Junos OS

  • 1.  Communication through 2 srx not establishing

    This message was posted by a user wishing to remain anonymous
    Posted 03-08-2023 09:03

    Hi,
    Two SRXs are not communicating; the ports are configured as trunk with allowed VLANs.
    The SRX models are SRX 550 and SRX 345, and the SRXs are connected to each other using a fiber link.
    Please find attached screenshot and advise.

    SRX 550 Config

    set interfaces ge-0/0/8 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members srx550
    set interfaces irb unit 90 family inet address 10.0.0.3/24 vrrp-group 1 virtual-address 10.0.0.1
    set interfaces irb unit 90 family inet address 10.0.0.3/24 vrrp-group 1 priority 202
    set interfaces irb unit 90 family inet address 10.0.0.3/24 vrrp-group 1 preempt
    set interfaces irb unit 90 family inet address 10.0.0.3/24 vrrp-group 1 accept-data
    set security zones security-zone srx550 host-inbound-traffic system-services all
    set security zones security-zone srx550 host-inbound-traffic protocols all
    set security zones security-zone srx550 interfaces irb.90
    set vlans srx550 vlan-id 90
    set vlans srx550 l3-interface irb.90

    SRX 345 Config

    set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members srx345
    set interfaces irb unit 90 family inet address 10.0.0.4/24 vrrp-group 1 virtual-address 10.0.0.2
    set interfaces irb unit 90 family inet address 10.0.0.4/24 vrrp-group 1 priority 202
    set interfaces irb unit 90 family inet address 10.0.0.4/24 vrrp-group 1 preempt
    set interfaces irb unit 90 family inet address 10.0.0.4/24 vrrp-group 1 accept-data
    set security zones security-zone srx345 host-inbound-traffic system-services all
    set security zones security-zone srx345 host-inbound-traffic protocols all
    set security zones security-zone srx345 interfaces irb.90
    set vlans s345 vlan-id 90
    set vlans s345 l3-interface irb.90



  • 2.  RE: Communication through 2 srx not establishing

    Posted 03-08-2023 09:07

    What is the communication that is currently blocked?

    What is permitted on the link will depend on whether it is transit traffic through the SRX zones or self traffic between the devices and what the protocols involved are.

    What you show so far should cover things like ospf between the SRX and other protocols but any transit traffic would also need a security policy created.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Communication through 2 srx not establishing

    This message was posted by a user wishing to remain anonymous
    Posted 03-13-2023 08:07

    Hi,

    Communication from different zones is blocked.

    Self traffic between the SRXs is working properly, but all other traffic from the zones is not sending or receiving packets.

    VRRP, static route and MSTP are configured in the firewalls.




  • 4.  RE: Communication through 2 srx not establishing

    Posted 03-13-2023 08:10

    There would need to be a security policy on both SRX for the transit zone traffic to be permitted.

    Policy is from the perspective of the first packet initiating the communications between the two hosts.

    The first SRX will have a policy from the zone of the host to the zone of the link between the SRXs, which I assume is the srx345 zone noted above.

    The second SRX will have a policy from the zone of the link (srx345) to the zone where the destination host is connected.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
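    An added check, not from this thread or from Juniper, that lints the set-style config shared above for the two things the reply asks about: zone pairs that have no permit policy in the direction of the first packet (it emits the set commands that would add one), and VLAN names referenced under vlan members but never defined with set vlans (the SRX 345 snippet in the first post references srx345 but defines s345). The host-facing zone name trust and the policy names are assumptions.

```python
import re
from typing import List, Set, Tuple

# Patterns for the set-style statements the thread's configs use.
VLAN_DEF = re.compile(r"^set vlans (\S+) ")
VLAN_REF = re.compile(r"family ethernet-switching vlan members (\S+)$")
POLICY_PERMIT = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ then permit$")


def undefined_vlans(config: str) -> Set[str]:
    """VLAN names used in 'vlan members' with no matching 'set vlans <name>'."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := VLAN_DEF.match(line):
            defined.add(m.group(1))
        if m := VLAN_REF.search(line):
            referenced.add(m.group(1))
    return referenced - defined


def permitted_zone_pairs(config: str) -> Set[Tuple[str, str]]:
    """(from-zone, to-zone) pairs that have at least one permit policy."""
    pairs = set()
    for line in config.splitlines():
        if m := POLICY_PERMIT.match(line.strip()):
            pairs.add((m.group(1), m.group(2)))
    return pairs


def missing_policy_commands(config: str, needed: List[Tuple[str, str]]) -> List[str]:
    """Set commands for a permit-any policy on each required zone pair that has none.
    Transit traffic needs a policy in the first-packet direction on every SRX it
    crosses; the operator passes in the pairs that must exist on this box."""
    have = permitted_zone_pairs(config)
    cmds = []
    for src, dst in needed:
        if (src, dst) in have:
            continue
        prefix = f"set security policies from-zone {src} to-zone {dst} policy {src}-to-{dst}"
        cmds += [f"{prefix} match source-address any",
                 f"{prefix} match destination-address any",
                 f"{prefix} match application any",
                 f"{prefix} then permit"]
    return cmds


# Constructed sample: SRX 345 lines from the thread plus an assumed host-facing
# zone 'trust' that has a policy towards the link zone in one direction only.
SRX345_CONFIG = """
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members srx345
set security zones security-zone srx345 interfaces irb.90
set vlans s345 vlan-id 90
set security policies from-zone trust to-zone srx345 policy out match source-address any
set security policies from-zone trust to-zone srx345 policy out then permit
"""

if __name__ == "__main__":
    print("undefined VLANs:", undefined_vlans(SRX345_CONFIG))
    for cmd in missing_policy_commands(SRX345_CONFIG, [("trust", "srx345"), ("srx345", "trust")]):
        print(cmd)
```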



  • 5.  RE: Communication through 2 srx not establishing

    This message was posted by a user wishing to remain anonymous
    Posted 03-15-2023 07:55

    Hi,

    Proper security zones and from/to policies are defined in both firewalls.

    Even if we permit all, the issue is still there.

    I suspect the issue is with MSTP or the static route between VRRP. Kindly advise.




  • 6.  RE: Communication through 2 srx not establishing

    Posted 03-15-2023 08:06

    To troubleshoot communications not working, you will need to see which policy the desired traffic is hitting, using

    show security flow session

    This can be restricted using either or both of the restrictions for source and destination prefix.

    show security flow session source-prefix 192.168.1.1/32 destination-prefix 192.168.2.1/32

    The result will identify the policy used and any NAT applied to the traffic.

    The other check is to confirm that the active routing table entries are sending the destination traffic to the desired interface.

    show route 192.168.1.1

    This will confirm the destination traffic goes to the correct zone. If the source is directly attached, the source zone will be that of the interface.

    We also need to confirm that both devices have their default gateway set to the SRX interface for their subnet.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------