SRX

Hi all!

 I have a problem when i tried to configure VRRP on SRX with simple topo: SRX1 --- Switch --- SRX2

- SRX1 conf:

interfaces ge-0/0/1
unit 0 {
    family inet {
        address 192.168.1.253/24 {
            vrrp-group 1 {
                virtual-address 192.168.1.1;
                priority 254;
                preempt;

-SRX2:

 interfaces ge-0/0/1
  unit 0 {
    family inet {
        address 192.168.1.254/24 {
            vrrp-group 1 {
                virtual-address 192.168.1.1;
                priority 200;

When I show vrrp status: 2 SRX become master, Ping between 2 SRX is ok:

root@srx-345-01> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up              1   master   Active      A  0.494 lcl    192.168.1.253
                                                                vip    192.168.1.1

root@srx-345-02> show vrrp summary
Interface     State       Group   VR state       VR Mode    Type   Address
ge-0/0/1.0    up              1   master          Active    lcl    192.168.1.254
                                                            vip    192.168.1.1

Somebody help me, please?

Hi,

Did you allow 'vrrp' protocol in host-inbound traffic on both SRX?

 set security zones security-zone <zone-name>  host-inbound-traffic protocols vrrp

Hi Nellikka!

 Thank you very much! exactly! I've fixed problem.

Regards,

Hi all!

 I've fixed with problem vrrp master/back up. But Client still not ping to VRRP VIP: 192.168.1.1

- SRX-01:

root@srx-345-01> show configuration interfaces ge-0/0/1
unit 0 {
    family inet {
        address 192.168.1.253/24 {
            vrrp-group 1 {
                virtual-address 192.168.1.1;
                priority 254;
                preempt;
                accept-data;

zones {
    security-zone trust {
        tcp-rst;
        host-inbound-traffic {
            protocols {
                vrrp;
            }
        }
        interfaces {
            ge-0/0/1.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
            }
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        ping;

root@srx-345-01> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up              1   master   Active      A  0.370 lcl    192.168.1.253
                                                                vip    192.168.1.1

- SRX-02:

root@srx-345-02> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up              1   backup   Active      D  3.172 lcl    192.168.1.254
                                                                vip    192.168.1.1
                                                                mas    192.168.1.253

root@srx-345-02> show configuration interfaces ge-0/0/1
unit 0 {
    family inet {
        address 192.168.1.254/24 {
            vrrp-group 1 {
                virtual-address 192.168.1.1;
                priority 200;
                accept-data;

zones {
    security-zone trust {
        tcp-rst;
        host-inbound-traffic {
            protocols {
                vrrp;
            }
        }
        interfaces {
            ge-0/0/1.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
            }
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }

Thanks!

You are probably missing vrrp under 'host-inbound-services'

set security zones security-zone <zone> host-inbound-traffic protocols vrrp

..or under the specific interface in the zone

set security zones security-zone <zone> interface ge-0/0/1.0 host-inbound-traffic protocols vrrp

Hi jonashauge!

I've fixed that problem. But from client pc still cannot ping to VRRP VIP 192.168.1.1.

Can you help me?

Thanks

you are missing the 'accept-data' in your vrrp-configuration:

user@fw# show interfaces ge-0/0/1
unit 0 {
    family inet {
        address 192.168.1.253/24 {
            vrrp-group 1 {
                accept-data;
            }
        }

Hi,
By default Virtual IP address does not respond to the ping requests. You may need to allow it by configuring below mentoned command:
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/32 vrrp-group 1 accept-data

Hi all!

 I've already config accep-data on vrrp group. But still cannot ping. @@.

NAME        : VPCS[1]
IP/MASK     : 192.168.1.10/24
GATEWAY     : 192.168.1.1
DNS         :
MAC         : 00:50:79:66:68:0e
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 192.168.1.1

192.168.1.1 icmp_seq=1 timeout
192.168.1.1 icmp_seq=2 timeout
192.168.1.1 icmp_seq=3 timeout
192.168.1.1 icmp_seq=4 timeout
192.168.1.1 icmp_seq=5 timeout

VPCS> ping 192.168.1.253

84 bytes from 192.168.1.253 icmp_seq=1 ttl=64 time=1.026 ms
84 bytes from 192.168.1.253 icmp_seq=2 ttl=64 time=0.350 ms
84 bytes from 192.168.1.253 icmp_seq=3 ttl=64 time=0.451 ms

VPCS> ping 192.168.1.254

84 bytes from 192.168.1.254 icmp_seq=1 ttl=64 time=0.858 ms
84 bytes from 192.168.1.254 icmp_seq=2 ttl=64 time=0.369 ms
84 bytes from 192.168.1.254 icmp_seq=3 ttl=64 time=0.358 ms

Hi,

Are you using GNS3 VPC host as a client? If yes, try to use another client like router

Monitor the traffic srx interface while pinging from PC and see whether SRX is resonding to ARP and ping requests

monitor traffic interface ge-0/0/1.0 no-resolve

Hi Nellikka!

 I used another router and it's work.

Thanks for your help!