[j-nsp] Mx Policy routing problem

Dave Bell me at geordish.org
Mon Nov 23 05:27:17 EST 2015


Hi Cahit,

> root at mx80-core# show interfaces ae0
> aggregated-ether-options {
>     minimum-links 1;
>     lacp {
>         active;
>         periodic fast;
>     }
> }
> unit 0 {
>     family inet {
>         filter {
>             input FWDirect;
>         }
>         address 10.32.35.14/30;
>     }
> }

> Request timeout for icmp_seq 14714
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 938d   0 0000  38  01 d3ad 192.168.2.102  185.9.159.86

This looks like you are sourcing your traffic from the address on
interface ae0? If this is the case, then it is not actually ingressing
ae0, therefore the firewall won't be hit.

Try testing from the thing connected to ae0 (if you can).

Regards,
Dave


On 23 November 2015 at 10:08, Cahit Eyigünlü <cahit.eyigunlu at spd.net.tr> wrote:
> Hello friends;
>
> We have an MX80 router which has a connection on ae0 to our ISP.
>
>
>
> root at mx80-core# show interfaces ae0
> aggregated-ether-options {
>     minimum-links 1;
>     lacp {
>         active;
>         periodic fast;
>     }
> }
> unit 0 {
>     family inet {
>         filter {
>             input FWDirect;
>         }
>         address 10.32.35.14/30;
>     }
> }
>
>
> [edit]
> root at mx80-core# show firewall
> filter FWDirect {
>     term UDPFW {
>         from {
>             destination-address {
>                 185.9.159.86/32;
>             }
>             protocol udp;
>         }
>         then {
>             log;
>             routing-instance UDP-Routes;
>         }
>     }
>     term TCPFW {
>         from {
>             destination-address {
>                 185.9.159.86/32;
>             }
>         }
>         then {
>             count TCPFWTR;
>             log;
>             routing-instance TCP-Routes;
>         }
>     }
>     term Default {
>         then accept;
>     }
> }
>
> [edit]
> root at mx80-core# show routing-instances
> Normal-Routes {
>     instance-type virtual-router;
> }
> TCP-Routes {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop 37.123.100.122;
>         }
>     }
> }
> UDP-Routes {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop 37.123.100.98;
>         }
>     }
> }
>
> [edit]
> root at mx80-core# show protocols ospf
> rib-group SPD-Route;
> area 0.0.0.0 {
>     interface all;
>     interface ae0.0 {
>         disable;
>     }
> }
>
> [edit]
>
> root at mx80-core# show routing-options rib-groups
> SPD-Route {
>     import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
> }
>
> [edit]
> root at mx80-core#
>
>
>
> The router has connectivity to the routing-instance IP addresses and is logging the connections:
>
>
> root at mx80-core# run ping 37.123.100.122
> PING 37.123.100.122 (37.123.100.122): 56 data bytes
> 64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
> 64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
> ^C
> --- 37.123.100.122 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms
>
> [edit]
> root at mx80-core# run ping 37.123.100.98
> PING 37.123.100.98 (37.123.100.98): 56 data bytes
> 64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
> 64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
> 64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
> ^C
> --- 37.123.100.98 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms
>
> [edit]
> root at mx80-core# run show firewall log
> Log :
> Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
> 08:44:20  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:19  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:18  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:17  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:16  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:15  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:14  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:13  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:12  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:11  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:10  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:09  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>
>
>
> but we cannot access it from outside the network:
>
>
>
> Request timeout for icmp_seq 14714
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 938d   0 0000  38  01 d3ad 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14715
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 28e7   0 0000  38  01 3e54 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14716
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 ffb1   0 0000  38  01 6789 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14717
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 99ee   0 0000  38  01 cd4c 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14718
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 a9d1   0 0000  38  01 bd69 192.168.2.102  185.9.159.86
>
>
>
> How can I overcome this issue?
>
>
>
>
> Cahit Eyigünlü
> SPDNet Telekomünikasyon A.S.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
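The forwarding path the thread is debugging, written up as an added Python model (it is not Junos code and not the poster's configuration beyond what the quoted output shows). It reproduces the FWDirect filter, the TCP-Routes and UDP-Routes forwarding instances and the ae0.0 addressing from the thread, and makes two things visible: Dave's point that a ping sourced by the router itself never passes the input filter on ae0, so it says nothing about the filter-based-forwarding path; and the usual check on a Junos forwarding instance, that a static next-hop is only usable when the instance's own table holds the connected route it resolves through (normally shared with `routing-options interface-routes rib-group`; the thread applies SPD-Route under OSPF only, and whether that is the poster's actual cause cannot be determined from the thread). The interface names and the 37.123.100.x prefixes behind the two next-hops are assumptions.

```python
"""Toy model of the filter-based-forwarding path configured on the MX80 in this thread.

Constructed example, not Junos code. Interface names and the prefixes holding the
37.123.100.x next-hops are assumptions; filter terms and instances come from the thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "tcp" or "udp"
    ingress: Optional[str]     # ingress interface, or None when the router itself sourced it


@dataclass
class Term:
    name: str
    dst_prefixes: list = field(default_factory=list)   # empty = match any destination
    protocols: list = field(default_factory=list)      # empty = match any protocol
    action: str = "accept"                             # "accept" or "routing-instance"
    instance: Optional[str] = None
    log: bool = False


def evaluate_filter(terms, pkt, log):
    """First matching term wins; a 'from' clause without 'protocol' matches every protocol."""
    dst = ipaddress.ip_address(pkt.dst)
    for t in terms:
        if t.dst_prefixes and not any(dst in ipaddress.ip_network(p) for p in t.dst_prefixes):
            continue
        if t.protocols and pkt.proto not in t.protocols:
            continue
        if t.log:
            log.append((t.name, pkt.ingress, pkt.proto.upper(), pkt.src, pkt.dst))
        return t
    return None   # implicit discard at the end of a Junos filter


class Table:
    """One inet.0-style table: direct routes carry an interface, statics carry a next-hop."""
    def __init__(self):
        self.routes = {}

    def add_direct(self, prefix, iface):
        self.routes[ipaddress.ip_network(prefix)] = ("direct", iface)

    def add_static(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = ("static", next_hop)

    def lookup(self, dst):
        """Longest-prefix match; a static is usable only if its next-hop resolves in this table."""
        dst = ipaddress.ip_address(dst)
        for p in sorted((p for p in self.routes if dst in p), key=lambda p: p.prefixlen, reverse=True):
            kind, val = self.routes[p]
            if kind == "direct":
                return ("forward", val)
            nh = ipaddress.ip_address(val)
            for q, (k2, v2) in self.routes.items():
                if k2 == "direct" and nh in q:
                    return ("forward", v2)
            # static with an unresolvable next-hop stays hidden; fall through to a shorter match
        return ("unreachable", None)


def build_router(share_interface_routes):
    """Filter and instances from the thread; 37.123.100.x prefixes and their interfaces are assumed."""
    inet0 = Table()
    inet0.add_direct("10.32.35.12/30", "ae0.0")            # from the thread
    inet0.add_direct("37.123.100.120/30", "ge-1/0/0.0")    # assumed: where 37.123.100.122 lives
    inet0.add_direct("37.123.100.96/30", "ge-1/0/1.0")     # assumed: where 37.123.100.98 lives
    tcp, udp = Table(), Table()
    tcp.add_static("0.0.0.0/0", "37.123.100.122")          # TCP-Routes from the thread
    udp.add_static("0.0.0.0/0", "37.123.100.98")           # UDP-Routes from the thread
    if share_interface_routes:   # models 'routing-options interface-routes rib-group ...'
        for t in (tcp, udp):
            for p, (k, v) in inet0.routes.items():
                if k == "direct":
                    t.routes[p] = (k, v)
    fwdirect = [
        Term("UDPFW", ["185.9.159.86/32"], ["udp"], "routing-instance", "UDP-Routes", log=True),
        Term("TCPFW", ["185.9.159.86/32"], [], "routing-instance", "TCP-Routes", log=True),
        Term("Default"),
    ]
    return {"tables": {"inet.0": inet0, "TCP-Routes.inet.0": tcp, "UDP-Routes.inet.0": udp},
            "filters": {"FWDirect": fwdirect}, "iface_filter": {"ae0.0": "FWDirect"}, "log": []}


def forward(router, pkt):
    """Input filter runs only for traffic arriving on an interface; router-sourced traffic skips it."""
    table = "inet.0"
    if pkt.ingress is not None:
        term = evaluate_filter(router["filters"][router["iface_filter"][pkt.ingress]], pkt, router["log"])
        if term is None:
            return ("discard", None)
        if term.action == "routing-instance":
            table = term.instance + ".inet.0"
    return router["tables"][table].lookup(pkt.dst)


if __name__ == "__main__":
    r = build_router(share_interface_routes=False)
    print(forward(r, Packet("10.32.35.14", "37.123.100.122", "icmp", None)))      # router-sourced: filter skipped
    print(forward(r, Packet("192.168.2.102", "185.9.159.86", "icmp", "ae0.0")))   # from the ISP side: hits TCPFW
    print(r["log"])
    print(forward(build_router(True), Packet("192.168.2.102", "185.9.159.86", "icmp", "ae0.0")))
```

Two things are worth reading off the model. The TCPFW term has no `protocol` match, so it steers ICMP (and everything else that is not UDP) into TCP-Routes, which is why the outside ping is the traffic to test with rather than the router's own `run ping`. And the only difference between the unreachable and forwarding runs is whether the forwarding instance's table can see the connected route for its next-hop; on a real box, `show route table TCP-Routes.inet.0` with the hidden routes included is the place to confirm or rule that out.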
