Juniper J2320 does not route traffic

Hi,

I have a problem with the configuration of my J2320 in a hub-spoke environment. I am able to ping all destinations via the CLI on the router, but I have not succeeded in routing anything through on different interfaces. When I capture some packets I get this information.

verbose output suppressed, use  or  for full protocol decode
Address resolution is ON. Use  to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on reth0, capture size 96 bytes

Reverse lookup for 192.168.10.11 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use  to avoid reverse lookups on IP addresses.
19:37:09.038537 Out IP truncated-ip - 371 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 381
19:37:09.038653 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038689 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038719 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038740 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038771 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038806 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038826 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038932 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038967 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.038992 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039014 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039046 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039075 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039149 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039188 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039217 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039244 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039262 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039287 Out IP truncated-ip - 1450 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1460
19:37:09.039310 Out IP truncated-ip - 1374 bytes missing! 192.168.10.2.http > 192.168.10.11.5121: tcp 1384

192.168.10.2 is my Juniper box, and

I'm new to Juniper and Junos (Release 10.0R1.8).

Any suggestions?

Regards Anders

NetFixr-Dani commented:
Hi,

A few things:

1) The output you pasted above appears to be traffic from your workstation (192.168.10.11) accessing the web-based management interface of the J-2320, is that correct?

2) With newer code (after 9.6) on the J-Series, the box no longer acts like a "router" by default, but rather acts like a "firewall."  Specifically it performs flow-based instead of packet-based forwarding, which is subject to traffic inspection policies.  There are a few ways to bypass/disable this behavior, I'm assuming in this lab environment, you simply want all traffic to pass through the device.  In that case, I'd recommend you set the following:
  2a) Place all interfaces in security zone "trust" (set security zones security-zone trust interfaces ge-x/y/z.0)
  2b) Confirm the default policy is "permit all" (set security policies default-policy permit-all)
NetFixr-Dani commented:
Oh, by the way, if that doesn't work, please paste in your configuration...
scardali commented:
Your problem is most likely the flow-based part of JUNOS that comes with all J-Series routers >= 9.4.

Long story short, issue the following commands, then commit, and I think you'll see better results.

set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/0.0
set system syslog file messages any any
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services any-service
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces all
set security policies default-policy permit-all
set security alg dns disable
set security alg ftp disable
set security alg h323 disable
set security alg mgcp disable
set security alg msrpc disable
set security alg sunrpc disable
set security alg real disable
set security alg rsh disable
set security alg rtsp disable
set security alg sccp disable
set security alg sip disable
set security alg sql disable
set security alg talk disable
set security alg tftp disable
set security alg pptp disable
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family iso mode packet-based
set security flow allow-dns-reply
set security flow tcp-session no-syn-check
set security flow tcp-session no-syn-check-in-tunnel
set security flow tcp-session no-sequence-check


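Both answers above fix the symptom by making the flow-based firewall permit everything: one zone holding every interface, any-service host-inbound, default-policy permit-all, and (in the second answer) ALGs and TCP SYN/sequence checks switched off. That is fine for a lab but leaves the J2320 with no filtering at all. The following is an added example, not configuration from either poster, showing the wide-open form next to a tightened form that still lets transit traffic flow in flow mode. It assumes ge-0/0/0.0 is the LAN side carrying 192.168.10.2/24 from the question and that a second interface named ge-0/0/1.0 (assumed name) faces the hub; adjust both to what "show interfaces terse" reports. Note that reth0 in the capture is a redundant Ethernet interface, which only exists in a chassis cluster; in that case the zone members are the reth units rather than ge-x/y/z units.

```junos
## Added example (not from the thread). Interface names are assumptions.

## --- Lab-only, wide open (what the thread suggests) ---
set security zones security-zone trust interfaces all
set security zones security-zone trust host-inbound-traffic system-services any-service
set security zones security-zone trust host-inbound-traffic protocols all
set security policies default-policy permit-all
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

## --- Tightened version: two zones, explicit policy, default deny ---
## Remove the wide-open pieces before adding the explicit ones.
delete security policies default-policy
delete security flow tcp-session
delete security zones security-zone trust

## LAN zone: only the management services the box must answer on this side.
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ping

## Hub-facing zone: nothing to the box unless the hub design needs it.
set security zones security-zone untrust interfaces ge-0/0/1.0
## Uncomment only if the hub-spoke link is IPsec / runs OSPF to this spoke:
## set security zones security-zone untrust host-inbound-traffic system-services ike
## set security zones security-zone untrust host-inbound-traffic protocols ospf

## Transit policy: LAN may initiate sessions toward the hub; log each one.
set security policies from-zone trust to-zone untrust policy lan-out match source-address any
set security policies from-zone trust to-zone untrust policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust policy lan-out match application any
set security policies from-zone trust to-zone untrust policy lan-out then permit
set security policies from-zone trust to-zone untrust policy lan-out then log session-close

## Everything not matched above is dropped (replaces permit-all).
set security policies default-policy deny-all

## Verify before and after commit.
commit check
commit comment "explicit zones and trust->untrust policy"
show security zones
show security policies
show security flow session destination-prefix 192.168.10.11
show security flow statistics
```

Two checks worth knowing when reading the capture in the question: the "truncated-ip - 1450 bytes missing!" lines are an artifact of the 96-byte capture size (the packets are whole; only the snapshot is short), and "monitor traffic" on the Routing Engine shows traffic to and from the box itself, which is why the capture contains the HTTP management session from 192.168.10.2 but nothing being forwarded. Transit traffic in flow mode is inspected with "show security flow session", and a session that never appears there points at the zone or policy configuration, not at routing.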