I copied the config over from the 320 to the 340 and expected everything to just work.. :( IPv4 devices on the same subnet can no longer talk to each other.
IPv6 still works as I can intercommunicate with things on the same vlan no problem. :) But it was never set up to have secondary networks.
vlan 10 irb.0 with 2 ipv4 networks
10.10.10.1/27 primary / preferred
10.10.10.49/27 (it's not the start or end of the subnet but it does not have to be)
Host IP 10.10.10.3 can hit anything in the 10.10.10.32/27 network no issues and vice versa. Hosts can access Internet just fine via IPv4 and IPv6.
However 10.10.10.0/27 to anything other than the SRX gw, nothing, and hosts in 10.10.10.32/27 same :/
I never get an arp back from hosts and when I statically set arp with the correct info still nothing.. It's like all traffic gets silently dropped by the SRX.
Makes me think I am hitting a bug .. The srx320 was running 21.4R3-S4. The 340 is running 22.4R2-S2.6. Had tried 21.4R3-S5 but had funky other issues.
Just asking if anyone can suggest the best version of Junos they run on theirs .. Jtac recommended is 21.4R3-S4.
Having a lot of odd issues with jdhcp too, but working on moving that over to a Kea server.
If you read this .. Thanks for your time.
It sounds like the l2-learning mode has not been activated yet. Since you loaded the configuration have you performed a reboot? Explaining: using irb interfaces on the SRX with multiple interfaces belonging to the same VLAN requires L2 Learning to be enabled. This is not on by default.
This would have been part of your migrated configuration but it does require a reboot to be enabled. You typically will receive a notice during commit.
To check which mode is enabled (look for Global Mode):
show ethernet-switching global-information
MAC aging interval : 300
MAC learning : Enabled
MAC statistics : Disabled
MAC limit Count : 16383
MAC limit hit : Disabled
MAC packet action drop: Disabled
MAC+IP aging interval : IPv4 - 1200 seconds
IPv6 - 1200 seconds
MAC+IP limit Count : 393215
MAC+IP limit reached : No
LE aging time : 1200
LE VLAN aging time : 1200
Global Mode : Switching
RE state : Master
VXLAN Overlay load bal: Disabled
VXLAN ECMP : Disabled
Fast Update : Disabled
To enable Switching mode
set protocols l2-learning global-mode switching
Junos recommended today would be release 22.2R3-S2 as this resolves current issues with J-Web as well.
Thanks for the suggestion but switching was enabled when I copied over the SRX 320 to the 340 box.
srx340> show ethernet-switching global-information
Global Configuration:
MAC aging interval : 1800
MAC learning : Enabled
MAC statistics : Disabled
MAC limit Count : 16383
MAC limit hit : Disabled
MAC packet action drop: Disabled
MAC+IP aging interval : IPv4 - 1200 seconds
IPv6 - 1200 seconds
MAC+IP limit Count : 393215
MAC+IP limit reached : No
LE aging time : 1200
LE VLAN aging time : 1200
Global Mode : Switching
RE state : Master
VXLAN Overlay load bal: Disabled
VXLAN ECMP : Disabled
Fast Update : Disabled
Host Pkts GBP src tag : 0
Global Configuration:
MAC aging interval : 300
MAC learning : Enabled
MAC statistics : Disabled
MAC limit Count : 16383
MAC limit hit : Disabled
MAC packet action drop: Disabled
MAC+IP aging interval : IPv4 - 1200 seconds
IPv6 - 1200 seconds
MAC+IP limit Count : 393215
MAC+IP limit reached : No
LE aging time : 1200
LE VLAN aging time : 1200
Global Mode : Switching
RE state : Master
VXLAN Overlay load bal: Disabled
VXLAN ECMP : Disabled
Fast Update : Disabled
Since only the 10.10.10.49/27 seems to have access outside the SRX subnet I would check the following.
1- 10.10.10.49/27 host devices have the correct gateway on the device. Perhaps your dhcp issues are failing to provide the SRX interface as the gateway and making only local communications possible.
2- Confirm that the 10.10.10.49/27 subnet is included in the security policies that allow the 10.10.10.1/27 to successfully communicate outside the SRX. You can also look to see if any policy is being hit using:
show security flow session source-prefix 10.10.10.49/27
3- Check return routing. Make sure the upstream routers know that the 10.10.10.1/27 subnet is reachable by the SRX interface facing them. Since 10.10.10.49/27 is working there is some route from the upstream devices back to the SRX or a NAT rule on the SRX to the interface connecting to that router. Make sure the route or NAT rule also covers the 10.10.10.49/27 subnet for the return traffic.
Steve. I wrote up a follow-up but did not save the draft, so I will touch base tomorrow.
Thanks for your time .
Quick background. I was let go recently and I had the chance to utilize this 340 to continue my Certs. Jtac is not an option. All
Going back, this is some kinda weird ARP bug. I know, I know this is not a typical setup, but let's be honest 20% of all setups are oddballs. After sitting down and getting some time to put into this. Using the filter suggested:
show sec flow ses src-prefix 10.10.10.0/27 dest-prefix 10.10.10.0/27
I saw a half duplex session which I never noticed before..
Session ID: 22603, Policy name: WHAT-IS-GOING-ON/25, Timeout: 14, Session State: Valid
In: 10.10.10.6/47752 --> 10.10.10.10/8007;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 3, Bytes: 180,
Out: 10.10.10.10/8007 --> 10.10.10.6/47752;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
The 10.10.10.10 PBS is a physical box on an access port, the 10.10.10.6 vm is running on Proxmox on a trunk port. Set a static arp on the access port 10.10.10.6/27 to the vm running on the trunk port 10.10.10.10/27.
ICMP and Proxmox traffic started flowing! Head slap moment as I don't recall if I set static arps on both sides last when I tested and what I was testing with. (being in a rush gets you every time)
Testing using the higher secondary network. Put another device on the Proxmox server, 10.10.10.36, and a physical device on 10.10.10.41.
Watching wireshark capture on host 10.10.10.36:
? (10.10.10.41) at <incomplete> on ens18
Set static arp and saw wireshark show icmp from .36 to .41 but no replies.
host 10.10.10.41:
? (10.10.10.36) at <incomplete> on enp1s0
Set static arp for .36 and traffic is flowing!
Going to start over and do a format install running 22.4RxsX .. FYI I did for a brief period set the subnet mask from /27 on both addresses to /26 which made it 10.10.10.0/26 (0-63), and still I could not do 10.10.10.6 to 10.10.10.10 communication.
I do not have any support on the unit and I will be doing my best to keep the community in sync with my progression.
FYI. I was making notes about the trunk / access ports because I'm used to troubleshooting DAI / IP SRC Guard where the trunk port is always trusted.
SRX3xx does not support those features.
Guessing .6 had the cache entry as it's been up 21 days, well before the swap from the 320 to the 340, and .10 for 3 days.
Thanks Steve / Gavin .. Have a great Thanksgiving or if you're from outside the US have a great Friendsgiving.
Tentative Resolution:
set interfaces irb.0 proxy-arp unrestricted
https://supportportal.juniper.net/s/article/Example-Configuring-restricted-and-unrestricted-proxy-ARP-on-an-SRX-device?language=en_US
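As an added example (not from this thread or from Juniper), a small Python parser for the `show security flow session` text quoted above that flags sessions whose Out wing has never carried a packet, and for each notes whether both endpoints fall inside one /27 and whether the session hairpins on a single interface. The sample text is constructed from the half-duplex session quoted above plus an invented two-way session for contrast; the /27 prefix length is an assumption matching this thread's addressing.

```python
import ipaddress
import re

# Constructed sample: the half-duplex session quoted in the thread, plus an
# invented healthy two-way session (ID 22604) for contrast.
SAMPLE = """\
Session ID: 22603, Policy name: WHAT-IS-GOING-ON/25, Timeout: 14, Session State: Valid
  In: 10.10.10.6/47752 --> 10.10.10.10/8007;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 3, Bytes: 180,
  Out: 10.10.10.10/8007 --> 10.10.10.6/47752;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
Session ID: 22604, Policy name: LAN-TO-WAN/10, Timeout: 1798, Session State: Valid
  In: 10.10.10.36/51000 --> 203.0.113.5/443;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 12, Bytes: 2400,
  Out: 203.0.113.5/443 --> 10.10.10.36/51000;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 9800,
"""

HDR = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), Session State: (\w+)")
WING = re.compile(r"\b(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+), .*?If: (\S+?),"
                  r" Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Parse Junos 'show security flow session' text into a list of dicts."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:
            cur = {"id": int(m[1]), "policy": m[2], "timeout": int(m[3]), "state": m[4]}
            sessions.append(cur)
            continue
        m = WING.search(line)
        if m and cur is not None:
            cur[m[1].lower()] = {"src": m[2], "sport": int(m[3]), "dst": m[4],
                                 "dport": int(m[5]), "proto": m[6], "if": m[7],
                                 "pkts": int(m[8]), "bytes": int(m[9])}
    return sessions

def one_way_sessions(text, prefixlen=27):
    """Sessions with zero Out packets. same_subnet: both endpoints share one
    /prefixlen (such hosts should not need the SRX); hairpin: In and Out on one ifl."""
    findings = []
    for s in parse_sessions(text):
        if "in" not in s or "out" not in s or s["out"]["pkts"] > 0:
            continue
        net = ipaddress.ip_interface(f'{s["in"]["src"]}/{prefixlen}').network
        findings.append({
            "id": s["id"], "policy": s["policy"],
            "flow": f'{s["in"]["src"]} -> {s["in"]["dst"]}:{s["in"]["dport"]}/{s["in"]["proto"]}',
            "same_subnet": ipaddress.ip_address(s["in"]["dst"]) in net,
            "hairpin": s["in"]["if"] == s["out"]["if"],
        })
    return findings
```

Feed it the saved output of the `show sec flow ses src-prefix ... dest-prefix ...` command above; a same-subnet hairpin with no return packets is the pattern the thread's half-duplex session shows.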