Re: [j-nsp] SRX100 reset
Hi, had the same problem when I first unpacked my SRX100. It requested an IP address but was not reachable at all by that address. I don't remember the exact way i finally fixed it that night, but there was something wrong with the VLAN/port-assignments (and maybe even zones) in the factory default config. You might want to try another port first, as fe-0/0/0 is [supposed to be] in the untrust and fe-0/0/1-7 in trust zone. If this doesn't work, check the config via serial cable and put one specific port into trust and manually assign an IP address to it. I clearly remember that for 1 or 2 hours I thought the device was broken, as it did not work at all, even following the quickstart guide. best regards, Volker Stefan Schlesinger wrote: > Hello Folks, > > I'm trying to reset my SRX100. When I press the Reset button the status > light turns amber, the SRX requests an IP address from my DHCP server, > I see an ARP entry, but I cannot ping it nor connect to it > using telnet/ssh/http. > > What could be the reason for this and how can I do a factory reset? > > Thanks, > > Stefan. > ___ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ospfv3 - JUNOS sends zero mtu in dbd -> stuck in ExStart
Hi again, yeah, this makes total sense! At first I thought this is a JUNOS-problem, as Cisco does send the "right" mtu along. I closed the bug report on the quagga bugzilla for now (with closed/invalid) and will talk to JTAC. I'll get back to you and the list as soon as I have some confirmation and/or fix. >I'm not so sure anymore. A fellow reader has challenged my >interpretation of the RFC wording, that it might mean "OSPF virtual >links", not tunnel (and similar virtual, non-physical) interfaces. >Upon re-reading with that interpretation in mind, I tend to agree. > >Thinking further about it, mtu=0 for OSPF virtual links makes sense, as >only OSPF PDUs are being tunnelled, no actual traffic. So there is no >sensible MTU to report in the DBD packets. On real tunneling interfaces >though, everything (OSPF PDUs and actual traffic) gets tunnelled, and >the tunnel has a real MTU associated. > >So in fact, I think my interpretation was wrong and JUNOS is actually >misbehaving by advertising MTU=0. It should report the tunnel interface >L3 MTU. > >Sorry for the noise. I suggest raising a case with JTAC and closing off >the Quagga bug filing. No, not at all! Thanks a lot for your input! I did not even read the appropriate RFC before you posted, which I should do next time. >BTW, I noticed your Linux tunnel interface being named "gre-nc" - I >guess the "gre" part is a leftover misnomer from trying GRE encaps? exactly ;-) It's actually "sit" now on the linux side >Best regards from Porz to Porz, >Daniel and best wishes back to you! Volker ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ospfv3 - JUNOS sends zero mtu in dbd -> stuck in ExStart
Hi Daniel, thank you for your reply. I've read the RFC now and you're right. I opened a bug report with quagga regarding this issue: https://bugzilla.quagga.net/show_bug.cgi?id=602 OSPFv3 on quagga seems to be a bit buggy in general, I'm still waiting for a fix of another problem (bug #600). Thanks again and have a good night, Volker On 06/16/10 08:49, Daniel Roesen wrote: > On Wed, Jun 16, 2010 at 03:39:47AM +0200, Volker D. Pallas wrote: >> I'm having an issue with an OSPFv3 neighborship between Linux/quagga >> (0.99.16) and JUNOS (10.1R2.8 on SRX-100) via a standard "ip"-tunnel: >> the dbd info sent by JUNOS always contains "mtu 0", which quagga does >> not like at all. This keeps my neighborship in ExStart. > > According to the OSPFv3 spec (RFC2740), JUNOS is correct in sending > MTU 0 on a tunnel interface: > > Interface MTU >The size in bytes of the largest IPv6 datagram that can be sent >out theassociated interface, without fragmentation. The MTUs >of common Internet link types can be found in Table 7-1of >[Ref12]. Interface MTU should be set to 0 in Database Description >packets sent over virtual links. > [...] > I'd say Quagga is wrong to expect anything else than MTU 0 on a > tunnel type interface... > > Best regards, > Daniel > ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] ospfv3 - JUNOS sends zero mtu in dbd -> stuck in ExStart
