[ScreenOS] Adding a static default route will automatically unset the 'set add-default-route vrouter "untrust-vr"' command

Article ID: KB24498 KB Last Updated: 24 Jul 2019 Version: 2.0
Summary:
This article describes how ScreenOS automatically unsets the set add-default-route vrouter "untrust-vr" command when a default static route is added.
Symptoms:
Unable to add a route in the following format:
>set route 80.80.80.80/0 vr untrust
The firewall takes 80.80.80.80/0 as 0.0.0.0/0, which is logical, because a /0 prefix length masks out every bit of the address. If such a route is added, it populates a default route in the routing table:
set route 80.80.80.80/0 vr untrust
Solution:
The following is the behavior noticed on ScreenOS:
PTAC-SYS-NS500-1-> get route

IPv4 Dest-Routes for <trust-vr> (2 entries)
----------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
----------------------------------------------------
* 3 172.27.173.154/32 mgt 0.0.0.0 H 0 0 Root
* 2 172.27.173.0/24 mgt 0.0.0.0 C 0 0 Root

When a default route is added:
PTAC-SYS-NS500-1-> set vr trust
PTAC-SYS-NS500-1(trust-vr)-> set add-default-route vrouter "untrust-vr"
PTAC-SYS-NS500-1(trust-vr)-> exit
PTAC-SYS-NS500-1-> sa
Save System Configuration ...
Done
The added command is found in the configuration:
PTAC-SYS-NS500-1-> get config | i add-default-route
set add-default-route vrouter "untrust-vr"
As per the behavior, it populates a default route:
PTAC-SYS-NS500-1-> get route
IPv4 Dest-Routes for <trust-vr> (3 entries)
--------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------
* 11 0.0.0.0/0 n/a untrust-vr S 20 0 Root
* 3 172.27.173.154/32 mgt 0.0.0.0 H 0 0 Root
* 2 172.27.173.0/24 mgt 0.0.0.0 C 0 0 Root
Adding the static route:
PTAC-SYS-NS500-1-> set route 80.80.80.80/0 vr untrust 
As per the behavior, you cannot have a default static route and the set add-default-route vrouter "untrust-vr" command together. When a default static route is set, ScreenOS automatically unsets the command. A route added in the 80.80.80.80/0 format is nothing but a 0.0.0.0/0 route, so adding it unsets the command, which is by design.

The command is provided by ScreenOS as a substitute for adding the default static route. As the command and the default static route cannot co-exist, ScreenOS automatically unsets it.
PTAC-SYS-NS500-1-> get config | i add-default-route
unset add-default-route
PTAC-SYS-NS500-1-> get config | i 80.80.80.80
set route 80.80.80.80/0 vrouter "untrust-vr" preference 20
Removing the 80.80.80.80/0 route is actually the deletion of the default route itself, as shown below:
PTAC-SYS-NS500-1-> unset route 80.80.80.80/0
total routes deleted = 1
PTAC-SYS-NS500-1-> get route

IPv4 Dest-Routes for <trust-vr> (2 entries)
------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
------------------------------------------------
* 3 172.27.173.154/32 mgt 0.0.0.0 H 0 0 Root
* 2 172.27.173.0/24 mgt 0.0.0.0 C 0 0 Root
Recommendations:
 
  • It is recommended to add a default static route, instead of using the set add-default-route vrouter "untrust-vr" command, to populate the default route.

  • If the set add-default-route vrouter "untrust-vr" command is used, then any addition of a default static route will automatically unset the command.

  • If you are deleting a specific route, make sure that the route is unset with the complete command, instead of just mentioning the network (for example, unset route 80.80.80.80/0).
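
To catch these cases before a change is applied, a candidate set of commands can be checked offline. The following Python script is an added example, not Juniper code: it flags set route and unset route lines whose prefix collapses to 0.0.0.0/0 (such as 80.80.80.80/0) and reports when a static default route would unset add-default-route. The sample input is constructed, and the script assumes one command per line in the formats shown in this article.

```python
import ipaddress
import re

# Constructed candidate change script (not from a real device). Line formats
# follow the "set route" / "set add-default-route" commands shown in this article.
SAMPLE = '''\
set add-default-route vrouter "untrust-vr"
set route 10.1.0.0/16 vrouter "untrust-vr" preference 20
set route 80.80.80.80/0 vrouter "untrust-vr" preference 20
unset route 80.80.80.80/0
'''

ROUTE_RE = re.compile(r'^(set|unset) route (\S+)')


def audit(config_text):
    """Flag lines that create or delete a default route, including prefixes
    such as 80.80.80.80/0 that only become 0.0.0.0/0 once the mask is applied."""
    report = {"add_default_route": [], "sets_default": [],
              "unsets_default": [], "disguised": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("set add-default-route"):
            report["add_default_route"].append(line)
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        try:
            # strict=False masks the host bits, as the firewall does
            net = ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:
            continue  # not a prefix (for example a malformed line)
        if net.prefixlen != 0:
            continue
        key = "sets_default" if m.group(1) == "set" else "unsets_default"
        report[key].append(line)
        if m.group(2) != str(net):
            report["disguised"].append(line)
    # Per the article, a static default route unsets add-default-route
    report["conflict"] = bool(report["add_default_route"] and report["sets_default"])
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```
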
Modification History:
2019-05-22: Content reviewed for accuracy.  No changes.