IEOC CCIE Forums
Latest post 03-24-2016 1:38 AM by deano. 1 replies.
  • 06-29-2015 9:15 AM

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,465

    SOLVED: disable -->JunOS default stateful firewall

    SOLVED: issue - default JunOS stateful firewall

    BrianM gives the solution @14min into this video:
               JunOS Ethernet Interfaces & Ethernet Switching :: Part 2


    SOLUTION:

    configure
    delete security

                ### following three commands changed from flow-based -- BrianM
    set security forwarding-options family mpls  mode packet-based
    set security forwarding-options family iso   mode packet-based
    set security forwarding-options family inet6 mode packet-based
    commit and-quit


                ### must reboot to take effect
    request system reboot

    ================================================

    Original explanation of issue:

    Possible project migrating Cisco to JunOS.......and another great use of INE's AAP library.  Brian teaches intro-JunOS from the perspective of someone who is Cisco command-line trained.   Back and forth between IOS and JunOS -- comparing commands and processes.   Great videos so far.

    Trying to follow along, and I need help setting up JunOS connectivity.  JunOS expert needed.

    I think that it is a security config issue.  Seems like a firewall problem.  Unfortunately, I am lost on the JunOS command-line, and I have reached my limit with the initial JunOS setup (Juniper Firefly demo).

    Packet capture verifies the below communication, but JunOS will not respond.

    ARP cache -- both devices see each other

    root@vSRX-1> show arp
    MAC Address       Address         Name        Interface     Flags
    ca:01:07:68:00:08 12.12.12.1    12.12.12.1    ge-0/0/0.0     none

    R1-IOS#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  12.12.12.1              -   ca01.0768.0008  ARPA   FastEthernet0/0
    Internet  12.12.12.10            11   0800.279e.eb1d  ARPA   FastEthernet0/0


    ICMP -- JunOS can ping successfully (IOS replies), but JunOS will not reply.

    root@vSRX-1> ping 12.12.12.1
    PING 12.12.12.1 (12.12.12.1): 56 data bytes
    64 bytes from 12.12.12.1: icmp_seq=0 ttl=255 time=69.078 ms
    64 bytes from 12.12.12.1: icmp_seq=1 ttl=255 time=55.257 ms
    64 bytes from 12.12.12.1: icmp_seq=2 ttl=255 time=66.566 ms

    R1-IOS#ping 12.12.12.10
    <snip>
    .....


    OSPF -- R1-IOS can see JunOS hellos. JunOS sees nothing from IOS.

    R1-IOS debug:

    *Jun 29 10:13:27.843: OSPF-1 PAK  : rcv. v:2 t:1 l:44 rid:12.12.12.10 aid:0.0.0.0 chk:D409 aut:0 auk: from FastEthernet0/0

    R1-IOS#sh ip ospf neig
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    12.12.12.10     128   INIT/DROTHER    00:00:35    12.12.12.10     FastEthernet0/0

    NOTE:  I believe that it is stuck in init mode, because it is not seeing its own RID returned from JunOS. JunOS is ignoring everything.

    root@vSRX-1> show ospf neighbor


    NOTE:   does not see ospf packets from R1-IOS.


    ISSUE?/SOLUTION?

    I have tried to dismantle the JunOS firewall (untrusted-zone), and finally tried to place the interface into the TRUSTED-ZONE.

    Unfortunately, I am mangling my configuration and nothing has changed (everything committed).

    Below is my JunOS config output.  (packet captures verify all of the above)
    What am I missing? Why won't JUNOS respond to the neighbor?

    root@vSRX-1> show version
    Hostname: vSRX-1
    Model: firefly-perimeter
    JUNOS Software Release [12.1X47-D20.7]

    root@vSRX-1# show
    <SNIP>

        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
    <--necessary?
            }
        }
    }

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 12.12.12.10/24;

                }
            }
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-0/0/0.0;

            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                ip {
      <-- removed ping of death default (desperate move)
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-permit {  
    <-- initial change - I changed from default-deny
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                interfaces {
                    ge-0/0/0.0;
    <-- I added to interface to trust
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
        }
    }

    ======================

    • Post Points: 20
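Added example, written for this thread and not taken from the post, the INE video or Juniper: a small Python audit that parses a configuration in the same curly-brace `show` format reproduced above and reports the two things the troubleshooting turned on. It checks the forwarding mode of the three families named in the solution (`mpls`, `iso`, `inet6`, which default to flow-based until the `set security forwarding-options family ... mode packet-based` knob is set), which zone an interface sits in, and, for a box that stays in flow mode, whether that zone's `host-inbound-traffic` permits ping and OSPF to the SRX itself (Junos only answers traffic addressed to the device when the zone allows it; that stanza does not appear in the posted config). The configuration text, interface name and the `ZONE_WITH_INBOUND` variant are constructed samples, not the poster's lab.

```python
# Added example (not from the post, INE or Juniper): audit a Junos SRX config
# in the curly-brace `show` format for the settings discussed in the thread.

# Constructed sample shaped like the post's config: one interface in zone
# trust, only family mpls switched to packet-based, no host-inbound-traffic.
SAMPLE_CONFIG = """
security {
    forwarding-options {
        family mpls {
            mode packet-based;
        }
    }
    zones {
        security-zone trust {
            tcp-rst; ## constructed trailing comment, dropped by the parser
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
}
"""

# Constructed variant: the same zone, but allowing the device itself to
# answer ping and OSPF while the SRX remains in flow mode.
ZONE_WITH_INBOUND = """
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
"""


def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts.

    Blocks become dicts keyed by their header ("family mpls"); leaf statements
    become key -> value, or key -> True for bare flags ("tcp-rst"). Trailing
    "## ..." text is dropped, and lines that are neither block nor statement
    (such as the "<-- ..." annotations in the post) are ignored. A keyword
    repeated inside one block overwrites the earlier value; fine for an audit.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith(";"):
            parts = line[:-1].strip().split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) == 2 else True
    return root


def forwarding_modes(cfg, families=("mpls", "iso", "inet6")):
    """Mode per family; Junos stays flow-based unless the
    `security forwarding-options family <fam> mode packet-based` knob is set."""
    fo = cfg.get("security", {}).get("forwarding-options", {})
    return {f: fo.get("family " + f, {}).get("mode", "flow-based") for f in families}


def zone_of(cfg, ifname):
    """Name of the security zone whose interfaces list contains ifname, or None."""
    for key, body in cfg.get("security", {}).get("zones", {}).items():
        if key.startswith("security-zone ") and ifname in body.get("interfaces", {}):
            return key.split(None, 1)[1]
    return None


def host_inbound_allowed(cfg, zone, category, name):
    """True if the zone's host-inbound-traffic permits `name` under `category`
    ('system-services' or 'protocols'); the keyword 'all' also counts."""
    body = cfg.get("security", {}).get("zones", {}).get("security-zone " + zone, {})
    allowed = body.get("host-inbound-traffic", {}).get(category, {})
    return "all" in allowed or name in allowed


def audit(cfg, ifname):
    """Collect the reasons a flow-mode SRX would stay silent on ifname."""
    modes = forwarding_modes(cfg)
    zone = zone_of(cfg, ifname)
    findings = [f"family {f} is still {m}" for f, m in modes.items() if m != "packet-based"]
    if zone is None:
        findings.append(f"{ifname} is not in any security zone")
    else:
        for category, name in (("system-services", "ping"), ("protocols", "ospf")):
            if not host_inbound_allowed(cfg, zone, category, name):
                findings.append(f"zone {zone} does not allow host-inbound {category} {name}")
    return {"zone": zone, "modes": modes, "findings": findings}


if __name__ == "__main__":
    for finding in audit(parse_junos(SAMPLE_CONFIG), "ge-0/0/0.0")["findings"]:
        print(finding)
```

Run against the first sample it lists the two families still in flow mode plus the missing ping and OSPF host-inbound permissions; against the second it reports only the forwarding modes, which is the state the thread's `delete security` plus three `set ... mode packet-based` lines remove. Paste a real `show` output into `SAMPLE_CONFIG` to audit a lab box instead.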
  • 03-24-2016 1:38 AM In reply to

    Re: SOLVED: disable -->JunOS default stateful firewall

    And this just saved me after many hours of troubleshooting. I could also see layer 2 connectivity via ARP.

    • Post Points: 5