
[SRX] License updates via routing instances

Article ID: KB34725 | Last Updated: 03 Jul 2019 | Version: 1.0
Summary:

This article describes a limitation of license auto-update on SRX devices when the Internet-facing interface belongs to a custom routing instance rather than the default one, and shows how to implement a workaround.

 

Symptoms:

Example Topology

[LAN]---------------------------ge-0/0/1 [SRX] ge-0/0/0--------------------------------ISP
           192.168.1.0/24                                                    1.1.1.1/24

SRX Configuration

  • DNS is configured as follows:

set system name-server 8.8.8.8

  • License auto-update is enabled:

set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

  • The interfaces, zones and the custom routing instance are configured as follows. The Internet-facing interface ge-0/0/0.0 belongs to the virtual router custom-vr, and custom-vr holds its own default route toward the ISP (the route that appears in custom-vr.inet.0 in the show route output further down in this article):

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.10/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-instances custom-vr instance-type virtual-router
set routing-instances custom-vr interface ge-0/0/0.0
set routing-instances custom-vr routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

With this configuration, the SRX device can reach the Internet only through the custom routing instance custom-vr; the default routing instance has no path to the Internet at all.

License auto-update, however, is performed by the Routing Engine, which generates the request from the default routing instance (inet.0). Because inet.0 holds no route to the Internet in this setup, the request cannot leave the device and the license update fails.

 

Cause:

License auto-update requests are always sourced from the default routing instance (inet.0); the Routing Engine does not use a custom routing instance for this traffic. This is expected behavior, not a defect.

 

Solution:

For instructions on configuring SRX devices for automatic license renewal, refer to KB14103 - [SRX] How to install license after registering product and to change renew condition.

For license auto-update to succeed, the SRX must be able to reach the license server, ae1.juniper.net, from the default routing instance (inet.0). The DNS lookup of that hostname, using the configured name-server, is also performed by the Routing Engine from the default instance, so it needs the same reachability.

If the default routing instance has no interface, or no Internet connectivity via inet.0, the workaround is to create a loopback interface in the default instance to source the packets from, and to hand the traffic off from inet.0 to the custom routing instance with a next-table route. The pieces are: the loopback interface and its zone, a default route in inet.0 pointing at custom-vr.inet.0, an instance-import policy so that custom-vr can route the return traffic back to the loopback address, and a source NAT rule that translates the loopback address into one that is reachable from the Internet.

A sample configuration is as follows:

  • Configuring the loopback interface in the default routing instance. This address is what the Routing Engine sources the license request from; it does not need to be routable on the Internet, because the source NAT rule further down translates it.

set interfaces lo0 unit 0 family inet address 192.168.10.1/24

  • Assigning lo0.0 to a security zone

set security zones security-zone trust interfaces lo0.0

  • Adding a default route in inet.0 that hands off to custom-vr.inet.0

set routing-options static route 0.0.0.0/0 next-table custom-vr.inet.0

  • Importing the routes of the default routing instance (master) into the custom routing instance, so that custom-vr.inet.0 has a route back to the loopback address for the return traffic

set policy-options policy-statement master-to-custom term 1 from instance master
set policy-options policy-statement master-to-custom term 1 then accept
set routing-instances custom-vr routing-options instance-import master-to-custom

  • NAT configuration

When the Routing Engine generates a license update request, it uses the loopback address as the source. Because that address is not routable on the Internet, a source NAT rule is needed to translate it to the address of the egress interface. Self-originated traffic belongs to the junos-host zone, so the rule-set is anchored there, and its destination is the custom routing instance rather than a zone:

set security nat source rule-set interfacebasednat from zone junos-host
set security nat source rule-set interfacebasednat to routing-instance custom-vr
set security nat source rule-set interfacebasednat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set interfacebasednat rule 1 then source-nat interface

Note that the default route in inet.0 and this NAT rule apply to all Routing Engine-originated traffic that is not bound to a routing instance (for example DNS, NTP or syslog sourced from the default instance), not only to the license request, so confirm that this is the intended behavior for the other services on the device.

With the above change, you will see the following route in inet.0:

root> show route 0.0.0.0

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5d 19:23:31
                       to table custom-vr.inet.0

custom-vr.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5d 19:23:31
                    >  to 1.1.1.1 via ge-0/0/0.0
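As an added pre-flight check (example code written for this article, not a Juniper tool), the following Python script parses a show configuration | display set dump and reports which pieces of the workaround are missing for a given routing instance: the instance itself, the next-table default route in inet.0, the lo0.0 address and zone membership, the instance-import policy, and the junos-host source NAT rule-set. The two sample configurations are constructed from this article's set commands (the explicit default route inside custom-vr is inferred from the show route output above); the function and check names are the example's own.

```python
"""Pre-flight check for the SRX license auto-update workaround.

Added example, not part of the original KB article or of Junos. It parses
the output of 'show configuration | display set' and reports which pieces
of the workaround are absent for a named routing instance.
"""
import re

# Constructed sample: the article's configuration before the workaround.
BEFORE_CONFIG = """\
set system name-server 8.8.8.8
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.10/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-instances custom-vr instance-type virtual-router
set routing-instances custom-vr interface ge-0/0/0.0
set routing-instances custom-vr routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
"""

# Constructed sample: the same device with the article's workaround added.
AFTER_CONFIG = BEFORE_CONFIG + """\
set interfaces lo0 unit 0 family inet address 192.168.10.1/24
set security zones security-zone trust interfaces lo0.0
set routing-options static route 0.0.0.0/0 next-table custom-vr.inet.0
set policy-options policy-statement master-to-custom term 1 from instance master
set policy-options policy-statement master-to-custom term 1 then accept
set routing-instances custom-vr routing-options instance-import master-to-custom
set security nat source rule-set interfacebasednat from zone junos-host
set security nat source rule-set interfacebasednat to routing-instance custom-vr
set security nat source rule-set interfacebasednat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set interfacebasednat rule 1 then source-nat interface
"""


def parse_set_lines(text):
    """Return every 'set ...' statement of a display-set dump, without the 'set ' prefix."""
    return [ln.strip()[4:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def _instance_import_ok(stmts, ri):
    """True if ri references an instance-import policy with a term that accepts from instance master."""
    for s in stmts:
        m = re.fullmatch(rf"routing-instances {ri} routing-options instance-import (\S+)", s)
        if not m:
            continue
        pol = re.escape(m.group(1))
        for t in stmts:
            tm = re.fullmatch(rf"policy-options policy-statement {pol} term (\S+) from instance master", t)
            if tm and any(
                re.fullmatch(rf"policy-options policy-statement {pol} term {re.escape(tm.group(1))} then accept", u)
                for u in stmts
            ):
                return True
    return False


def _source_nat_ok(stmts, ri):
    """True if a source NAT rule-set from zone junos-host to routing-instance ri has a translating rule."""
    for s in stmts:
        m = re.fullmatch(r"security nat source rule-set (\S+) from zone junos-host", s)
        if not m:
            continue
        rs = re.escape(m.group(1))
        to_ri = any(re.fullmatch(rf"security nat source rule-set {rs} to routing-instance {ri}", t) for t in stmts)
        action = any(
            re.fullmatch(rf"security nat source rule-set {rs} rule \S+ then source-nat (interface|pool \S+)", t)
            for t in stmts
        )
        if to_ri and action:
            return True
    return False


def missing_pieces(config_text, ri_name):
    """Return the names of the workaround pieces that are absent for routing instance ri_name.

    An empty list means every piece the article's workaround needs is present.
    """
    stmts = parse_set_lines(config_text)
    ri = re.escape(ri_name)

    def present(pattern):
        return any(re.fullmatch(pattern, s) for s in stmts)

    checks = {
        # The custom instance must exist and own at least one interface.
        "routing-instance": present(rf"routing-instances {ri} instance-type \S+")
        and present(rf"routing-instances {ri} interface \S+"),
        # inet.0 needs a default route that hands RE-originated traffic to the instance.
        "inet0-default-next-table": present(
            rf"routing-options static route 0\.0\.0\.0/0 next-table {ri}\.inet\.0"),
        # lo0.0 needs an address (the source of the license request) and a zone.
        "lo0-address": present(r"interfaces lo0 unit 0 family inet address \S+"),
        "lo0-in-zone": present(r"security zones security-zone \S+ interfaces lo0\.0"),
        # The instance must import master routes so it can route back to lo0.
        "instance-import": _instance_import_ok(stmts, ri),
        # Host-originated traffic into the instance must be source-NATed to a routable address.
        "source-nat": _source_nat_ok(stmts, ri),
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, "missing:", missing_pieces(cfg, "custom-vr") or "nothing")
```

Run it against a real dump by reading the file into missing_pieces() with the name of your Internet-facing routing instance; an empty result means the configuration has all the pieces, after which the show route and trace checks in this article confirm that the route and the download actually work.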
 

Updating the license manually

  • You can use the request system license update command to update the license keys manually, and then check the result with show system license:

root@SRX340-1> request system license update
Trying to update license keys from https://ae1.juniper.net, use 'show system license' to check status.

  • You can enable license traceoptions under [edit system] to check whether licenses are available and being downloaded:

license {
    autoupdate {
        url https://ae1.juniper.net/junos/key_retrieval;
    }
    traceoptions {
        file license_trace;
        flag all;
    }
}

  • The trace file is written under /var/log. When the connection to the license server succeeds, a trace such as the following is generated:

root> show log license_trace
Jun 20 08:43:06 Received SIGUSR1 signal, license download start...
