Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

SRX345 No internet access

  • 1.  SRX345 No internet access

    Posted 12-29-2022 09:24
    Hi everyone,

    I have been pulling my hair out for 2 days trying to configure an SRX345. I have been using the NetScreen ISG-2000 web interface, and the SRX version 23 J-Web is a whole new ball game.
    My issue is that I have a static route set for my untrust WAN interface ge-0/0/0 to my datacenter IP, which is not in my subnet group. But when I ping anything outside my firewall I get

    ping: sendto: No route to host.

    run show route

    inet.0: 3 destinations, 4 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.1.0/24     *[Direct/0] 1d 04:53:03
                        >  via fxp0.0
                        [Direct/0] 17:22:54
                        >  via lo0.0
    192.168.1.1/32     *[Local/0] 1d 04:53:03
                           Local via fxp0.0
    192.168.1.2/32     *[Local/0] 17:22:54
                           Local via lo0.0

    trust-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.10.20.0/24      *[Direct/0] 13:44:14
                        >  via ge-0/0/7.0
    10.10.20.254/32    *[Local/0] 13:44:14
                           Local via ge-0/0/7.0
    192.168.2.1/32     *[Local/0] 13:44:14
                           Reject

    untrust-vr.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    XXX.182.158.0/24    *[Direct/0] 02:02:57
                        >  via ge-0/0/0.0
    XXX.182.158.254/32  *[Local/0] 02:02:57
                           Local via ge-0/0/0.0

    inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    ff02::2/128        *[INET6/0] 1d 04:53:07
                           MultiRecv

    trust-vr.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    ff02::2/128        *[INET6/0] 13:44:16
                           MultiRecv

    untrust-vr.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    fe80::d2dd:490f:fce5:5ac1/128
                       *[Local/0] 13:44:15
                           Local via dl0.0
    ff02::2/128        *[INET6/0] 13:44:16
                           MultiRecv


    I have my static route 0.0.0.0/0 set to XXX.182.141.1.
    In my old ISG-2000 I used to have untrust-vr. Not sure if I need to set up a routing-instance; I did, but it did not help.
    If anyone can help, please.

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------


  • 2.  RE: SRX345 No internet access

    Posted 12-29-2022 09:47
    The default route is not showing up in the shown routing table and local ping to the default gateway is not working.

    This leads me to think there may be a layer 2 issue on ge-0/0/0 to your gateway.

    What are the following configurations:
    interface ge-0/0/0
    assignment of ge-0/0/0.0 to a zone
    host inbound traffic for that zone

    Status of the interface when connected
    show interfaces terse

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX345 No internet access

    Posted 12-29-2022 12:54
    It is assigned to the untrust zone

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 4.  RE: SRX345 No internet access

    Posted 01-02-2023 12:54
    Happy New Year to all,

    Can anyone help? Here is my config file. Still not able to ping out.


    ## Last changed: 2022-12-30 19:49:59 EST
    version 22.3R1.11;
    groups {
        noded;
        node0 {
            system {
                backup-router 192.168.1.1 destination [ 128.0.0.0/1 192.100.0.0/16 ];
            }
        }
    }
    system {
        host-name gw3;
        root-authentication {
            Xxxxx
        }
        login {
            user xxxxxxx {
                uid 2002;
                class super-user;
                authentication {
                    xxxxxxxx
                }
            }
        }
        services {
            ssh {
                root-login allow;
            }
            netconf {
                ssh;
            }
            dhcp-local-server {
                group jdhcp-group {
                    interface fxp0.0;
                    interface irb.0;
                }
            }
            web-management {
                http {
                    interface [ vlan.0 ge-0/0/0.0 ge-0/0/7.0 fxp0.0 ];
                }
                https {
                    system-generated-certificate;
                }
                session {
                    idle-timeout 1440;
                    session-limit 7;
                }
            }
        }
        backup-router 192.168.1.1 destination [ 0.0.0.0/1 128.0.0.0/1 ];
        time-zone America/New_York;
        name-server {
            69.13.54.137;
            69.13.54.138;
            8.8.8.8;
            8.8.4.4;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any notice;
                authorization info;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 132.163.97.5 prefer;
            server 128.138.141.177 prefer;
        }
        phone-home {
            server https://redirect.juniper.net;
            rfc-compliant;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy our-internet-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy our-deny-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            pre-id-default-policy {
                then {
                    log {
                        session-close;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                        ssh;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                    ge-0/0/7.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                                ping;
                            }
                        }
                    }
                    ge-0/0/15.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    dl0.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description Internet;
                family inet {
                    address xxx.182.158.254/24 {
                        web-authentication {
                            http;
                            https;
                            redirect-to-https;
                        }
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family inet {
                    address 10.10.20.254/24;
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-srx345;
                    }
                }
            }
        }
        cl-1/0/0 {
            dialer-options {
                pool 1 priority 100;
            }
        }
        dl0 {
            unit 0 {
                family inet {
                    negotiate-address;
                }
                family inet6 {
                    negotiate-address;
                }
                dialer-options {
                    pool 1;
                    dial-string 1234;
                    always-on;
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24 {
                        web-authentication {
                            http;
                            https;
                            redirect-to-https;
                        }
                    }
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.1.2/24;
                }
            }
        }
    }
    firewall {
        family inet {
            filter Trusted-Mgm {
                term Management-IP {
                    from {
                        source-address {
                            197.153.56.212/32;
                        }
                    }
                }
            }
        }
    }
    access {
        profile local {
            client echouafnist {
                firewall-user {
                    password "$9$U4D.5n6A01hCtvWXxdV.Pf5n/"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool junosDHCPPool1;
            }
        }
        address-assignment {
            pool junosDHCPPool1 {
                family inet {
                    network 192.168.1.0/24;
                    range junosRange {
                        low 192.168.1.2;
                        high 192.168.1.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.1.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
            pool junosDHCPPool2 {
                family inet {
                    network 192.168.2.0/24;
                    range junosRange {
                        low 192.168.2.2;
                        high 192.168.2.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.2.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile local;
                banner {
                    success "Welcome BB";
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop xxx.182.144.1;
        }
    }

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 5.  RE: SRX345 No internet access

    Posted 01-02-2023 12:56
    Here is the config file, if anyone is kind enough to help me. I cannot even ping my ISP IP; nothing is going in or out of the WAN interface ge-0/0/0.0. I get:
    ping: sendto: No route to host
    I have been fighting this for days now.

    I also noticed that on the fxp0 management interface, instead of J-Web I get the Firewall Authentication screen, which, if you create a login for it under firewall authentication, redirects you to a blank screen after a successful login. How do I get my J-Web login back?


    ------------------------------
    JAY ECHOUAFNI
    ------------------------------

    Attachment: config_noData.txt (10 KB)


  • 6.  RE: SRX345 No internet access

    Posted 01-03-2023 09:59
    Hey,

    The configuration of the ge-0/0/0 interface is as shown below. The interface IP is from the network xxx.182.158.0/24.
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description Internet;
                family inet {
                    address xxx.182.158.254/24 {
                        web-authentication {
                            http;
                            https;
                            redirect-to-https;
                        }
                    }
                }
            }
        }
    }

    The static default route is pointed towards xxx.182.144.1. Now this next-hop is not in the same network range as the ge-0/0/0 interface.

    The static route should be pointing towards the gateway of the xxx.182.158.0/24 subnet that is assigned.

    Which IP(s) are you pinging when you get no route to the host? What is the IP of the gateway in the subnet xxx.182.158.0/24?

    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 7.  RE: SRX345 No internet access

    Posted 01-03-2023 10:00
    Hey,

    The IP address assigned to the interface ge-0/0/0.0 is xxx.182.158.254/24. It is in the network xxx.182.158.0/24

    The default static route points to xxx.182.144.1. But it is not in the same network as xxx.182.158.0/24. The default-route should point towards the gateway of the network associated with the interface ge-0/0/0.0.

    What is the gateway of the network xxx.182.158.0/24? Which IPs are you pinging when you see "No route to host"?

    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 8.  RE: SRX345 No internet access

    Posted 01-05-2023 11:20
    I found the problem. I did not have this issue in my ISG-2000, but in the SRX I had to set the subnet mask to xxx.182.158.254/16 on my ge-0/0/0.0; then I was able to ping the outside world.

    Now all my computers behind the SRX are not able to get on the internet. I will open a new thread.

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 9.  RE: SRX345 No internet access

    Posted 01-05-2023 16:01
    Hi Jay,

    Changing the subnet mask to /16 from /24 solves your problem because the next-hop for the default route, xxx.182.144.1, becomes part of the network xxx.182.0.0/16 assigned to the ge-0/0/0.0 interface. With /24, the network to which ge-0/0/0.0 was assigned was xxx.182.158.0/24; xxx.182.144.1 is not a host IP in that network.

    If you didn't have this issue with /24 assigned on the ge-0/0/0.0 interface, then on that device you must have had another route (static or dynamic) for your next-hop xxx.182.144.1.

    Regards
    Sheetanshu

    ------------------------------
    Sheetanshu Shekhar
    ------------------------------
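The replies from post 6 onward all turn on one rule: a Junos static route is only installed when its next-hop is covered by a directly connected route (the `resolve` keyword is what relaxes that to a recursive lookup). The following is an added example, not code from the thread or from Juniper; it models that rule in Python and shows what the /16 workaround actually changes. The addresses are constructed stand-ins (10.182.x.x) for the redacted xxx.182.x.x values in the posts, and the interface name and helper functions are this example's own.

```python
"""
Model of why a Junos static route whose next-hop is not covered by a
connected route never appears in 'show route', and what widening the
interface mask from /24 to /16 costs.

Added example, not part of the thread. All addresses are constructed
stand-ins (10.182.x.x) for the redacted xxx.182.x.x values in the posts.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """A logical interface with one inet address, e.g. ge-0/0/0.0 (hypothetical)."""
    name: str
    address: ipaddress.IPv4Interface  # address together with its mask

    @property
    def connected_prefix(self) -> ipaddress.IPv4Network:
        # Junos installs one [Direct/0] route per configured address:
        # the network the address belongs to, reachable via this interface.
        return self.address.network


def wan_interface(cidr: str) -> Interface:
    """Build the WAN interface as configured in the thread (address/mask)."""
    return Interface("ge-0/0/0.0", ipaddress.IPv4Interface(cidr))


def resolve_next_hop(next_hop: str, interfaces):
    """Return the interface whose connected route covers next_hop, or None.

    Without the 'resolve' keyword, Junos installs a static route only when
    its next-hop is reachable through a directly connected route. None here
    means the default route is silently absent, which is what the 'show
    route' output in the first post shows: only Direct and Local routes.
    """
    nh = ipaddress.IPv4Address(next_hop)
    for iface in interfaces:
        if nh in iface.connected_prefix:
            return iface.name
    return None


def default_route_installed(next_hop: str, interfaces) -> bool:
    return resolve_next_hop(next_hop, interfaces) is not None


def onlink_hosts(iface: Interface) -> int:
    """Addresses the SRX now treats as directly attached (and will ARP for)."""
    return iface.connected_prefix.num_addresses - 2


def scenario(wan_cidr: str, next_hop: str) -> dict:
    """Evaluate one WAN address/mask against one default-route next-hop."""
    wan = wan_interface(wan_cidr)
    return {
        "connected": str(wan.connected_prefix),
        "installed": default_route_installed(next_hop, [wan]),
        "onlink_hosts": onlink_hosts(wan),
    }


if __name__ == "__main__":
    GATEWAY = "10.182.144.1"  # constructed stand-in for xxx.182.144.1
    # As posted: /24 on the WAN, next-hop outside it -> route not installed.
    print("/24, gateway outside:", scenario("10.182.158.254/24", GATEWAY))
    # The workaround from post 8: /16 makes the next-hop "connected".
    print("/16, gateway outside:", scenario("10.182.158.254/16", GATEWAY))
    # What post 11 asks for: a gateway inside the /24 (constructed value).
    print("/24, gateway inside: ", scenario("10.182.158.254/24", "10.182.158.1"))
```

The third scenario is the one to aim for: with the ISP's gateway inside the /24 the default route installs and the SRX only considers 254 addresses on-link. The /16 workaround also installs the route, but it makes the firewall treat 65,534 addresses as directly attached, so any traffic to the rest of that /16 (other ISP customers included) is ARPed for on the WAN segment instead of being forwarded to the gateway, and it masks the real question of what the gateway is. If the ISP genuinely expects a gateway outside the subnet, a specific route to that gateway is the narrower change (post 9's "another route for your next-hop"), but only the ISP can confirm that design.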



  • 10.  RE: SRX345 No internet access

    Posted 01-05-2023 20:34
    So what should I do? Can you explain? I only got it to work by changing my WAN IP subnet mask.

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 11.  RE: SRX345 No internet access

    Posted 01-06-2023 11:01
    What is the gateway of the subnet assigned to the WAN interface ge-0/0/0.0 (in the /24 network)? The static default route should point to the gateway of the xxx.182.158.0/24 network.

    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 12.  RE: SRX345 No internet access

    Posted 01-06-2023 12:40
    The WAN interface was XXX.182.158.5/24, which I had to change to /16 for it to work. The gateway is XXX.182.144.1; 0.0.0.0/0 next-hop XXX.182.144.1.




  • 13.  RE: SRX345 No internet access

    Posted 01-09-2023 09:35
    I started moving my sites to the new SRX from my older Juniper NetScreen and noticed that on one of my websites visitors' IPs are showing up as my firewall trust interface IP 10.10.20.254, which is a high security risk and also falsifies all the information.
    So I thought I had misconfigured the security policy when I put the inside IP of the destination server rather than the outside NATed IP. I reversed that in the security policy, and after that everything stopped working. All 15 of my NATed servers were no longer visible to the internet. All my static NATs stopped working; no longer visible from the internet.

    When I go to an inside server behind the SRX and look up its IP, it shows me the correct NATed outside IP. I can go out, but nothing can get back in on port 80 or ping. When I check the security policies they did not change, since they were working fine. I even disabled them and created a new one from untrust to trust, selected my server as the destination and allowed all services to test.

    I rolled back my config to one from a few hours before any of my changes, but nothing: all the NATs are there and their proxy ARP IPs are there, but no traffic is going through the SRX.

    I can ping out of the SRX WAN interface and I can get to the login screen from the web on the WAN interface ge-0/0/0.0, but nothing else. I am at a loss. I even rebooted the SRX345, in vain.

    I have been down for 4 hours and do not know how to get this back up. Please help me.



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------