Hi, I'm having an issue with an OSPFv3 neighborship between Linux/quagga (0.99.16) and JUNOS (10.1R2.8 on SRX-100) via a standard "ip"-tunnel: the dbd info sent by JUNOS always contains "mtu 0", which quagga does not like at all. This keeps my neighborship in ExStart. I set an ipv6 mtu on all kinds of underlying interfaces but the transmitted mtu does not ever change. there is actually an mtu on the interface: # run show interfaces ip-0/0/0.2 | match mtu Protocol inet6, MTU: 1472 # run show ospf3 interface ip-0/0/0.2 extensive Interface State AreaDR ID BDR ID Nbrs ip-0/0/0.2 PtToPt 0.0.0.1 0.0.0.0 0.0.0.01 Address fe80::b2c6:9aff:fe39:b200, Prefix-length 64 OSPF3-Intf-index 3, Type P2P, MTU 1472, Cost 1 Adj count: 0, Router LSA ID: - Hello 5, Dead 10, ReXmit 5, Not Stub Protection type: None still JUNOS sends 0 (excerpt from trace on JUNOS): Jun 16 02:57:14.012463 OSPF sent DbD fe80::b2c6:9aff:fe39:b200 -> ff02::5 (ip-0/0/0.2 IFL 86 area 0.0.0.1) Jun 16 02:57:14.012576 Version 3, length 28, ID 172.23.5.1, area 0.0.0.1 Jun 16 02:57:14.012669 checksum 0x0, instance-id 0 Jun 16 02:57:14.012763 options 0x13, i 1, m 1, ms 1, seq 0xac14361c, mtu 0 tcpdump on the linux side: 03:00:05.532800 IP6 fe80::b2c6:9aff:fe39:b200 > ff02::5: OSPFv3-dd 28: rtrid 172.23.5.1 area 0.0.0.1 V6/E/R I/M/MS mtu 0 S AC14361C quagga log: 2010/06/16 03:01:19 OSPF6: DbDesc received on gre-nc 2010/06/16 03:01:19 OSPF6: src: fe80::b2c6:9aff:fe39:b200 2010/06/16 03:01:19 OSPF6: dst: ff02::5 2010/06/16 03:01:19 OSPF6: OSPFv3 Type:2 Len:28 Router-ID:172.23.5.1 2010/06/16 03:01:19 OSPF6: Area-ID:0.0.0.1 Cksum:6d7e Instance-ID:0 2010/06/16 03:01:19 OSPF6: MBZ: 0 Option: --|R|-|--|E|V6 IfMTU: 0 2010/06/16 03:01:19 OSPF6: MBZ: 0 Bits: IMm SeqNum: 0xac14361c 2010/06/16 03:01:19 OSPF6: I/F MTU mismatch Unfortunately quagga does not support mtu-ignore, so how can I influence what JUNOS sends as mtu? Thanks, Volker ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] GRE tunnel - inbound traffic drops
To provide my solution in case someone finds this thread: -I changed the tunnel to ip-0/0/0[.2] using the same config -changed the linux end to: > ip tunnel add tun-nc mode sit remote 87.79.237.76 local 80.237.249.84 > ttl 255 > ip addr add 2a01:488:1000:1001:0:50ed:c910:aa00/127 dev tun-nc > ip link set tun-nc up multicast on The tunnel now works fine and both ends are ospfv3-neighbors. Thank you, Volker On 05/23/2010 05:56 PM, Volker D. Pallas wrote: Hi, i'm trying to set up a simple gre-tunnel from an SRX-100 running JUNOS 10.1R2.8 to a remote linux host. I verified using tcpdump on both sides: -pings from linux to junos get sent but are never received.(no sign of them in tcpdump of pp0.0/gre.0) -pings from junos to linux arrive (also visible in tcpdump of pp0.0) and are replied to, but the reply does not reach junos This sounds like a problem with security zones or policies, but I have tried about *everything* and it never worked - not even with extreme measures. Temporarily allowed all inbound traffic for pp0.0, put all involved interfaces into the 'trust'-zone and so on. this is my basic tunnel-config: # set interfaces gre unit 0 tunnel source 87.79.237.76 # set interfaces gre unit 0 tunnel destination 80.237.249.84 # set interfaces gre unit 0 family inet6 address 2a01:488:1000:1001:0:50ed:c910:aa01/127 # set security zones security-zone untrust interfaces gre.0 host-inbound-traffic system-services ping I already switched to ipv4 which was also not working, so i can rule out that this has something to do with ipv6. A trace on 'security' also showed the following, which I don't really like: May 23 15:58:32 15:58:31.1697039:CID-0:RT:pak_for_self: No handler function found for proto:47, dst-port:2048, drop pkt There is a second tunnel configured on that linux box to a remote cisco device ("same" config) and this is working properly. I would appreciate any help, thanks in advance, Volker ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] no family inet6 for vlan.*-interfaces on 10.1R2.8?
