Is the other end of this also an SRX configured in a similar way, or something else? This seems to contradict basically any Juniper docs on SRX around MPLS traffic re: flow/packet mode. Specifically given that it's showing "drop" for MPLS traffic, I would be confused about how it's passing MPLS-encap'd traffic.

Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it) across the l3vpn to validate bidirectional traffic passing?

--
Hugo Slabbert       | email, xmpp/jabber: [email protected]
pgp key: B178313E   | also on Signal

On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould <[email protected]> wrote:


Thanks Emille, Ummm, I may be misunderstanding you, but I don't think I
have changed from the SRX flow-mode default.  But I do have an ldp neighbor up and
mpls forwarding is occurring via the mpls l3vpn vrf .  ....and I do believe the
ike phase 1 and phase 2 are working over this mpls l3vpn within the srx....
but I just don't seem to be able to ping from one side of the st0 tunnel
interface to the other.

See...

root@demo-srx300> show security flow status
 Flow forwarding mode:
   Inet forwarding mode: flow based
   Inet6 forwarding mode: drop
   MPLS forwarding mode: drop
   ISO forwarding mode: drop
   Enhanced route scaling mode: Disabled
 Flow trace status
   Flow tracing status: off
 Flow session distribution
   Distribution mode: RR-based
   GTP-U distribution: Disabled
 Flow ipsec performance acceleration: off
 Flow packet ordering
   Ordering mode: Hardware


root@demo-srx300> show route table mpls.0

mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 04:51:07, metric 1
                     Receive
1                  *[MPLS/0] 04:51:07, metric 1
                     Receive
2                  *[MPLS/0] 04:51:07, metric 1
                     Receive
13                 *[MPLS/0] 04:51:07, metric 1
                     Receive
16                 *[VPN/0] 04:51:07
                     to table one.inet.0, Pop
345552             *[LDP/9] 04:43:04, metric 3, tag 0
                   > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
345568             *[LDP/9] 04:43:04, metric 4, tag 0
                   > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
345584             *[LDP/9] 04:43:04, metric 2, tag 0
                   > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
345600             *[LDP/9] 04:43:04, metric 3, tag 0
                   > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
345616             *[LDP/9] 04:43:04, metric 3, tag 0
                   > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
345632             *[LDP/9] 04:43:04, metric 4, tag 0
                   > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
345648             *[LDP/9] 04:43:04, metric 3, tag 0
                   > to 10.101.14.197 via ge-0/0/0.0, Swap 16518

root@demo-srx300> show route table mpls.0 terse

mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0                  M   0          1             Receive
* ? 1                  M   0          1             Receive
* ? 2                  M   0          1             Receive
* ? 13                 M   0          1             Receive
* ? 16                 V   0                        Table
* ? 345552             L   9          3            >10.101.14.197
* ? 345568             L   9          4            >10.101.14.197
* ? 345584             L   9          2            >10.101.14.197
* ? 345600             L   9          3            >10.101.14.197
* ? 345616             L   9          3            >10.101.14.197
* ? 345632             L   9          4            >10.101.14.197
* ? 345648             L   9          3            >10.101.14.197
* ? 345664             L   9          7            >10.101.14.197
* ? 345680             L   9          6            >10.101.14.197
* ? 345696             L   9          7            >10.101.14.197
* ? 345712             L   9          7            >10.101.14.197
* ? 345728             L   9          6            >10.101.14.197
* ? 345744             L   9          7            >10.101.14.197

root@demo-srx300> show route table mpls.0 terse | count
Count: 528 lines

root@demo-srx300> show ldp neighbor
Address            Interface          Label space ID         Hold time
10.101.14.197      ge-0/0/0.0         10.101.0.254:0           10

root@demo-srx300>



-----Original Message-----
From: Emille Blanc [mailto:[email protected]]
Sent: Thursday, July 11, 2019 3:04 PM
To: Aaron Gould; [email protected]
Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn

Based on what you described, it sounds like you already got your MPLS/LDP
running in a packet-mode routing-instance, as otherwise MPLS is dropped on
an SRX in flow mode.

No obvious ideas with the output provided otherwise.
Do the flows in your IPSEC instance get created?

-----Original Message-----
From: juniper-nsp [mailto:[email protected]] On Behalf Of
Aaron Gould
Sent: Thursday, July 11, 2019 12:27 PM
To: [email protected]
Subject: [j-nsp] srx ipsec tunnel over mpls l3vpn

Anyone ever done it?  To be clear, I have mpls/ldp/ospf/bgp enabled on the SRX
such that I have an l3vpn functional into the SRX.

I have a lo0.99 interface as the external interface used for ike/ipsec.
Seems that I'm pretty close to getting this done, as I have ike phase 1 up
and ike phase 2 up, but I'm only seeing encrypted packets as I try to ping
between the st0.0 interface and the ms-0/0/0.1 inside interface on the other
side (mx104 with ms-mic-16g).

Let me know what I'm missing.

I'm seeing drops in these two show outputs, which seems to coincide with a
100-packet ping test...





root@demo-srx300> show security flow statistics
   Current sessions: 9
   Packets forwarded: 417926
   Packets dropped: 15604
   Fragment packets: 0
   Pre fragments generated: 0
   Post fragments generated: 0

root@demo-srx300> show security flow status
 Flow forwarding mode:
   Inet forwarding mode: flow based
   Inet6 forwarding mode: drop
   MPLS forwarding mode: drop
   ISO forwarding mode: drop
   Enhanced route scaling mode: Disabled
 Flow trace status
   Flow tracing status: off
 Flow session distribution
   Distribution mode: RR-based
   GTP-U distribution: Disabled
 Flow ipsec performance acceleration: off
 Flow packet ordering
   Ordering mode: Hardware

root@demo-srx300> show security ipsec statistics
ESP Statistics:
 Encrypted bytes:           252264
 Decrypted bytes:                0
 Encrypted packets:           1618
 Decrypted packets:              0
AH Statistics:
 Input bytes:                    0
 Output bytes:                   0
 Input packets:                  0
 Output packets:                 0
Errors:
 AH authentication failures: 0, Replay errors: 0
 ESP authentication failures: 0, ESP decryption failures: 0
 Bad headers: 0, Bad trailers: 0

root@demo-srx300> show security flow statistics | grep rop
   Packets dropped: 15650

root@demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1
count 100
PING 10.102.199.66 (10.102.199.66): 56 data bytes
............................................................................
........................
--- 10.102.199.66 ping statistics ---
100 packets transmitted, 0 packets received, 100% packet loss

root@demo-srx300> show security ipsec statistics
ESP Statistics:
 Encrypted bytes:           267864
 Decrypted bytes:                0
 Encrypted packets:           1718
 Decrypted packets:              0
AH Statistics:
 Input bytes:                    0
 Output bytes:                   0
 Input packets:                  0
 Output packets:                 0
Errors:
 AH authentication failures: 0, Replay errors: 0
 ESP authentication failures: 0, ESP decryption failures: 0
 Bad headers: 0, Bad trailers: 0

root@demo-srx300> show security flow statistics | grep rop
   Packets dropped: 15755

-Aaron



_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
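The counters Aaron pasted before and after the 100-packet ping, together with Hugo's question of whether anything comes back at all, lend themselves to a small diff check. The script below is an added example for readers of this thread; it is not code from the thread, from Juniper, or from any of the participants. It parses `show security ipsec statistics` and `show security flow statistics` text in the layout quoted above (the sample snapshots are constructed from the values in the thread), computes the per-counter change across the test, and flags the one-way pattern (encrypted packets rising by the ping count, decrypted staying at zero, no ESP errors) that points at the return path rather than at the local crypto configuration.

```python
import re

# Constructed sample snapshots. The numbers are the ones quoted in the thread
# before and after the 100-packet ping; the text layout mirrors the SRX output.
IPSEC_BEFORE = """\
ESP Statistics:
 Encrypted bytes:           252264
 Decrypted bytes:                0
 Encrypted packets:           1618
 Decrypted packets:              0
AH Statistics:
 Input bytes:                    0
 Output bytes:                   0
 Input packets:                  0
 Output packets:                 0
Errors:
 AH authentication failures: 0, Replay errors: 0
 ESP authentication failures: 0, ESP decryption failures: 0
 Bad headers: 0, Bad trailers: 0
"""
IPSEC_AFTER = IPSEC_BEFORE.replace("252264", "267864").replace("1618", "1718")
FLOW_BEFORE = "   Packets dropped: 15650\n"
FLOW_AFTER = "   Packets dropped: 15755\n"

# "Name: <integer>" at the end of a fragment; section headers such as
# "ESP Statistics:" carry no number and are skipped.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")


def parse_counters(text):
    """Map every 'Name: value' pair (including comma-separated ones on the
    Errors lines) to an int."""
    counters = {}
    for line in text.splitlines():
        for part in line.split(","):
            m = COUNTER_RE.search(part.strip())
            if m:
                counters[m.group(1).strip()] = int(m.group(2))
    return counters


def delta(before, after):
    """Per-counter increase between two snapshots (keys present in both)."""
    return {k: after[k] - before[k] for k in before if k in after}


def diagnose(ipsec_before, ipsec_after, flow_before, flow_after, packets_sent):
    """Classify what a ping test did to the IPsec and flow counters."""
    d = delta(parse_counters(ipsec_before), parse_counters(ipsec_after))
    f = delta(parse_counters(flow_before), parse_counters(flow_after))
    enc = d.get("Encrypted packets", 0)
    dec = d.get("Decrypted packets", 0)
    # Any error counter that moved during the interval.
    errors = {k: v for k, v in d.items()
              if v and ("failures" in k or "errors" in k or k.startswith("Bad"))}
    result = {
        "encrypted_delta": enc,
        "decrypted_delta": dec,
        "dropped_delta": f.get("Packets dropped", 0),
        "errors": errors,
        "encrypts_match_sent": enc == packets_sent,
        "one_way": enc > 0 and dec == 0,
    }
    if errors:
        result["hint"] = ("ESP/AH error counters moved: mismatched SA parameters "
                          "or corrupted packets on the receive side")
    elif result["one_way"]:
        result["hint"] = ("local side encrypts and sends, nothing is decrypted and "
                          "no ESP errors: return ESP never arrives or is dropped "
                          "before the IPsec engine; check the far end's counters "
                          "and the return path before the crypto config")
    else:
        result["hint"] = "traffic is moving in both directions"
    return result


if __name__ == "__main__":
    for key, value in diagnose(IPSEC_BEFORE, IPSEC_AFTER,
                               FLOW_BEFORE, FLOW_AFTER, 100).items():
        print(f"{key}: {value}")
```

In the thread's numbers the encrypted counter rises by exactly the 100 pings, the decrypted counter stays at zero, and the flow drop counter rises by 105, which is the signature of a tunnel that only ever carries traffic outbound; capturing the same two snapshots on the MX side would show whether the ESP is arriving there and being answered.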

