SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VRRP Ping only works when monitor traffic is on

    Posted 04-12-2021 08:16
    I am testing out a setup in GNS3. I added 2 vSRX 18.4R3 3.0 devices, connected to a standard switch. I added the simplest of simple configs:


    vSRX1:

    set interfaces ge-0/0/4 unit 0 family inet address 10.0.10.4/28 vrrp-group 1 virtual-address 10.0.10.2
    set interfaces ge-0/0/4 unit 0 family inet address 10.0.10.4/28 vrrp-group 1 priority 220
    set security zones security-zone trust host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic protocols vrrp

    root> show vrrp brief
    Interface     State   Group   VR state   VR Mode   Timer     Type   Address
    ge-0/0/4.0    up      1       master     Active    A 0.691   lcl    10.0.10.4
                                                                 vip    10.0.10.2

    vSRX2:

    set interfaces ge-0/0/4 unit 0 family inet address 10.0.10.3/28 vrrp-group 1 virtual-address 10.0.10.2
    set interfaces ge-0/0/4 unit 0 family inet address 10.0.10.3/28 vrrp-group 1 priority 200
    set security zones security-zone trust host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic protocols vrrp


    Interface     State   Group   VR state   VR Mode   Timer     Type   Address
    ge-0/0/4.0    up      1       backup     Active    D 2.900   lcl    10.0.10.3
                                                                 vip    10.0.10.2
                                                                 mas    10.0.10.4

    So all seems to work OK concerning VRRP. I can see the 224.0.0.18 packets containing VRRP info with the packet tracer, and all seems to work OK.

    Now comes the fun part. The virtual IP can only be pinged from inside the master box, at this moment vSRX1. From the vSRX2 the ping gets no reply. I can see the packet going towards the vSRX1, but no reply. Now I let the ping go and start a monitor traffic on the ge-0/0/4 interface on vSRX1 to see the ping coming in. And ping starts to work.


    vSRX2:
    root> ping 10.0.10.2
    PING 10.0.10.2 (10.0.10.2): 56 data bytes
    ^C
    --- 10.0.10.2 ping statistics ---
    8 packets transmitted, 0 packets received, 100% packet loss

    root> ping 10.0.10.2
    PING 10.0.10.2 (10.0.10.2): 56 data bytes
    64 bytes from 10.0.10.2: icmp_seq=11 ttl=64 time=4.874 ms
    64 bytes from 10.0.10.2: icmp_seq=12 ttl=64 time=1.585 ms
    64 bytes from 10.0.10.2: icmp_seq=13 ttl=64 time=3.560 ms
    64 bytes from 10.0.10.2: icmp_seq=14 ttl=64 time=1.719 ms
    64 bytes from 10.0.10.2: icmp_seq=15 ttl=64 time=1.730 ms
    64 bytes from 10.0.10.2: icmp_seq=16 ttl=64 time=1.879 ms
    64 bytes from 10.0.10.2: icmp_seq=17 ttl=64 time=1.604 ms
    ^C
    --- 10.0.10.2 ping statistics ---
    109 packets transmitted, 7 packets received, 93% packet loss
    round-trip min/avg/max/stddev = 1.585/2.422/4.874/1.192 ms

    root>



    vSRX1:
    root> ping 10.0.10.2
    PING 10.0.10.2 (10.0.10.2): 56 data bytes
    64 bytes from 10.0.10.2: icmp_seq=0 ttl=64 time=0.329 ms
    64 bytes from 10.0.10.2: icmp_seq=1 ttl=64 time=0.043 ms
    ^C
    --- 10.0.10.2 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.043/0.186/0.329/0.143 ms

    root> monitor traffic interface ge-0/0/4 no-resolve
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is OFF.
    Listening on ge-0/0/4, capture size 96 bytes

    12:28:18.829984 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
    12:28:19.594558 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
    12:28:20.537789 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
    12:28:21.506782 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
    12:28:22.469059 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
    12:28:23.343387 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
    12:28:24.344707 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
    ^C
    7 packets received by filter
    0 packets dropped by kernel

    root>



    Am I missing some firewall settings to make ICMP work? Also routing to this virtual IP does not work (the reason I am testing this), but during the monitor, routing does work.



    ------------------------------
    Ben Ooijevaar
    ------------------------------
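As an added example (not part of this thread or of Junos), the Python below builds and decodes a VRRPv2 advertisement (RFC 3768) with the same field values the capture above shows (vrid=1 prio=220 authtype=none intvl=1, VIP 10.0.10.2), validates its checksum, and derives the virtual router MAC 00:00:5e:00:01:{VRID} that the master has to accept frames for. The sample packet is constructed in the code, not taken from the capture.

```python
import struct


def vrrp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole VRRPv2 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrpv2(vrid: int, priority: int, vips: list, adver_int: int = 1) -> bytes:
    """Constructed test input: a VRRPv2 advertisement, auth type 0 (none)."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in vips)
    pkt = header + addrs + b"\x00" * 8          # 8 bytes of (unused) auth data
    return pkt[:6] + struct.pack("!H", vrrp_checksum(pkt)) + pkt[8:]


def parse_vrrpv2(pkt: bytes) -> dict:
    """Decode the fields tcpdump prints (vrid/prio/authtype/intvl) plus the virtual MAC."""
    if len(pkt) < 16:
        raise ValueError("VRRP message too short")
    ver_type, vrid, prio, count, auth, intvl, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if vrrp_checksum(pkt) != 0:                  # a valid message re-sums to zero
        raise ValueError("bad VRRP checksum")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("truncated address list")
    vips = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {
        "vrid": vrid,
        "prio": prio,
        "authtype": "none" if auth == 0 else auth,
        "intvl": intvl,
        "vips": vips,
        # RFC 3768 virtual router MAC address: 00-00-5E-00-01-{VRID}
        "virtual_mac": "00:00:5e:00:01:%02x" % vrid,
    }


if __name__ == "__main__":
    adv = build_vrrpv2(1, 220, ["10.0.10.2"])   # same values as the vSRX1 capture
    print(parse_vrrpv2(adv))
```

Feeding the decoder a VRRP payload captured with `monitor traffic ... extensive` (or tcpdump) lets you confirm that the VRID, priority and virtual MAC in the advertisements match what `show vrrp detail` reports.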


  • 2.  RE: VRRP Ping only works when monitor traffic is on

    Posted 04-12-2021 08:37
    accept-data | High Availability User Guide | Juniper Networks TechLibrary, although I don't understand why this would affect routing through the box ...


  • 3.  RE: VRRP Ping only works when monitor traffic is on

    Posted 04-12-2021 08:51

    Thanks for the reply. accept-data is what I tried at first. Still does not work.

    As you can see, on vSRX1 accept-data is on:

    root> show vrrp detail
    Physical interface: ge-0/0/4, Unit: 0, Address: 10.0.10.4/28
    Index: 69, SNMP ifIndex: 521, VRRP-Traps: disabled, VRRP-Version: 2
    Interface state: up, Group: 1, State: master, VRRP Mode: Active
    Priority: 220, Advertisement interval: 1, Authentication type: none
    Advertisement threshold: 3, Computed send rate: 0
    Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.0.10.2
    Advertisement Timer: 0.221s, Master router: 10.0.10.4
    Virtual router uptime: 04:31:59, Master router uptime: 04:31:54
    Virtual Mac: 00:00:5e:00:01:01
    Preferred: yes
    Tracking: disabled

    root>


    It affects routing because packets are not forwarded. Maybe I should mention I also created another setup with more devices attached. Then the packets should pass through the vSRX and out via another interface. And the second VRRP basically provides a second route.



    ------------------------------
    Ben Ooijevaar
    ------------------------------



  • 4.  RE: VRRP Ping only works when monitor traffic is on

    Posted 01-27-2023 13:46
    Ben,
    We are experiencing this exact same issue and JTAC hasn't been able to help.  Did you ever find a solution or a workaround for this?

    Thanks
    Jon

    ------------------------------
    JON SITTNER
    ------------------------------