SRX




  • 1.  SRX Unable to Ping Hosts on Networks Accessible by VPN

    Posted 06-08-2015 12:37

    I'm having an issue with some SRXs that cannot ping hosts that must be accessed across a VPN.

    End users can ping each other across the VPN, and the end users can ping the SRX 550s.  The SRXs can ping end users on networks they are physically connected to, but not hosts across the VPN.

    What could cause this?

    Below is a rough diagram of the networks involved.

    Note: We are using traffic selectors in our ipsec configurations.

    Juniper_SRX_VPN_Routing_Issue.JPG




  • 2.  RE: SRX Unable to Ping Hosts on Networks Accessible by VPN

    Posted 06-08-2015 20:12

    Hello,

    As per your details, you are able to ping between end user 2 and 3, but end user 1 cannot ping 2 or 3. Correct me if I am wrong.

    Please share the following details from the SRX550 connected to end users 1, 2, 3:

    > show security ipsec security-associations

    > show route <end user IP>

    > show security flow session destination-prefix <end user IP>

    If possible please share the configuration from the SRXs and the IP of each host.



  • 3.  RE: SRX Unable to Ping Hosts on Networks Accessible by VPN

    Posted 06-10-2015 05:16

    Hey Sam,

    All end users can ping each other, but the SRXs themselves cannot ping end users on the other side of the VPNs.

    If I log into the SRX for end user 1 and try to show route to end user 2, I see this:

    inet.0: 21 destinations, 31 routes (21 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.10.0.0/16 *[Static/5] 11:45:32
    > via st0.0
    [Static/5] 11:45:32
    > via st0.0

    This is correct as st0.0 is the VPN interface on the SRX to get to that 10.10.0.0/16 network on the other side of the VPN, but I still cannot ping anything on that network.



  • 4.  RE: SRX Unable to Ping Hosts on Networks Accessible by VPN

    Posted 06-10-2015 05:35

    Hello,

    Try to ping the other end user IP by sourcing it from your trust interface IP.

    ping <user 2 IP> source <trust interface IP>

    This is because, when the return packet comes in, it will be the external interface IP and it may not go through the tunnel from the other end. So source it with the trust interface IP (where user 1 is connected) and try. It will work.



  • 5.  RE: SRX Unable to Ping Hosts on Networks Accessible by VPN

    Posted 06-10-2015 05:49

    Well, that definitely works, but if I'm trying to send something other than ICMP (i.e. FTP a config or syslog) to a host across the VPN... How would that work?



  • 6.  RE: SRX Unable to Ping Hosts on Networks Accessible by VPN
    Best Answer

    Posted 06-10-2015 06:11

    Hello,

    For that, you can take an unused LAN IP and assign the same to the loopback IP in the SRX so that any self-generated traffic will take the loopback as the default source.

    Or configure the following to take the loopback IP as the default source IP:

    #set system default-address-selection

    Ref: http://www.juniper.net/documentation/en_US/junos13.1/topics/reference/configuration-statement/default-address-selection-edit-system.html
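    Added example (not the configuration from anyone in this thread): a Junos set-style fragment putting the loopback fix together with the traffic selector, so that self-generated traffic falls inside the selector's local prefix. The local LAN 10.20.0.0/16, the loopback address 10.20.255.254, the VPN name vpn-to-site2 and the zone name trust are assumed; only 10.10.0.0/16 comes from the thread.

```junos
## Added example, not the thread's own config. Assumed values:
##   local LAN behind this SRX (user 1 side):  10.20.0.0/16
##   remote LAN across the VPN (from thread):  10.10.0.0/16
##   unused LAN address for lo0:               10.20.255.254/32
##   VPN name "vpn-to-site2", zone "trust"     (assumed names)

## 1. Give the SRX a loopback address taken from the local LAN range.
##    It must fall inside the traffic selector's local-ip prefix, or
##    packets sourced from it will not match the tunnel's selector.
set interfaces lo0 unit 0 family inet address 10.20.255.254/32
set security zones security-zone trust interfaces lo0.0

## 2. Make self-generated traffic (ping, syslog, FTP, NTP, ...) default
##    to the lo0 address instead of the egress (external) interface IP.
set system default-address-selection

## 3. Traffic selector: local prefix covers both the LAN and the loopback,
##    so the remote peer accepts the SRX's own traffic as well as user traffic.
set security ipsec vpn vpn-to-site2 traffic-selector ts1 local-ip 10.20.0.0/16
set security ipsec vpn vpn-to-site2 traffic-selector ts1 remote-ip 10.10.0.0/16

## Verification from operational mode (expected, not captured output):
##   ping 10.10.0.10
##     -> succeeds without a "source" option once lo0 is the default source
##   show security ipsec security-associations detail
##     -> selector 10.20.0.0/16 <-> 10.10.0.0/16 present on the active SA
##   show security flow session destination-prefix 10.10.0.10
##     -> source 10.20.255.254, egress via st0.0
```

    The remote SRX's selector must mirror this (its remote-ip covering 10.20.0.0/16), otherwise return packets to the loopback are still dropped at the far end.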



  • 7.  RE: SRX Unable to Ping Hosts on Networks Accessible by VPN

    Posted 06-10-2015 07:15

    Thank you!