Hi, I've some trouble configuring the active-directory connection on one SRX.
On the other SRX, without a routing instance, the same configuration has NO problem.
In this case, with a routing instance, yes...
I've already configured it for other stuff (SNMP, connection to JSA and so on): routing import, lo0 to make the connection reachable.
In fact these connections are working correctly.
For active-directory, NO.
In the case of SNMP, for example, Junos has the possibility to choose the correct routing-instance to be reachable, and syslog has the possibility to choose the correct source address / interface.
Active directory seems not! In fact this is where I found my trouble and problem.
The domain controller is not reachable, and the ad-connection results in "disconnected".
If I start a "normal" ping I get request timeout.
If I start a ping with a source interface, the ping works fine.
Here below some tests and the relevant configuration:
[active directory configuration connection]
set services user-identification active-directory-access traceoptions file ad-trace
set services user-identification active-directory-access traceoptions file size 25m
set services user-identification active-directory-access traceoptions level all
set services user-identification active-directory-access traceoptions flag all
set services user-identification active-directory-access domain domain.local user test
set services user-identification active-directory-access domain domain.local user password dsdasfsafssdad"
set services user-identification active-directory-access domain domain.local domain-controller dc.estremo.local address 10.20.20.100
set services user-identification active-directory-access domain domain.local ip-user-mapping discovery-method wmi event-log-scanning-interval 10
set services user-identification active-directory-access domain domain.local ip-user-mapping discovery-method wmi initial-event-log-timespan 1
set services user-identification active-directory-access domain domain.local user-group-mapping ldap authentication-algorithm simple
set services user-identification active-directory-access domain domain.local user-group-mapping ldap base dc=domain,dc=local
set services user-identification active-directory-access authentication-entry-timeout 30
set services user-identification active-directory-access wmi-timeout 10
[routing, interface and security policy configuration]
set routing-options static route 10.20.20.100/32 next-table juniper-default.inet.0
set routing-instances juniper-default routing-options static route 10.20.20.0/24 next-hop 10.10.10.20
set routing-instances juniper-default routing-options instance-import juniper-default-INET
set policy-options policy-statement INET-juniper-default term 1 from instance juniper-default
set policy-options policy-statement INET-juniper-default term 1 from protocol direct
set policy-options policy-statement INET-juniper-default term 1 from protocol local
set policy-options policy-statement INET-juniper-default term 1 then accept
set policy-options policy-statement INET-juniper-default term default then reject
set policy-options policy-statement juniper-default-INET term 1 from instance master
set policy-options policy-statement juniper-default-INET term 1 from protocol direct
set policy-options policy-statement juniper-default-INET term 1 from protocol local
set policy-options policy-statement juniper-default-INET term 1 then accept
set policy-options policy-statement juniper-default-INET term default then reject
set interfaces lo0 unit 0 family inet address 10.10.10.2/32
set security policies from-zone junos-host to-zone CONTACT-INSIDE policy FWedge_to_DC match source-address any
set security policies from-zone junos-host to-zone CONTACT-INSIDE policy FWedge_to_DC match destination-address dc
set security policies from-zone junos-host to-zone CONTACT-INSIDE policy FWedge_to_DC match application smb-dc-login
set security policies from-zone junos-host to-zone CONTACT-INSIDE policy FWedge_to_DC match application junos-ping
set security policies from-zone junos-host to-zone CONTACT-INSIDE policy FWedge_to_DC then permit
TESTING:
ping 10.20.20.100
PING 10.20.20.100 (10.20.20.100): 56 data bytes
^C
--- 10.20.20.100 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
------------------------------------------------------------------
ping source 10.10.10.1 10.20.20.100
PING 10.20.20.100 (10.20.20.100): 56 data bytes
64 bytes from 10.20.20.100: icmp_seq=0 ttl=127 time=5.798 ms
64 bytes from 10.20.20.100: icmp_seq=1 ttl=127 time=4.766 ms
64 bytes from 10.20.20.100: icmp_seq=2 ttl=127 time=5.035 ms
Any ideas?
Regards
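A small route-lookup model of the static routes shown in the post, added here as an illustration (it is not the poster's code and not a Juniper tool): it does a longest-prefix match and follows `next-table` the way Junos does, so you can see which table finally resolves the DC address and that only the /32 is leaked from inet.0. It models only the two static routes from the post and deliberately ignores the instance-import policies, source-address selection and the security policy.

```python
import ipaddress

# Routing lines copied from the post; the instance-import line is kept
# only to show that this model skips it (instance-import is not modelled).
CONFIG = """
set routing-options static route 10.20.20.100/32 next-table juniper-default.inet.0
set routing-instances juniper-default routing-options static route 10.20.20.0/24 next-hop 10.10.10.20
set routing-instances juniper-default routing-options instance-import juniper-default-INET
"""


def parse_static_routes(config):
    """Return {table_name: {prefix: (kind, value)}} where kind is
    'next-hop' or 'next-table'. Default-instance routes go to inet.0,
    routing-instance routes to <instance>.inet.0 (Junos naming)."""
    tables = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["set", "routing-options"]:
            table, rest = "inet.0", tok[2:]
        elif tok[:2] == ["set", "routing-instances"]:
            table, rest = f"{tok[2]}.inet.0", tok[4:]
        else:
            continue
        if rest[:2] != ["static", "route"]:
            continue  # instance-import and anything else is ignored
        prefix = ipaddress.ip_network(rest[2])
        tables.setdefault(table, {})[prefix] = (rest[3], rest[4])
    return tables


def lookup(tables, dest, table="inet.0", depth=0):
    """Longest-prefix match for dest in `table`, recursing into a
    next-table target like the Junos forwarding lookup does.
    Returns (resolving_table, matched_prefix, next_hop) or None."""
    if depth > 4:  # guard against next-table loops between tables
        return None
    dest = ipaddress.ip_address(dest)
    routes = tables.get(table, {})
    matches = [p for p in routes if dest in p]
    if not matches:
        return None
    best = max(matches, key=lambda p: p.prefixlen)
    kind, value = routes[best]
    if kind == "next-table":
        return lookup(tables, dest, value, depth + 1)
    return (table, str(best), value)
```

Running `lookup(parse_static_routes(CONFIG), "10.20.20.100")` from the default instance resolves via juniper-default.inet.0 to 10.10.10.20, while any other host in 10.20.20.0/24 has no route in inet.0 at all.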