Routing

 View Only
last person joined: 15 hours ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
Expand all | Collapse all

SRX345 No internet access

  • 1.  SRX345 No internet access

    Posted 12-29-2022 09:24
    Hi everyone,

    I have been pulling my hair for 2 days trying to configure an SRX345. I have been using Netscreens ISG-2000 web interfaces and the SRX version 23 J-Web is a whole new ball Game.
    My issue is I have a static route set for my untrust WAN interface ge-0/0/0 to my datacenter IP which is not in my subnet group. But when I ping anything outside my firewall I get

    ping: sendto: No route to host.

    run show route

    inet.0: 3 destinations, 4 routes (3 active, 0 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

    192.168.1.0/24     *[Direct/0] 1d 04:53:03

                        >  via fxp0.0

                        [Direct/0] 17:22:54

                        >  via lo0.0

    192.168.1.1/32     *[Local/0] 1d 04:53:03

                           Local via fxp0.0

    192.168.1.2/32     *[Local/0] 17:22:54

                           Local via lo0.0

    trust-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

    10.10.20.0/24      *[Direct/0] 13:44:14

                        >  via ge-0/0/7.0

    10.10.20.254/32    *[Local/0] 13:44:14

                           Local via ge-0/0/7.0

    192.168.2.1/32     *[Local/0] 13:44:14

                           Reject

    untrust-vr.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

    XXX.182.158.0/24    *[Direct/0] 02:02:57

                        >  via ge-0/0/0.0

    XXX.182.158.254/32  *[Local/0] 02:02:57

                           Local via ge-0/0/0.0

    inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

    ff02::2/128        *[INET6/0] 1d 04:53:07

                           MultiRecv

    trust-vr.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

    ff02::2/128        *[INET6/0] 13:44:16

                           MultiRecv

    untrust-vr.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

                                            

    fe80::d2dd:490f:fce5:5ac1/128

                       *[Local/0] 13:44:15

                           Local via dl0.0

    ff02::2/128        *[INET6/0] 13:44:16

                           MultiRecv

     

    I have my static Route set 0.0.0.0/0 set to XXX.182.141.1
    In my old IG-2000 I used to have untrust-vr not sure if I need to setup a routing-instance I did but did not help
    If anyone can help. Please

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------


  • 2.  RE: SRX345 No internet access

    Posted 12-29-2022 09:47
    The default route is not showing up in the shown routing table and local ping to the default gateway is not working.

    This leads me to think there may be a layer 2 issue on ge-0/0/0 to your gateway.

    What are the following configurations:
    interface ge-0/0/0
    assignment of ge-0/0/0.0 to a zone
    host inbound traffic for that zone

    Status of the interface when connected
    show interfaces terse

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX345 No internet access

    Posted 12-29-2022 12:54
      |   view attached
    It is assigned to the untrust zone

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 4.  RE: SRX345 No internet access

    Posted 01-02-2023 12:54
    Happy New Year to all,

    Can anyone help Here is my config file. Still not able to ping out 


    ## Last changed: 2022-12-30 19:49:59 EST
    version 22.3R1.11;
    groups {
    noded;
    node0 {
    system {
    backup-router 192.168.1.1 destination [ 128.0.0.0/1 192.100.0.0/16 ];
    }
    }
    }
    system {
    host-name gw3;
    root-authentication {
    Xxxxx }
    login {
    user xxxxxxx {
    uid 2002;
    class super-user;
    authentication {
    xxxxxxxx }
    }
    }
    services {
    ssh {
    root-login allow;
    }
    netconf {
    ssh;
    }
    dhcp-local-server {
    group jdhcp-group {
    interface fxp0.0;
    interface irb.0;
    }
    }
    web-management {
    http {
    interface [ vlan.0 ge-0/0/0.0 ge-0/0/7.0 fxp0.0 ];
    }
    https {
    system-generated-certificate;
    }
    session {
    idle-timeout 1440;
    session-limit 7;
    }
    }
    }
    backup-router 192.168.1.1 destination [ 0.0.0.0/1 128.0.0.0/1 ];
    time-zone America/New_York;
    name-server {
    69.13.54.137;
    69.13.54.138;
    8.8.8.8;
    8.8.4.4;
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file interactive-commands {
    interactive-commands any;
    }
    file messages {
    any notice;
    authorization info;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    ntp {
    server 132.163.97.5 prefer;
    server 128.138.141.177 prefer;
    }
    phone-home {
    server https://redirect.juniper.net;
    rfc-compliant;
    }
    }
    security {
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    policies {
    from-zone trust to-zone trust {
    policy trust-to-trust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone untrust {
    policy our-internet-policy {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone untrust to-zone trust {
    policy our-deny-policy {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    deny;
    }
    }
    }
    pre-id-default-policy {
    then {
    log {
    session-close;
    }
    }
    }
    }
    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    ssh;
    }
    protocols {
    all;
    }
    }
    interfaces {
    irb.0;
    ge-0/0/7.0;
    }
    }
    security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
    system-services {
    ping;
    }
    }
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    dhcp;
    tftp;
    https;
    ping;
    }
    }
    }
    ge-0/0/15.0 {
    host-inbound-traffic {
    system-services {
    dhcp;
    tftp;
    }
    }
    }
    dl0.0 {
    host-inbound-traffic {
    system-services {
    tftp;
    }
    }
    }
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    description Internet;
    family inet {
    address xxx.182.158.254/24 {
    web-authentication {
    http;
    https;
    redirect-to-https;
    }
    }
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/4 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/5 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/6 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/7 {
    unit 0 {
    family inet {
    address 10.10.20.254/24;
    }
    }
    }
    ge-0/0/8 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/9 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/10 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/11 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/12 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/13 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/14 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/15 {
    unit 0 {
    family inet {
    dhcp {
    vendor-id Juniper-srx345;
    }
    }
    }
    }
    cl-1/0/0 {
    dialer-options {
    pool 1 priority 100;
    }
    }
    dl0 {
    unit 0 {
    family inet {
    negotiate-address;
    }
    family inet6 {
    negotiate-address;
    }
    dialer-options {
    pool 1;
    dial-string 1234;
    always-on;
    }
    }
    }
    fxp0 {
    unit 0 {
    family inet {
    address 192.168.1.1/24 {
    web-authentication {
    http;
    https;
    redirect-to-https;
    }
    }
    }
    }
    }
    irb {
    unit 0 {
    family inet {
    address 192.168.2.1/24;
    }
    }
    }
    lo0 {
    unit 0 {
    family inet {
    address 192.168.1.2/24;
    }
    }
    }
    }
    firewall {
    family inet {
    filter Trusted-Mgm {
    term Management-IP {
    from {
    source-address {
    197.153.56.212/32;
    }
    }
    }
    }
    }
    }
    access {
    profile local {
    client echouafnist {
    firewall-user {
    password "$9$U4D.5n6A01hCtvWXxdV.Pf5n/"; ## SECRET-DATA
    }
    }
    address-assignment {
    pool junosDHCPPool1;
    }
    }
    address-assignment {
    pool junosDHCPPool1 {
    family inet {
    network 192.168.1.0/24;
    range junosRange {
    low 192.168.1.2;
    high 192.168.1.254;
    }
    dhcp-attributes {
    router {
    192.168.1.1;
    }
    propagate-settings ge-0/0/0.0;
    }
    }
    }
    pool junosDHCPPool2 {
    family inet {
    network 192.168.2.0/24;
    range junosRange {
    low 192.168.2.2;
    high 192.168.2.254;
    }
    dhcp-attributes {
    router {
    192.168.2.1;
    }
    propagate-settings ge-0/0/0.0;
    }
    }
    }
    }
    firewall-authentication {
    web-authentication {
    default-profile local;
    banner {
    success "Welcome BB";
    }
    }
    }
    }
    vlans {
    vlan-trust {
    vlan-id 3;
    l3-interface irb.0;
    }
    }
    protocols {
    l2-learning {
    global-mode switching;
    }
    rstp {
    interface all;
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop xxx.182.144.1;
    }
    }

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 5.  RE: SRX345 No internet access

    Posted 01-02-2023 12:56
      |   view attached
    Here is the config file if anyone is kind enough to help me. I can not even ping my ISP IP nothing going in or out of the wan ge-0/0/0.0 I get:
    ping: sendto: No route to host
    I have been fighting this for days now.

    Also noticed that on the fx0 Management interface instead of J-web I get the Firewall Authentication screen which if you create a login to under firewall authentication redirects you after successful login to a blank screen. How do I get my J-web login back?


    ------------------------------
    JAY ECHOUAFNI
    ------------------------------

    Attachment(s)

    txt
    config_noData.txt   10 KB 1 version


  • 6.  RE: SRX345 No internet access

    Posted 01-03-2023 09:59
    Hey,

    The configuration of the ge-0/0/0 interface is as shown below. The interface IP is from the network xxx.182.158.0/24
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description Internet;
                family inet {
                    address xxx.182.158.254/24 {
                        web-authentication {
                            http;
                            https;
                            redirect-to-https;
                        }
                    }
                }
            }
        }​

    The static default route is pointed towards xxx.182.144.1. Now this next-hop is not in the same network range as the ge-0/0/0 interface.

    The static route should be pointing towards the gateway of the xxx.182.158.0/24 subnet that is assigned.

    Which IP(s) are you pinging when you get no route to the host? What is the IP of the gateway in the subnet xxx.182.158.0/24?

    ------------------------------
    Sheetanshu Shekhar
    ------------------------------