EIGRP with the Same Router ID – part 1

What could possibly go wrong with routers with the same EIGRP router ID (RID)?

Figure 1 is the topology for this lab.

[Figure 1: eigrp-rid-topo (topology diagram)]

I am going to run two different scenarios. In the first one, R1 and R2 are connected point-to-point and share the same RID. In the second scenario, R1 and R3 will both have the same RID. We are going to examine what happens when two routers in the topology have the same RID.

Let’s tackle scenario one. Example 1 below is the routing table of R1. At this point, everything is configured correctly. Example 2 is the EIGRP and interface config of R1.

Example 1

R1(config-if)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
 
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C       10.0.1.0/24 is directly connected, Loopback0
L       10.0.1.1/32 is directly connected, Loopback0
D       10.0.2.0/24 [90/409600] via 10.0.12.2, 00:02:11, Ethernet1/0
C       10.0.10.0/24 is directly connected, Loopback1
L       10.0.10.1/32 is directly connected, Loopback1
C       10.0.12.0/24 is directly connected, Ethernet1/0
L       10.0.12.1/32 is directly connected, Ethernet1/0
D       10.0.20.0/24 [90/409600] via 10.0.12.2, 00:02:02, Ethernet1/0
D       10.0.23.0/24 [90/307200] via 10.0.12.2, 00:02:17, Ethernet1/0
R1(config-if)#

Example 2

R1(config-if)#do show run | section router
router eigrp 1
 network 10.0.0.0
R1(config-if)#do show run int e1/0
!
interface Ethernet1/0
 ip address 10.0.12.1 255.255.255.0
 duplex full
end

R1(config-if)#do show run int lo0 
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
end

R1(config-if)#do show run int lo1
!
interface Loopback1
 ip address 10.0.10.1 255.255.255.0
end

Example 3 is the routing table of R2, and Example 4 is the EIGRP config and interfaces config of R2.

Example 3

R2#show ip route
Codes:   L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
         + - replicated route, % - next hop override

Gateway of last resort is not set

       10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
D        10.0.1.0/24 [90/409600] via 10.0.12.1, 00:11:38, Ethernet1/0
C        10.0.2.0/24 is directly connected, Loopback0
L        10.0.2.1/32 is directly connected, Loopback0
D        10.0.10.0/24 [90/409600] via 10.0.12.1, 00:11:30, Ethernet1/0
C        10.0.12.0/24 is directly connected, Ethernet1/0
L        10.0.12.2/32 is directly connected, Ethernet1/0
C        10.0.20.0/24 is directly connected, Loopback1
L        10.0.20.1/32 is directly connected, Loopback1
C        10.0.23.0/24 is directly connected, Ethernet1/1
L        10.0.23.2/32 is directly connected, Ethernet1/1
R2#

Example 4

R2#show run | section router
router eigrp 1
 network 0.0.0.0
R2#show run int eth1/0
!
interface Ethernet1/0
 ip address 10.0.12.2 255.255.255.0
 duplex full
end

R2#show run int lo0 
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.0
end

R2#show run int lo1
!
interface Loopback1
 ip address 10.0.20.1 255.255.255.0
end

R2#

Right now, EIGRP between R1 and R2 is working correctly and the EIGRP neighbor relationship looks fine, as shown in Example 5 and Example 6.

Example 5

R1#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H     Address     Interface     Hold Uptime      SRTT     RTO     Q     Seq
                                (sec)            (ms)             Cnt   Num
0    10.0.12.2    Et1/0         11 00:18:43      45       270     0     57
R1#

Example 6

R2#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H     Address     Interface     Hold Uptime      SRTT     RTO     Q     Seq
                                (sec)            (ms)             Cnt   Num
0    10.0.12.1    Et1/0         10 00:19:05      54       324     0     25
R2#

Now, I am going to manually change the RID of both routers to 1.1.1.1.

Example 7

R1#show run | sec router
router eigrp 1
 network 10.0.0.0
 eigrp router-id 1.1.1.1
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show run | sec router
router eigrp 1
 network 0.0.0.0
 eigrp router-id 1.1.1.1
R2#

Right after I changed both routers’ RIDs, R1’s route table dropped all EIGRP routes from R2, and R2 did the same. Example 8 shows the route table of both routers.

Example 8

R1#show ip route
...
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C      10.0.1.0/24 is directly connected, Loopback0
L      10.0.1.1/32 is directly connected, Loopback0
C      10.0.10.0/24 is directly connected, Loopback1
L      10.0.10.1/32 is directly connected, Loopback1
C      10.0.12.0/24 is directly connected, Ethernet1/0
L      10.0.12.1/32 is directly connected, Ethernet1/0
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show ip route
...
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C      10.0.2.0/24 is directly connected, Loopback0
L      10.0.2.1/32 is directly connected, Loopback0
C      10.0.12.0/24 is directly connected, Ethernet1/0
L      10.0.12.2/32 is directly connected, Ethernet1/0
C      10.0.20.0/24 is directly connected, Loopback1
L      10.0.20.1/32 is directly connected, Loopback1
C      10.0.23.0/24 is directly connected, Ethernet1/1
L      10.0.23.2/32 is directly connected, Ethernet1/1
R2#

Example 9 is the show eigrp protocols output for both routers; here you can see their router IDs.

Example 9

R1#show eigrp protocols 
EIGRP-IPv4 Protocol for AS(1)
  Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  NSF-aware route hold timer is 240
  Router-ID: 1.1.1.1
  Topology : 0 (base) 
    Active Timer: 3 min
    Distance: internal 90 external 170
    Maximum path: 4
    Maximum hopcount 100
    Maximum metric variance 1

R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show eigrp protocols 
EIGRP-IPv4 Protocol for AS(1)
  Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  NSF-aware route hold timer is 240
  Router-ID: 1.1.1.1
  Topology : 0 (base) 
    Active Timer: 3 min
    Distance: internal 90 external 170
    Maximum path: 4
    Maximum hopcount 100
    Maximum metric variance 1

R2#

At this point, R1 has lost the routes that R2 is advertising and vice versa, yet the neighbor relationship is still up on both sides:

R1#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H     Address     Interface     Hold Uptime      SRTT     RTO     Q     Seq
                                (sec)            (ms)             Cnt   Num
0    10.0.12.2    Et1/0         14 00:14:10      58       378     0     69
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H     Address     Interface     Hold Uptime      SRTT     RTO     Q     Seq
                                (sec)            (ms)             Cnt   Num
0    10.0.12.1    Et1/0         14 00:14:03      56       504     0     37
R2#

Even though both routers have the same RID, the neighbor relationship is still up. Let’s make R1’s network statements more specific and advertise R1’s Loopback1 via redistribution instead, and see what happens.

Example 10

R1#show run | sec router
router eigrp 1
 network 10.0.1.0 0.0.0.255
 network 10.0.12.0 0.0.0.255
 redistribute connected metric 10000 10 255 1 1500
 eigrp router-id 1.1.1.1
R1#

R2 is still not accepting any EIGRP routes from R1. Example 11 is R2’s route table.

Example 11

R2#show ip route
...
    10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C     10.0.2.0/24 is directly connected, Loopback0
L     10.0.2.1/32 is directly connected, Loopback0
C     10.0.12.0/24 is directly connected, Ethernet1/0
L     10.0.12.2/32 is directly connected, Ethernet1/0
C     10.0.20.0/24 is directly connected, Loopback1
L     10.0.20.1/32 is directly connected, Loopback1
C     10.0.23.0/24 is directly connected, Ethernet1/1
L     10.0.23.2/32 is directly connected, Ethernet1/1
R2#

What is happening here is EIGRP loop prevention. When an EIGRP router receives an update, it checks the RID of the router that originated the route. If it sees its own RID, it does not install the route, because it assumes the route is its own coming back around a loop. In a loop-free topology, a router should never receive an update that carries its own RID.
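To make the rule concrete, here is a toy Python model (added here, not code from the original post) in which every update carries the RID of the router that originated the prefix and a router refuses to install an update carrying its own RID. Run on the post’s R1-R2-R3 topology with R1 and R2 both set to 1.1.1.1, it reproduces what Examples 8, 11 and 12 show; the distinct RIDs used for the comparison run are assumed values.

```python
from collections import deque

# Constructed from the post's lab: R1 -- R2 -- R3, each router with its
# Loopback0/Loopback1 /24s and the point-to-point /24s it sits on.
CONNECTED = {
    "R1": {"10.0.1.0/24", "10.0.10.0/24", "10.0.12.0/24"},
    "R2": {"10.0.2.0/24", "10.0.20.0/24", "10.0.12.0/24", "10.0.23.0/24"},
    "R3": {"10.0.3.0/24", "10.0.30.0/24", "10.0.23.0/24"},
}
LINKS = [("R1", "R2"), ("R2", "R3")]


class Router:
    def __init__(self, name, rid, connected):
        self.name = name
        self.rid = rid
        self.connected = set(connected)
        self.neighbors = []
        self.topology = {}   # prefix -> (originating RID, neighbour it came from)
        self.rejected = []   # (prefix, neighbour) dropped by the RID check

    def learned(self):
        return sorted(self.topology)


def run(rids, connected=CONNECTED, links=LINKS):
    """Flood every connected prefix through the topology and return the routers."""
    routers = {n: Router(n, rids[n], c) for n, c in connected.items()}
    for a, b in links:
        routers[a].neighbors.append(b)
        routers[b].neighbors.append(a)
    # An update carries the prefix and the RID of the router that originated
    # it; that RID is kept unchanged as the update is re-advertised hop by hop.
    queue = deque()
    for r in routers.values():
        for prefix in sorted(r.connected):
            for n in r.neighbors:
                queue.append((r.name, n, prefix, r.rid))
    while queue:
        src, dst, prefix, origin_rid = queue.popleft()
        rtr = routers[dst]
        if prefix in rtr.connected or prefix in rtr.topology:
            continue                       # already known, nothing new to do
        if origin_rid == rtr.rid:
            # Loop-prevention rule from the post: an update that carries our
            # own RID looks like our own route coming back, so it is not
            # installed and therefore never re-advertised.
            rtr.rejected.append((prefix, src))
            continue
        rtr.topology[prefix] = (origin_rid, src)
        for n in rtr.neighbors:
            if n != src:                   # split horizon: don't send it back
                queue.append((dst, n, prefix, origin_rid))
    return routers


def missing_from(routers, name, origin):
    """Prefixes originated by `origin` that router `name` never installed."""
    return sorted(CONNECTED[origin] - CONNECTED[name] - set(routers[name].topology))


if __name__ == "__main__":
    # Assumed distinct RIDs (highest loopback on each box) versus the lab's clash.
    for label, rids in [("unique RIDs", {"R1": "10.0.10.1", "R2": "10.0.20.1", "R3": "10.0.30.1"}),
                        ("R1 and R2 both 1.1.1.1", {"R1": "1.1.1.1", "R2": "1.1.1.1", "R3": "10.0.30.1"})]:
        routers = run(rids)
        print(f"== {label}")
        for r in routers.values():
            print(f"{r.name}: learned {r.learned()} rejected {r.rejected}")
```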

Now, let’s turn on R3 and look at its routing table.

Example 12

R3#show ip route
...
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D      10.0.2.0/24 [90/409600] via 10.0.23.2, 00:00:26, Ethernet1/1
C      10.0.3.0/24 is directly connected, Loopback0
L      10.0.3.1/32 is directly connected, Loopback0
D      10.0.12.0/24 [90/307200] via 10.0.23.2, 00:00:26, Ethernet1/1
D      10.0.20.0/24 [90/409600] via 10.0.23.2, 00:00:26, Ethernet1/1
C      10.0.23.0/24 is directly connected, Ethernet1/1
L      10.0.23.3/32 is directly connected, Ethernet1/1
C      10.0.30.0/24 is directly connected, Loopback1
L      10.0.30.1/32 is directly connected, Loopback1
R3#

As you can see, routes from R1 are not getting to R3, because R2 does not install them in its topology table and therefore never forwards them to R3.

We will tackle scenario two on my next post.


WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE

When you get this banner after logging into your Juniper device:

***********************************************************************
** **
** WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE **
** **
** It is possible that the primary copy of JUNOS failed to boot up **
** properly, and so this device has booted from the backup copy. **
** **
** Please re-install JUNOS to recover the primary copy in case **
** it has been corrupted. **
** **
***********************************************************************

This simply means that the switch/firewall/router booted from the backup partition. It is very likely that the file system got corrupted because of a power loss. We can verify this with a few show commands.

karlo@exswitch> show chassis alarms 
2 alarms currently active
Alarm time Class Description
2016-11-20 16:01:08 UTC Minor Host 0 Boot from backup root

karlo@exswitch> show system alarms 
3 alarms currently active
Alarm time Class Description
2016-11-20 16:01:08 UTC Minor Host 0 Boot from backup root

karlo@exswitch> show system storage partitions 
fpc0:
--------------------------------------------------------------------------
Boot Media: internal (da0)
Active Partition: da0s1a
Backup Partition: da0s2a
Currently booted from: backup (da0s2a)

Partitions information:
Partition Size Mountpoint
s1a 183M altroot 
s2a 184M / 
s3d 369M /var/tmp 
s3e 123M /var 
s4d 62M /config 
 
karlo@exswitch> show system snapshot media internal 
fpc0:
--------------------------------------------------------------------------
Information for snapshot on internal (/dev/da0s1a) (primary)
Creation date: Jun 14 21:42:33 2013
JUNOS version on snapshot:
jbase : ex-12.1R6.5
jcrypto-ex: 12.1R6.5
jdocs-ex: 12.1R6.5
jroute-ex: 12.1R6.5
jswitch-ex: 12.1R6.5
jweb-ex: 12.1R6.5
Information for snapshot on internal (/dev/da0s2a) (backup)
Creation date: Jun 14 21:46:16 2013
JUNOS version on snapshot:
jbase : ex-12.1R6.5
jcrypto-ex: 12.1R6.5
jdocs-ex: 12.1R6.5
jroute-ex: 12.1R6.5
jswitch-ex: 12.1R6.5
jweb-ex: 12.1R6.5

{master:0}
karlo@exswitch>

To fix this, we need to copy the Junos image from the backup partition to the primary partition, so that both the primary and backup partitions hold a good copy. To do so, use the command below: request system snapshot media internal slice alternate. The slice keyword appears to be a hidden option, so you have to type it in manually.

karlo@exswitch> request system snapshot media internal slice alternate 
fpc0:
--------------------------------------------------------------------------
Formatting alternate root (/dev/da0s1a)...
Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes)
The following filesystems were archived: /

Verify the snapshots:

karlo@exswitch> show system snapshot media internal 
fpc0:
--------------------------------------------------------------------------
Information for snapshot on internal (/dev/da0s1a) (primary)
Creation date: Dec 27 15:37:20 2016
JUNOS version on snapshot:
jbase : ex-12.1R6.5
jcrypto-ex: 12.1R6.5
jdocs-ex: 12.1R6.5
jroute-ex: 12.1R6.5
jswitch-ex: 12.1R6.5
jweb-ex: 12.1R6.5
Information for snapshot on internal (/dev/da0s2a) (backup)
Creation date: Jun 14 21:46:16 2013
JUNOS version on snapshot:
jbase : ex-12.1R6.5
jcrypto-ex: 12.1R6.5
jdocs-ex: 12.1R6.5
jroute-ex: 12.1R6.5
jswitch-ex: 12.1R6.5
jweb-ex: 12.1R6.5

Then issue the command request system reboot slice alternate media internal. This reboots the device from the primary partition.

Now, if you are upgrading your Junos device and it keeps booting from the backup, use the command request system software rollback and then reboot the system. Once it has rebooted, you will be able to upgrade the device.

Cheers


Palo Alto Firewalls HA Pair Upgrade

I upgraded my Palo Alto firewalls from version 6.1.12 to 7.1.1 recently. It is a pretty straightforward upgrade, but I might as well write about it. Also, this is for firewalls that do not have Internet access via their management (OOB) interface.

I am going to do this via the CLI, since I have never used the GUI. To get started, do the following:

  • Download all the PANOS you will need to upgrade your PAN firewalls
  • Check the checksum of the firmware
  • Backup your config
  • Schedule a network maintenance window. There should be no downtime if you have an HA pair, but it is always better to have a dedicated maintenance window
  • If you still have a support contract, make sure your PAN engineer is on standby, because calling their support number is a pain

Since I am upgrading from 6.1.12 to 7.1.1, I need to follow an upgrade path. The upgrade path for PAN goes like this: if I were going from 6.1.12 to 6.1.14, I could upgrade to 6.1.14 directly, because 6.1.14 is on the same base firmware as 6.1.12 (the base version, 6.1.0); however, if I were upgrading to 7.0.10, I would first need to upgrade to the base firmware, which is 7.0.1 (there is no 7.0.0), and then upgrade directly to 7.0.10.

The thing is, when you upgrade, you need to restart the firewall (just like any firewall) for the upgrade to take effect. The nice thing about PAN is that once you have installed the base firmware, you can install the next version right away without restarting the firewall. This is only true if you are going to a version that is on the same base firmware; otherwise, you will need to restart the firewall in between.

To make this simple, here is a visual representation of how a PAN upgrade is done. The versions shown in red in the original post (6.0.0, 6.1.0, 7.0.1 and 7.1.0) are the base firmware for each version.

From 6.1.12 to 6.1.14:
6.1.12 > 6.1.14 then restart > done

From 6.1.12 to 7.1.1:
6.1.12 > 7.0.1 then restart > 7.1.0 > 7.1.1 then restart > done

From 5.0.20 to 7.1.5:
5.0.20 > 6.0.0 then restart > 6.1.0 then restart > 7.0.1 then restart > 7.1.0 > 7.1.5 then restart > done

You get the idea.
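The three paths above follow one rule, so here it is as a small Python planner (added here, not a Palo Alto tool): install every base image between the current train and the target train, restart after an install unless the next install is on the same base, and always restart after the last one. The base-version table contains only the releases named in this post; any other train is an assumption you would have to add.

```python
# Base ("feature") releases named in the post. Each PAN-OS train must be
# entered through its base image; trains not listed here are unknown to this
# planner and make upgrade_path() raise, so this table is the thing to extend.
BASE_VERSIONS = {
    (6, 0): "6.0.0",
    (6, 1): "6.1.0",
    (7, 0): "7.0.1",   # the post notes there is no 7.0.0
    (7, 1): "7.1.0",
}


def parse(version):
    """'7.0.10' -> (7, 0, 10); raises ValueError on malformed input."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad PAN-OS version string: {version!r}")
    return tuple(int(p) for p in parts)


def fmt(v):
    return ".".join(str(x) for x in v)


def upgrade_path(current, target):
    """Return [(version, restart_needed), ...] for going current -> target.

    Rules as the post states them: every base image between the current
    train and the target train must be installed; a restart is needed after
    an install unless the very next install is on the same base (same
    major.minor); the final install always needs a restart.
    """
    cur, tgt = parse(current), parse(target)
    if tgt <= cur:
        raise ValueError("target must be newer than current (downgrades not modelled)")
    if tgt[:2] not in BASE_VERSIONS:
        raise ValueError(f"no base image known for train {fmt(tgt[:2])}")
    steps = []
    for train in sorted(BASE_VERSIONS):
        if cur[:2] < train <= tgt[:2]:
            base = parse(BASE_VERSIONS[train])
            if base != tgt:            # the target may itself be the base image
                steps.append(base)
    steps.append(tgt)
    plan = []
    for i, v in enumerate(steps):
        nxt = steps[i + 1] if i + 1 < len(steps) else None
        restart = nxt is None or nxt[:2] != v[:2]
        plan.append((fmt(v), restart))
    return plan


def render(current, target):
    """Same arrow notation the post uses: '6.1.12 > 7.0.1 then restart > ... > done'."""
    hops = [v + (" then restart" if r else "") for v, r in upgrade_path(current, target)]
    return " > ".join([current] + hops + ["done"])


if __name__ == "__main__":
    for frm, to in [("6.1.12", "6.1.14"), ("6.1.12", "7.1.1"), ("5.0.20", "7.1.5")]:
        print(render(frm, to))
```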

Before we begin, here are some settings that are recommended to be disabled when upgrading an HA pair. These commands are entered in configuration mode:

  • set deviceconfig setting session tcp-reject-non-syn no
  • set deviceconfig high-availability group <value> election-option preemptive no

Starting from here, all the commands below are done in operational mode.

Let’s get started. The first step is to SSH or console into the active device. You can SSH or console into the passive device instead, but to test the failover you need to start at the active device. Once you are connected to the active device, it needs to be suspended first. The device status changes from active (or passive) to suspended, as shown below:

admin@PAN01(active)> request high-availability state suspended

Successfully changed HA state to suspended
admin@PAN01(suspended)>

Once the firewall is in suspended mode, you can import the firmware. In my case, I will import the 7.0.1 base firmware via SCP. The command syntax is:

scp import software from <username>@<server-ip>:<path>
admin@PAN01(suspended)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.0.1 
The authenticity of host '10.0.5.10 (10.0.5.10)' can't be established.
RSA key fingerprint is ba:ee:8c:a4:75:90:b4:c4:81:ed:36:37:9c:32:46:3e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.5.10' (RSA) to the list of known hosts.
root@10.0.5.10's password: 
PanOS_3000-7.0.1 100%                                                     602MB 22.3MB/s 00:27

PanOS_3000-7.0.1 saved

Once the import has completed, the next step is to install the firmware:

admin@PAN01(suspended)> request system software install file PanOS_3000-7.0.1 
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 163. Run 'show jobs id 163' to monitor its status. Please reboot the device after the installation is done.
163

admin@PAN01(suspended)>

As you can see, we can use the command show jobs id <job-id> to follow the installation progress. The installation takes a few minutes.

admin@PAN01(suspended)> show jobs id 163

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:01:35         163       SWInstall       ACT   PEND       66%
Warnings:
Details:

admin@PAN01(suspended)> show jobs id 163

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:01:35         163       SWInstall       ACT   PEND       99%
Warnings:
Details:

admin@PAN01(suspended)> show jobs id 163

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:01:35         163       SWInstall       FIN     OK 22:06:16
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.

admin@PAN01(suspended)>

Since I am upgrading to 7.1.1 and have just installed 7.0.1, I need to restart the device:

admin@PAN01(suspended)> request restart system 
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Broadcast message from root (pts/0) (Fri Oct 28 22:08:15 2016):

The system is going down for reboot NOW!

Connection closed by foreign host.

Disconnected from remote host(PAN01) at 18:15:14.

Once the device boots up, check the software version:

admin@PAN01(passive)> show system info | match sw
sw-version: 7.0.1

Once you have confirmed the version, import the next base firmware (7.1.0):

admin@PAN01(passive)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.1
The authenticity of host '10.0.5.10 (10.0.5.10)' can't be established.
ECDSA key fingerprint is 88:8f:77:fc:88:b0:dc:ef:34:31:24:68:ef:0a:72:b4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.5.10' (ECDSA) to the list of known hosts.
root@10.0.5.10's password: 
PanOS_3000-7.1.0 100% 699MB 25.9MB/s 00:27

PanOS_3000-7.1.0 saved

Then install the firmware after importing the base image. This time, however, the syntax has changed: the file option is no longer available, and the package is selected by version instead.

admin@PAN01(passive)> request system software install 
+ load-config Configuration to use for booting new software
> version     Upgrade to a software package by version

admin@PAN01(passive)> request system software install version 
7.1.0   7.1.0
<value> Upgrade to a software package by version

admin@PAN01(passive)> request system software install version 7.1.0 
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) 

Software install job enqueued with jobid 2. Run 'show jobs id 2' to monitor its status. Please reboot the device after the installation is done.

Always check the status of the installation:

admin@PAN01(passive)> show jobs id 2

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:23:02           2       SWInstall       ACT   PEND       84%
Warnings:
Details:Loading into software manager
Succesfully loaded image into software manager

admin@PAN01(passive)> show jobs id 2

Enqueued                     ID            Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:23:02           2       SWInstall       FIN     OK 22:27:34
Warnings:
Details:Loading into software manager
Succesfully loaded image into software manager
Software installation successfully completed. Please reboot to switch to the new version.

admin@PAN01(passive)>

At this point, since we are going to 7.1.1 and have just installed 7.1.0 (the same base), we do not need to restart the device. We can install 7.1.1 first and then restart.

admin@PAN01(passive)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.1.1
root@10.0.5.10's password: 
PanOS_3000-7.1.1 100% 252MB 28.0MB/s 00:09

PanOS_3000-7.1.1 saved

Install 7.1.1:

admin@PAN01(passive)> request system software install version 7.1.1

Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)
Software install job enqueued with jobid 3. Run 'show jobs id 3' to monitor its status. Please reboot the device after the installation is done.
3

admin@PAN01(passive)> show jobs id 3

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:31:46           3       SWInstall       ACT   PEND       81%
Warnings:
Details:Loading into software manager
Succesfully loaded image into software manager

admin@PAN01(passive)> show jobs id 3

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:31:46           3       SWInstall       FIN     OK 22:35:48
Warnings:
Details:Loading into software manager
Succesfully loaded image into software manager
Software installation successfully completed. Please reboot to switch to the new version.

admin@PAN01(passive)>

Once the installation is done, restart the device:

admin@PAN01(passive)> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Broadcast message from root (pts/0) (Fri Oct 28 22:36:48 2016):

The system is going down for reboot NOW!

Connection closed by foreign host.

Disconnected from remote host(PAN01) at 18:36:51.

Once the firewall has restarted, it will be stuck in suspended mode. The reason is that the currently active firewall is on version 6.1.12 while the upgraded firewall is on 7.1.1, and the two versions are not compatible with regard to high-availability pairing.

Let’s work on the second firewall. Here is a caveat: since the newer version is not compatible, the one I upgraded will not become either active or passive until its pair gets to a compatible version.

However, if the software is compatible, the HA state will turn to passive. It may take a minute or two, so I would recommend waiting for it. If the software base version is the same, then they are compatible; therefore, wait for the HA to re-establish.

Now, if you are doing this over SSH, I would highly recommend that you keep the currently active device active, because once you lose your connection, that device will not become active until you run the command request high-availability state functional, and if you are only connected via SSH you won’t be able to execute it. Therefore, we want the active firewall to boot up as an active device, not suspended.

I am doing this via SSH, so I am not going to suspend the firewall. Just as on the first firewall, I am going to import the firmware:

admin@PAN02(active)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.0.1
The authenticity of host '10.0.5.10 (10.0.5.10)' can't be established.
RSA key fingerprint is ba:ee:8c:a4:75:90:1c:c4:81:ed:36:cb:9c:32:78:3e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.5.10' (RSA) to the list of known hosts.
root@10.0.5.10's password:
PanOS_3000-7.0.1                                             100% 602MB 11.2MB/s   00:54  

PanOS_3000-7.0.1 saved

admin@PAN02(active)>

Once imported, install the firmware:

admin@PAN02(active)> request system software install file PanOS_3000-7.0.1
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 144. Run 'show jobs id 144' to monitor its status. Please reboot the device after the installation is done.
144

admin@PAN02(active)> show jobs id 144

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 23:44:34         144       SWInstall       ACT   PEND       86%
Warnings:
Details:

port22@P07101EF01(active)> show jobs id 144

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 23:44:34         144       SWInstall       FIN     OK 23:48:28
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.

admin@PAN02(active)>

Restart the device:

admin@PAN02(active)> request restart system 
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Connection closed by foreign host.

Disconnected from remote host(PAN02) at 19:35:23.

After the reboot, verify the firmware version:

admin@PAN02(suspended)> show system info | match sw
sw-version: 7.0.1

Now import the 7.1.0 base firmware and install it:

admin@PAN02(suspended)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.1.0
The authenticity of host '10.0.5.10 (10.0.5.10)' can't be established.
ECDSA key fingerprint is 88:8f:09:3c:88:b0:dc:11:34:31:24:68:ef:0a:9d:b4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.5.10' (ECDSA) to the list of known hosts.
root@10.0.5.10's password: 
PanOS_3000-7.1.0 100%                                                       699MB 11.1MB/s 01:03

PanOS_3000-7.1.0 saved

Install the firmware:

admin@PAN02(suspended)> request system software install version 7.1.0 
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 3. Run 'show jobs id 3' to monitor its status. Please reboot the device after the installation is done.
3

admin@PAN02(suspended)>

Once the firmware is installed, do not restart the firewall yet. We still need to install the desired firmware, 7.1.1. Import it, then install it:

admin@PAN02(suspended)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.1.1
root@10.0.5.10's password: 
PanOS_3000-7.1.1                                                     100% 252MB 28.0MB/s 00:09

PanOS_3000-7.1.1 saved

admin@PAN02(suspended)> request system software install version 7.1.1
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 4. Run 'show jobs id 4' to monitor its status. Please reboot the device after the installation is done.
4

admin@PAN02(suspended)>

Restart the device:

admin@PAN02(suspended)> request restart system 
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Broadcast message from root (pts/0) (Fri Oct 28 23:58:03 2016):

The system is going down for reboot NOW!

Connection closed by foreign host.

Disconnected from remote host(PA02) at 19:58:06.

After it reboots, log in again and check the system software version:

port22@P07101EF01> show system info | match sw
sw-version: 7.1.1

Also, log in to both devices and check whether either of them is in suspended mode. If one of them is, use this command:

request high-availability state functional

That should do it.

Cheers!


Juniper SRX300 Layer 2 Issues

I am going to make this as short as possible. I purchased an SRX300 to replace my SRX100 firewall. The first thing I noticed right out of the box was that each interface was a routed interface, unlike the older branch models (SRX1xy, SRX2xy, etc.), where the ports were in switching mode.

Also, the JunOS version is 15.1X49-D45. In my case, I need these ports to do switching and not routing. Therefore, I went ahead and modified my SRX100 config to match the new SRX300. When I committed, the box barked at me with something along these lines:

from-zone (trust) and to-zone (untrust) must be both L2 or L3 zones.
error: configuration check-out failed

I had no idea what it meant, so I removed my security policies and tried to commit again, and then I got this. It makes sense, because the newer boxes use irb interfaces now instead of vlan interfaces.

error: l3-interface: 'vlan.11': Only IRB interface is supported, e.g. irb.10

I replaced all vlan interfaces with irb interfaces, ran commit check, and then got this:

error: interface-unit: 'irb.11': This interface cannot be configured in a zone
error: statement creation failed: irb.11

At this point, I had no idea what was happening. The box would not let me commit. So I fired up Chrome and went to the Juniper release notes page for the 15.1X49-D45 release I currently had. I scrolled down to page 10, the Layer 2 features, and found these paragraphs:

Support for enhanced Layer 2 transparent bridge mode and switching mode: Starting with Junos OS Release 15.1X49-D40, the enhanced Layer 2 transparent bridge mode and switching mode features are supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Use the set protocols l2-learning global-mode (transparent-bridge | switching) command to switch between the Layer 2 transparent bridge mode and switching mode. After switching the mode, you must reboot the device for the configuration to take effect. The Layer 2 protocol supported in switching mode is Link Aggregation Control Protocol (LACP).

NOTE:
• LACP is not supported on SRX300 and SRX320 devices.
• LACP is not supported in transparent bridge mode.

The command set protocols l2-learning global-mode switching is the answer to my problems. However, this release does not support LACP on the SRX300. I checked the newer versions’ release notes and found that a newer JunOS version supports LACP. I upgraded the SRX300 and used the command mentioned above. Everything works.

Oh! Before I forget, the set protocols l2-learning global-mode command will require you to reboot the SRX.


Cheers!


OSX El Capitan and FTDI USB-to-serial adapter

This post is about fixing the FTDI USB-to-serial adapter on OSX 10.11. Since I upgraded to El Capitan 10.11, my USB-to-serial adapter stopped working.

Before 10.11 (El Capitan), I didn’t have to download a driver to get my FTDI adapter to work. Unfortunately, now I have to. I really don’t want to mess with the system to get a single USB adapter to work.

Download this driver

Once the driver has been downloaded, install it and restart your OSX 10.11 computer. After the restart, verify that you are able to see the adapter by opening your terminal and entering ls /dev/ | grep serial as shown below:

nixmbpr:PYTHON Karlo$ ls /dev/ | grep serial
cu.usbserial
cu.usbserial-FTAJPFTI
tty.usbserial
tty.usbserial-FTAJPFTI

If you don’t see an entry, your system doesn’t see the adapter.

Hope you find this post helpful.

Cheers!


Juniper SRX Dynamic-VPN (Remote-access) – Part 2

So here is the second part of dynamic VPN, but this post will mainly be for verification/troubleshooting. If you are looking to configure the dynamic-vpn (remote access VPN), please check part 1 of this post.

Verification

To verify that the remote client successfully VPN’d in to the SRX, use the command show security ike security-associations brief. You may see more than one entry here if you have other IKE peers, such as a site-to-site VPN and/or another dynamic-vpn session.

Example 1

karlo> show security ike security-associations brief    
Index    State   Initiator cookie   Responder cookie   Mode           Remote Address  
4542718   DOWN   6a685801e0f0a351   0000000000000000   Aggressive     1.1.1.1        
4542712   UP     39de8a6735c6e475   e1c4c10b2234ffc0   Aggressive     10.0.11.114

The entry with index 4542718 can be ignored: it is my site-to-site VPN and not relevant to this post. The one we are interested in is the last line, index 4542712. As you can see in Example 1, its state is “UP” and it shows the IP address of the remote client.

Another useful command is show security ike active-peer.

Example 2

karlo> show security ike active-peer  
Remote Address                    Port    Peer IKE-ID                         XAUTH username                    Assigned IP
1.1.1.1                           500     Not-Available                    
10.0.11.114                       57717   your-dynamic-dns.dyn.net            karlo                             10.0.9.100                      

karlo>

If phase 1 works and there is still no connection, verify phase 2. You can use show security ipsec inactive-tunnels; as you can see in Example 3, it displays the total inactive tunnels and the reason each one is down.

Example 3

karlo> show security ipsec inactive-tunnels          
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID      Port  Nego#  Fail#  Flag     Gateway         Tunnel Down Reason
131073  500   0      0      600a29   1.1.1.1         SA not initiated

karlo>

To see the total active tunnels, use the command show security ipsec security-associations.

Example 4

karlo> show security ipsec security-associations  
Total active tunnels: 1
ID   Algorithm       SPI      Life:sec/kb  Mon lsys Port Gateway  
<268173325 ESP:aes-cbc-128/sha1 5d542e0 3066/ 499908 - root 56070 10.0.11.114    
>268173325 ESP:aes-cbc-128/sha1 204d6fa9 3066/ 499908 - root 56070 10.0.11.114    

karlo>

The last one would be show security ipsec statistics, which gives you the ESP/AH counters and the number of ESP errors.

Example 5

karlo> show security ipsec statistics          
ESP Statistics:
  Encrypted bytes:           261680
  Decrypted bytes:           171253
  Encrypted packets:           1370
  Decrypted packets:           2364
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

karlo>
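The three outputs above are what you read by eye during verification. As an added example (it is not from the original post), here is a small Python parser that reads the same three outputs and flags a DOWN IKE SA, an inactive IPsec tunnel and any non-zero error counter for a given remote client. The sample outputs are constructed to match Examples 1, 3 and 5; the replay error count was set to 3 on purpose so the checker has something to report.

```python
"""Parse Junos SRX IKE/IPsec show output and flag problems for one client.

Added example, not code from the original post. The sample outputs below
are constructed to match the format of the show commands in the post.
"""
import re
from dataclasses import dataclass

# Constructed sample: mirrors "show security ike security-associations brief"
IKE_SA_BRIEF = """\
Index    State   Initiator cookie   Responder cookie   Mode           Remote Address
4542718   DOWN   6a685801e0f0a351   0000000000000000   Aggressive     1.1.1.1
4542712   UP     39de8a6735c6e475   e1c4c10b2234ffc0   Aggressive     10.0.11.114
"""

# Constructed sample: mirrors "show security ipsec inactive-tunnels"
IPSEC_INACTIVE = """\
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID      Port  Nego#  Fail#  Flag     Gateway         Tunnel Down Reason
131073  500   0      0      600a29   1.1.1.1         SA not initiated
"""

# Constructed sample: mirrors "show security ipsec statistics";
# "Replay errors: 3" is deliberate so that the checker reports something.
IPSEC_STATS = """\
ESP Statistics:
  Encrypted bytes:           261680
  Decrypted bytes:           171253
  Encrypted packets:           1370
  Decrypted packets:           2364
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 3
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""


@dataclass
class IkeSa:
    index: int
    state: str
    mode: str
    remote: str


def parse_ike_sa_brief(text):
    """One IkeSa per data row; the header row has no numeric index."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].isdigit():
            sas.append(IkeSa(int(parts[0]), parts[1], parts[4], parts[5]))
    return sas


def parse_inactive_tunnels(text):
    """Return (tunnel_id, gateway, down_reason) for each inactive tunnel row."""
    tunnels = []
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\d+\s+\d+\s+\d+\s+\S+\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            tunnels.append((int(m.group(1)), m.group(2), m.group(3)))
    return tunnels


def parse_error_counters(text):
    """Return {counter_name: value} from the 'Errors:' section only."""
    errors = {}
    in_errors = False
    for line in text.splitlines():
        if line.startswith("Errors:"):
            in_errors = True
            continue
        if in_errors:
            for name, value in re.findall(r"([A-Za-z ]+?):\s*(\d+)", line):
                errors[name.strip()] = int(value)
    return errors


def find_problems(ike_text, inactive_text, stats_text, client_ip):
    """Human-readable findings for one remote client address."""
    findings = []
    sas = [s for s in parse_ike_sa_brief(ike_text) if s.remote == client_ip]
    if not sas:
        findings.append(f"no IKE SA for {client_ip}: phase 1 never started")
    for s in sas:
        if s.state != "UP":
            findings.append(f"IKE SA {s.index} to {s.remote} is {s.state}")
    for tid, gw, reason in parse_inactive_tunnels(inactive_text):
        if gw == client_ip:
            findings.append(f"IPsec tunnel {tid} to {gw} inactive: {reason}")
    for name, value in parse_error_counters(stats_text).items():
        if value:
            findings.append(f"ESP/AH counter '{name}' is {value}")
    return findings


if __name__ == "__main__":
    for ip in ("10.0.11.114", "1.1.1.1"):
        print(ip, find_problems(IKE_SA_BRIEF, IPSEC_INACTIVE, IPSEC_STATS, ip))
```

The error counters are global to the box, not per peer, so a non-zero counter is reported for every client you query; on a box with several tunnels, compare the counters before and after the client generates traffic rather than reading a single snapshot.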

Troubleshooting

Now, if none of the verification commands work, then it is time to troubleshoot the issue. Maybe the remote user is able to connect to the VPN but not passing traffic, or cannot connect to the VPN at all. There are a lot of VPN issues, and I am no expert. I am just going to list the ones that I have encountered.

Failed to receive HTTP response

If users cannot VPN at all and get an error stating “Failed to receive HTTP response” from the desktop client, check your SRX version, because according to Juniper:

This issue affects only branch SRX platforms and always occurs when Dynamic VPN is configured. This is a regression issue, it is introduced from 12.1X44-D55, 12.1X46-D40, 12.1X47-D30, 12.3X48-D20, and 15.1X49-D20.

These are the known working versions according to Juniper’s problem report: 12.1X47-D35, 12.3X48-D25, 15.1X49-D30. Also, I have an older SRX100H whose code version is 12.1X46-D35, and dynamic-vpn is working with this code.

VPN connection is up, but no traffic is going through

Ensure the remote client receives an IP address from the SRX. If the remote client didn’t receive an IP address from the SRX, then check your configuration related to DHCP. You can use show configuration system services dhcp-local-server. Ensure that the dynamic VPN interface is in a group.

Also, make sure that dhcp is allowed in the config at the security-zone interface level.

Example 6

karlo> show configuration security zones security-zone DYN-VPN-ZONE interfaces vlan.9
host-inbound-traffic {
   system-services {
       dhcp;              
   }
}

Lastly, the security policy should be in place: the from-zone should be untrust, the to-zone should be the destination zone, and the permit statement should send the traffic to the ipsec tunnel.

Example 7

karlo> show configuration security policies from-zone untrust to-zone trust
policy DYN-untrust_TO_trust {
   description "USED FOR ALLOWING TRAFFIC FROM DYNAMIC VPN TO PASS THROUGH";
   match {
       source-address any;
       destination-address any;
       application any;
   }
   then {
       permit {
           tunnel {
               ipsec-vpn IPSEC-DYN-VPN;
           }
       }
   }
}

You can also check whether traffic is hitting the SRX with the command show security flow session.

Example 8

karlo> show security flow session
Session ID: 12683, Policy name: DYN-untrust_TO_trust/10, Timeout: 1800, Valid
In: 10.0.9.103/56357 --> 10.0.3.1/22;tcp, If: fe-0/0/0.0, Pkts: 502, Bytes: 38710
Out: 10.0.3.1/22 --> 10.0.9.103/56357;tcp, If: .local..0, Pkts: 288, Bytes: 36773

In addition, traceoptions under security flow can be used. This is useful once the remote user has received an IP address: have them generate some traffic to a specific destination, and capture only that traffic with packet filters in both directions.

[edit]
karlo# show | compare
[edit security]
+   flow {
+      traceoptions {
+           file TSHOOT;
+           flag basic-datapath;
+           packet-filter REMOTE_TO_INTERNAL {
+               source-prefix 10.0.9.114/32;
+               destination-prefix 10.0.3.10/32;
+           }
+           packet-filter INTERNAL_TO_REMOTE {
+               source-prefix 10.0.3.10/32;
+               destination-prefix 10.0.9.114/32;
+           }
+       }
+   }
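Review bot: the trace file declared at `file TSHOOT;` has no `size` or `files` limit, so a basic-datapath trace on a busy flow can grow until it fills the SRX storage; consider `file TSHOOT size 10m files 3;` so the file rotates, and delete (or deactivate) security flow traceoptions once the capture is done, since the trace stays active across later commits.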

[edit]
karlo#

After you commit the traceoptions, have the remote user generate some traffic. Then you can view the results via show log <filename>.

show log TSHOOT

Hope you will find this post helpful.

Cheers!

Juniper SRX Dynamic VPN (Remote Access VPN) – Part 1

I have been really busy at work and with personal stuff, and I have not posted anything useful lately. This post will be about a simple home Dynamic VPN configuration, or what other vendors call Remote Access VPN.

Here is a simple topology:

Figure 1

Juniper SRX firewalls come with a permanent dynamic VPN license, but it is very limited. I have an SRX100 firewall, and it comes with 2 dynamic VPN licenses as shown in Example 1. The dynamic-vpn line is the license that comes with the SRX100.

Example 1

root# run show system license
License usage:
                     Licenses       Licenses   Licenses     Expiry
Feature name             used      installed     needed
dynamic-vpn                 0           2           0       permanent
ax411-wlan-ap               0           2           0       permanent

Licenses installed: none
[edit]
root#

As you can see, it comes with two licenses for dynamic-vpn, and they are permanent; therefore, I can have two users VPN to my network. If I need more users, I would need to purchase a license. Since it is a home network, two licenses should be sufficient for now.

Now, before we jump into the configuration, you would need to download Junos Pulse (discontinued) or the Pulse Secure desktop client. For a Linux desktop client, you can probably use the one from the Institute for Advanced Study. I have never tested this, so I can’t really comment on the Linux desktop client.

Unfortunately, if you are using newer code (firmware) on the SRX, the Windows desktop client is not available any longer, and if you try to navigate to https://<srx-untrust-ip-addr>/dynamic-vpn, you will get the banner shown in Figure 2.

Figure 2

The dynamic VPN requires the https service to work. If you already use J-Web via https to configure your SRX, then you can skip Example 2. The interface fe-0/0/0.0 (untrust) is my interface connected to the Internet. We need the https service enabled on the Internet-facing interface, since it is the receiving interface for the dynamic VPN.

Example 2

[edit]
root# show system services web-management
https {
    system-generated-certificate;
    interface fe-0/0/0.0;
}
[edit]
root#
set system services web-management https system-generated-certificate
set system services web-management https interface fe-0/0/0.0

Ensure that the untrust interface, in this case fe-0/0/0.0, is accepting https and ike. This is done under the security-zone. I do not have a static IP address, which is why I have dhcp added as well, but for what we are trying to accomplish here, all we need are ike and https.

Example 3

[edit]
root# show security zones security-zone untrust
screen untrust-screen;
interfaces {
   fe-0/0/0.0 {
       host-inbound-traffic {
           system-services {
               dhcp;
               https;
               ike;
           }
       }
   }
}
[edit]
root#
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

Next, we need to configure the IKE (phase 1) and IPsec (phase 2) proposals that the dynamic VPN tunnel will use.

Example 4

[edit]
root# show security ike proposal IKE-DYN-PROPOSAL 
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 1200;

[edit]
root# show security ipsec proposal IPSEC-DYN-PROPOSAL 
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;

[edit]
root#
set security ike proposal IKE-DYN-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-DYN-PROPOSAL dh-group group2
set security ike proposal IKE-DYN-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-DYN-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-DYN-PROPOSAL lifetime-seconds 1200

set security ipsec proposal IPSEC-DYN-PROPOSAL protocol esp
set security ipsec proposal IPSEC-DYN-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-DYN-PROPOSAL encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-DYN-PROPOSAL lifetime-seconds 3600

Once you have prepared the ike and ipsec proposals, you need to configure the tunnel. The proposals you created earlier are linked to the policies here. Also, I am using DDNS, so yours may be configured differently if you have a static IP, but if you are using DDNS at home then it should be the same.

Example 5

[edit]
root# show security ike policy IKE-DYN-POLICY 
mode aggressive;
proposals IKE-DYN-PROPOSAL;
pre-shared-key ascii-text "asd*#(0P;>!3Hb@&GnO0k.Ct0Bhc-Vw2JD.mT3/t5QO1hSvKL8X7-2a"; ## SECRET-DATA

[edit]
root# show security ike gateway IKE-DYN-GATEWAY 
ike-policy IKE-DYN-POLICY;
dynamic {
 hostname your-dynamic-dns.dyn.net;
 connections-limit 4;
 ike-user-type shared-ike-id;
}
external-interface fe-0/0/0;
xauth access-profile DYN-REMOTE-VPN;

[edit]
root# show security ipsec policy IPSEC-DYN-POLICY 
perfect-forward-secrecy {
 keys group5;
}
proposals IPSEC-DYN-PROPOSAL;

[edit]
root# show security ipsec vpn IPSEC-DYN-VPN 
ike {
 gateway IKE-DYN-GATEWAY;
 ipsec-policy IPSEC-DYN-POLICY;
}
establish-tunnels immediately;

[edit]
root#
set security ike policy IKE-DYN-POLICY mode aggressive
set security ike policy IKE-DYN-POLICY proposals IKE-DYN-PROPOSAL
set security ike policy IKE-DYN-POLICY pre-shared-key ascii-text "asd*#(0P;>!3Hb@&GnO0k.Ct0Bhc-Vw2JD.mT3/t5QO1hSvKL8X7-2a"
set security ike gateway IKE-DYN-GATEWAY ike-policy IKE-DYN-POLICY
set security ike gateway IKE-DYN-GATEWAY dynamic hostname your-dynamic-dns.dyn.net
set security ike gateway IKE-DYN-GATEWAY dynamic connections-limit 4
set security ike gateway IKE-DYN-GATEWAY dynamic ike-user-type shared-ike-id
set security ike gateway IKE-DYN-GATEWAY external-interface fe-0/0/0
set security ike gateway IKE-DYN-GATEWAY xauth access-profile DYN-REMOTE-VPN
set security ipsec policy IPSEC-DYN-POLICY perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-DYN-POLICY proposals IPSEC-DYN-PROPOSAL
set security ipsec vpn IPSEC-DYN-VPN ike gateway IKE-DYN-GATEWAY
set security ipsec vpn IPSEC-DYN-VPN ike ipsec-policy IPSEC-DYN-POLICY
set security ipsec vpn IPSEC-DYN-VPN establish-tunnels immediately

Once the tunnel has been configured, the DHCP address assignment for dynamic VPN users needs to be configured.

Example 6

[edit]
root# show access address-assignment pool DYN-REMOTE-POOL
family inet {
   network 192.168.0.0/24;
   range DYN-REMOTE-IP-RANGE {
       low 192.168.0.100;
       high 192.168.0.110;
   }
   xauth-attributes {
       primary-dns 8.8.8.8/32;
   }
}
[edit]
root#
set access address-assignment pool DYN-REMOTE-POOL family inet network 192.168.0.0/24
set access address-assignment pool DYN-REMOTE-POOL family inet range DYN-REMOTE-IP-RANGE low 192.168.0.100
set access address-assignment pool DYN-REMOTE-POOL family inet range DYN-REMOTE-IP-RANGE high 192.168.0.110
set access address-assignment pool DYN-REMOTE-POOL family inet xauth-attributes primary-dns 8.8.8.8/32

Next, configure the dynamic VPN authentication; the address pool created above needs to be linked to this access profile.

Example 7

[edit]
root# show access profile DYN-REMOTE-VPN
client user01 {
   firewall-user {
       password "your-remote-user-password"; ## SECRET-DATA
   }
}
address-assignment {
   pool DYN-REMOTE-POOL;
}
[edit]
root# show access firewall-authentication 
web-authentication {
    default-profile DYN-REMOTE-VPN;
}
[edit]
root#
set access profile DYN-REMOTE-VPN client user01 firewall-user password your-remote-user-password
set access profile DYN-REMOTE-VPN address-assignment pool DYN-REMOTE-POOL
set access firewall-authentication web-authentication default-profile DYN-REMOTE-VPN

Here is a caveat:
If your remote clients are going to be in the same subnet (pool) as your internal clients, you would need to use nat proxy-arp. This is only needed if that subnet is directly connected to the SRX, because the SRX would need to answer the ARP requests from the internal clients on behalf of the remote clients. Otherwise, it is not needed.

Example 7.1
set security nat proxy-arp interface fe-0/0/0.0 address 192.168.3.100 to 192.168.3.110

Now, we need to associate the VPN user(s) with the dynamic-vpn configuration. Just to make things clear here, the remote-protected-resources are the IPs or subnets internal to your network. Meaning, if the remote user is trying to download something from your server via VPN, the server IP or subnet needs to be under the remote-protected-resources.

To enable split-tunneling, use remote-exceptions: all traffic that is not destined to the IPs or subnets specified in remote-protected-resources will be routed via the remote client’s local network (the client’s router to the Internet, etc.). In this example, any (0.0.0.0/0) traffic whose destination is not 192.168.0.0/24 or 192.168.1.100/32 will not be sent through the tunnel.

Example 8

[edit]
root# show security dynamic-vpn
access-profile DYN-REMOTE-VPN;
clients {
   DYN-REMOTE-ACCESS-VPN {
       remote-protected-resources {
           192.168.2.0/24;
           192.168.1.100/32;
       }
       remote-exceptions {
           0.0.0.0/0;          
       }
       ipsec-vpn IPSEC-DYN-VPN;
       user {
           user01;
       }
   }
}
[edit]
root#
set security dynamic-vpn access-profile DYN-REMOTE-VPN
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN remote-protected-resources 192.168.2.0/24
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN remote-protected-resources 192.168.1.100/32
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN ipsec-vpn IPSEC-DYN-VPN
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN user user01

Now, to get the dynamic VPN working, a security policy is needed to allow the traffic coming from the Internet into your internal network. In this case, the destination is in the trust zone; therefore, the from-zone is untrust and the to-zone is trust.

Example 9

[edit]
root# show security policies
from-zone untrust to-zone trust {
   policy DYN-untrust_TO_trust {
       description "TO ALLOW TRAFFIC FROM DYNAMIC VPN TO PASS TRAFFIC THROUGH";
       match {
           source-address any;
           destination-address any;
           application any;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn IPSEC-DYN-VPN;
               }
           }
       }
   }
}
[edit]
root#
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust description "TO ALLOW TRAFFIC FROM DYNAMIC VPN TO PASS TRAFFIC THROUGH"
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match source-address any
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match destination-address any
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match application any
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust then permit tunnel ipsec-vpn IPSEC-DYN-VPN

If you followed along, you should be able to establish a dynamic VPN using either of the desktop clients mentioned at the beginning of this post. HOWEVER, you won’t be able to access anything behind the SRX (your internal network), and your remote clients won’t receive an IP address from the DHCP pool we configured earlier.

First, let’s get DHCP working for the remote user(s), assuming the SRX is the DHCP server. For the SRX to respond to the DHCP request from the client, the security-zone host-inbound-traffic should be configured to allow dhcp on the dynamic-vpn interface.

Example 10

[edit]
root# show security zones security-zone DYN-VPN-ZONE
host-inbound-traffic {
   system-services {
       all;
   }
   protocols {
       all;
   }
}
interfaces {
   vlan.9 {
       host-inbound-traffic {
           system-services {
               dhcp;
           }
       }
   }
}
[edit]
root#
set security zones security-zone DYN-VPN-ZONE interfaces vlan.9 host-inbound-traffic system-services dhcp

Once dhcp has been added to the dynamic VPN interface under the security-zone, the SRX should respond to the remote clients’ DHCP requests.

In this post, if you have not noticed, I have the dynamic VPN interface in a different security-zone than the trust zone, as shown in the Figure 1 topology. So I have to create another security policy to allow traffic from the security-zone where the dynamic VPN interface is to the destination, which is the trust zone.

Example 11

[edit]
root# show security policies
from-zone DYN-VPN-ZONE to-zone trust {
   policy DYN-USERS_TO_NIXDOMAIN {
       match {
           source-address any;
           destination-address any;
           application any;
       }
       then {
           permit;
       }
   }
}
[edit]
root#
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN description "ALLOW DYNAMIC VPN TO REACH THE TRUST ZONE RESOURCES"
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match source-address any
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match destination-address any
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match application any
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN then permit

This is it. We have finished configuring our home SRX for dynamic VPN. At this point, the remote user should be able to establish a dynamic VPN to the SRX and access the resources allowed by the second security policy.
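Most of the set commands above refer to an object defined by another set command (the gateway names its policy, the policy its proposal, the dynamic-vpn client its ipsec-vpn and its user, and so on), and a typo in any one of them is exactly the kind of thing that leaves the tunnel silently unusable. As an added example, not code from the original post or from Juniper, here is a small Python checker that reads set-style lines and reports dangling references, a dynamic-vpn user with no client entry in the referenced access profile, and an IKE external interface whose zone does not accept ike and https. The sample config is constructed from the set commands in Examples 2 through 11 (the password is a placeholder), with the `secuity` misspelling kept on purpose so the checker has something to catch.

```python
"""Cross-reference checker for a set-style Junos SRX dynamic VPN config.

Added example, not the post's or Juniper's code. It parses 'set ...' lines
and verifies that every object one statement names is defined by another.
"""

# Constructed sample built from the post's set commands; the 'secuity' typo
# is deliberate, and the password is a placeholder.
SAMPLE_CONFIG = """
set system services web-management https interface fe-0/0/0.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security ike proposal IKE-DYN-PROPOSAL authentication-method pre-shared-keys
set security ipsec proposal IPSEC-DYN-PROPOSAL protocol esp
set security ike policy IKE-DYN-POLICY mode aggressive
set security ike policy IKE-DYN-POLICY proposals IKE-DYN-PROPOSAL
set security ike gateway IKE-DYN-GATEWAY ike-policy IKE-DYN-POLICY
set security ike gateway IKE-DYN-GATEWAY external-interface fe-0/0/0
set security ike gateway IKE-DYN-GATEWAY xauth access-profile DYN-REMOTE-VPN
set security ipsec policy IPSEC-DYN-POLICY proposals IPSEC-DYN-PROPOSAL
set security ipsec vpn IPSEC-DYN-VPN ike gateway IKE-DYN-GATEWAY
set security ipsec vpn IPSEC-DYN-VPN ike ipsec-policy IPSEC-DYN-POLICY
set access address-assignment pool DYN-REMOTE-POOL family inet network 192.168.0.0/24
set access profile DYN-REMOTE-VPN client user01 firewall-user password PLACEHOLDER
set access profile DYN-REMOTE-VPN address-assignment pool DYN-REMOTE-POOL
set security dynamic-vpn access-profile DYN-REMOTE-VPN
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN ipsec-vpn IPSEC-DYN-VPN
set secuity dynamic-vpn clients DYN-REMOTE-ACCESS-VPN user user01
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust then permit tunnel ipsec-vpn IPSEC-DYN-VPN
"""

# Subset of the Junos top-level hierarchies; anything else is a typo.
TOP_LEVEL = {"system", "security", "access", "interfaces", "routing-options", "protocols", "vlans"}

# (prefix of the referencing statement, keyword before the name, prefix that defines the name)
CROSS_REFS = [
    (("security", "ike", "policy"), "proposals", ("security", "ike", "proposal")),
    (("security", "ike", "gateway"), "ike-policy", ("security", "ike", "policy")),
    (("security", "ike", "gateway"), "access-profile", ("access", "profile")),
    (("security", "ipsec", "policy"), "proposals", ("security", "ipsec", "proposal")),
    (("security", "ipsec", "vpn"), "gateway", ("security", "ike", "gateway")),
    (("security", "ipsec", "vpn"), "ipsec-policy", ("security", "ipsec", "policy")),
    (("access", "profile"), "pool", ("access", "address-assignment", "pool")),
    (("security", "dynamic-vpn"), "access-profile", ("access", "profile")),
    (("security", "dynamic-vpn"), "ipsec-vpn", ("security", "ipsec", "vpn")),
    (("security", "policies"), "ipsec-vpn", ("security", "ipsec", "vpn")),
]


def parse_set_lines(text):
    """Token lists of every 'set ...' line, with the leading 'set' dropped."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]


def defined(stmts, *prefix):
    """Names defined directly under a path, e.g. defined(stmts, 'security', 'ike', 'policy')."""
    n = len(prefix)
    return {s[n] for s in stmts if s[:n] == list(prefix) and len(s) > n}


def references(stmts, keyword, *prefix):
    """(referenced_name, statement_text) for statements under prefix that contain keyword."""
    n = len(prefix)
    out = []
    for s in stmts:
        if s[:n] == list(prefix) and keyword in s[n:]:
            i = s.index(keyword, n)
            if i + 1 < len(s):
                out.append((s[i + 1], " ".join(s)))
    return out


def check_config(text):
    """Return a list of human-readable problems; empty means consistent."""
    stmts = parse_set_lines(text)
    problems = []
    # 1. every statement must start with a known hierarchy (catches typos like 'secuity')
    for s in stmts:
        if s[0] not in TOP_LEVEL:
            problems.append(f"unknown hierarchy '{s[0]}' in: set {' '.join(s)}")
    # 2. every referenced object must be defined somewhere
    for ref_prefix, keyword, def_prefix in CROSS_REFS:
        names = defined(stmts, *def_prefix)
        for name, stmt in references(stmts, keyword, *ref_prefix):
            if name not in names:
                problems.append(f"'{name}' referenced but not defined under {' '.join(def_prefix)}: set {stmt}")
    # 3. dynamic-vpn users must exist as clients of the referenced access profile
    profiles = [n for n, _ in references(stmts, "access-profile", "security", "dynamic-vpn")]
    for user, stmt in references(stmts, "user", "security", "dynamic-vpn"):
        if not any(user in defined(stmts, "access", "profile", p, "client") for p in profiles):
            problems.append(f"dynamic-vpn user '{user}' has no client entry in access profile(s) {profiles}: set {stmt}")
    # 4. the IKE gateway's external interface must accept ike and https in its zone
    for iface, stmt in references(stmts, "external-interface", "security", "ike", "gateway"):
        unit = iface if "." in iface else iface + ".0"
        for svc in ("ike", "https"):
            ok = any(s[:2] == ["security", "zones"] and unit in s and "system-services" in s and s[-1] == svc for s in stmts)
            if not ok:
                problems.append(f"zone of {unit} does not allow {svc}: set {stmt}")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG):
        print(problem)
```

Run it against `show configuration | display set` saved to a file and it reports only the misspelled line for the sample above; fix that line and it reports nothing. The checker validates references, not strength: the post's proposals use 3des-cbc, sha1, dh-group group2 and aggressive mode with a pre-shared key, and Junos also accepts aes-256-cbc, sha-256 and group14 in the same proposal statements where the client supports them.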

This post is getting longer; please see Part 2 for verification and troubleshooting.

Cheers!