This example illustrates how to configure a GRE tunnel between a Juniper SRX220 running Junos OS version 11.4 and ZENs in the Zscaler service. As shown in the figure, primary and secondary GRE tunnels are configured from the gateway port of the Juniper SRX to two ZENs in the Zscaler service. The public IP address of the gateway port, ge-0/0/0, on the SRX is 192.0.2.2.

Zscaler has assigned the following IP addresses for the GRE tunnels:

  • Tunnel Source IP: 192.0.2.2
  • Internal Range: 172.18.58.120 - 172.18.58.127 (a /29, split into one /30 per tunnel)

  • Primary Destination: 216.66.5.49
  • Internal Router IP: 172.18.58.121/30
  • Internal ZEN IP: 172.18.58.122/30

  • Secondary Destination: 199.168.149.179
  • Internal Router IP: 172.18.58.125/30
  • Internal ZEN IP: 172.18.58.126/30

The router receives ingress traffic on port ge-0/0/4 in the Trust zone. It forwards outbound traffic to ge-0/0/0 in the Untrust zone, which is also the tunnel source for the two GRE sub-interfaces, gr-0/0/0.0 and gr-0/0/0.1, that carry Internet traffic to the Zscaler service. The router performs NAT on the traffic that it sends directly to the Internet instead of through the tunnels.

Following are the steps and commands that were used to configure the GRE tunnels in this example, from a Juniper SRX220 running Junos OS version 11.4 to ZENs in two different data centers. Refer to the Juniper documentation for details of the commands.

Note that the Juniper SRX220 does not support GRE keepalives, so ICMP probes (RPM) combined with ip-monitoring are used to detect a failed tunnel and switch routes instead.

Configure the following GRE sub-interfaces on gr-0/0/0, using ge-0/0/0 (192.0.2.2) as the tunnel source:

  • gr-0/0/0 unit 0
    • Secondary tunnel interface
    • Its IP address is 172.18.58.125/30, and its tunnel destination is 199.168.149.179
  • gr-0/0/0 unit 1
    • Primary tunnel interface
    • Its IP address is 172.18.58.121/30, and its tunnel destination is 216.66.5.49

Both units set family inet mtu 1500. GRE over IPv4 adds 24 bytes (a 20-byte outer IP header plus a 4-byte GRE header) to every packet, so a 1500-byte inner MTU on a 1500-byte ge-0/0/0 link means full-size packets are fragmented on the way out; check Zscaler's current MTU guidance for the tunnel before going live.
root# run show configuration interfaces
..
..
ge-0/0/0 {
    unit 0 {
        family inet {
            dhcp;
        }
    }
}
gr-0/0/0 {
    unit 0 {
        description backup-tunnel;
        tunnel {
            source 192.0.2.2;
            destination 199.168.149.179;
        }
        family inet {
            mtu 1500;
            address 172.18.58.125/30;
        }
    }
    unit 1 {
        description primary-tunnel;
        tunnel {
            source 192.0.2.2;
            destination 216.66.5.49;
        }
        family inet {
            mtu 1500;
            address 172.18.58.121/30;
        }
    }
}

Create a forwarding routing instance for the GRE tunnels. Though you can send all Internet-bound traffic through the GRE tunnels to the Zscaler service, this example redirects only HTTP and HTTPS traffic to them. The instance holds a static default route with both tunnels as qualified next hops. Ensure that the next hop for the secondary tunnel, gr-0/0/0.0, carries a higher preference value (200 here) so that it is less preferred than the primary next hop through gr-0/0/0.1, which keeps the default static-route preference of 5. The RPM probes configured later are sourced from the tunnels' inner addresses and follow the interface routes for the /30 subnets, not this default route.

root# run show configuration routing-instances
traffic_tunnel {
 	instance-type forwarding;
 	routing-options {
 		static {
 			route 0.0.0.0/0 {
 				qualified-next-hop gr-0/0/0.0 {
 					preference 200;
 				}
 				qualified-next-hop gr-0/0/0.1;
 			}
 		}
 	}
}


Ensure that the interface (direct and local) routes from inet.0 are also present in the routing table of the GRE routing instance. The rib-group below places every interface route into both inet.0 and traffic_tunnel.inet.0, so the instance can resolve the tunnels' /30 next hops and reach the local networks.

root# run show configuration routing-options
interface-routes {
 	rib-group inet global-rib;
}
rib-groups {
 	global-rib {
 		import-rib [ inet.0 traffic_tunnel.inet.0 ];
 	}
}

At this point, the GRE tunnels have been created and the routes inserted. Create two ICMP-based RPM probes to monitor the GRE endpoints on the Zscaler service (172.18.58.122 and 172.18.58.126). Each probe uses the router's inner address of the tunnel it tests as its source address, so that the echo request is carried inside that tunnel.

root# run show configuration services rpm
probe icmp_gre {
    test icmp {
        probe-type icmp-ping;
        target address 172.18.58.122;
        probe-count 5;
        probe-interval 5;
        test-interval 10;
        source-address 172.18.58.121;
        thresholds {
            successive-loss 5;
            total-loss 5;
        }
    }
}
probe icmp_gre_backup {
    test icmp_backup {
        probe-type icmp-ping;
        target address 172.18.58.126;
        probe-count 5;
        probe-interval 5;
        test-interval 10;
        source-address 172.18.58.125;
        thresholds {
            successive-loss 5;
            total-loss 5;
        }
    }
}


Enable IP monitoring for each probe. When the icmp_gre probe to the primary ZEN (172.18.58.122) fails, the failover policy installs a preferred default route in the traffic_tunnel instance with next hop 172.18.58.126, which is reachable only through gr-0/0/0.0, so traffic moves from the primary to the secondary tunnel. The failover_backup policy is the mirror image for the secondary probe. Junos withdraws the preferred route again once the probe returns to PASS, so traffic moves back to the primary tunnel automatically.

root# run show configuration services ip-monitoring
policy failover {
 	match {
 		rpm-probe icmp_gre;
 	}
 	then {
 		preferred-route {
 			routing-instances traffic_tunnel {
 				route 0.0.0.0/0 {
 					next-hop 172.18.58.126;
 				}
 			}
 		}
 	}
}
policy failover_backup {
 	match {
 		rpm-probe icmp_gre_backup;
 	}
 	then {
 		preferred-route {
 			routing-instances traffic_tunnel {
 				route 0.0.0.0/0 {
 					next-hop 172.18.58.122;
 				}
 			}
 		}
 	}
}

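The interface, routing-instance, rib-group, RPM and ip-monitoring steps above all have to agree on the same handful of addresses, and a mismatch (ZEN address outside the router's /30, the same gr- unit used twice, a failover next hop pointing at the ZEN that just failed) produces a tunnel that comes up but never carries traffic or never fails over. The following script is an added example, not part of the Zscaler page or any Juniper tooling: it takes the addresses Zscaler assigned, checks them, and emits the whole configuration above as `set` commands ready to paste into `configure`. Names (traffic_tunnel, icmp_gre, failover, the unit numbers) follow the page; the `Tunnel` class and the `check`/`render` functions are this example's own.

```python
"""Generate and sanity-check the Junos configuration for a primary/backup
pair of Zscaler GRE tunnels from the addresses Zscaler assigns.
Added example; addresses and object names are taken from the page."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    role: str          # "primary" or "backup"
    unit: int          # gr-0/0/0 unit number
    destination: str   # public ZEN address: GRE outer destination
    router_ip: str     # router side of the inner /30 (probe source)
    zen_ip: str        # ZEN side of the inner /30 (probe target)

    @property
    def subnet(self):
        return ipaddress.ip_network(f"{self.router_ip}/30", strict=False)

    @property
    def suffix(self):
        # page naming: icmp_gre / icmp_gre_backup, failover / failover_backup
        return "" if self.role == "primary" else "_backup"


def check(source, internal_range, primary, backup):
    """Return a list of addressing problems; empty means the plan is sound."""
    problems = []
    rng = ipaddress.ip_network(internal_range)
    ipaddress.ip_address(source)  # raises ValueError if not an address
    for t in (primary, backup):
        net = t.subnet
        r, z = ipaddress.ip_address(t.router_ip), ipaddress.ip_address(t.zen_ip)
        if z not in net:
            problems.append(f"{t.role}: ZEN {z} is outside the router /30 {net}")
        for a in (r, z):
            if a in (net.network_address, net.broadcast_address):
                problems.append(f"{t.role}: {a} is the network or broadcast address of {net}")
        if not net.subnet_of(rng):
            problems.append(f"{t.role}: {net} is outside the assigned range {rng}")
        if ipaddress.ip_address(t.destination).is_private:
            problems.append(f"{t.role}: GRE destination {t.destination} is not a public address")
    if primary.subnet.overlaps(backup.subnet):
        problems.append("primary and backup tunnels share an inner /30")
    if primary.destination == backup.destination:
        problems.append("both tunnels terminate on the same ZEN")
    if primary.unit == backup.unit:
        problems.append("both tunnels use the same gr-0/0/0 unit")
    return problems


def render(source, primary, backup, instance="traffic_tunnel", backup_pref=200):
    """Return the configuration as Junos `set` commands, one per list item."""
    cmds = []
    for t in (primary, backup):
        u = f"set interfaces gr-0/0/0 unit {t.unit}"
        cmds += [f"{u} description {t.role}-tunnel",
                 f"{u} tunnel source {source}",
                 f"{u} tunnel destination {t.destination}",
                 f"{u} family inet mtu 1500",
                 f"{u} family inet address {t.router_ip}/30"]
    # Forwarding instance with both tunnels as next hops; the backup gets a
    # higher (worse) preference so it is used only when the primary is gone.
    ri = f"set routing-instances {instance}"
    route = f"{ri} routing-options static route 0.0.0.0/0 qualified-next-hop"
    cmds += [f"{ri} instance-type forwarding",
             f"{route} gr-0/0/0.{primary.unit}",
             f"{route} gr-0/0/0.{backup.unit} preference {backup_pref}",
             "set routing-options interface-routes rib-group inet global-rib",
             "set routing-options rib-groups global-rib import-rib inet.0",
             f"set routing-options rib-groups global-rib import-rib {instance}.inet.0"]
    # One RPM probe per tunnel, sourced from that tunnel's inner address so
    # the echo request is forced through the tunnel it is meant to test.
    for t in (primary, backup):
        p = f"set services rpm probe icmp_gre{t.suffix} test icmp{t.suffix}"
        cmds += [f"{p} probe-type icmp-ping", f"{p} target address {t.zen_ip}",
                 f"{p} source-address {t.router_ip}", f"{p} probe-count 5",
                 f"{p} probe-interval 5", f"{p} test-interval 10",
                 f"{p} thresholds successive-loss 5", f"{p} thresholds total-loss 5"]
    # When a tunnel's probe fails, install a preferred default route whose
    # next hop is the *other* ZEN's inner address, i.e. via the other tunnel.
    for failed, other in ((primary, backup), (backup, primary)):
        m = f"set services ip-monitoring policy failover{failed.suffix}"
        cmds += [f"{m} match rpm-probe icmp_gre{failed.suffix}",
                 f"{m} then preferred-route routing-instances {instance} "
                 f"route 0.0.0.0/0 next-hop {other.zen_ip}"]
    return cmds


# The page's assignment, as the worked input.
PRIMARY = Tunnel("primary", 1, "216.66.5.49", "172.18.58.121", "172.18.58.122")
BACKUP = Tunnel("backup", 0, "199.168.149.179", "172.18.58.125", "172.18.58.126")

if __name__ == "__main__":
    problems = check("192.0.2.2", "172.18.58.120/29", PRIMARY, BACKUP)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(render("192.0.2.2", PRIMARY, BACKUP)))
```

Run it once with the real assignment; if `check` is clean, the printed commands can be loaded with `load set terminal` (or pasted) and reviewed with `show | compare` before commit. The zone membership, security policies and the redirect filter are left to the later steps, since those depend on the site's interfaces rather than on the Zscaler assignment.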

Though your organization can send all Internet-bound traffic to the Zscaler service, this example uses policy options and a firewall filter to specify that TCP traffic to ports 80 and 443 from the internal network (192.168.0.0/16) is sent through the GRE tunnel, while all other traffic follows inet.0 and leaves directly. The filter is evaluated top down and the first matching term wins: destinations in the zscalernoredirect prefix list (13.13.13.0/24 is a placeholder for sites that must bypass Zscaler) are accepted before the redirect term is considered, HTTP/HTTPS from zscalerredirect sources is handed to the traffic_tunnel instance, and a final catch-all term accepts everything else, because a Junos filter discards any packet that matches no term. Keep in mind that this filter decides what Zscaler inspects: traffic from other source subnets, traffic on other ports and non-TCP traffic all bypass the tunnel.

root# run show configuration policy-options
prefix-list zscalernoredirect {
    13.13.13.0/24;
}
prefix-list zscalerredirect {
    192.168.0.0/16;
}
[edit]
root# run show configuration firewall
filter zscalerredirect {
    term zscalernoredirect {
        from {
            destination-prefix-list {
                zscalernoredirect;
            }
        }
        then accept;
    }
    term zscalerredirect {
        from {
            source-prefix-list {
                zscalerredirect;
            }
            protocol tcp;
            destination-port [ http https ];
        }
        then {
            routing-instance traffic_tunnel;
        }
    }
    term allow-everything-else {
        then accept;
    }
}


Apply the filter as an input filter on the interface that receives the ingress traffic to be sent through the GRE tunnel. An inet firewall filter can only be applied under family inet; it cannot be attached to a port configured for family ethernet-switching, so on a switched port apply it to the Layer 3 interface (here ge-0/0/4.0, or a vlan.x interface) instead.

ge-0/0/4 {
 	unit 0 {
 		family inet {
 			filter {
 				input zscalerredirect;
 			}
 			address 192.168.1.101/24;
 		}
 	}
}

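To see exactly which flows the filter hands to Zscaler and which it lets out directly, the following added example (not from the page) models the `zscalerredirect` filter the way Junos evaluates a stateless filter: terms in order, first match wins, implicit discard at the end. The redirect term is taken with `protocol tcp`; the prefixes are the page's, the `Packet` class and the sample flows (including the destination 93.184.216.34 and the host 10.10.0.9) are constructed for the example.

```python
"""Evaluate the page's `zscalerredirect` firewall filter over constructed
flows to see which traffic Zscaler will inspect and which bypasses it.
Added example; the filter terms mirror the page, the flows are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


# The page's filter as data: (term name, match conditions, action).
FILTER_ZSCALERREDIRECT = [
    ("zscalernoredirect", {"dst_prefixes": ["13.13.13.0/24"]}, "accept"),
    ("zscalerredirect",
     {"src_prefixes": ["192.168.0.0/16"], "protocol": "tcp", "dports": {80, 443}},
     "routing-instance traffic_tunnel"),
    ("allow-everything-else", {}, "accept"),
]


def term_matches(match, pkt):
    """All listed conditions must hold; a term with no conditions matches all."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if "src_prefixes" in match and not any(
            src in ipaddress.ip_network(p) for p in match["src_prefixes"]):
        return False
    if "dst_prefixes" in match and not any(
            dst in ipaddress.ip_network(p) for p in match["dst_prefixes"]):
        return False
    if "protocol" in match and pkt.proto != match["protocol"]:
        return False
    if "dports" in match and pkt.dport not in match["dports"]:
        return False
    return True


def evaluate(pkt, filt=FILTER_ZSCALERREDIRECT):
    """Return (term name, action) for the first matching term, or the
    implicit final discard when no term matches."""
    for name, match, action in filt:
        if term_matches(match, pkt):
            return name, action
    return None, "discard"


def goes_to_zscaler(pkt):
    return evaluate(pkt)[1] == "routing-instance traffic_tunnel"


# Constructed flows. Only the first is inspected by Zscaler; the rest leave
# through inet.0 and the SRX's own NAT with no cloud inspection at all.
FLOWS = [
    Packet("192.168.1.50", "93.184.216.34", "tcp", 443),   # LAN host, HTTPS
    Packet("192.168.1.50", "13.13.13.7", "tcp", 443),      # excluded destination
    Packet("192.168.1.50", "93.184.216.34", "tcp", 8443),  # HTTPS on an odd port
    Packet("192.168.1.50", "93.184.216.34", "udp", 443),   # QUIC
    Packet("10.10.0.9", "93.184.216.34", "tcp", 443),      # host outside 192.168/16
    Packet("192.168.1.50", "93.184.216.34", "icmp"),       # no ports at all
]


def report(flows=FLOWS):
    """Map each flow to the term that caught it and whether Zscaler sees it."""
    return {f: (evaluate(f)[0], goes_to_zscaler(f)) for f in flows}


if __name__ == "__main__":
    for pkt, (term, inspected) in report().items():
        print(f"{pkt.src:>14} -> {pkt.dst:<15} {pkt.proto}/{pkt.dport}: "
              f"term={term}, zscaler={inspected}")
```

The point of the table the script prints is the five flows that are not inspected: a proxy on 8443, QUIC on UDP/443, and any host outside 192.168.0.0/16 all reach the Internet without touching Zscaler. If the intent is "all web traffic goes through Zscaler", the redirect term (or a default route through the tunnel) has to be widened accordingly.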

Ensure that the security zones exist, that the LAN interfaces are in the Trust zone, and that ge-0/0/0.0 and both gr-0/0/0 units are in the Untrust zone. Note that this example allows all host-inbound system services and protocols on both zones, which exposes every service the SRX runs (SSH, web management, and so on) to the Internet on ge-0/0/0.0. In production, restrict host-inbound-traffic on the untrust zone to the services the design actually needs (for example, dhcp on ge-0/0/0.0 when the address is obtained by DHCP).

root# run show configuration security zones
security-zone trust {
    address-book {
        address local-net 192.168.0.0/16;
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
        ge-0/0/4.0;
    }
}
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    tftp;
                    all;
                }
            }
        }
        gr-0/0/0.0;
        gr-0/0/0.1;
    }
}


Configure security policies that allow the traffic from the Trust to the Untrust zone. The SRX is a stateful firewall, so return traffic for sessions initiated from the Trust zone, including traffic coming back through the GRE tunnels, is permitted by the session table without a reverse policy. The untrust-to-trust any/any permit shown below is therefore not required by this design, and it lets anything that reaches the Untrust zone, over the Internet or over the tunnels, initiate connections into the internal network; remove it, or narrow it to the specific inbound services you intend to expose.

root# run show configuration security policies
from-zone untrust to-zone trust {
 	policy untrust-to-trust {
 		match {
 			source-address any;
 			destination-address any;
 			application any;
 		}
 		then {
 			permit;
 		}
 	}
}
from-zone trust to-zone untrust {
 	policy any-permit {
 		match {
 			source-address any;
 			destination-address any;
 			application any;
 		}
 		then {
 			permit;
 		}
 	}
}


Troubleshooting the Configuration

Following are some sample commands that you can use to monitor and troubleshoot the GRE tunnel.

Ensure that you can ping the GRE endpoints on the Zscaler service, sourcing each ping from the router's inner address of the corresponding tunnel so that it is carried inside that tunnel:

root# run ping 172.18.58.126 source 172.18.58.125
PING 172.18.58.126 (172.18.58.126): 56 data bytes
64 bytes from 172.18.58.126: icmp_seq=0 ttl=64 time=8.029 ms
64 bytes from 172.18.58.126: icmp_seq=1 ttl=64 time=2.107 ms
^C
--- 172.18.58.126 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.107/5.068/8.029/2.961 ms
[edit]
root# run ping 172.18.58.122 source 172.18.58.121
PING 172.18.58.122 (172.18.58.122): 56 data bytes
64 bytes from 172.18.58.122: icmp_seq=0 ttl=64 time=2.337 ms
64 bytes from 172.18.58.122: icmp_seq=1 ttl=64 time=2.257 ms
64 bytes from 172.18.58.122: icmp_seq=2 ttl=64 time=2.423 ms
^C
--- 172.18.58.122 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.257/2.339/2.423/0.068 ms

Ensure that ip-monitoring is working. With both probes passing, each policy reports Status: PASS and its route action is NOT-APPLIED; when a probe fails, the policy shows FAIL and the preferred route shows APPLIED.

root# run show services ip-monitoring status
Policy - failover (Status: PASS)
  RPM Probes:
    Probe name        Test Name     Address         Status
    --------------------------------------------------------------
    icmp_gre          icmp          172.18.58.122   PASS

  Route-Action:
    route-instance    route         next-hop        state
    ---------------------------------------------------------------
    traffic_tunnel    0.0.0.0/0     172.18.58.126   NOT-APPLIED

Policy - failover_backup (Status: PASS)
  RPM Probes:
    Probe name        Test Name     Address         Status
    --------------------------------------------------------------
    icmp_gre_backup   icmp_backup   172.18.58.126   PASS

  Route-Action:
    route-instance    route         next-hop        state
    ---------------------------------------------------------------
    traffic_tunnel    0.0.0.0/0     172.18.58.122   NOT-APPLIED
[edit]

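A failover that happens silently is easy to miss until the secondary ZEN also fails, so the status above is worth checking from a monitoring job rather than by eye. The following added example (not from the page or from Juniper) parses the output of `show services ip-monitoring status` as the page shows it and raises a warning when any route action has been APPLIED. The healthy sample is a constructed copy of the page's output; the failed sample is derived from it by flipping the primary probe to FAIL and its route action to APPLIED, which is how the command reports an active failover. Collecting the output (over SSH, NETCONF or a cron job on the SRX) is left to the caller.

```python
"""Parse `show services ip-monitoring status` and flag an active failover.
Added example; the sample output is a constructed copy of the page's."""
import re

POLICY_RE = re.compile(r"^\s*Policy - (\S+) \(Status: (PASS|FAIL)\)")
PROBE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(PASS|FAIL)\s*$")
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+/\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(APPLIED|NOT-APPLIED)\s*$")


def parse_ip_monitoring(text):
    """Return {policy: {"status": ..., "probes": {name: (test, target, status)},
    "routes": [(instance, prefix, next_hop, state), ...]}}."""
    policies, current = {}, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(
                m.group(1), {"status": m.group(2), "probes": {}, "routes": []})
            continue
        if current is None:     # text before the first policy header
            continue
        m = PROBE_RE.match(line)
        if m:
            current["probes"][m.group(1)] = (m.group(2), m.group(3), m.group(4))
            continue
        m = ROUTE_RE.match(line)
        if m:
            current["routes"].append(m.groups())
    return policies


def active_failovers(policies):
    """(policy, next-hop) for every route action Junos has actually installed."""
    return sorted((name, r[2]) for name, p in policies.items()
                  for r in p["routes"] if r[3] == "APPLIED")


def failed_probes(policies):
    return sorted(n for p in policies.values()
                  for n, v in p["probes"].items() if v[2] == "FAIL")


def summarize(text):
    """One status line suitable for a monitoring check."""
    policies = parse_ip_monitoring(text)
    if not policies:
        return "CRITICAL: no ip-monitoring policies found (is ip-monitoring configured?)"
    failovers = active_failovers(policies)
    if failovers:
        return "WARNING: failover active: " + ", ".join(
            f"{name} -> next-hop {nh}" for name, nh in failovers)
    return "OK: all probes passing, no route action applied"


# Constructed sample: what the page shows when both tunnels are healthy.
HEALTHY = """\
Policy - failover (Status: PASS)
  RPM Probes:
    Probe name        Test Name     Address         Status
    --------------------------------------------------------------
    icmp_gre          icmp          172.18.58.122   PASS
  Route-Action:
    route-instance    route         next-hop        state
    ---------------------------------------------------------------
    traffic_tunnel    0.0.0.0/0     172.18.58.126   NOT-APPLIED
Policy - failover_backup (Status: PASS)
  RPM Probes:
    Probe name        Test Name     Address         Status
    --------------------------------------------------------------
    icmp_gre_backup   icmp_backup   172.18.58.126   PASS
  Route-Action:
    route-instance    route         next-hop        state
    ---------------------------------------------------------------
    traffic_tunnel    0.0.0.0/0     172.18.58.122   NOT-APPLIED
"""

# Constructed sample: primary probe has failed and the route action is in.
PRIMARY_DOWN = (HEALTHY
                .replace("Policy - failover (Status: PASS)", "Policy - failover (Status: FAIL)")
                .replace("172.18.58.122   PASS", "172.18.58.122   FAIL")
                .replace("172.18.58.126   NOT-APPLIED", "172.18.58.126   APPLIED"))

if __name__ == "__main__":
    print(summarize(HEALTHY))
    print(summarize(PRIMARY_DOWN))
```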
Check the routing table and the Zscaler GRE routing instance. In the following output, traffic_tunnel.inet.0 is used for GRE traffic routing: its default route is active via gr-0/0/0.1 (the primary, Static/5) with the route via gr-0/0/0.0 (the secondary, Static/200) held as the backup.

root# run show route

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0           *[Access-internal/12] 05:34:30
                    > to 10.96.13.254 via ge-0/0/0.0
10.32.32.0/24       *[Static/5] 05:34:30
                    > to 10.96.13.254 via ge-0/0/0.0
10.96.13.0/24       *[Direct/0] 05:34:30
                    > via ge-0/0/0.0
192.0.2.2/32        *[Local/0] 05:34:30
                       Local via ge-0/0/0.0
98.139.183.0/24     *[Static/5] 02:23:05
                    > via gr-0/0/0.1
172.18.58.144/30    *[Direct/0] 01:28:06
                    > via gr-0/0/0.1
172.18.58.121/32    *[Local/0] 01:28:06
                       Local via gr-0/0/0.1
172.18.58.148/30    *[Direct/0] 01:28:06
                    > via gr-0/0/0.0
172.18.58.125/32    *[Local/0] 01:28:06
                       Local via gr-0/0/0.0
192.168.1.1/32      *[Local/0] 05:34:51
                       Reject
192.168.1.101/32    *[Local/0] 01:58:54
                       Reject

traffic_tunnel.inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0           *[Static/5] 02:23:05
                    > via gr-0/0/0.1
                    [Static/200] 05:34:41
                    > via gr-0/0/0.0
10.96.13.0/24       *[Direct/0] 05:34:30
                    > via ge-0/0/0.0
192.0.2.2/32        *[Local/0] 05:34:30
                       Local via ge-0/0/0.0
172.18.58.144/30    *[Direct/0] 01:28:06
                    > via gr-0/0/0.1
172.18.58.121/32    *[Local/0] 01:28:06
                       Local via gr-0/0/0.1
172.18.58.148/30    *[Direct/0] 01:28:06
                    > via gr-0/0/0.0
172.18.58.125/32    *[Local/0] 01:28:06
                       Local via gr-0/0/0.0
192.168.1.1/32      *[Local/0] 02:09:21
                       Reject
192.168.1.101/32    *[Local/0] 01:09:26
                       Reject


Check the probe status:

root# run show services rpm probe-results
 	Owner: icmp_gre, Test: icmp
 	Target address: 172.18.58.122, Source address: 172.18.58.121,
 	Probe type: icmp-ping, Test size: 5 probes
 	Probe results:
 	  Response received, Thu May 16 10:35:10 2013, No hardware timestamps
 	  Rtt: 7440 usec
 	Results over current test:
 	  Probes sent: 3, Probes received: 3, Loss percentage: 0
 	  Measurement: Round trip time
 	    Samples: 3, Minimum: 2041 usec, Maximum: 7440 usec, Average: 3874 usec,
 	    Peak to peak: 5399 usec, Stddev: 2522 usec, Sum: 11622 usec
 	  Results over last test:
 	    Probes sent: 5, Probes received: 5, Loss percentage: 0
 	    Test completed on Thu May 16 10:34:50 2013
 	    Measurement: Round trip time
 		Samples: 5, Minimum: 2102 usec, Maximum: 55952 usec,
 		Average: 13946 usec, Peak to peak: 53850 usec, Stddev: 21101 usec,
 		Sum: 69732 usec
 	  Results over all tests:
 	    Probes sent: 768, Probes received: 768, Loss percentage: 0
 	    Measurement: Round trip time
 		Samples: 768, Minimum: 1888 usec, Maximum: 236457 usec,
 		Average: 10119 usec, Peak to peak: 234569 usec, Stddev: 29646 usec,
 		Sum: 7771578 usec

 	Owner: icmp_gre_backup, Test: icmp_backup
 	Target address: 172.18.58.126, Source address: 172.18.58.125,
 	Probe type: icmp-ping, Test size: 5 probes
 	Probe results:
 	  Response received, Thu May 16 10:35:10 2013, No hardware timestamps
 	  Rtt: 2353 usec
 	Results over current test:
 	  Probes sent: 4, Probes received: 4, Loss percentage: 0
 	  Measurement: Round trip time
 	    Samples: 4, Minimum: 2080 usec, Maximum: 8282 usec, Average: 3703 usec,
 	    Peak to peak: 6202 usec, Stddev: 2646 usec, Sum: 14813 usec
 	Results over last test:
 	  Probes sent: 5, Probes received: 5, Loss percentage: 0
 	  Test completed on Thu May 16 10:34:45 2013
 	  Measurement: Round trip time
 		Samples: 5, Minimum: 1900 usec, Maximum: 2504 usec, Average: 2110 usec,
 		Peak to peak: 604 usec, Stddev: 211 usec, Sum: 10550 usec
 	Results over all tests:
 	  Probes sent: 754, Probes received: 754, Loss percentage: 0
 	  Measurement: Round trip time
 		Samples: 754, Minimum: 1836 usec, Maximum: 270644 usec,
 		Average: 6825 usec, Peak to peak: 268808 usec, Stddev: 21516 usec,
 		Sum: 5146145 usec

[edit]