SRX Services Gateway

SRX300 totally configured but not internet connection

a month ago

Hello,

I currently have a cluster of two SRX300s configured in HA, but I cannot connect to the internet.

I see hits in the firewall rule and NAT rule, but I don't have internet access.

I can ping and resolve names correctly when connected through the console port on either of the two nodes, so I understand that the routes are correctly configured.

A curious case is that in the TRUST (LAN) zone I cannot ping, but traceroutes connect perfectly even though all services and protocols are allowed.

I attach my settings, omitting some sensitive data.

## Last changed: 2020-07-15 11:13:31 CEST
version 15.1X49-D150.2;
groups {
    node0 {
        system {
            host-name FW-OMN-01;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.111.0.201/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name FW-OMN-02;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.111.0.202/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    domain-name OMNIACC.CORP;
    time-zone Europe/Madrid;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxx";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
        212.121.128.10;
        212.121.128.11;
    }
    services {
        ssh;
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http {
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file LOGS {
            any any;
            archive files 1;
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 130.206.3.166;
        server 130.206.0.1;
    }
    inactive: phone-home {
        server https://redirect.juniper.net;
        rfc-complaint;
    }
}
chassis {
    cluster {
        reth-count 4;
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            preempt;
        }
        redundancy-group 2 {
            node 0 priority 200;
            node 1 priority 100;
            preempt;
        }
    }
}
services {
    application-identification;
}
security {
    log {
        mode event;
    }
    address-book {
        RED_OMNIA {
            address RED_OMNIA 10.111.0.0/16;
            attach {
                zone LAN;
            }
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        msrpc disable;
        sunrpc disable;
        rtsp disable;
        sccp disable;
        sip disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        allow-dns-reply;
    }
    nat {
        source {
            rule-set INTERNET_COLT {
                from zone LAN;
                to zone WAN;
                rule INTERNET_COLT {
                    match {
                        source-address 10.111.0.0/16;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone WAN {
            policy DEFAULT {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone LAN {
            description INTERNO;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone WAN {
            description EXTERNO;
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    dns;
                    http;
                    https;
                    ftp;
                }
            }
            interfaces {
                reth1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/4 {
        ether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/5 {
        ether-options {
            redundant-parent reth1;
        }
    }
    ge-1/0/4 {
        ether-options {
            redundant-parent reth0;
        }
    }
    ge-1/0/5 {
        ether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-1/0/2;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.111.0.200/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 2;
        }
        unit 0 {
            family inet {
                address 213.x.x.x/29;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 213.x.x.x;
        route 11.111.0.0/16 next-hop 10.111.0.1;
        route 10.111.0.0/16 next-hop 10.111.0.1;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}

Best regards

PS: sorry for my English

Re: SRX300 totally configured but not internet connection

a month ago

Hi Danjr,

Could you please let me know whether you were unable to access the Internet from the SRX itself, or whether you were unable to access the Internet when the traffic is passing through the SRX?

Also, please check the sessions to determine whether traffic is being sent and received.

user@host> show security flow session source-prefix  <x.x.x.x> destination-prefix <y.y.y.y>

user@host> show interfaces terse | match inet

user@host> show arp no-resolve

user@host> show chassis cluster status

user@host> show route 8.8.8.8



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX300 totally configured but not internet connection

a month ago

Hi noobmaster,

Unable to access the Internet when the traffic is passing through the SRX.

I answer the questions below.

user@host> show security flow session source-prefix <10.111.0.200 (LAN reth0.0)> destination-prefix <195.78.228.226>

{primary:node0}
root@FW-OMN-01> ...prefix 10.111.0.200 destination-prefix 195.78.228.226
node0:
--------------------------------------------------------------------------
Total sessions: 0

node1:
--------------------------------------------------------------------------
Total sessions: 0

{primary:node0}

user@host> show interfaces terse | match inet

root@FW-OMN-01> show interfaces terse | match inet
fab0.0                  up    up   inet     30.17.0.200/24
fab1.0                  up    up   inet     30.18.0.200/24
fxp0.0                  up    up   inet     10.111.0.201/24
fxp1.0                  up    up   inet     129.16.0.1/2
jsrv.1                  up    up   inet     128.0.0.127/2
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
reth0.0                 up    up   inet     10.111.0.200/24
reth1.0                 up    up   inet     213.x.x.x/29 (IP OF WAN)

{primary:node0}

user@host> show arp no-resolve

root@FW-OMN-01> show arp no-resolve
MAC Address       Address         Interface         Flags
f4:bd:9e:8c:0a:d1 10.111.0.1      reth0.0                  none
f4:bd:9e:8c:0a:d1 10.111.0.1      fxp0.0                   none
d0:7e:28:a9:04:36 10.111.0.11     reth0.0                  none
d0:7e:28:a8:e9:36 10.111.0.12     reth0.0                  none
78:4f:9b:2e:9f:2e 30.17.0.2       fab0.0                   permanent
78:4f:9b:2c:65:ae 30.18.0.1       fab1.0                   permanent
78:4f:9b:2e:9e:7f 130.16.0.1      fxp1.0                   none
00:3a:7d:5f:fc:40 213.X.X.X  reth1.0                  none (IP OF DEFAULT ROUTE/GATEWAY)
Total entries: 8

user@host> show chassis cluster status

root@FW-OMN-01> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  1        primary        no      no       None
node1  1        secondary      no      no       None

Redundancy group: 1 , Failover count: 1
node0  200      primary        yes     no       None
node1  100      secondary      yes     no       None

Redundancy group: 2 , Failover count: 1
node0  200      primary        yes     no       None
node1  100      secondary      yes     no       None

user@host> show route 8.8.8.8

root@FW-OMN-01> show route 8.8.8.8

inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 23:56:40
                    > to 213.X.X.X via reth1.0 (GATEWAY/DEFAULT ROUTE)

Best Regards


Re: SRX300 totally configured but not internet connection

a month ago

Hi Danjr,

The configuration looks fine.

Could you please let me know whether you ran the command while the traffic was passing through the SRX? - show security flow session source-prefix 10.111.0.200 destination-prefix 195.78.228.226

Because 10.111.0.200 is your reth0.0 interface IP address, you need to replace it in the security flow session command with the IP address of the device from which you are initiating the traffic, and send me the output once again.

Thanks,
π00bm@$t€®.

Re: SRX300 totally configured but not internet connection

a month ago

Hi noobmaster,

Yes, sorry, my fault.

Here is the result of the command, running it from my computer:

show security flow session source-prefix 10.111.24.22 destination-prefix 195.78.228.226

root@FW-OMN-01> ....111.24.22 destination-prefix 195.78.228.226
node0:
--------------------------------------------------------------------------

Session ID: 37087, Policy name: DEFAULT/4, State: Active, Timeout: 2, Valid
  In: 10.111.24.22/52707 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 2, Bytes: 104,
  Out: 195.78.228.226/443 --> 213.27.140.187/62723;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 37088, Policy name: DEFAULT/4, State: Active, Timeout: 2, Valid
  In: 10.111.24.22/52708 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 2, Bytes: 104,
  Out: 195.78.228.226/443 --> 213.27.140.187/44276;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 37089, Policy name: DEFAULT/4, State: Active, Timeout: 2, Valid
  In: 10.111.24.22/52712 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 1, Bytes: 52,
  Out: 195.78.228.226/443 --> 213.27.140.187/34364;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,
Total sessions: 3

node1:
--------------------------------------------------------------------------

Session ID: 11945, Policy name: DEFAULT/4, State: Backup, Timeout: 14406, Valid
  In: 10.111.24.22/52707 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0,
  Out: 195.78.228.226/443 --> 213.27.140.187/62723;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 11946, Policy name: DEFAULT/4, State: Backup, Timeout: 14404, Valid
  In: 10.111.24.22/52708 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0,
  Out: 195.78.228.226/443 --> 213.27.140.187/44276;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 11947, Policy name: DEFAULT/4, State: Backup, Timeout: 14396, Valid
  In: 10.111.24.22/52712 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0,
  Out: 195.78.228.226/443 --> 213.27.140.187/34364;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,
Total sessions: 3

{primary:node0}

Thx

Solution
Accepted by topic author Danjr

Re: SRX300 totally configured but not internet connection

a month ago

Hi Danjr,

I think your issue is that you have the same subnet on fxp0 for each firewall cluster member and on your reth0.0 (10.111.0.0/24).

In the Junos version you are using, they are utilizing the same routing table. For a start, please try to configure an alternate prefix on fxp0.0 for both members (you don't have to be able to reach it, so 100.64.0.0/24 or whatever you choose is perfect).

Of course, you then need to reach the cluster via reth0.0 or console connections during the test.

If this works, then you can solve this permanently by upgrading your SRX300s to a minimum of Junos 18.3R1, where "management routing-instances" has been introduced for SRX. That feature gives you a separate routing table for fxp0.0, so the IP network can overlap with reth0.0.

Basically you can do something like this after upgrading:

set system management-instance
set routing-instances mgmt_junos routing-options static route 0/0 next-hop 10.11.0.200

More information on management routing instances: https://www.juniper.net/documentation//en_US/junos/topics/topic-map/management-interface-in-non-defa...

Please let us know if this helps 🙂

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
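As an added illustration of the diagnosis in this reply (example code, not from the thread or from Juniper): a small Python script that reads `show interfaces terse | match inet` output and reports which traffic or management interfaces have overlapping connected subnets, which is exactly the fxp0/reth0 collision that matters when both live in the one routing table. The sample input is constructed from the thread's output; the public reth1 prefix is a documentation-range placeholder.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample modelled on the thread's `show interfaces terse | match inet`
# output; the public reth1 address is a placeholder from the documentation range.
TERSE_BEFORE = """\
fab0.0                  up    up   inet     30.17.0.200/24
fab1.0                  up    up   inet     30.18.0.200/24
fxp0.0                  up    up   inet     10.111.0.201/24
fxp1.0                  up    up   inet     129.16.0.1/2
jsrv.1                  up    up   inet     128.0.0.127/2
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
reth0.0                 up    up   inet     10.111.0.200/24
reth1.0                 up    up   inet     198.51.100.10/29
"""

# Same node after moving fxp0 to an unused prefix, as the accepted answer suggests.
TERSE_AFTER = TERSE_BEFORE.replace("10.111.0.201/24", "100.64.0.201/24")

# name, admin state, link state, family, address/prefix
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+inet\s+(\d+\.\d+\.\d+\.\d+/\d+)")

# Interfaces that carry traffic or management and therefore share inet.0
# on Junos releases without a management routing instance. The internal
# fab/fxp1/jsrv/lo0 interfaces are ignored on purpose.
RELEVANT = re.compile(r"^(fxp0|reth\d+|ge-|xe-|ae\d+|irb|st0|vlan)")


def parse_terse(text):
    """Return {ifname: IPv4Interface} for the interfaces we care about."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not RELEVANT.match(m.group(1)):
            continue
        result[m.group(1)] = ipaddress.IPv4Interface(m.group(2))
    return result


def find_overlaps(text):
    """Pairs of interfaces whose connected subnets overlap in the shared table."""
    ifaces = parse_terse(text)
    hits = []
    for (a, ia), (b, ib) in combinations(sorted(ifaces.items()), 2):
        if ia.network.overlaps(ib.network):
            hits.append((a, b, str(ia.network), str(ib.network)))
    return hits


def management_overlaps(text):
    """Only the overlaps that involve fxp0, the case diagnosed in this thread."""
    return [h for h in find_overlaps(text) if "fxp0.0" in h[:2]]


if __name__ == "__main__":
    for label, text in (("before", TERSE_BEFORE), ("after", TERSE_AFTER)):
        print(label, management_overlaps(text) or "no fxp0 overlap")
```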

Re: SRX300 totally configured but not internet connection

a month ago

Hi Danjr,

It seems like the SRX has processed and sent the traffic out, but there is no return traffic.

Please perform the steps below:

  1. Check whether the destination is reachable by some other means, such as trying from a different network or bypassing the SRX, because I suspect the destination is not responding.
  2. Take packet captures on the SRX so we can check whether the return traffic comes back to the SRX. Please check the following link for configuring packet captures on SRX Branch series devices - https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709
  3. If the return traffic is seen in the packet capture, then we need to configure flow traceoptions on the SRX to determine where the packet is getting dropped in the Junos flow.
  4. Check whether you have any firewall filter responsible for blocking the traffic in the inbound direction.

     user@host# show firewall | display set
     user@host# show interfaces reth1 | display set

Flow traceoptions:

set security flow traceoptions file JTAC-FTRACE files 5 size 50m
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions packet-filter PF1 source-prefix 10.111.24.22/32
set security flow traceoptions packet-filter PF1 destination-prefix 195.78.228.226/32
set security flow traceoptions packet-filter PF1 destination-port 443
set security flow traceoptions packet-filter PF2 source-prefix 195.78.228.226/32
set security flow traceoptions packet-filter PF2 source-port 443
set security flow traceoptions packet-filter PF2 destination-prefix 213.27.140.187/32

If the traffic doesn't work and the destination server is actually reachable from other networks, please attach the flow traces, firewall filter outputs and packet captures.

Thanks,
π00bm@$t€®.

Re: SRX300 totally configured but not internet connection

a month ago

Hello,

You have the same subnet 10.111.0.0/24 assigned to fxp0 and to reth0/LAN zone.

And your problem symptoms are consistent with this common mistake.

If you want to keep fxp0 and reth0 both up/up at the same time, please do one of the below:

1/ use different subnets for fxp0 and reth0

2/ put reth0 and reth1 into a different routing-instance

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: SRX300 totally configured but not internet connection

a month ago

Hi Aarseniev,

Guess you are right. I can also see the same ARP entry being learnt on both interfaces.

f4:bd:9e:8c:0a:d1 10.111.0.1      reth0.0                  none
f4:bd:9e:8c:0a:d1 10.111.0.1      fxp0.0                   none

@danjr, can you make the suggested change, or just deactivate the fxp0 interface for the purpose of testing?

Thanks,
π00bm@$t€®.

Re: SRX300 totally configured but not internet connection

a month ago

Hi all,

Finally I changed the network attached to fxp0 to another subnet, and I can ping the reth0.0 interface.

To test on my network, I have created a route from the network core that sends traffic to IP 195.78.228.226 through IP 10.111.0.200, and I have connectivity.

This route is created so as not to disturb other colleagues and to be able to do tests.

When I change the route in my network core to redirect all traffic to 10.111.0.200, I have no connection to anything. I think it could be DNS problems.

Another curious case is that I do not have a ping from the 10.111.2.0/23 subnet, even though I have created the 10.111.0.0/16 network in the address book, and the static route to be able to access the 10.111.0.0/16 network from the FW.

@noobmaster wrote:

Hi Aarseniev,

Guess you are right. I can also see the same ARP being learnt for both the interfaces.

f4:bd:9e:8c:0a:d1 10.111.0.1      reth0.0                  none
f4:bd:9e:8c:0a:d1 10.111.0.1      fxp0.0                   none

@danjr, can you make the suggested change? or Just deactivate the fxp0 interface for the purpose of testing?

ARP is duplicated because both interfaces are connected to the same network core.

Thx friends


Re: SRX300 totally configured but not internet connection

a month ago

Hi Danjr,

"To test on my network, I have created a route from the network core that sends traffic to IP 195.78.228.226 through IP 10.111.0.200, and I have connectivity" - - - - Does that mean you got access to the Internet?

"Another curious case is that I do not have a ping from the 10.111.2.0/23 subnet, even though I have created the 10.111.0.0/16 network in the address book, and the static route to be able to access the 10.111.0.0/16 network from the FW." - - - - Can you please draw a topology with IP addressing in it, because it is quite difficult to understand. If you were unable to access the intended traffic, please provide the session output and route output while generating traffic.

Thanks,
π00bm@$t€®.

Re: SRX300 totally configured but not internet connection

a month ago

Hi noobmaster,

"Does that mean you got access to the Internet?"

I can do a traceroute to a public IP and it reaches the destination, but it does not resolve public domains.

Now I am at home; the network map is made with Paint.

[attachment: map.png]

The switch core is layer 3 and is the gateway for all subnets. It has the following VLANs defined:

  • VLAN 100 ADMINISTRATION, where the RETH0.0 link is connected
    Network 10.111.0.0/24, VLAN interface 10.111.0.1

  • VLAN 101 WAN, where the RETH1.0 link is connected

  • VLAN 102 SERVERS, where the FXP0 ports of each node are connected
    Network 10.111.2.0/23, VLAN interface 10.111.2.1
    In this VLAN my company's servers are connected (DC, DHCP, DNS ...)

  • VLAN 124 DATA, the VLAN where the company's workers are connected
    Network 10.111.24.0/21, VLAN interface 10.111.24.1

I hope this helps.

Thank you very much to all


Re: SRX300 totally configured but not internet connection

a month ago

Hey Danjr,

Thanks for the topology.

If I'm not wrong, you have 2 issues at the moment: a DNS issue and a ping issue.

  • When I change the route in my network core to redirect all traffic to 10.111.0.200 I have no connection to anything. I think it could be DNS problems.
  • Another curious case is that I do not have a ping from the 10.111.2.0/23 subnet, even though I have created the 10.111.0.0/16 network in the address book, and the static route to be able to access the 10.111.0.0/16 network from the FW.

Let's sort the ping issue first, and for that I need you to provide me the answers below.

  1. From where you are initiating the ping, give me the source and destination IP address.
  2. user@host> show route <destination-ip>
  3. user@host> show security flow session source-prefix <source-ip> destination-prefix <destination-ip>   <<<< Capture this output when initiating the ping.
  4. user@host> show interfaces terse | match inet


Thanks,
π00bm@$t€®.

Re: SRX300 totally configured but not internet connection

a month ago

Hello,

Your SRX is doing source NAT. If you configured your network to "return traffic to 10.111.0.200", then this is the wrong choice. You need to provide a return route to 213.27.140.187.

And if you only allowed your SRX to talk to 195.78.228.226, then this is insufficient; you also need to allow at least one public DNS server such as 8.8.8.8 or 8.8.4.4.

HTH

Thx

Alex

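An added example (not from the thread or from Juniper) that reads `show security flow session` output the way the "no return traffic" reply and this one reason about it: a session whose In wing has packets but whose Out wing shows Pkts: 0 means the SRX forwarded the traffic and nothing came back, and the Out wing's destination is the NAT'd address (213.27.140.187 here) that the upstream network must route replies to, not the LAN-side 10.111.0.200. The first session is copied from the thread's output; the second is a constructed healthy session for contrast.

```python
import re

# Constructed excerpt in the format of `show security flow session` on the
# primary node. Session 37087 copies the counters the thread shows (packets
# out, nothing back); session 37088 is a made-up healthy session for contrast.
SESSION_OUTPUT = """\
node0:
--------------------------------------------------------------------------

Session ID: 37087, Policy name: DEFAULT/4, State: Active, Timeout: 2, Valid
  In: 10.111.24.22/52707 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 2, Bytes: 104,
  Out: 195.78.228.226/443 --> 213.27.140.187/62723;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 37088, Policy name: DEFAULT/4, State: Active, Timeout: 1798, Valid
  In: 10.111.24.22/52708 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 9, Bytes: 1204,
  Out: 195.78.228.226/443 --> 213.27.140.187/44276;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 7, Bytes: 4310,
Total sessions: 2
"""

SESSION_RE = re.compile(
    r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"State: (?P<state>\w+), Timeout: (?P<timeout>\d+)")
WING_RE = re.compile(
    r"^\s+(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+),.*?If: (?P<ifname>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<nbytes>\d+)")


def parse_sessions(text):
    """Return one dict per session with its In and Out wings parsed."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {"id": int(m["sid"]), "policy": m["policy"],
                       "state": m["state"], "timeout": int(m["timeout"]),
                       "wings": {}}
            sessions.append(current)
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            wing = w.groupdict()
            for key in ("sport", "dport", "pkts", "nbytes"):
                wing[key] = int(wing[key])
            current["wings"][wing.pop("dir")] = wing
    return sessions


def diagnose(session):
    """Packets counted on the In wing but none on the Out wing: the SRX
    forwarded the traffic and no reply reached it (the short Timeout on such
    a TCP session is the unanswered SYN waiting to expire)."""
    wings = session["wings"]
    if "In" not in wings or "Out" not in wings:
        return "incomplete"
    if wings["In"]["pkts"] > 0 and wings["Out"]["pkts"] == 0:
        return "no-return-traffic"
    return "healthy"


def return_route_target(session):
    """The address upstream devices must route replies to: with interface
    source NAT this is the Out wing destination, not the LAN-side address."""
    out = session["wings"].get("Out")
    return out["dst"] if out else None


def report(text):
    return [(s["id"], diagnose(s), return_route_target(s))
            for s in parse_sessions(text)]


if __name__ == "__main__":
    for row in report(SESSION_OUTPUT):
        print(row)
```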

Re: SRX300 totally configured but not internet connection

a month ago

Hi all,

Everything works correctly now. I am writing these lines through the internet connection of the firewall.

I have created a specific VLAN only for the FXP0 ports, because when connecting them to VLAN 102 with network 10.111.2.0, it conflicted with my company's DNS servers that are in the same VLAN. After this change, everything works correctly.

I will have to update Junos OS to a more current version, although currently I cannot download it because I do not have a maintenance account. I will ask my partner.

Thank you very much to all