SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  GRE tunnels Hardware Down

    Posted 15 days ago
    Edited by Jodi Meier 15 days ago

    Hi there,

    I'm looking to create several GRE tunnels on an SRX1500 device. Below is the configuration example used:

    set interfaces gr-0/0/0 unit 0 tunnel source 172.16.1.1
    set interfaces gr-0/0/0 unit 0 tunnel destination 10.136.176.49
    set interfaces gr-0/0/0 unit 0 family inet address 10.100.100.1/24
    set interfaces gr-0/0/0 unit 1 tunnel source 172.16.1.1
    set interfaces gr-0/0/0 unit 1 tunnel destination 10.136.176.61
    set interfaces gr-0/0/0 unit 1 family inet address 10.100.200.1/24

    set routing-options static route 10.100.100.0/24 gr-0/0/0.0
    set routing-options static route 10.100.200.0/24 gr-0/0/0.1

    On configuring the GRE interfaces these log messages are seen:

    fwdd_cos_qpic_large_buf_status: can't find pic structure for gr-0/0/0
    swq_interface_get_delay_ms: can't find pic structure for gr-0/0/0
    fwdd_ing_ifd_chan_add: platform ioctl failed with status 22
    pfe_ifd_channel_add: fwdd_ing_ifd_chan_add returned error 22
    JBCM:jbcm_ifd_ioctl_handler: jbcm_ifd_ioctl_handler: skip gre interface

    =======================================================

    Pathfinder confirms the platform and Junos version support GRE:

    Clear DF-Bit (Don't Fragment Bit) Junos OS 15.1X49-D30
    GRE acceleration enhancement Junos OS 21.2R1
    Generic routing encapsulation (GRE) Junos OS 15.1X49-D30
    Internally generated GRE interface (gr-0/0/0) Junos OS 15.1X49-D30
    Keepalive support for GRE interfaces Junos OS 15.1X49-D30
    Multicast over GRE Tunnels Junos OS 15.1X49-D30

    The interfaces are added to show interfaces terse, but stay in Link Proto down:

    gr-0/0/0      up up
    gr-0/0/0.0  up down inet 10.100.100.1
    gr-0/0/0/1 up down inet 10.100.200.1

    A show interfaces gr-0/0/0.0 extensive gives:

    Flags: Hardware-Down

    The IPs are added to the routing table but "Reject":

    10.100.100.1/32    *[Local/0] 00:00:45
                          Reject

    ======================================

    Any ideas would be appreciated.

    Thanks



    ------------------------------
    ANDREW MCGREGOR
    ------------------------------



  • 2.  RE: GRE tunnels Hardware Down

    Posted 14 days ago

    This is a bit silly, but can you confirm 172.16.1.1 belongs to the firewall?



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: GRE tunnels Hardware Down

    Posted 11 days ago

    Hi Nikolay, yes I can confirm the source interface is on the firewall.



    ------------------------------
    ANDREW MCGREGOR
    ------------------------------



  • 4.  RE: GRE tunnels Hardware Down

    Posted 11 days ago

    Alright. Is it maybe in a non-default routing instance? If yes, you can try adding tunnel routing-instance something something.

    I can reproduce those messages you're seeing when using a source address the firewall doesn't have. I'm curious if a routing instance problem would have the same effect. I interpret the message as the device being unable to "bind" the tunnel to its configured source.

    Can confirm, though, that GRE definitely works on the 1500.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: GRE tunnels Hardware Down

    Posted 11 days ago

    Hi Nikolay, 

    Thanks for investigating at your end. The route is part of the default routing instance. The source address is configured as a loopback interface on the SRX, and it's currently got a static route for the gr-0/0/0.0 interface. As I was responding to @spuluka, even with all the gr-0/0/0.0 config removed, we're still seeing errors in the logs for the system gr-0/0/0 interface, which isn't inspiring confidence. We're running 23.4.R2.13.



    ------------------------------
    ANDREW MCGREGOR
    ------------------------------



  • 6.  RE: GRE tunnels Hardware Down

    Posted 11 days ago

    I took a quick look again -- these messages are showing up in the log whenever gr-0/0/0 is touched, even for working tunnels, so it's probably one of those things that JTAC would say to ignore.

    I see Hardware-Down state:

    • when the tunnel source was not configured on the firewall
    • when the tunnel destination was unreachable (no valid route)

    The tunnel source is ruled out as the cause. Check route to 10.136.176.61.

    Unrelated -- If the IP on the tunnel is /24, then you don't really need a static route for that /24. Though, it would be interesting to see what the counterpart configuration is on the other tunnel endpoint.



    ------------------------------
    Nikolay Semov
    ------------------------------
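    A way to pre-check the two causes Nikolay lists before committing a tunnel, as an added example that is not code from this thread or from Juniper: it parses set-style configuration and reports, per gr- unit, whether the tunnel source is a local address and whether the destination has a usable (non-reject) route. It assumes only connected and static routes matter and a single routing instance; the lo0/ge-0/0/1 addresses, the reject route and unit 2 are constructed sample data.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: lo0 owns the tunnel source, .49 is routable
# via ge-0/0/1, .61 hits a more specific reject route, unit 2 uses a non-local source.
SAMPLE_CONFIG = """
set interfaces lo0 unit 0 family inet address 172.16.1.1/32
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/30
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.136.176.49
set interfaces gr-0/0/0 unit 1 tunnel source 172.16.1.1
set interfaces gr-0/0/0 unit 1 tunnel destination 10.136.176.61
set interfaces gr-0/0/0 unit 2 tunnel source 172.16.1.9
set interfaces gr-0/0/0 unit 2 tunnel destination 10.136.176.49
set routing-options static route 10.136.176.0/26 next-hop 192.0.2.1
set routing-options static route 10.136.176.61/32 reject
"""

def parse(config):
    # connected: ifl -> IPv4Interface; tunnels: ifl -> {source, destination};
    # statics: [(network, next-hop address or the string "reject")]
    connected, tunnels, statics = {}, {}, []
    for line in config.splitlines():
        if m := re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)", line):
            connected[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := re.match(r"set interfaces (gr-\S+) unit (\d+) tunnel (source|destination) (\S+)", line):
            tunnels.setdefault(f"{m[1]}.{m[2]}", {})[m[3]] = ipaddress.ip_address(m[4])
        elif m := re.match(r"set routing-options static route (\S+) (?:next-hop (\S+)|reject|discard)", line):
            statics.append((ipaddress.ip_network(m[1]), ipaddress.ip_address(m[2]) if m[2] else "reject"))
    return connected, tunnels, statics

def resolve(dest, connected, statics):
    # Longest-prefix match: egress ifl or next-hop when routable, "reject", or None for no route.
    table = [(i.network, ifl) for ifl, i in connected.items()] + statics
    best = max((e for e in table if dest in e[0]), key=lambda e: e[0].prefixlen, default=(None, None))
    return best[1]

def tunnel_problems(tunnel, connected, statics):
    # The two Hardware-Down causes named in the thread: non-local source, unroutable destination.
    problems = []
    if tunnel.get("source") not in {i.ip for i in connected.values()}:
        problems.append(f"tunnel source {tunnel.get('source')} is not a local address")
    via = resolve(tunnel["destination"], connected, statics)
    if via in (None, "reject"):
        problems.append(f"no usable route to {tunnel['destination']} ({via})")
    return problems

def check_tunnels(config):
    # ifl -> list of problems; an empty list means the unit should come up.
    connected, tunnels, statics = parse(config)
    return {ifl: tunnel_problems(t, connected, statics) for ifl, t in tunnels.items()}
```

    Feed it the output of "show configuration | display set" to run the same check against a live box.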



  • 7.  RE: GRE tunnels Hardware Down

    Posted 12 days ago

    Are the gr-0/0/0.0 and gr-0/0/0.2 added to the appropriate security zones as interfaces? And are the necessary protocols allowed for the zone, with policies for the traffic?

    Example:

    https://supportportal.juniper.net/s/article/Junos-GRE-Configuration-Example?language=en_US



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 8.  RE: GRE tunnels Hardware Down

    Posted 11 days ago

    Hi Steve, yes the interfaces are added to security zones and the necessary protocols allowed. I lab-tested the config over the weekend and it works as intended on the vSRX.

    In desperation, I removed all the gr-0/0/0.0 and gr-0/0/0.1 configuration and rebooted the SRX cluster.  On reboot of the Primary we saw these in the log messages:

    fwdd_ifd_set_eff_bandwidth: can't find outq ifd entry for ifd gr-0/0/0
    cosman_compute_install_sched_params: Failed to get subunit b/w for gr-0.0.0
    COSMAN_FWDD: cosman_update_sched_policy_for_ifd:2950 updation of sched policy failed for ife 160 (gr0/0/0)

    I'm thinking this may be a possible bug in the Junos version and the only option is to raise a call with Juniper.

    Thanks for your feedback.

    Andrew



    ------------------------------
    ANDREW MCGREGOR
    ------------------------------



  • 9.  RE: GRE tunnels Hardware Down

    Posted 10 days ago

    Discovered a routing issue with the destination address being blocked. The tunnel has now come up, even with the error messages in the log. Thanks, everyone, for your time investigating this issue.



    ------------------------------
    ANDREW MCGREGOR
    ------------------------------