SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  No East West traffic after migrating from SRX320 to SRX340

    This message was posted by a user wishing to remain anonymous
    Posted 11-17-2023 14:31

    Head scratcher.  

    I copied the config over from the 320 to the 340 and expected everything to just work.. :( IPv4 devices on the same subnet can no longer talk to each other.

    IPv6 still works, as I can communicate between things on the same VLAN with no problem. :) But it was never set up to have secondary networks.

    VLAN 10, irb.0, with 2 IPv4 networks:

    10.10.10.1/27 primary / preferred

    10.10.10.49/27 (it's not the start or end of the subnet, but it does not have to be)

    Host IP 10.10.10.3 can hit anything in the 10.10.10.32/27 network no issues and vice versa. Hosts can access Internet just fine via IPv4 and IPv6.

    However, 10.10.10.0/27 to anything other than the SRX gateway: nothing, and hosts in 10.10.10.32/27 are the same :/

    I never get an ARP back from hosts, and when I statically set ARP with the correct info, still nothing. It's like all traffic gets silently dropped by the SRX.

    Makes me think I am hitting a bug. The SRX320 was running 21.4R3-S4; the 340 is running 22.4R2-S2.6. Had tried 21.4R3-S5 but had other funky issues.

    Just asking if anyone can suggest the best version of Junos they run on theirs. JTAC recommended is 21.4R3-S4.

    Having a lot of odd issues with jdhcp too, but working on moving that over to a Kea server.

    If you read this, thanks for your time.



  • 2.  RE: No East West traffic after migrating from SRX320 to SRX340

    Posted 11-19-2023 00:04

    Hi Anon,

    It sounds like the l2-learning mode has not been activated yet.
    Since you loaded the configuration have you performed a reboot?

    To explain: using irb interfaces on the SRX with multiple interfaces belonging to the same VLAN requires L2 learning to be enabled. This is not enabled by default.

    This would have been part of your migrated configuration but it does require a reboot to be enabled. You typically will receive a notice during commit.

    To check which mode is enabled (look for Global Mode):

    show ethernet-switching global-information

    Global Configuration:
    
    MAC aging interval    : 300
    MAC learning          : Enabled
    MAC statistics        : Disabled
    MAC limit Count       : 16383
    MAC limit hit         : Disabled
    MAC packet action drop: Disabled
    MAC+IP aging interval : IPv4 - 1200 seconds
                            IPv6 - 1200 seconds
    MAC+IP limit Count    : 393215
    MAC+IP limit reached  : No
    LE  aging time        : 1200
    LE  VLAN aging time   : 1200
    Global Mode           : Switching
    RE state              : Master
    VXLAN Overlay load bal: Disabled
    VXLAN ECMP            : Disabled
    Fast Update           : Disabled

    To enable Switching mode:

    set protocols l2-learning global-mode switching

    The Junos release recommended today would be 22.2R3-S2, as this resolves current issues with J-Web as well.

    Kind Regards,



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 3.  RE: No East West traffic after migrating from SRX320 to SRX340

    This message was posted by a user wishing to remain anonymous
    Posted 11-19-2023 19:34

    Thanks for the suggestion, but switching was enabled when I copied the SRX320 over to the 340 box.

    srx340> show ethernet-switching global-information 
    Global Configuration:

    MAC aging interval    : 1800        
    MAC learning          : Enabled     
    MAC statistics        : Disabled    
    MAC limit Count       : 16383       
    MAC limit hit         : Disabled    
    MAC packet action drop: Disabled    
    MAC+IP aging interval : IPv4 - 1200 seconds
                            IPv6 - 1200 seconds 
    MAC+IP limit Count    : 393215      
    MAC+IP limit reached  : No          
    LE  aging time        : 1200        
    LE  VLAN aging time   : 1200        
    Global Mode           : Switching   
    RE state              : Master      
    VXLAN Overlay load bal: Disabled    
    VXLAN ECMP            : Disabled    
    Fast Update           : Disabled    
    Host Pkts GBP src tag : 0       




  • 4.  RE: No East West traffic after migrating from SRX320 to SRX340

    Posted 11-19-2023 13:46

    Since only the 10.10.10.49/27 seems to have the access outside the SRX subnet I would check the following.

    1- 10.10.10.49/27 host devices have the correct gateway on the device. Perhaps your DHCP issues are failing to provide the SRX interface as the gateway, making only local communications possible.

    2- Confirm that the 10.10.10.49/27 subnet is included in the security policies that allow the 10.10.10.1/27 subnet to successfully communicate outside the SRX. You can also look to see if any policy is being hit using:

    show security flow session source-prefix 10.10.10.49/27

    3- Check return routing. Make sure the upstream routers know that the 10.10.10.1/27 subnet is reachable by the SRX interface facing them. Since 10.10.10.49/27 is working, there is some route from the upstream devices back to the SRX, or a NAT rule on the SRX to the interface connecting to that router. Make sure the route or NAT rule also covers the 10.10.10.49/27 subnet for the return traffic.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: No East West traffic after migrating from SRX320 to SRX340

    This message was posted by a user wishing to remain anonymous
    Posted 11-19-2023 19:35

    Steve, I wrote up a follow-up but did not save the draft, so I will touch base tomorrow.

    Thanks for your time.

    Quick background. I was let go recently and I had the chance to utilize this 340 to continue my certs. JTAC is not an option. All




  • 6.  RE: No East West traffic after migrating from SRX320 to SRX340

    This message was posted by a user wishing to remain anonymous
    Posted 11-20-2023 17:22

    Going back, this is some kind of weird ARP bug. I know, I know, this is not a typical setup, but let's be honest, 20% of all setups are oddballs.
    After sitting down and getting some time to put into this.
    Using the filter suggested: show sec flow ses src-prefix 10.10.10.0/27 dest-prefix 10.10.10.0/27

    I saw a half-duplex session, which I never noticed before..
    Session ID: 22603, Policy name: WHAT-IS-GOING-ON/25, Timeout: 14, Session State: Valid
      In: 10.10.10.6/47752 --> 10.10.10.10/8007;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 3, Bytes: 180, 
      Out: 10.10.10.10/8007 --> 10.10.10.6/47752;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0, 

    The 10.10.10.10 PBS is a physical box on an access port; the 10.10.10.6 VM is running on Proxmox on a trunk port.
    Set a static ARP on access port 10.10.10.6/27 to the VM running on trunk port 10.10.10.10/27.

    ICMP and Proxmox traffic started flowing! Head-slap moment, as I don't recall if I set static ARPs on both sides last time when I tested,
    and what I was testing with. (Being in a rush gets you every time.)

    Testing using the higher secondary network:
    Put another device on the Proxmox server, 10.10.10.36, and a physical device on 10.10.10.41.

    Watching a Wireshark capture:
    host 10.10.10.36
    ? (10.10.10.41) at <incomplete> on ens18
    Set static ARP and saw Wireshark show ICMP from .36 to .41, but no replies.

    host 10.10.10.41
    ? (10.10.10.36) at <incomplete> on enp1s0
    Set static ARP for .36 and traffic is flowing!

    Going to start over and do a format install running 22.4RxsX..
    FYI, I did for a brief period set the subnet mask on both addresses from /27 to /26, which made it 10.10.10.0/26 (0-63),
    and still I could not get 10.10.10.6 to 10.10.10.10 communication.

    I do not have any support on the unit and I will be doing my best to keep the community in sync with my progression. 

    FYI, I was making notes about the trunk/access ports because I'm used to troubleshooting DAI / IP Source Guard, where the trunk port is always trusted.

    The SRX3xx does not support those features.

    Guessing .6 had the cache entry, as it's been up 21 days, well before the swap from the 320 to the 340, and .10 for 3 days.

    Thanks Steve / Gavin. Have a great Thanksgiving, or if you're from outside the US, have a great Friendsgiving.
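The half-duplex session above (In wing carrying packets, Out wing stuck at zero) is the symptom to hunt for across a whole session table. The following added example, not code from the thread or from Juniper, parses `show security flow session` output and flags sessions between two hosts on the IRB's own subnets that never received a reply; the sample output is constructed to mirror the session quoted above plus one healthy session.

```python
import re
import ipaddress

# Constructed sample of `show security flow session` output, modelled on the
# half-duplex session quoted in the thread (Out wing with Pkts: 0, Bytes: 0).
SAMPLE_OUTPUT = """\
Session ID: 22603, Policy name: WHAT-IS-GOING-ON/25, Timeout: 14, Session State: Valid
  In: 10.10.10.6/47752 --> 10.10.10.10/8007;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 3, Bytes: 180,
  Out: 10.10.10.10/8007 --> 10.10.10.6/47752;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
Session ID: 22610, Policy name: WHAT-IS-GOING-ON/25, Timeout: 1798, Session State: Valid
  In: 10.10.10.3/51000 --> 10.10.10.40/22;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 12, Bytes: 1500,
  Out: 10.10.10.40/22 --> 10.10.10.3/51000;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 10, Bytes: 2200,
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(r"^\s+(In|Out): (\S+?)/\d+ --> (\S+?)/\d+;(\w+), .*?If: (\S+?), "
                     r"Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Return one dict per session, carrying its 'In' and 'Out' wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m[1]), "policy": m[2], "timeout": int(m[3])})
            continue
        w = WING_RE.match(line)
        if w and sessions:
            sessions[-1][w[1]] = {"src": w[2], "dst": w[3], "proto": w[4],
                                  "if": w[5], "pkts": int(w[6]), "bytes": int(w[7])}
    return sessions

def half_duplex_east_west(sessions, irb_prefixes):
    """IDs of sessions between two hosts on the IRB's own subnets that carried
    packets inbound but never saw a reply: the signature of unresolved ARP."""
    nets = [ipaddress.ip_network(p, strict=False) for p in irb_prefixes]
    flagged = []
    for s in sessions:
        if "In" not in s or "Out" not in s:
            continue
        src, dst = (ipaddress.ip_address(s["In"][k]) for k in ("src", "dst"))
        local = any(src in n for n in nets) and any(dst in n for n in nets)
        if local and s["In"]["pkts"] > 0 and s["Out"]["pkts"] == 0:
            flagged.append(s["id"])
    return flagged

if __name__ == "__main__":
    # The two IRB prefixes from the thread; prints [22603]
    print(half_duplex_east_west(parse_sessions(SAMPLE_OUTPUT), ["10.10.10.1/27", "10.10.10.49/27"]))
```

Feed it the raw output of `show security flow session` (optionally narrowed with source-prefix / destination-prefix as in the thread) and any session it flags is a pair of hosts whose reply path is dead, which is where to check ARP, proxy-ARP and the return route before suspecting policy.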




  • 7.  RE: No East West traffic after migrating from SRX320 to SRX340

    This message was posted by a user wishing to remain anonymous
    Posted 11-21-2023 05:32

    Tentative resolution:
     set interfaces irb.0 proxy-arp unrestricted  
     https://supportportal.juniper.net/s/article/Example-Configuring-restricted-and-unrestricted-proxy-ARP-on-an-SRX-device?language=en_US