can't ping to from source interface

  • 1.  can't ping to from source interface

    Posted 05-07-2018 20:39

    I'm confused about what I'm doing wrong.

    I can ping successfully, but when I try to add a source interface, it doesn't work.



    All policies are permitted and the route table is correct.

    Please see the configuration and ping test results below. What am I missing?



    root> ping
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=57 time=29.966 ms
    64 bytes from icmp_seq=1 ttl=57 time=30.709 ms
    64 bytes from icmp_seq=2 ttl=57 time=28.260 ms

    --- ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 28.260/29.645/30.709/1.025 ms

    root> ping source
    PING ( 56 data bytes
    --- ping statistics ---
    8 packets transmitted, 0 packets received, 100% packet loss


    root> show interfaces irb.55 terse
    Interface Admin Link Proto Local Remote
    irb.55 up up inet


    root> show security zones

    Security zone: trust
    Send reset for non-SYN session TCP packets: Off
    Policy configurable: Yes
    Interfaces bound: 3

    Security zone: untrust
    Send reset for non-SYN session TCP packets: Off
    Policy configurable: Yes
    Screen: untrust-screen
    Interfaces bound: 4


    root> show security policies from-zone trust to-zone untrust
    From zone: trust, To zone: untrust
    Policy: trust-to-untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, log, count


    root> show route

    inet.0: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both *[Static/5] 16:11:53
    > to via ge-0/0/3.0 *[Direct/0] 16:11:53
    > via ge-0/0/4.0 *[Local/0] 16:11:59
    Local via ge-0/0/4.0 *[Direct/0] 16:11:53
    > via irb.44 *[Local/0] 16:12:08
    Local via irb.44 *[Direct/0] 16:11:53
    > via irb.55 *[Access-internal/12] 16:08:35
    > to via irb.55 *[Local/0] 16:12:08
    Local via irb.55

  • 2.  RE: can't ping to from source interface

    Posted 05-07-2018 21:34


    The default route is pointed to via ge-0/0/3.0 (untrust zone). So when you ping without a source interface, the SRX will use the IP address of the exiting interface (ge-0/0/3.0) as the source interface, and this is also a public IP.

    In the second case, you are pinging with a private IP ( from the trust zone, which should be NATted to a public IP so that ping can work.

    Refer to this KB to configure source NAT for self-generated traffic:
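
The source NAT the reply describes, sketched as an added example that is not part of the original thread or of the KB it refers to. The rule-set and rule names are hypothetical, and `<irb.55-address>` is a placeholder for the private address configured on irb.55, which the thread does not show.

```junos
# Traffic originated by the SRX itself (ping, NTP, syslog, ...) belongs to
# the built-in junos-host zone, not to trust, so the rule-set is written
# from junos-host to the zone of the egress interface (ge-0/0/3.0, untrust).
set security nat source rule-set self-to-untrust from zone junos-host
set security nat source rule-set self-to-untrust to zone untrust

# Match only packets sourced from the irb.55 address, to any destination.
set security nat source rule-set self-to-untrust rule irb55-src match source-address <irb.55-address>/32
set security nat source rule-set self-to-untrust rule irb55-src match destination-address 0.0.0.0/0

# Translate to the address of the egress interface (interface NAT).
set security nat source rule-set self-to-untrust rule irb55-src then source-nat interface
```

After committing, repeat the sourced ping and check `show security nat source rule all`: the translation-hits counter on the rule should increase if the rule is matching.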