
srx ipsec tunnel over mpls l3vpn
Anyone ever done it? To be clear, I have mpls/ldp/ospf/bgp enabled on the SRX
such that I have an l3vpn functional into the SRX.

I have a lo0.99 interface as the external interface used for ike/ipsec.
Seems that I'm pretty close to getting this done, as I have ike phase 1 up
and ike phase 2 up, but only seeing encrypted packets as I try to ping
between the st0.0 interface and the ms-0/0/0.1 inside interface on the other
side (mx104 with ms-mic-16g).

Let me know what I'm missing.

I'm seeing drops in these two show outputs, which seem to coincide with a
100-packet ping test...

root@demo-srx300> show security flow statistics
  Current sessions: 9
  Packets forwarded: 417926
  Packets dropped: 15604
  Fragment packets: 0
  Pre fragments generated: 0
  Post fragments generated: 0

root@demo-srx300> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

root@demo-srx300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes: 252264
  Decrypted bytes: 0
  Encrypted packets: 1618
  Decrypted packets: 0
AH Statistics:
  Input bytes: 0
  Output bytes: 0
  Input packets: 0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@demo-srx300> show security flow statistics | grep rop
  Packets dropped: 15650

root@demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1 count 100
PING 10.102.199.66 (10.102.199.66): 56 data bytes
....................................................................................................
--- 10.102.199.66 ping statistics ---
100 packets transmitted, 0 packets received, 100% packet loss

root@demo-srx300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes: 267864
  Decrypted bytes: 0
  Encrypted packets: 1718
  Decrypted packets: 0
AH Statistics:
  Input bytes: 0
  Output bytes: 0
  Input packets: 0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@demo-srx300> show security flow statistics | grep rop
  Packets dropped: 15755




-Aaron



_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
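The "encrypted rises, decrypted stays at zero, flow drops track the probe count" pattern in the outputs above is easy to misread by eye, so here is a before/after counter comparison that makes it explicit. This is an added example, not code from the thread or from Juniper: the snapshot text is constructed from the counters Aaron posted (with Junos-style indentation added), and the function names, the verdict labels and the 10% tolerance used for "drops track probes" are my own assumptions.

```python
"""Compare Junos counter snapshots taken around a test ping and name the
failure pattern. Added example; snapshot text constructed from the thread."""
import re

# Constructed from the thread's "show security ipsec statistics" output.
IPSEC_BEFORE = """\
ESP Statistics:
  Encrypted bytes:           252264
  Decrypted bytes:                0
  Encrypted packets:           1618
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
# Same output after the 100-probe ping: only the encrypt counters moved.
IPSEC_AFTER = IPSEC_BEFORE.replace("252264", "267864").replace("1618", "1718")
# "show security flow statistics | grep rop" before and after the ping.
FLOW_BEFORE = "  Packets dropped:                15650\n"
FLOW_AFTER = "  Packets dropped:                15755\n"
PROBES_SENT = 100  # ping ... rapid interval .1 count 100

# 'Name: 1234' pairs; the Errors section puts two pairs on one line.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+(\d+)")
# Any counter whose name contains one of these is a crypto-path error.
ERROR_KEYS = ("failures", "errors", "Bad headers", "Bad trailers")


def parse_counters(text):
    """Map every counter name in a Junos 'show' output to its integer value."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def delta(before, after):
    """Per-counter change; counters missing on either side are ignored."""
    return {k: after[k] - before[k] for k in before if k in after}


def classify(ipsec_delta, flow_delta, probes_sent):
    """Label the pattern the deltas show (assumed labels, not Junos terms)."""
    enc = ipsec_delta.get("Encrypted packets", 0)
    dec = ipsec_delta.get("Decrypted packets", 0)
    errs = sum(v for k, v in ipsec_delta.items() if any(e in k for e in ERROR_KEYS))
    if errs:
        return "crypto-errors"   # SA mismatch, replay window or corrupted ESP
    if enc == 0:
        return "not-encrypted"   # probes never reached st0: routing or policy
    if dec == 0:
        return "one-way"         # sent fine, nothing returned or accepted
    if dec >= probes_sent:
        return "bidirectional"
    return "lossy"


def diagnose(ipsec_before, ipsec_after, flow_before, flow_after, probes_sent):
    """Full report for one test ping bracketed by the four snapshots."""
    ipsec_d = delta(parse_counters(ipsec_before), parse_counters(ipsec_after))
    flow_d = delta(parse_counters(flow_before), parse_counters(flow_after))
    drops = flow_d.get("Packets dropped", 0)
    return {
        "verdict": classify(ipsec_d, flow_d, probes_sent),
        "encrypted": ipsec_d.get("Encrypted packets", 0),
        "decrypted": ipsec_d.get("Decrypted packets", 0),
        "flow_drops": drops,
        # Drop counter moved by roughly the probe count: the flow engine,
        # not the crypto path, is where to trace (assumed 10% tolerance).
        "drops_track_probes": abs(drops - probes_sent) <= probes_sent // 10,
    }


if __name__ == "__main__":
    for key, value in diagnose(IPSEC_BEFORE, IPSEC_AFTER,
                               FLOW_BEFORE, FLOW_AFTER, PROBES_SENT).items():
        print(f"{key}: {value}")
```

With the thread's numbers the verdict is "one-way" with 100 encrypted, 0 decrypted and 105 flow drops, which is the point Hugo's bidirectional-traffic question below goes after.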
Re: srx ipsec tunnel over mpls l3vpn
Based on what you described, it sounds like you already got your MPLS/LDP running in a packet-mode routing-instance, as otherwise MPLS is dropped on an SRX in flow mode.

No obvious ideas with the output provided otherwise.
Do the flows in your IPSEC instance get created?

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Aaron Gould
Sent: Thursday, July 11, 2019 12:27 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] srx ipsec tunnel over mpls l3vpn
Re: srx ipsec tunnel over mpls l3vpn
Thanks Emille. Ummm, I may be misunderstanding you, but I don't think I
have changed from the SRX flow-mode default. But I do have an ldp neighbor up and
mpls forwarding is occurring via the mpls l3vpn vrf... and I do believe the
ike phase 1 and phase 2 are working over this mpls l3vpn within the srx...
but I just don't seem to be able to ping from one side of the st0 tunnel
interface to the other.

See...

root@demo-srx300> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

root@demo-srx300> show route table mpls.0

mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 04:51:07, metric 1
                      Receive
1                  *[MPLS/0] 04:51:07, metric 1
                      Receive
2                  *[MPLS/0] 04:51:07, metric 1
                      Receive
13                 *[MPLS/0] 04:51:07, metric 1
                      Receive
16                 *[VPN/0] 04:51:07
                      to table one.inet.0, Pop
345552             *[LDP/9] 04:43:04, metric 3, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
345568             *[LDP/9] 04:43:04, metric 4, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
345584             *[LDP/9] 04:43:04, metric 2, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
345600             *[LDP/9] 04:43:04, metric 3, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
345616             *[LDP/9] 04:43:04, metric 3, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
345632             *[LDP/9] 04:43:04, metric 4, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
345648             *[LDP/9] 04:43:04, metric 3, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16518

root@demo-srx300> show route table mpls.0 terse

mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0                  M   0          1            Receive
* ? 1                  M   0          1            Receive
* ? 2                  M   0          1            Receive
* ? 13                 M   0          1            Receive
* ? 16                 V   0                       Table
* ? 345552             L   9          3            >10.101.14.197
* ? 345568             L   9          4            >10.101.14.197
* ? 345584             L   9          2            >10.101.14.197
* ? 345600             L   9          3            >10.101.14.197
* ? 345616             L   9          3            >10.101.14.197
* ? 345632             L   9          4            >10.101.14.197
* ? 345648             L   9          3            >10.101.14.197
* ? 345664             L   9          7            >10.101.14.197
* ? 345680             L   9          6            >10.101.14.197
* ? 345696             L   9          7            >10.101.14.197
* ? 345712             L   9          7            >10.101.14.197
* ? 345728             L   9          6            >10.101.14.197
* ? 345744             L   9          7            >10.101.14.197

root@demo-srx300> show route table mpls.0 terse | count
Count: 528 lines

root@demo-srx300> show ldp neighbor
Address            Interface          Label space ID         Hold time
10.101.14.197      ge-0/0/0.0         10.101.0.254:0           10

root@demo-srx300>



-----Original Message-----
From: Emille Blanc [mailto:emille@abccommunications.com]
Sent: Thursday, July 11, 2019 3:04 PM
To: Aaron Gould; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn
Re: srx ipsec tunnel over mpls l3vpn
Is the other end of this also an SRX configured in a similar way, or
something else? This seems to contradict basically any Juniper docs on SRX
around MPLS traffic re: flow/packet mode. Specifically given that it's
showing "drop" for MPLS traffic, I would be confused about how it's passing
MPLS-encap'd traffic.

Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it)
across the l3vpn to validate bidirectional traffic passing?

--
Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E | also on Signal

On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould <aaron1@gvtc.com> wrote:
Re: srx ipsec tunnel over mpls l3vpn
I've used a combo of a VR routing instance in flow mode to terminate the
ipsec traffic and an lt interface pair to cycle the traffic back into the mpls
side of things.

On Fri, 12 Jul 2019 at 16:26, Hugo Slabbert <hugo@slabnet.com> wrote:


--
Regards,
Craig Askings
io Networks
ion consulting Pty Ltd.
mobile: 0404 019365
phone: 1300 1 2 4 8 16
No Holidays scheduled
Re: srx ipsec tunnel over mpls l3vpn
Craig, how did you do the LT config to "cycle" traffic back through? Do you
have a link/KB on how to? Actually I'm wondering if there's a more elegant
way than LTs (no offense, since we all love accomplishing things and making
stuff work, but it seems that LTs and, furthermore, physical cables looped
from port to port on the front of the device, are usually ways to do things
that we can't figure out in software) :|

Hugo, the other end is an MX104 with a services card for ipsec capability
(MS-MIC-16G).

I haven't yet put any customer edge interfaces behind the SRX or MX, but I
will do that this morning.... I simply wanted to put a subnet on the secure
tunnel interfaces and ping from st0.0 to ms-0/0/0.1 first, but I can do the
further edge config also.

-Aaron

-----Original Message-----
From: Hugo Slabbert [mailto:hugo@slabnet.com]
Sent: Friday, July 12, 2019 1:26 AM
To: Aaron Gould
Cc: 'Emille Blanc'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] srx ipsec tunnel over mpls l3vpn
>
>Anyone ever done it ? To be clear, I have mpls/ldp/ospf/bgp enabled
>the SRX such that I have an l3vpn functional into the SRX.
>
>
>
>I have a lo0.99 interface as the external interface used for ike/ipsec.
>Seems that I'm pretty close to getting this done, as i have ike phase 1
>up and ike phase 2 up, but only seeing encrypted packets as I try to
>ping between the st0.0 interface and the ms-0/0/0.1 inside interface on
>the other side (mx104 with ms-mic-16g)
>
>
>
>Let me know what I'm missing.
>
>
>
>I'm seeing drops in these to show outputs. which seems to coincide with
>a 100-packet ping test...
>
>
>
>
>
>root@demo-srx300> show security flow statistics
> Current sessions: 9
> Packets forwarded: 417926
> Packets dropped: 15604
> Fragment packets: 0
> Pre fragments generated: 0
> Post fragments generated: 0
>
>root@demo-srx300> show security flow status
> Flow forwarding mode:
> Inet forwarding mode: flow based
> Inet6 forwarding mode: drop
> MPLS forwarding mode: drop
> ISO forwarding mode: drop
> Enhanced route scaling mode: Disabled
> Flow trace status
> Flow tracing status: off
> Flow session distribution
> Distribution mode: RR-based
> GTP-U distribution: Disabled
> Flow ipsec performance acceleration: off
> Flow packet ordering
> Ordering mode: Hardware
>
>root@demo-srx300> show security ipsec statistics
>ESP Statistics:
> Encrypted bytes: 252264
> Decrypted bytes: 0
> Encrypted packets: 1618
> Decrypted packets: 0
>AH Statistics:
> Input bytes: 0
> Output bytes: 0
> Input packets: 0
> Output packets: 0
>Errors:
> AH authentication failures: 0, Replay errors: 0
> ESP authentication failures: 0, ESP decryption failures: 0
> Bad headers: 0, Bad trailers: 0
>
>root@demo-srx300> show security flow statistics | grep rop
> Packets dropped: 15650
>
>root@demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1 count 100
>PING 10.102.199.66 (10.102.199.66): 56 data bytes
>....................................................................................................
>--- 10.102.199.66 ping statistics ---
>100 packets transmitted, 0 packets received, 100% packet loss
>
>root@demo-srx300> show security ipsec statistics
>ESP Statistics:
> Encrypted bytes: 267864
> Decrypted bytes: 0
> Encrypted packets: 1718
> Decrypted packets: 0
>AH Statistics:
> Input bytes: 0
> Output bytes: 0
> Input packets: 0
> Output packets: 0
>Errors:
> AH authentication failures: 0, Replay errors: 0
> ESP authentication failures: 0, ESP decryption failures: 0
> Bad headers: 0, Bad trailers: 0
>
>root@demo-srx300> show security flow statistics | grep rop
> Packets dropped: 15755
>
>-Aaron

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
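The counters Aaron posted before and after his 100-packet ping are the whole diagnosis: encrypted packets rose by exactly 100, decrypted packets stayed at 0, no ESP errors were logged, and the flow drop counter climbed. Below is an added example (not code from the thread or from Junos) that parses two snapshots of `show security ipsec statistics` and `show security flow statistics` and classifies the result, so the "encrypt-only" condition Hugo is probing for can be spotted mechanically. The sample snapshots are constructed from the figures in the thread; the function names and the finding categories are the example's own.

```python
import re

# Constructed sample input modelled on the 'show security ipsec statistics'
# output posted in the thread; the counter values are the ones Aaron posted
# before and after his 100-packet ping. The parser and classifier are an
# added example, not a Junos or project API.
IPSEC_TEMPLATE = """\
ESP Statistics:
  Encrypted bytes:           {enc_bytes}
  Decrypted bytes:                0
  Encrypted packets:           {enc_pkts}
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
IPSEC_BEFORE = IPSEC_TEMPLATE.format(enc_bytes=252264, enc_pkts=1618)
IPSEC_AFTER = IPSEC_TEMPLATE.format(enc_bytes=267864, enc_pkts=1718)
FLOW_BEFORE = "  Packets dropped:                15650\n"   # constructed
FLOW_AFTER = "  Packets dropped:                15755\n"    # constructed

# Matches every 'Name: 1234' pair on a line, so the comma-separated
# Errors lines yield two counters each.
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")


def parse_counters(text):
    """Map counter names to integer values for one CLI snapshot."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def counter_delta(before, after):
    """Per-counter increase between two snapshots (missing before => 0)."""
    return {name: after[name] - before.get(name, 0) for name in after}


def diagnose(ipsec_before, ipsec_after, flow_before, flow_after, probes_sent):
    """Classify a tunnel test from counter deltas taken around a ping run."""
    esp = counter_delta(parse_counters(ipsec_before), parse_counters(ipsec_after))
    flow = counter_delta(parse_counters(flow_before), parse_counters(flow_after))
    encrypted = esp.get("Encrypted packets", 0)
    decrypted = esp.get("Decrypted packets", 0)
    dropped = flow.get("Packets dropped", 0)
    # Every Errors-section counter: auth/decrypt failures, replay, bad hdr/trl.
    crypto_errors = sum(v for k, v in esp.items()
                        if "failures" in k or "errors" in k or k.startswith("Bad"))
    findings = []
    if encrypted == 0:
        findings.append("nothing was encrypted: probes never reached the st0 "
                        "tunnel (routing or security policy, not IPsec)")
    elif decrypted == 0 and crypto_errors == 0:
        findings.append("one-way ESP: %d packets encrypted, none decrypted and "
                        "no ESP errors; replies are not arriving, so check the "
                        "return path to the tunnel endpoint and the far end's "
                        "decrypt counters" % encrypted)
    elif crypto_errors:
        findings.append("ESP arrives but fails integrity or decryption: check "
                        "proposals and keys on both ends")
    if encrypted and encrypted < probes_sent:
        findings.append("only %d of %d probes were encrypted" % (encrypted, probes_sent))
    if dropped:
        findings.append("flow dropped %d packets during the test" % dropped)
    return {"encrypted": encrypted, "decrypted": decrypted,
            "dropped": dropped, "crypto_errors": crypto_errors,
            "findings": findings}


if __name__ == "__main__":
    result = diagnose(IPSEC_BEFORE, IPSEC_AFTER, FLOW_BEFORE, FLOW_AFTER, 100)
    for line in result["findings"]:
        print("-", line)
```

On the thread's numbers this reports a one-way ESP condition (100 encrypted, 0 decrypted, 0 errors) plus 105 flow drops during the test, which is the same conclusion Hugo reaches by eye: the SRX is sending, but either the far end never sees the ESP or its replies never make it back into the flow engine, and neither case shows up as a decryption error.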
Re: srx ipsec tunnel over mpls l3vpn
Yes Hugo, I can pass non-ipsec encrypted traffic via the MPLS L3VPN inside
the SRX... isn't that what the IKE Phase 1 and IKE Phase 2 success is
proving ?

-Aaron


Re: srx ipsec tunnel over mpls l3vpn
I wish there was a more elegant way, but when we approached JTAC and our
Juniper SE about it, they confirmed it was the only method, which meant we
were burning twice as many security zones per client L3VPN -> IPSEC tunnel
service. My email search fu is failing in finding the KB article on it.

On Fri, 12 Jul 2019 at 23:20, Aaron Gould <aaron1@gvtc.com> wrote:

> Craig, how did you do the LT config to "cycle" traffic back through? Do you
> have a link/KB on how to? Actually I'm wondering if there's a more elegant
> way than LTs (no offense, since we all love accomplishing things and making
> stuff work, but it seems that LTs, and furthermore physical cables looped
> from port to port on the front of the device, are usually ways to do things
> that we can't figure out in software) :|
>
> Hugo, The other end is an MX104 with services card for ipsec capability
> (MS-MIC-16G)
>
> I haven't yet put any customer edge interfaces behind the SRX or MX, but I
> will do that this morning.... I simply wanted to put a subnet on the secure
> tunnel interfaces and ping from st0.0 to ms-0/0/0.1 first, but I can do the
> further edge config also.
>
> -Aaron
>
> -----Original Message-----
> From: Hugo Slabbert [mailto:hugo@slabnet.com]
> Sent: Friday, July 12, 2019 1:26 AM
> To: Aaron Gould
> Cc: 'Emille Blanc'; juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] srx ipsec tunnel over mpls l3vpn
>
> Is the other end of this also an SRX configured in a similar way, or
> something else? This seems to contradict basically any Juniper docs on SRX
> around MPLS traffic re: flow/packet mode. Specifically given that it's
> showing "drop" for MPLS traffic, I would be confused about how it's passing
> MPLS-encap'd traffic.
>
> Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it) across
> the l3vpn to validate bidirectional traffic passing?
>
> --
> Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com
> pgp key: B178313E | also on Signal
>

--
Regards,
Craig Askings
io Networks
ion consulting Pty Ltd.
mobile: 0404 019365
phone: 1300 1 2 4 8 16

No Holidays scheduled