Juniper SRX eBGP peering not working

venerzky
Posts: 35
Joined: Sat Jun 03, 2017 3:18 pm

Juniper SRX eBGP peering not working

Post by venerzky » Wed Feb 19, 2020 1:27 am

Hi guys,

Is this something that eve-ng is not capable of, or is this a bug? Please help, as I'm unable to do eBGP peering but the configs are all correct. See details below.
root@vSRX1> show configuration | display set
set version 12.1X47-D20.7
set system host-name vSRX1
set system root-authentication encrypted-password "$1$x.A0LJlO$5Bz3OQh4fEkrzZneTq6AC0"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set routing-options autonomous-system 100
set protocols bgp group EXTERNAL_PEERS type external
set protocols bgp group EXTERNAL_PEERS peer-as 200
set protocols bgp group EXTERNAL_PEERS neighbor 10.10.10.2
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

root@vSRX1>

root@vSRX2> show configuration | display set | no-more
set version 12.1X47-D20.7
set system host-name vSRX2
set system root-authentication encrypted-password "$1$40xZZXtF$1FZ/78Sqq/9Ytw8McSBn50"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/24
set routing-options autonomous-system 200
set protocols bgp group EXTERNAL_PEERS type external
set protocols bgp group EXTERNAL_PEERS peer-as 100
set protocols bgp group EXTERNAL_PEERS neighbor 10.10.10.1
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

root@vSRX2>

venerzky
Posts: 35
Joined: Sat Jun 03, 2017 3:18 pm

Re: Juniper SRX eBGP peering not working

Post by venerzky » Wed Feb 19, 2020 1:28 am

Both are reachable:
root@vSRX1> ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=8.499 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=11.918 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=11.709 ms
^C
--- 10.10.10.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.499/10.709/11.918/1.565 ms

root@vSRX1>

root@vSRX1> show bgp summary
Groups: 1 Peers: 1 Down peers: 1
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.10.10.2 200 0 0 0 0 9:52 Active

root@vSRX1>

root@vSRX1>

root@vSRX1> show bgp neighbor
Peer: 10.10.10.2 AS 200 Local: 10.10.10.1 AS 100
Type: External State: Active Flags: <ImportEval>
Last State: Idle Last Event: Start
Last Error: None
Options: <Preference PeerAS Refresh>
Holdtime: 90 Preference: 170
Number of flaps: 0

root@vSRX1>

venerzky
Posts: 35
Joined: Sat Jun 03, 2017 3:18 pm

Re: Juniper SRX eBGP peering not working

Post by venerzky » Wed Feb 19, 2020 1:32 am

2-19-2020 9-31-28 AM.png

venerzky
Posts: 35
Joined: Sat Jun 03, 2017 3:18 pm

Re: Juniper SRX eBGP peering not working

Post by venerzky » Sun Feb 23, 2020 10:54 am

Anyone? Do I need to add security policy and allow TCP/179?

venerzky
Posts: 35
Joined: Sat Jun 03, 2017 3:18 pm

Re: Juniper SRX eBGP peering not working

Post by venerzky » Sun Feb 23, 2020 11:35 am

SOLVED: need to add the following command:

set security zones security-zone untrust host-inbound-traffic protocols bgp

Chris929
Posts: 83
Joined: Tue Jun 27, 2017 8:51 am

Re: Juniper SRX eBGP peering not working

Post by Chris929 » Thu Apr 09, 2020 9:12 pm

Yes - the vSRX is a FIREWALL - if you want it to run BGP, you need to allow the services needed ;)
If you just want a lightweight router, you can put the SRX in packet mode:
https://kb.juniper.net/InfoCenter/index ... id=KB30461
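The failure mode in this thread (peer stuck in Active because the zone's host-inbound-traffic never admits BGP) is easy to catch by auditing the `display set` output before committing. The script below is an added example, not part of the thread or of Junos: it parses a constructed excerpt of vSRX1's config, resolves each BGP neighbor to the directly connected interface and its security zone, and reports whether `host-inbound-traffic protocols bgp` (or `protocols all`) is present at the zone or interface level. The function and variable names are my own.

```python
import ipaddress

# Constructed excerpt of vSRX1's "display set" output from the thread, before the fix:
# neighbor 10.10.10.2 is reached via ge-0/0/0.0 in zone untrust, which only allows a
# few system-services and no routing protocols.
VSRX1_BEFORE = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set protocols bgp group EXTERNAL_PEERS type external
set protocols bgp group EXTERNAL_PEERS peer-as 200
set protocols bgp group EXTERNAL_PEERS neighbor 10.10.10.2
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
"""
# The same config plus the one zone-level line the thread ended up adding.
VSRX1_AFTER = VSRX1_BEFORE + (
    "set security zones security-zone untrust host-inbound-traffic protocols bgp\n")

BGP_OK = (["protocols", "bgp"], ["protocols", "all"])  # either entry admits BGP

def audit_bgp_host_inbound(config):
    """Map each BGP neighbor to {interface, zone, allowed}; 'allowed' is True when the
    zone or the interface itself admits BGP. Only directly connected peers resolve."""
    iface_net, iface_zone, zone_bgp, iface_bgp, neighbors = {}, {}, set(), set(), []
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] != "set":
            continue
        if w[1] == "interfaces" and "address" in w:
            # "set interfaces ge-0/0/0 unit 0 family inet address A/len" -> ge-0/0/0.0
            iface_net[f"{w[2]}.{w[4]}"] = ipaddress.ip_interface(w[w.index("address") + 1]).network
        elif w[1:3] == ["protocols", "bgp"] and "neighbor" in w:
            neighbors.append(w[w.index("neighbor") + 1])
        elif w[1:4] == ["security", "zones", "security-zone"]:
            zone = w[4]
            if "interfaces" in w:               # interface-level host-inbound-traffic
                ifname = w[w.index("interfaces") + 1]
                iface_zone[ifname] = zone
                if w[-2:] in BGP_OK:
                    iface_bgp.add(ifname)
            elif w[-2:] in BGP_OK:              # zone-level host-inbound-traffic
                zone_bgp.add(zone)
    report = {}
    for nbr in neighbors:
        ip = ipaddress.ip_address(nbr)
        ifname = next((i for i, net in iface_net.items() if ip in net), None)
        zone = iface_zone.get(ifname)
        report[nbr] = {"interface": ifname, "zone": zone,
                       "allowed": ifname in iface_bgp or zone in zone_bgp}
    return report
```

Run against the full `display set` output of both vSRX boxes; any neighbor reported with `allowed: False` will sit in Active exactly as in the `show bgp summary` above.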