Oh yes, I forgot to mention. It's an SRX-100. I downgraded the box to 10.1R1.8 yesterday and now I have my family inet6 back :-) weird issue! Volker On 05/26/2010 09:20 AM, Thomas Eichhorn wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Volker, on what kind of device? teichh...@testbox.fra# set interfaces vlan.333 family ? Possible completions: + apply-groups Groups from which to inherit configuration data + apply-groups-except Don't inherit configuration data from these groups inet IPv4 parameters inet6IPv6 protocol parameters iso OSI ISO protocol parameters mpls MPLS protocol parameters [edit] I have it on JUNOS Base OS boot [10.1R2.8]... Tom ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] no family inet6 for vlan.*-interfaces on 10.1R2.8?
Hi, I just realized that there seems to be no "family inet6" anymore for vlan-interfaces since upgrading to junos 10.1R2.8. Fortunately my old config is still active and working, but I cannot modify it: # show interfaces vlan unit 10 family inet { address 172.23.5.1/25; } family inet6 { address 2001:4dd0:ff08:10::1/64; } # set interfaces vlan unit 10 family ? Possible completions: + apply-groups Groups from which to inherit configuration data + apply-groups-except Don't inherit configuration data from these groups > inet IPv4 parameters > mpls MPLS protocol parameters > tcc Translational cross-connect parameters > vpls Virtual private LAN service parameters Is this a new feature or a bug? For interfaces other than vlan.* this is still working as expected. Thanks, Volker ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] GRE tunnel - inbound traffic drops
Hi, i'm trying to set up a simple gre-tunnel from an SRX-100 running JUNOS 10.1R2.8 to a remote linux host. I verified using tcpdump on both sides: -pings from linux to junos get sent but are never received.(no sign of them in tcpdump of pp0.0/gre.0) -pings from junos to linux arrive (also visible in tcpdump of pp0.0) and are replied to, but the reply does not reach junos This sounds like a problem with security zones or policies, but I have tried about *everything* and it never worked - not even with extreme measures. Temporarily allowed all inbound traffic for pp0.0, put all involved interfaces into the 'trust'-zone and so on. this is my basic tunnel-config: # set interfaces gre unit 0 tunnel source 87.79.237.76 # set interfaces gre unit 0 tunnel destination 80.237.249.84 # set interfaces gre unit 0 family inet6 address 2a01:488:1000:1001:0:50ed:c910:aa01/127 # set security zones security-zone untrust interfaces gre.0 host-inbound-traffic system-services ping I already switched to ipv4 which was also not working, so i can rule out that this has something to do with ipv6. A trace on 'security' also showed the following, which I don't really like: May 23 15:58:32 15:58:31.1697039:CID-0:RT:pak_for_self: No handler function found for proto:47, dst-port:2048, drop pkt There is a second tunnel configured on that linux box to a remote cisco device ("same" config) and this is working properly. I would appreciate any help, thanks in advance, Volker ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp