[SRX] License updates via routing instances

  [KB34725]


Summary:

This article provides information about a limitation in license updates on SRX devices when routing instances are involved and how to implement a workaround.

 

Symptoms:

Example Topology

 
[LAN]---------------------------ge-0/0/1 [SRX] ge-0/0/0--------------------------------ISP
           192.168.1.0/24                                                    1.1.1.1/24
 

SRX Configuration

  • DNS is configured as follows:

set system name-server 8.8.8.8
  • License auto-update is enabled:

set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
  • The routing-instance configuration is as follows:

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.10/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-instances custom-vr instance-type virtual-router
set routing-instances custom-vr interface ge-0/0/0.0

In the above configuration, the SRX device reaches the Internet only via the custom routing instance (custom-vr), which owns the Internet-facing interface ge-0/0/0.0.

However, when the SRX firewall is configured for license auto-update, the Routing Engine generates the request from the default routing instance. Because there is no Internet connectivity via the default routing instance, the license update fails.

 

Cause:

License auto-updates are always triggered from the default routing table (inet.0). This is expected behavior.

 

Solution:

For instructions on configuring SRX devices for automatic license renewal, refer to KB14103 - [SRX] How to install license after registering product and to change renew condition.

To perform successful license auto-updates on SRX devices, you must have connectivity to the license server, ae1.juniper.net, via the default routing instance (inet.0).

If your default routing instance has no interface, or has no Internet connectivity via inet.0, as a workaround you can create a loopback interface to source the request and add a route in inet.0 that hands the traffic to the custom routing instance.

A sample configuration is as follows:

  • Configuring the interface

set interfaces lo0 unit 0 family inet address 192.168.10.1/24

  • Assigning security zones

set security zones security-zone trust interfaces lo0.0

  • Adding a default route in inet.0 that points to the custom-vr.inet.0 table

set routing-options static route 0.0.0.0/0 next-table custom-vr.inet.0

  • Policy statements to import routes from the default routing instance into the custom routing instance, so that return traffic to the loopback address can be routed

set policy-options policy-statement master-to-custom term 1 from instance master
set policy-options policy-statement master-to-custom term 1 then accept
set routing-instances custom-vr routing-options instance-import master-to-custom

  • NAT configuration

When a license update request is generated by the Routing Engine (RE), it uses the loopback IP address as its source. Because that address is not routable on the Internet, a source NAT rule is required to translate it to the address of the egress interface.

set security nat source rule-set interfacebasednat from zone junos-host
set security nat source rule-set interfacebasednat to routing-instance custom-vr
set security nat source rule-set interfacebasednat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set interfacebasednat rule 1 then source-nat interface
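The workaround above has several pieces that each must be present for the RE-sourced request to go out and its reply to come back. As an added example (not Juniper's code and not part of the article), the following Python script parses a Junos set-format configuration and reports which of those pieces are missing. The two embedded configurations are constructed from the Symptoms and Solution sections of this article; the element names (autoupdate_url, loopback_source_in_zone, and so on) are the script's own.

```python
"""Audit a Junos set-format configuration for the KB34725 workaround:
license auto-update is always sourced from inet.0, so when the only
Internet path is a custom virtual-router, inet.0 needs a default route
into that VR, the VR needs the master routes back, and RE traffic from
junos-host needs a zoned loopback source plus source NAT.
Added example, not Juniper's code; sample configs are constructed."""
from typing import Dict, List

# Constructed sample: the Symptoms configuration (auto-update fails).
BROKEN_CONFIG = """
set system name-server 8.8.8.8
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.10/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-instances custom-vr instance-type virtual-router
set routing-instances custom-vr interface ge-0/0/0.0
"""

# Constructed sample: the same device with the Solution section applied.
FIXED_CONFIG = BROKEN_CONFIG + """
set interfaces lo0 unit 0 family inet address 192.168.10.1/24
set security zones security-zone trust interfaces lo0.0
set routing-options static route 0.0.0.0/0 next-table custom-vr.inet.0
set policy-options policy-statement master-to-custom term 1 from instance master
set policy-options policy-statement master-to-custom term 1 then accept
set routing-instances custom-vr routing-options instance-import master-to-custom
set security nat source rule-set interfacebasednat from zone junos-host
set security nat source rule-set interfacebasednat to routing-instance custom-vr
set security nat source rule-set interfacebasednat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set interfacebasednat rule 1 then source-nat interface
"""


def parse_set_config(text: str) -> List[List[str]]:
    """Split 'set ...' lines into token lists; other lines are ignored."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def virtual_routers(stmts: List[List[str]]) -> set:
    """Names of routing instances declared as instance-type virtual-router."""
    return {s[1] for s in stmts if len(s) >= 4 and s[0] == "routing-instances"
            and s[2:4] == ["instance-type", "virtual-router"]}


def audit_license_path(config_text: str) -> Dict[str, bool]:
    """Return one boolean per workaround element (True = present)."""
    stmts = parse_set_config(config_text)
    vrs = virtual_routers(stmts)
    checks: Dict[str, bool] = {}

    # 1. Auto-update URL configured at all.
    checks["autoupdate_url"] = any(
        s[:4] == ["system", "license", "autoupdate", "url"] for s in stmts)

    # 2. A loopback unit with an inet address that sits in a security zone.
    lo_units = {f"{s[1]}.{s[3]}" for s in stmts
                if len(s) >= 7 and s[0] == "interfaces" and s[1].startswith("lo")
                and s[2] == "unit" and s[4:7] == ["family", "inet", "address"]}
    zoned = {s[5] for s in stmts if len(s) >= 6
             and s[:3] == ["security", "zones", "security-zone"] and s[4] == "interfaces"}
    checks["loopback_source_in_zone"] = bool(lo_units & zoned)

    # 3. inet.0 default route handed to a declared VR's inet.0 table.
    tables = {s[5] for s in stmts if len(s) >= 6
              and s[:5] == ["routing-options", "static", "route", "0.0.0.0/0", "next-table"]}
    target_vrs = {t[:-len(".inet.0")] for t in tables if t.endswith(".inet.0")} & vrs
    checks["inet0_default_route_into_vr"] = bool(target_vrs)

    # 4. The VR imports master-instance routes through an accepting policy
    #    term, so replies to the loopback address can be routed back.
    def imports_master(vr: str) -> bool:
        policies = {s[4] for s in stmts if len(s) >= 5 and s[0] == "routing-instances"
                    and s[1] == vr and s[2:4] == ["routing-options", "instance-import"]}
        for pol in policies:
            terms = [s for s in stmts if len(s) >= 7
                     and s[:4] == ["policy-options", "policy-statement", pol, "term"]]
            from_master = {s[4] for s in terms if s[5:8] == ["from", "instance", "master"]}
            accepting = {s[4] for s in terms if s[5:7] == ["then", "accept"]}
            if from_master & accepting:
                return True
        return False
    checks["master_routes_imported_into_vr"] = any(imports_master(v) for v in target_vrs)

    # 5. Source NAT for RE-originated (zone junos-host) traffic entering the VR.
    def nat_rule_set_ok(vr: str) -> bool:
        nat = [s for s in stmts if len(s) > 4 and s[:4] == ["security", "nat", "source", "rule-set"]]
        for name in {s[4] for s in nat}:
            rs = [s for s in nat if s[4] == name]
            from_host = any(s[5:8] == ["from", "zone", "junos-host"] for s in rs)
            to_vr = any(s[5:8] == ["to", "routing-instance", vr] for s in rs)
            action = any(len(s) >= 9 and s[5] == "rule" and s[7:9] == ["then", "source-nat"] for s in rs)
            if from_host and to_vr and action:
                return True
        return False
    checks["junos_host_source_nat_into_vr"] = any(nat_rule_set_ok(v) for v in target_vrs)
    return checks


def missing_elements(config_text: str) -> List[str]:
    """Names of the workaround elements the configuration lacks."""
    return [name for name, ok in audit_license_path(config_text).items() if not ok]


if __name__ == "__main__":
    print("broken config is missing:", missing_elements(BROKEN_CONFIG))
    print("fixed config is missing:", missing_elements(FIXED_CONFIG))
```

Feed it the output of "show configuration | display set" from a device. Note that the rule-set as written matches destination-address 0.0.0.0/0, so interface NAT applies to all junos-host traffic that is routed into custom-vr, not only the license request; the audit only checks that such a rule exists, it does not judge its scope.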

With the above change, you will see the following route in inet.0:

root> show route 0.0.0.0

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5d 19:23:31
                       to table custom-vr.inet.0

custom-vr.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5d 19:23:31
                    >  to 1.1.1.1 via ge-0/0/0.0
 

Updating the license manually

  • You can use the request system license update command to update the license keys manually.

root@SRX340-1> request system license update
Trying to update license keys from https://ae1.juniper.net, use 'show system license' to check status.

  • You can enable traceoptions as shown to check whether the licenses are available and being downloaded.

license {
    autoupdate {
        url https://ae1.juniper.net/junos/key_retrieval;
    }
    traceoptions {
        file license_trace;
        flag all;
    }
}

  • The trace file will be saved under /var/log. When the connection to the License Server is successful, a trace, such as the one shown below, will be generated:

root> show log license_trace
Jun 20 08:43:06 Received SIGUSR1 signal, license download start...

 

Related Links: