SRX

Issue is that I am trying to get a web server tunneled via gre to the internet using filter based routing and static NAT. From web-server all seems working. wget a site on the net uses the tunnel as expected, but when using telnet x.x.x.x 80 to the server there is no reply. Using tcpdump I can see packets arriving and replies beeing sendt. Flow sessions are being setup to the tunnel:

Session ID: 1680, Policy name: RASPHTTP/12, Timeout: 4, Valid
  In: 87.55.148.197/42802 --> 87.61.119.138/80;tcp, Conn Tag: 0x0, If: gr-0/0/0.42, Pkts: 2, Bytes: 120, 
  Out: 192.168.2.90/80 --> 87.55.148.197/42802;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0, 

What am I overseeing?

Configuration is attached.

BR

Tomas Jensen

Interface gr-0/0/0.42 is not in the TUNNEL-INSTANCE routing instance. While traffic originating from the inside correctly uses the filter to look up routes in COAX-INSTANCE, when a new session is initiated by traffic from gr-0/0/0.42, then the reverse route back to 87.55.148.197 is looked up in whatever instance the gre interface is in, and that's likely sending the return traffic where you don't want it. That would be my guess.

You can use monitor security flow commands to set up a flow trace and see exactly what routes are selected.

Disclaimer: I'm having difficulty following the config you posted as it's incomplete, uses set commands, it split into sections, and even includes delete commands. I also have trouble following rib-groups in my head in general.

Issue is that I am trying to get a web server tunneled via gre to the internet using filter based routing and static NAT. From web-server all seems working. wget a site on the net uses the tunnel as expected, but when using telnet x.x.x.x 80 to the server there is no reply. Using tcpdump I can see packets arriving and replies beeing sendt. Flow sessions are being setup to the tunnel:

Session ID: 1680, Policy name: RASPHTTP/12, Timeout: 4, Valid
  In: 87.55.148.197/42802 --> 87.61.119.138/80;tcp, Conn Tag: 0x0, If: gr-0/0/0.42, Pkts: 2, Bytes: 120, 
  Out: 192.168.2.90/80 --> 87.55.148.197/42802;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0, 

What am I overseeing?

Configuration is attached.

BR

Tomas Jensen

Interface gr-0/0/0.42 is not in the TUNNEL-INSTANCE routing instance. While traffic originating from the inside correctly uses the filter to look up routes in COAX-INSTANCE, when a new session is initiated by traffic from gr-0/0/0.42, then the reverse route back to 87.55.148.197 is looked up in whatever instance the gre interface is in, and that's likely sending the return traffic where you don't want it. That would be my guess.

You can use monitor security flow commands to set up a flow trace and see exactly what routes are selected.

Disclaimer: I'm having difficulty following the config you posted as it's incomplete, uses set commands, it split into sections, and even includes delete commands. I also have trouble following rib-groups in my head in general.

Issue is that I am trying to get a web server tunneled via gre to the internet using filter based routing and static NAT. From web-server all seems working. wget a site on the net uses the tunnel as expected, but when using telnet x.x.x.x 80 to the server there is no reply. Using tcpdump I can see packets arriving and replies beeing sendt. Flow sessions are being setup to the tunnel:

Session ID: 1680, Policy name: RASPHTTP/12, Timeout: 4, Valid
  In: 87.55.148.197/42802 --> 87.61.119.138/80;tcp, Conn Tag: 0x0, If: gr-0/0/0.42, Pkts: 2, Bytes: 120, 
  Out: 192.168.2.90/80 --> 87.55.148.197/42802;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0, 

What am I overseeing?

Configuration is attached.

BR

Tomas Jensen

Hi Nicolay,

Forwariding instances don't hav interfaces attached:

• Forwarding-Use this routing instance type for filter-based forwarding applications. For this instance type, there is no one-to-one mapping between an interface and a routing instance. All interfaces belong to the default instance inet.0.

BR

Tomas Jensen

Interface gr-0/0/0.42 is not in the TUNNEL-INSTANCE routing instance. While traffic originating from the inside correctly uses the filter to look up routes in COAX-INSTANCE, when a new session is initiated by traffic from gr-0/0/0.42, then the reverse route back to 87.55.148.197 is looked up in whatever instance the gre interface is in, and that's likely sending the return traffic where you don't want it. That would be my guess.

You can use monitor security flow commands to set up a flow trace and see exactly what routes are selected.

Disclaimer: I'm having difficulty following the config you posted as it's incomplete, uses set commands, it split into sections, and even includes delete commands. I also have trouble following rib-groups in my head in general.

Issue is that I am trying to get a web server tunneled via gre to the internet using filter based routing and static NAT. From web-server all seems working. wget a site on the net uses the tunnel as expected, but when using telnet x.x.x.x 80 to the server there is no reply. Using tcpdump I can see packets arriving and replies beeing sendt. Flow sessions are being setup to the tunnel:

Session ID: 1680, Policy name: RASPHTTP/12, Timeout: 4, Valid
  In: 87.55.148.197/42802 --> 87.61.119.138/80;tcp, Conn Tag: 0x0, If: gr-0/0/0.42, Pkts: 2, Bytes: 120, 
  Out: 192.168.2.90/80 --> 87.55.148.197/42802;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0, 

What am I overseeing?

Configuration is attached.

BR

Tomas Jensen