SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  No return packets via tunnel

    Posted 22 days ago
      |   view attached

    Issue is that I am trying to get a web server tunneled via gre to the internet using filter based routing and static NAT. From web-server all seems working. wget a site on the net uses the tunnel as expected, but when using telnet x.x.x.x 80 to the server there is no reply. Using tcpdump I can see packets arriving and replies beeing sendt. Flow sessions are being setup to the tunnel:

    Session ID: 1680, Policy name: RASPHTTP/12, Timeout: 4, Valid
      In: 87.55.148.197/42802 --> 87.61.119.138/80;tcp, Conn Tag: 0x0, If: gr-0/0/0.42, Pkts: 2, Bytes: 120, 
      Out: 192.168.2.90/80 --> 87.55.148.197/42802;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0, 

    What am I overseeing?

    Configuration is attached.

    BR

    Tomas Jensen



    ------------------------------
    TOMAS JENSEN
    ------------------------------

    Attachment(s)

    txt
    tomas_dk.txt   14 KB 1 version


  • 2.  RE: No return packets via tunnel

    Posted 9 days ago

    Interface gr-0/0/0.42 is not in the TUNNEL-INSTANCE routing instance. While traffic originating from the inside correctly uses the filter to look up routes in COAX-INSTANCE, when a new session is initiated by traffic from gr-0/0/0.42, then the reverse route back to 87.55.148.197 is looked up in whatever instance the gre interface is in, and that's likely sending the return traffic where you don't want it. That would be my guess.

    You can use monitor security flow commands to set up a flow trace and see exactly what routes are selected.

    Disclaimer: I'm having difficulty following the config you posted as it's incomplete, uses set commands, it split into sections, and even includes delete commands. I also have trouble following rib-groups in my head in general.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: No return packets via tunnel

    Posted 7 days ago

    Hi Nikolay,

    It is not possible to apply a interface to a forwarding instance as far as I know.

    Documentation says:
    Forwarding-Use this routing instance type for filter-based forwarding applications. For this instance type, there is no one-to-one mapping between an interface and a routing instance. All interfaces belong to the default instance inet.0.

    BR

    Tomas Jensen



    ------------------------------
    TOMAS JENSEN
    ------------------------------



  • 4.  RE: No return packets via tunnel

    Posted 7 days ago

    Hi Nicolay,

    Forwariding instances don't hav interfaces attached:

    • Forwarding-Use this routing instance type for filter-based forwarding applications. For this instance type, there is no one-to-one mapping between an interface and a routing instance. All interfaces belong to the default instance inet.0.

    BR

    Tomas Jensen



    ------------------------------
    TOMAS JENSEN
    ------------------------------



  • 5.  RE: No return packets via tunnel

    Posted 6 days ago

    Oh, right... You'll have to upgrade the routing instance to virtual-router in order to put the GRE tunnel in it. That, of course, will comes with more work:

    • I'm not sure if the PBR filter will let you pick a virtual-router instance. If you need to have a forwarding instance for the filter, then you can create a forwarding instance PBR-INSTANCE which has a single route 0.0.0.0/0 next-table COAX-INSTANCE.inet.0 and still do the routing magic in COAX-INSTANCE.
    • All interfaces in the same zone must be in the same routing instance, so if there are other interfaces in the zone where the GRE tunnel is, then the GRE tunnel will need to go into its own zone, with its own policies, etc. You can utilize configuration groups to avoid duplicating policies, if you wish.
    • The RIB group magic may be affected by moving the GRE tunnel into a separate routing instance.

    All that being said, I think it's worth doing a flow trace to confirm this is really the issue before doing all this extra work to move the GRE tunnel into a separate routing instance.



    ------------------------------
    Nikolay Semov
    ------------------------------