everything from junos-host zone , still dns does not working from both routing instances .

Although ping  and telnet on port 53 works . 

show log flow-trace shows nothing . i am scratching my head what to do now 

Original Message:
Sent: 12-09-2023 05:18
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

Hello , Thanks a lot for your reply . it was indeed related to reth3 ; ports were in wrong vlan . after fixing ports , i can ping internet from both VRs

However now i have strange issue ; i cannot resolve any hostname from any of the VR , i can however do telent to 8.8.8.8 on port 53

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance mgmt_junos
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
^C^Z
Suspended

root@B-PRI> telnet 8.8.8.8 port 53 routing-instance PRODUCTION
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.

show security flow session shows nothing related to dns

Junos is 21.2R3-S2.9

because of dns , the antimalware atp engine showing below

Connection status: Server hostname lookup failed

Original Message:
Sent: 12-08-2023 20:06
From: spuluka
Subject: fxp0 in mgmt vr but cant ping internet

Can you do a trace route and determine where the path fails?

I suspect one of two issues:

The routing from the reth3 gateway onward is not working.

The source nat rules on the reth3 internet path to not allow the translation of the mgmt VR ip address using that path.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 12-08-2023 16:07
From: skywalker_007
Subject: fxp0 in mgmt vr but cant ping internet

Hello ,

I have cluster of SRX 380 , I have setup two 

Production vr has all the traffic interfaces and default route in prod vrf is towards upstream router ; i can ping Internet from PROD VR 

i have reth3 which is in PROD vr and has IP of 10.0.89.58 

I have put fxp0 in mgmt_junos vr   and put nexthop as IP of reth3 because they fall in same subnet

I cant ping Internet from management VR ;

i tried putting next-table as PROD vr  but still not luck

how can i ping internet from mgmt_junos vr