Channel: Virtual Router/Firewall/VPN topics
Viewing all 121 articles

v5600 IPSec throughput


Dear community,

 

I'm evaluating the following:

- v5600 routers deployed in NFV style (industry-standard hardware, deployed on KVM hypervisors, DPDK to enable multiple virtual routers on one physical hypervisor)

- IPsec site-to-site VPNs in a hub-and-spoke architecture (about 400 sites terminating at one headquarters datacenter)

- NFV orchestration with HPE NFV Director (automation to deploy v5600 nodes)

 

What IPsec performance can I expect for one vSR 5600 software router?

Are there any HW encryption cards supported (Intel QuickAssist)?

What is the ideal, proven setup for this NFV deployment that you would recommend?

 

Please support me, I'm new to Brocade products.

 

Kind regards,

Michael


Brocade vRouter 5600 17.1.1 AWS VPN with Public IP Encryption Domain


Hello,

 

This post is in relation to a previous post

 

Brocade vRouter 5410 6.7 R11S3 AWS VPN with Public IP Encryption Domain

 

Unfortunately, I had been assigned to another project so this issue was parked until now.

 

A little recap on what I am trying to achieve.

 

  • 2 VPN tunnels between a single vRouter hosted in AWS and customer sites 1 and 2.
  • There is an EC2 instance on the AWS side, in a private subnet; the subnet has routes that send the encryption domain IPs for site 1 and site 2 to the vRouter.
  • This EC2 instance's private IP has been NATed to an encryption domain on the AWS side.
  • IPsec tunnels are established between the vRouter and customer sites 1 and 2.
  • If I run 'show nat source translation' I can see the EC2 instance's local address 10.168.65.200 translated to the AWS encryption domain IP (54.194.1.2).
  • But there are no traffic metrics recorded in 'show vpn ipsec sa', and I am unable to telnet to either of the customers' encryption domain IPs on port 8000 (the customer service runs on port 8000).
  • See the attached topology diagram for reference.

 

The vRouter for this environment has been upgraded to 5600 17.1.1 with some config changes to support the new CLI.

 

 

If anyone can assist with debugging this issue, that would be appreciated. All addresses have been anonymised.

  

Thank you,

 

Scott

Known issue or minor bugs on vrouter 5600


 

We plan to migrate from v5400 to 5600 because of the Vyatta 5400 EOS.

I want to know the considerations for migrating to 5600 and the known bugs.

Also, when will the new version be released?

Please let me know.

 

Both the vRouter (Vyatta) 5400 and 5600 are going EOL/EOS in a very short time, no replacement?!

Change from dhcp to static address on eth0


Hello,

 

I seem to be having trouble changing eth0 from DHCP to a static address. When changed using the below commands, the Vyatta starts the process and then becomes unavailable. A reboot is then required to restore the last known saved config from before the commit.

 

 

delete interface ethernet eth0 dhcp

set interface ethernet eth0 address 10.168.64.4/28

commit

 

The CLI returns

 

[ interfaces ethernet eth0 address dhcp ]

Stopping DHCP client on eth0 ...

 

This has been tested on vRouter 4500 and vRouter 5600 with the same outcome. All Vyattas are running on AWS.

 

I have a vRouter 4500 in an HA configuration which was implemented before my time, and it has a static address assigned to both instances. Can anyone explain why this might be happening?

 

My environment is hosted in AWS.

 

Thanks,

 

Scott

 

 

IPsec remote access L2TP connection - not able to access remote server from client (Vyatta)


Hi ,

 

I have configured L2TP/IPsec remote access VPN on a Vyatta 5400 router. I am able to establish the L2TP connection and the client user can be seen connected in the VPN status; however, I am unable to ping or SSH from the client Windows 7 host IP 192.168.100.101 (assigned after connecting to the remote access VPN) to reach the destination IP 10.170.114.22.

I am able to ping remote-address x.x.x.x.

 

The strange thing is that when I log in to server 10.170.114.22 I can ping 192.168.100.101, but the reverse is not happening.

Is the remote-nexthop command required? I have added it, and the name server also.

 

What could be the issue to look into? Are there any changes to be made on the client host IP 192.168.100.101?

 

The exact same config was done. No firewall port is blocked.

set vpn ipsec ipsec-interfaces interface <OUTSIDE PUBLIC INT>
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn l2tp remote-access outside-address <OUTSIDE PUBLIC IP>
set vpn l2tp remote-access client-ip-pool start <x.x.x.x>
set vpn l2tp remote-access client-ip-pool stop <x.x.x.x>

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <passphrase>
set vpn l2tp remote-access authentication mode local

set vpn l2tp remote-access authentication local-users username test password abc123

vRouter 5600 5.2R5 firewall drop return packets


Hello

I am configuring vRouter 5600 (5.2R5), especially the interface-based firewall.

I have heard of a specification change regarding the stateful firewall from Release 5.1
(the vRouter with the stateful firewall feature enabled globally doesn't generate accept rules automatically for the return packets which arrive at the outside interface).

I have a question about the firewall configuration to permit traffic initiated by the vRouter itself
(such as NTP, DNS lookup, ICMP, SSH login to other routers).

When the above types of communication are issued, they bypass the "local" firewall and the "in" firewall; then the return packets are dropped by the
"local" firewall or the "in" firewall.

If I add accept rules for the return packets, this traffic is no longer dropped, but I want to avoid this configuration because it's complicated.


Is it possible to configure the firewall to accept return packets without adding accept rules?

 

Thank you

 

vrouter 5600 applying local filter using zone-configuration


I'm trying to figure out how to apply a local-zone filter in a zone policy on the 5600. I want to filter the inbound traffic to the Vyatta itself. On the 5400 that was accomplished by creating zone local on the interface, which does not seem to be possible on the 5600. I realize that I can still apply a local filter in an interface-based policy, but I would like to be able to filter via zone-based policy. I hope there is a distinction between local traffic and forwarded traffic per interface in the zone configuration.


Vyatta route config


Hi all,

I need some help configuring Vyatta.

Site A has a Cisco router and can ping site B (Vyatta).
Site A also has a Mikrotik router and can ping site C (cloud provider 2 - AWS gateway working fine),

but I am not able to ping from site B to site C and vice versa.


As far as I understand, I need to add a route on Vyatta to forward all packets destined for C to A but I am not having much luck with this.

Happy to post config once I know what information is needed...

If I do ip route show all I get the following 3 among others:

172.20.0.0/16 dev eth0  proto zebra
172.30.200.0/24 dev eth1  proto kernel  scope link  src 172.30.200.254
192.168.0.0/16 dev eth0  scope link  src 172.30.200.254

I need to change the 172.20.0.0/16 to look like the 192.168.0.0/26 route.

https listen for webserver opening ssh sessions for Malicious IP


Hi Experts ,

   There is some serious threat or issue: if you turn on set service listen-address x.x.x.x for the Web GUI or web server for management or configs of the Vyatta, then a number of attackers or malicious IPs established SSH connections to your Vyatta v5400 as well as v5600. Any thoughts or ideas?

 

I'm trying to understand how opening HTTPS for the API or web GUI causes SSH sessions even though we have the SSH username and password commands set.

 

 

vyatta~$ show system connections | grep ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34802 ESTABLISHED
tcp 0 0 127.0.0.1:34796 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34792 ESTABLISHED
tcp 0 0 127.0.0.1:34799 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34795 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34799 ESTABLISHED
tcp 0 0 168.1.X.X:22 191.96.249.38:38846 ESTABLISHED
tcp 0 0 127.0.0.1:34792 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34801 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34793 ESTABLISHED
tcp 0 0 127.0.0.1:34793 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34801 ESTABLISHED
tcp 0 0 168.1.X.X:22 58.218.198.142:62307 ESTABLISHED----->from china (58.218.198.142)
tcp 0 0 127.0.0.1:199 127.0.0.1:34795 ESTABLISHED
tcp 0 0 127.0.0.1:34802 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34796 ESTABLISHED
tcp 0 68 168.1.114.92:22 58.218.198.142:57032 ESTABLISHED
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$ show system connections | grep ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34802 ESTABLISHED
tcp 0 0 127.0.0.1:34796 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34792 ESTABLISHED
tcp 0 0 127.0.0.1:34799 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34795 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34799 ESTABLISHED
tcp 0 0 127.0.0.1:34792 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34801 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34793 ESTABLISHED
tcp 0 0 127.0.0.1:34793 127.0.0.1:199 ESTABLISHED
tcp 0 720 168.1.X.X:22 191.96.249.38:53234 ESTABLISHED----> from Russia (191.96.249.38)
tcp 0 0 127.0.0.1:199 127.0.0.1:34801 ESTABLISHED
tcp 0 52 168.1.X.X:22 216.85.5.86:54368 ESTABLISHED --->legitimate connection 
tcp 0 0 127.0.0.1:199 127.0.0.1:34795 ESTABLISHED
tcp 0 0 127.0.0.1:34802 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34796 ESTABLISHED


vyatta:~$ show configuration commands | grep http
set service https listen-address '10.118.125.97'
vyatta@:~$ configure
[edit]
vyatta@# delete service https listen-address  ----> After deleting or disabling the https listen address, no SSH sessions from the malicious IPs.


[edit]
vyatta@# commi
commit commit-confirm
[edit]
vyatta@# commit
[ service https ]
Stopping web server: lighttpd.
Starting web server: lighttpd.
Stopping API PAGER server
Starting API PAGER server
spawn-fcgi: child spawned successfully: PID: 25607

[edit]
vyatta@# show system connections | grep ESTABLISHED

Configuration path: system [connections] is not valid
Show failed

[edit]
vyatta@# exit
Warning: configuration changes have not been saved.
exit
vyatta@:~$ show system connections | grep ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34802 ESTABLISHED
tcp 0 0 127.0.0.1:34796 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34792 ESTABLISHED
tcp 0 0 127.0.0.1:34799 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34795 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34799 ESTABLISHED
tcp 0 0 127.0.0.1:34792 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34801 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34793 ESTABLISHED
tcp 0 0 127.0.0.1:34793 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34801 ESTABLISHED
tcp 0 52 168.1.X.X:22 216.85.5.86:54368 ESTABLISHED --->legitimate connection 
tcp 0 0 127.0.0.1:199 127.0.0.1:34795 ESTABLISHED
tcp 0 0 127.0.0.1:34802 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34796 ESTABLISHED
vyatta@:~$ show system connections | grep ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34802 ESTABLISHED
tcp 0 0 127.0.0.1:34796 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34792 ESTABLISHED
tcp 0 0 127.0.0.1:34799 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34795 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34799 ESTABLISHED
tcp 0 0 127.0.0.1:34792 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34801 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34793 ESTABLISHED
tcp 0 0 127.0.0.1:34793 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34801 ESTABLISHED
tcp 0 52 168.1.X.X:22 216.85.5.86:54368 ESTABLISHED --->legitimate connection 
tcp 0 0 127.0.0.1:199 127.0.0.1:34795 ESTABLISHED
tcp 0 0 127.0.0.1:34802 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34796 ESTABLISHED
vyatta@:~$ show system connections | grep ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34802 ESTABLISHED
tcp 0 0 127.0.0.1:34796 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34792 ESTABLISHED
tcp 0 0 127.0.0.1:34799 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34795 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34799 ESTABLISHED
tcp 0 0 127.0.0.1:34792 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:34801 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34793 ESTABLISHED
tcp 0 0 127.0.0.1:34793 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34801 ESTABLISHED
tcp 0 52 168.1.X.X:22 216.85.5.86:54368 ESTABLISHED --->legitimate connection 
tcp 0 0 127.0.0.1:199 127.0.0.1:34795 ESTABLISHED
tcp 0 0 127.0.0.1:34802 127.0.0.1:199 ESTABLISHED
tcp 0 0 127.0.0.1:199 127.0.0.1:34796 ESTABLISHED
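
The capture above only shows ESTABLISHED sessions to port 22, so before deciding whether the https listener is related, the first check is simply to separate management sessions from the loopback chatter (the 127.0.0.1:199 pairs are most likely snmpd and its smux subagent talking to each other) and compare each peer against the addresses that should be managing the box. The following is an added example, not Vyatta code and not from the poster: a Python parser for netstat-style output such as `show system connections` that reports ESTABLISHED sessions to management ports from peers outside an allowlist. The sample output is constructed in the same layout with documentation addresses, and the allowlist CIDR is an assumption.

```python
import ipaddress
from typing import Iterable, List, NamedTuple

# Constructed sample in the shape of `show system connections` output; the
# addresses are documentation ranges, not those from the post.
SAMPLE_OUTPUT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:199 127.0.0.1:34802 ESTABLISHED
tcp 0 0 127.0.0.1:34802 127.0.0.1:199 ESTABLISHED
tcp 0 0 192.0.2.10:22 198.51.100.38:38846 ESTABLISHED
tcp 0 720 192.0.2.10:22 203.0.113.142:53234 ESTABLISHED
tcp 0 52 192.0.2.10:22 10.118.125.5:54368 ESTABLISHED
tcp 0 0 192.0.2.10:443 10.118.125.5:51000 ESTABLISHED
tcp 0 0 192.0.2.10:22 10.118.125.9:40000 TIME_WAIT
"""

MANAGEMENT_PORTS = {22, 443}   # ssh and the https/API listener


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def split_endpoint(endpoint: str):
    # rpartition keeps IPv6 literals such as "::1" intact
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_connections(text: str) -> List[Conn]:
    """Parse netstat-style lines; headers and trailing annotations are ignored."""
    conns: List[Conn] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        lip, lport = split_endpoint(fields[3])
        rip, rport = split_endpoint(fields[4])
        conns.append(Conn(fields[0], lip, lport, rip, rport, fields[5]))
    return conns


def foreign_management_sessions(text: str,
                                allowed_cidrs: Iterable[str]) -> List[Conn]:
    """ESTABLISHED sessions to a management port from a peer outside the allowlist."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits: List[Conn] = []
    for c in parse_connections(text):
        if c.state != "ESTABLISHED" or c.local_port not in MANAGEMENT_PORTS:
            continue
        peer = ipaddress.ip_address(c.remote_ip)
        if peer.is_loopback:
            continue   # local agent traffic, e.g. the 127.0.0.1:199 pairs
        if any(peer in net for net in allowed):
            continue
        hits.append(c)
    return hits


if __name__ == "__main__":
    # Assumed management network; replace with the real one.
    for c in foreign_management_sessions(SAMPLE_OUTPUT, ["10.118.125.0/24"]):
        print(f"port {c.local_port} from {c.remote_ip}:{c.remote_port} "
              f"(send-q suggests {'active' if c.remote_port else ''} session)")
```

Feed it the saved output of `show system connections` from the device (or `netstat -tn` on the underlying Debian system). A hit from an unknown peer tells you a session exists and has completed the TCP handshake, not whether authentication succeeded; the SSH daemon's auth log on the device settles that, and is also what decides whether the timing relative to the https change is cause or coincidence. Either way, a management listener that has to be reachable from a public address is better restricted with a firewall rule on the local chain and the ssh/https listen-address limited to the management network.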

Interaction of NAT and IPsec-VPN on vRouter 5600


Hello
I have a question about the interaction of NAT and IPsec VPN on vRouter 5600.

Regarding the interaction of NAT and IPsec VPN,
it seems that the specification is different between vRouter 5400 and vRouter 5600 (5.2R5S3),
because the same configuration as on vRouter 5400 didn't work.

In our system,
1.  2 sites are connected through an IPsec VPN tunnel,
2.  In both sites users communicate using global IPs, so the vRouter needs to perform both the IPsec VPN and bidirectional NAT functions.
3.  In the vRouter configuration, the IPsec tunnel is defined using the local/prefix setting (not using VTI).

--In case of using vRouter 5400--
When I start communication from the vRouter site to the opposite site, or
when I start communication from the opposite site to the vRouter site, NAT with IPsec VPN works fine.


--In case of vRouter 5600--
When I start communication from the vRouter site to the opposite site,
source NAT works but the packets don't go into the IPsec VPN tunnel.
When I start communication from the opposite site to the vRouter site,
the packets flow through the IPsec VPN tunnel but destination NAT doesn't work.

I'm concerned about the specification change from vRouter 5400 regarding the interaction of NAT and IPsec VPN.
Does anyone have information about this?
Regarding the interaction between NAT, routing and firewall, I know about the specification change
(for example,
http://www1.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5600_manual_321R5/wwhelp/wwhimpl/js/html/wwhelp.htm#href=NAT/NAT%20Overview.2.17.html
).

Thank you.

(athirano1 from Japan)

Vyatta 5600 recommended firewall rule limit


Vyatta 5600 - What is the maximum number of firewall rules allowed for the Vyatta 5600? What is the "recommended" maximum number of firewall rules for the Vyatta 5600? We want to avoid performance issues related to too many rules.

Can I assign only IP subnets, which are on the same interface, to a VRF on a Vyatta firewall?


Hello,

I have a Vyatta box version 5600 and need to separate management traffic from customer traffic, but both kinds of traffic arrive on the same interface in different IP subnets. There are several IP subnets configured on the same bonding interface.

Is it possible to assign only one or more IP subnets to a VRF instead of interfaces?

I found only commands to add interfaces to VRFs.

If yes, it would be very helpful to get the correct commands.

 

Thanks for your help.

 

Best regards

 

Roger

config-sync status not working


Hi

Please help me on below issue.

 

I have one user with operator privilege, but he cannot run the operator command "show config-sync status"; the error is as below.

 

Sorry, user readonly is not allowed to execute '/usr/bin/sg vyattacfg umask 0002 ;export VYATTA_TEMP_CONFIG_DIR=/opt/vyatta/config/active; /opt/vyatta/sbin/vyatta-save-config.pl /tmp/local.boot ' as root on socieg-pari-fr-havya1.sgibfs.softlayer.com.
Error!  Unable to open file "/tmp/local.boot".  No such file or directory at /opt/vyatta/share/perl5/XorpConfigParser.pm line 465.

 

Thanks in advance for your time and help.

 

Tony

NOS 5.0.1 guide download?


Hi, who can share it?

Thank you

 

Virtual Traffic Manager Appliance 1000 M 11.1 - Monitor Number of Concurrent Connections


I have a Virtual Traffic Manager Appliance 1000 M 11.1 and I am looking to monitor the number of concurrent connections.

 

I have not been able to find how this would be done. I tried forum searches, but they have been yielding results related to the "max. number of connections".

 

Please bear with me as I am a software developer who has been tasked with "find a way to monitor our number of concurrent connections". Since this network appliance is at the front gates, I figured I'd see if it was capable of providing me such optics.

 

I have the Brocade Virtual Traffic Manager: User's Guide, v11.0 PDF and have found information on SLAs and other types of optics/alerting, bandwidth limits, etc., but nothing glaring about "monitoring the number of connections".

 

Please let me know if this is something this appliance is capable of, and if so, what terminology I would use to find documentation / resources.

 

Thank you!

 

 

Where can I download 5600 vrouter ISO file?


Hi all,

I cannot download the 5600 vRouter ISO file. Can anyone guide me on how I can do that?

GRE Tunnel with OSPF between Vyatta and Cisco router


Hello,

 

I have configured a GRE tunnel between a Vyatta and a Cisco router. First it was version 5400 of the Vyatta firewall, and the tunnel configuration worked fine with the VRRP address of my firewall cluster. The OSPF neighbor was ready and exchanged routes.

After the upgrade of the Vyatta to version 5600 this configuration didn't work any more. The GRE tunnel is up, but the OSPF neighborship is lost every 10 - 20 seconds and so the exchange of routes doesn't work.

I have now configured two GRE tunnels from the Cisco router towards the interface IPs of the Vyattas. The first tunnel works well, but if the active Vyatta fails there is no IP communication possible over the second GRE tunnel.

 

Does anybody have an idea or a solution for that?

 

Best regards

 

Roger

Management and IPSEC Tunnels into a VRF


Hello,

 

For a customer project I need to separate routing tables because of overlapping IP addresses. There is an underlay and an overlay, and the overlap happens on the underlay with some remote customer locations.

I planned to establish two VRFs, as the route leaking between one VRF and the default didn't really work.

I must add all the interfaces into a VRF. There are a few VPN IPsec site-to-site tunnels.

Can I move these tunnels to one VRF?

How can I realize the management and the sync of the Vyatta firewall cluster over a VRF?

 

I hope somebody can help me.

 

Best regards

 

Roger

Kernel route into VRF - communication between VRF and VPN Tunnel


Hello,

 

I have the situation that I have a VRF and an IPsec tunnel in the default VRF.

I tried to assign the VPN interface to the VRF, but then the VPN tunnel didn't come up.

I also tried to create routes between the VRF and default for the VPN tunnel. No IP communication was possible.

 

Is there any solution for communication between the IPsec tunnel (kernel route) and the VRF networks?

I hope to hear any suggestions.

 

Best regards

Roger
