Channel: All Routing posts

SRX 550 - OSPF Adjacency Stuck in ExStart State


I have a clustered SRX 550 pair.  They are uplinked to a pair of fabriced Brocade VDX 6740s.  Uplinked from there is a Brocade NetIron CER.  

 

I've configured OSPF on each device and made sure they are in the same area.  I've also added interfaces to the area and added network statements.  The firewall and router are both staying in the ExStart State like this:

===========================================================================

root@SRX> show ospf neighbor
Address          Interface        State        ID                    Pri        Dead
192.168.1.1     reth0.0           ExStart    192.168.1.1     1           36

===========================================================================

SSH@CER#show ip ospf neighbor
Number of Neighbors is 1, in FULL state 0

Port      Address            Pri       State Neigh       Address              Neigh ID               Ev Opt      Cnt
v99      192.168.1.1     128      EXST/BDR          192.168.1.1       192.168.1.1          15382       0

 =========================================================================

I know that MTU size tends to cause this problem so I've checked all MTU settings.  Some were different but I forced them all to be 1548.  So that is no longer an issue. 

 

Any other ideas?


Fortigate > Juniper 3300


I'm trying to source what the possible problem of why I'm unable to ping from the Fortigate to Juniper ge-0/1/3 with IP 192.168.199.254.  Any chance someone can point out why I'm unable to ping from the fortigate Mail VLAN > 192.168.199.254 (Juniper).  I'm trying to access the Juniper to manage it or just ping the interface.  I've even added a laptop on ge-0/0/0 with IP 192.168.199.45 and was unable to ping 192.168.199.254 - any help appreciated

 

Fortigate (Port 18 -Fibre) IP 1.1.1.4 255.255.2555.255

Fortigate (Mail VLAN 25) 192.168.199.1 255.255.255.0     >   Juniper ge-0/1/3 

 

interface-range Mail_SRV {
member-range ge-0/0/0 to ge-0/0/12;
unit 0 {
family ethernet-switching {
vlan {
members Mail;
}
interface-range Mail_IMP {
member-range ge-0/0/13 to ge-0/0/23;
unit 0 {
family ethernet-switching {
vlan {
members IMP;

ge-0/0/0  - xe-0/1/2 {unit 0 {family ethernet-switching (All Interfaces except ge-0/1/3)

ge-0/1/3 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ IMP Mail ];

xe-0/1/3 {
unit 0 {
family ethernet-switching;

vlan {
unit 0 {
family inet;
}
unit 25 {
family inet {
address 192.168.199.254/24;

Re: RSVP signal failed on the interface with public/private IPv4 address


Hi 

 

As tested, it will be normal while I changed private IP to 172.x.x.x. And my IGP(IS-IS) also choose public IP as connecting.

 

But I still wish to figure out any other way to keep origin private IP address.

Is there any better method to make IS-IS or RSVP establish with public IP first ?

 

Thanks

Cloud 

Re: SRX 550 - OSPF Adjacency Stuck in ExStart State


SRX is in which mode packet mode or Flow mode?

 

If it is in flow mode, have you allowed host-inbound-system protocols ospf for reth.0?

 

If still it is stuck in ExStart, can you change from reth0 to ge-x/x/x to trouble it further?

 

Also paste your configuration to understand it better.
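
An added example (not code from this thread or from Juniper) of the host-inbound-traffic check asked about above: it reads set-format configuration and reports, for each interface under protocols ospf, whether OSPF is permitted to reach the device. The sample configuration and the dmz zone are constructed; that interface-level host-inbound-traffic replaces the zone-level list is an assumption of this example, and `except` entries are not handled.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format, modelled on the statements quoted in this thread.
SAMPLE = """\
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces reth1.0
set security zones security-zone untrust host-inbound-traffic protocols ospf
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic protocols ospf
set security zones security-zone dmz host-inbound-traffic protocols ospf
set security zones security-zone dmz interfaces reth2.0 host-inbound-traffic system-services ping
set protocols ospf area 0.0.0.20 interface reth0.0
set protocols ospf area 0.0.0.20 interface reth1.0
set protocols ospf area 0.0.0.20 interface reth2.0
set protocols ospf area 0.0.0.20 interface reth3.0
"""

ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+) "
    r"(?:interfaces (\S+) )?host-inbound-traffic (system-services|protocols) (\S+)$")
BIND_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
OSPF_RE = re.compile(r"^set protocols ospf area \S+ interface (\S+)")

def audit_ospf_host_inbound(config):
    """Map each OSPF interface to 'allowed', 'blocked' or 'no-zone'."""
    zone_allow = defaultdict(set)   # zone -> {(kind, name)}
    intf_allow = defaultdict(set)   # interface -> {(kind, name)}
    intf_zone = {}                  # interface -> zone it is bound to
    ospf_intfs = []
    for line in config.splitlines():
        line = line.strip()
        m = BIND_RE.match(line)
        if m:
            intf_zone[m.group(2)] = m.group(1)
        m = ZONE_RE.match(line)
        if m:
            zone, intf, kind, name = m.groups()
            (intf_allow[intf] if intf else zone_allow[zone]).add((kind, name))
        m = OSPF_RE.match(line)
        if m:
            ospf_intfs.append(m.group(1))
    result = {}
    for intf in ospf_intfs:
        if intf not in intf_zone:
            result[intf] = "no-zone"
            continue
        # Assumption: any interface-level statement replaces the zone-level list.
        allowed = intf_allow[intf] if intf in intf_allow else zone_allow[intf_zone[intf]]
        ok = ("protocols", "ospf") in allowed or ("protocols", "all") in allowed
        result[intf] = "allowed" if ok else "blocked"
    return result

if __name__ == "__main__":
    for name, verdict in audit_ospf_host_inbound(SAMPLE).items():
        print(f"{name}: {verdict}")
```
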

Re: How to establish a remote GW via L2circuit


Hi 

 

For option 1, I set VPLS in KR and added L2circuit in HK. but still not work as follow.

Would like someone give me some suggestion.

 

> show l2circuit connections

Neighbor: 182.54.131.11
Interface Type St Time last up # Up trans
ae3.11(vc 10011) rmt OL

 

And how to advertise irb from VPLS to int.0. Seem that can't use rib-group.

Or need to creating L3VPN like VRF to advertise it ? 

 

Many thanks 

Cloud

 

----- KR -------------

instance-type vpls;
vlan-id 11;
routing-interface irb.11;
no-local-switching;
route-distinguisher 102.36.50.9:776;
vrf-target target:2024:776;
protocols {
vpls {
no-tunnel-services;
vpls-id 10011;
mtu 1600;
neighbor 173.198.146.6 {
encapsulation-type ethernet-vlan;
}

 

----- HK -------

> show configuration interfaces ae3

flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
aggregated-ether-options {
link-speed 10g;
lacp {
active;
periodic fast;
}
}

unit 11 {
encapsulation vlan-ccc;
vlan-id 11;

 

> show configuration protocols l2circuit

neighbor 172.54.131.11 {
interface ae3.11 {
virtual-circuit-id 10011;
control-word;
mtu 1600;
encapsulation-type ethernet-vlan;
ignore-mtu-mismatch;
pseudowire-status-tlv;
}
}

 

 


 wrote:

Hello,

I could think of 2 ways to do it:

1/ classic way : You establish L2circuit between HK and KR routers. On HK router, configure the server-facing interface as L2circuit UNI. On KR router, configure LDP VPLS instance with IRB, assign an IP/IPv6 address to that IRB and make sure the IRB subnet is advertised to the outside world.



Re: SRX 550 - OSPF Adjacency Stuck in ExStart State

depending on encapsulation type and possible amount of vlan headers junos sometimes have a different actual MTU than displayed

try the value corrected by -8, -4, +4, +8 on one side of the link

pls tell me if successful

regards

alexander

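
The MTU dependence discussed in this thread, as an added example (not from the original posts): OSPFv2 Database Description packets carry the sender's interface MTU, and RFC 2328 section 10.6 has the receiver reject a DBD whose MTU is larger than it can accept, which keeps the adjacency from reaching Exchange. The router IDs, area and media MTU 1522 come from the configuration posted in the thread; treating 1548 as the peer's IP MTU and the 14-byte untagged Ethernet overhead (plus 4 per VLAN tag) are assumptions.

```python
import socket
import struct

ETH_HDR = 14  # assumption: untagged Ethernet header; each VLAN tag adds 4 bytes

def junos_ip_mtu(media_mtu, vlan_tags=0):
    """IP MTU derived from a configured media MTU (assumed overhead model)."""
    return media_mtu - ETH_HDR - 4 * vlan_tags

def build_dbd(router_id, area_id, if_mtu, seq, flags=0x07):
    """Build an OSPFv2 DBD packet; flags 0x07 = I|M|MS (first DBD in ExStart).
    Checksum and authentication are left zero in this example."""
    body = struct.pack("!HBBI", if_mtu, 0x02, flags, seq)
    header = struct.pack("!BBH4s4sHH8s", 2, 2, 24 + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, 0, b"\x00" * 8)
    return header + body

def parse_dbd(pkt):
    """Extract the fields that matter for the ExStart MTU check."""
    if len(pkt) < 32:
        raise ValueError("too short for an OSPFv2 DBD packet")
    version, ptype, length = struct.unpack("!BBH", pkt[:4])
    if version != 2 or ptype != 2 or length != len(pkt):
        raise ValueError("not an OSPFv2 Database Description packet")
    if_mtu, _options, flags, seq = struct.unpack("!HBBI", pkt[24:32])
    return {"router_id": socket.inet_ntoa(pkt[4:8]),
            "if_mtu": if_mtu, "flags": flags, "seq": seq}

def accepts_dbd(local_ip_mtu, pkt):
    """RFC 2328 10.6: reject a DBD that advertises a larger MTU than ours."""
    return parse_dbd(pkt)["if_mtu"] <= local_ip_mtu

if __name__ == "__main__":
    srx_mtu = junos_ip_mtu(1522)   # media MTU from the posted reth0 config
    peer_mtu = 1548                # assumed IP MTU on the neighbor
    from_peer = build_dbd("192.168.1.1", "0.0.0.20", peer_mtu, seq=1)
    from_srx = build_dbd("192.168.1.6", "0.0.0.20", srx_mtu, seq=1)
    print("SRX IP MTU:", srx_mtu)
    print("SRX accepts peer DBD:", accepts_dbd(srx_mtu, from_peer))
    print("peer accepts SRX DBD:", accepts_dbd(peer_mtu, from_srx))
    for tags in (0, 1, 2):         # how VLAN tags shift the advertised value
        print(tags, "tag(s):", junos_ip_mtu(1522, tags))
```
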

LAG bundle on ACX 17.3R2.10 only uses one interface


Hi Folks!

Any body using Junos 17.3R2.10 on ACX (2200)s?

It seems, since upgrading, that all our LAG bundles are only using a single interface in the bundle causing capacity issues...

I've configured the hashing in forwarding-options, but it made no difference.

Anybody else seen this? Anybody else got any ideas?

Thanks in advance for any trouble taken...!

 

Problems with ospf in IPv6


We have configured several ospf sessions in IPv6 but one of them does not work. In router 1, it remains in the init state and in the router 2 nothing appears. The strange thing is that in both routers there are other ospf sessions that work correctly.

please, can you help us?

Thank you.


Re: Problems with ospf in IPv6


Hi CICA,

 

If the neighbor doesn't even appear on one router, that's the problem.  Please ensure you see the required interfaces from "show ospf3 interface" on both routers.

 

-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

 

Re: How to establish a remote GW via L2circuit


Hello there,


 wrote:

 

 

> show l2circuit connections

Neighbor: 182.54.131.11
Interface Type St Time last up # Up trans
ae3.11(vc 10011) rmt OL

 

 


1/ Do you have MPLS (LDP or RSVP) all the way through between HK and KR?

2/ Do You have "interface lo0.0" under "protocols ldp" on HK and KR?

HTH

Thx
Alex

Re: SRX 550 - OSPF Adjacency Stuck in ExStart State


So I've tried all of these values.  Three of them stop neighbor relationships altogether and 1 of them has the relationship state as '2Way'.

Re: SRX 550 - OSPF Adjacency Stuck in ExStart State


set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic protocols ospf
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services traceroute
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic protocols ospf

I have indeed added ospf as a protocol on both the interface and the zone itself.

Re: SRX 550 - OSPF Adjacency Stuck in ExStart State

set version 12.3X48-D25.3
set groups node0 system host-name DC-CFW-01
set groups node0 interfaces fxp0 unit 0 family inet address 10.251.200.5/16
set groups node1 system host-name DC-CFW-02
set groups node1 interfaces fxp0 unit 0 family inet address 10.251.200.6/16
set apply-groups "${node}"
set system host-name DC-NJ-CFW
set system root-authentication encrypted-password "$1$NBfm/zUG$fBrtCik0lNc35pZ6EZBQK."
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set chassis cluster reth-count 5
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/6 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/7 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/6 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/7 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/8 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/9 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/8 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/9 weight 255
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then deny
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces reth1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic protocols ospf
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services traceroute
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic protocols ospf
set security zones security-zone planet-data interfaces reth2.0
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces ge-0/0/6 gigether-options redundant-parent reth1
set interfaces ge-0/0/7 gigether-options redundant-parent reth1
set interfaces ge-0/0/8 gigether-options redundant-parent reth2
set interfaces ge-0/0/9 gigether-options redundant-parent reth2
set interfaces ge-9/0/4 gigether-options redundant-parent reth0
set interfaces ge-9/0/5 gigether-options redundant-parent reth0
set interfaces ge-9/0/6 gigether-options redundant-parent reth1
set interfaces ge-9/0/7 gigether-options redundant-parent reth1
set interfaces ge-9/0/8 gigether-options redundant-parent reth2
set interfaces ge-9/0/9 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/3
set interfaces fxp0 unit 0 family inet
set interfaces lo0 unit 0 family inet address 2.2.2.2/24
set interfaces reth0 description UNTRUST
set interfaces reth0 mtu 1522
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp passive
set interfaces reth0 unit 0 family inet address 192.168.1.6/29
set interfaces reth1 description TRUST
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 unit 0 family inet
set routing-options router-id 192.168.1.6
set protocols ospf export EXPORT-OSPF
set protocols ospf area 0.0.0.20 area-range 192.168.1.0/29
set protocols ospf area 0.0.0.20 interface reth0.0
set protocols ospf area 0.0.0.20 interface lo0.0
set protocols stp
set policy-options prefix-list EXPORT-OSPF 1.1.1.0/24
set policy-options prefix-list EXPORT-OSPF 2.2.2.0/24
set policy-options prefix-list EXPORT-OSPF 192.168.1.0/29
set policy-options policy-statement EXPORT-OSPF term acceptDefault1 from protocol direct
set policy-options policy-statement EXPORT-OSPF term acceptDefault1 from prefix-list EXPORT-OSPF
set policy-options policy-statement EXPORT-OSPF term acceptDefault1 then accept
set policy-options policy-statement EXPORT-OSPF term acceptStatic1 from protocol static
set policy-options policy-statement EXPORT-OSPF term acceptStatic1 from prefix-list EXPORT-OSPF
set policy-options policy-statement EXPORT-OSPF term acceptStatic1 then accept
set policy-options policy-statement EXPORT-OSPF then reject

Re: SRX 550 - OSPF Adjacency Stuck in ExStart State

Can you pl remove area-range knob as same network is being advertized via reth0 as well.

2nd, which physical interfaces are connected between SRX550 and remote devices forming OSPF? What is the status of the command show chassis cluster status during OSPF process?

Last, can you pl configure the OSPF trace-options as follows:

set protocols ospf traceoptions file ospf-log
set protocols ospf traceoptions file files 5 size 10k
set protocols ospf traceoptions flag all
commit and quit

**********

clear ospf neighbor
show log ospf-log (capture this file and paste it here to troubleshoot it further).

Re: Fortigate > Juniper 3300


Does the zone that interface xe-0/1/3.25 belongs to allow ping on host inbound traffic?

 


Re: Fortigate > Juniper 3300


have you mapped vlan.25 to the Mail vlan? That could explain why it doesn't work neither via xe-0/1/3 and ge-0/0/0

 

vlans {
    Mail {
        vlan-id XX;
        l3-interface vlan.25;
    }
}

Secondly; please verify that the last SFP+ port on the EX3300 isn't configured for virtual-chassis. You can see it by validating if xe-0/1/3 is shown via 'show interface xe-0/1/3'.

 

Re: SRX 550 - OSPF Adjacency Stuck in ExStart State


Hello,

Do You have a CoPP filter on Brocade side ?

If yes have You allowed subnet 192.168.1.0/29 in this filter?

OSPF DBD exchange is unicast, not multicast.

HTH

Thx

Alex

Re: Fortigate > Juniper 3300


I've added this to the Mail Vlan but when i do a show vlan, I don't see ge-0/1/3.   

Since ge-0/1/3 is a trunk and I've assigned an IP address to that interface, I'd suspect this should suffice.  

 

I'm unsure of what I'm missing here as this should be pretty basic but this is my first Juniper experience.  What am I not having right here? 

 

ge-0/1/3 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ IMP Mail ];

 

vlans {
IMP {
vlan-id 24;
}
Mail {
vlan-id 25;
interface {
ge-0/1/3.0;
}
l3-interface vlan.25;
}
default {
l3-interface vlan.0;

 

root@STGPSW99> show vlans
Name Tag Interfaces
IMP 24
ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0,
ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/20.0,
ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0
Mail 25
ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0,
ge-0/0/12.0

 

----------------------

 

root@STGPSW99> show interfaces
Possible completions:
<[Enter]> Execute this command
<interface-name> Name of physical or logical interface
vcp-255/1/2
vcp-255/1/2.32768
vcp-255/1/3
vcp-255/1/3.32768
ge-0/0/0
ge-0/0/0.0
ge-0/0/1
ge-0/0/1.0
ge-0/0/2
ge-0/0/2.0
ge-0/0/3
ge-0/0/3.0
ge-0/0/4
ge-0/0/4.0
ge-0/0/5
ge-0/0/5.0
ge-0/0/6
ge-0/0/6.0
ge-0/0/7
ge-0/0/7.0
ge-0/0/8
ge-0/0/8.0
ge-0/0/9
ge-0/0/9.0
ge-0/0/10
ge-0/0/10.0
ge-0/0/11
ge-0/0/11.0
ge-0/0/12
ge-0/0/12.0
ge-0/0/13
ge-0/0/13.0
ge-0/0/14
ge-0/0/14.0
ge-0/0/15
ge-0/0/15.0
ge-0/0/16
ge-0/0/16.0
ge-0/0/17
ge-0/0/17.0
ge-0/0/18
ge-0/0/18.0
ge-0/0/19
ge-0/0/19.0
ge-0/0/20
ge-0/0/20.0
ge-0/0/21
ge-0/0/21.0
ge-0/0/22
ge-0/0/22.0
ge-0/0/23
ge-0/0/23.0
bme0
bme0.32768
dsc
gre
ipip
jsrv
jsrv.1
lo0
lo0.16384
lsi
me0
me0.0
mtun
pimd
pime
tap
vlan
vlan.0
vlan.25
vme
vme.0
brief Display brief output
controller Show controller information
descriptions Display interface description strings
destination-class Show statistics for destination class
detail Display detailed output
diagnostics Show interface diagnostics information
extensive Display extensive output
far-end-interval Show far end interval statistics
filters Show interface filters information
interval Show interval statistics
mac-database Show media access control database information
mc-ae Show MC-AE configured interface information
media Display media information
queue Show queue statistics for this interface
routing Show routing status
routing-instance Name of routing instance

 

 

 

 

Re: How to establish a remote GW via L2circuit


Hi 

 

Yes, I have set up IS-IS and LDP with MPLS between these routers as follow:

That's why I don't understand. It should be working or display other alarms.

Thus, I will need you all give me some suggestion. Maybe I got wrong configuration.

 

> show route 172.54.131.11

 

inet.0: 707619 destinations, 3933334 routes (704588 active, 36 holddown, 670303 hidden)
+ = Active Route, - = Last Active, * = Both

182.54.131.11/32 *[LDP/9] 5d 15:33:23, metric 27
> to 10.3.100.38 via ae8.1, Push 307344
   to 10.5.100.57 via xe-1/3/2.0, Push 310080
[IS-IS/18] 5d 15:33:24, metric 27
> to 10.3.100.38 via ae8.1
   to 10.5.100.57 via xe-1/3/2.0

 

Thanks

Cloud

Re: How to establish a remote GW via L2circuit


Hello,


 wrote:

Maybe I got wrong configuration.

  


Then post both HR and KR _complete_ sanitized configurations here for us to examine.

"Complete" means including "protocols" and "interfaces" stanzas which You omitted.

HTH

Thx
Alex
