SRX

Expand all | Collapse all

irb interface ping loss

Jump to Best Answer
  • 1.  irb interface ping loss

    Posted 06-29-2017 01:29

    HI.. everyone

    I have some problem with SRX300 configration.

     

    Problem is..

    irb.0 interface ip 10.47.0.177

    trust 10.47.0.181 --> 10.47.0.177 ping loss

    untrust st0.1 (10.47.0.11) --> 10.47.0.177 ping success

     

    please fix config

     

    -----------------------------------------------------------------------------------

     

    set version 15.1X49-D45

    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system name-resolution no-resolve-on-input

    set system services ssh
    set system services telnet
    set system services web-management http interface irb.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface irb.0
    set system services web-management https interface st0.1
    set system services web-management https interface ge-0/0/0.0
    set system services web-management session idle-timeout 60
    set system services dhcp pool 10.47.0.176/28 address-range low 10.47.0.178
    set system services dhcp pool 10.47.0.176/28 address-range high 10.47.0.187
    set system services dhcp pool 10.47.0.176/28 domain-name encoreplus.co.kr
    set system services dhcp pool 10.47.0.176/28 name-server 168.126.63.1
    set system services dhcp pool 10.47.0.176/28 name-server 168.95.1.1
    set system services dhcp pool 10.47.0.176/28 router 10.47.0.177
    set system services dhcp propagate-settings ge-0/0/0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server time.bora.net
    set security ike respond-bad-spi 1
    set security ike proposal pre-g2-des-md5 authentication-method pre-shared-keys
    set security ike proposal pre-g2-des-md5 dh-group group2
    set security ike proposal pre-g2-des-md5 authentication-algorithm md5
    set security ike proposal pre-g2-des-md5 encryption-algorithm des-cbc
    set security ike policy fromGumi mode main
    set security ike policy fromGumi proposals pre-g2-des-md5
    set security ike policy fromGumi pre-shared-key ascii-text "$9$ZVj.5CA0RhruOX-wgUD369A0B1RSv8769"
    set security ike gateway fromGumi ike-policy fromGumi
    set security ike gateway fromGumi address 210.210.210.202
    set security ike gateway fromGumi nat-keepalive 5
    set security ike gateway fromGumi external-interface ge-0/0/0.0
    set security ipsec vpn-monitor-options
    set security ipsec policy policy-fromGumi perfect-forward-secrecy keys group2
    set security ipsec policy policy-fromGumi proposal-set standard
    set security ipsec vpn fromGumi bind-interface st0.1
    set security ipsec vpn fromGumi vpn-monitor
    set security ipsec vpn fromGumi ike gateway fromGumi
    set security ipsec vpn fromGumi ike no-anti-replay
    set security ipsec vpn fromGumi ike ipsec-policy policy-fromGumi
    set security ipsec vpn fromGumi establish-tunnels immediately
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set nat-trust from zone trust
    set security nat source rule-set nat-trust to zone Internet
    set security nat source rule-set nat-trust rule nat-trust-rule match source-address 0.0.0.0/0
    set security nat source rule-set nat-trust rule nat-trust-rule then source-nat interface
    set security policies from-zone trust to-zone Internet policy trust-policy match source-address any
    set security policies from-zone trust to-zone Internet policy trust-policy match destination-address any
    set security policies from-zone trust to-zone Internet policy trust-policy match application any
    set security policies from-zone trust to-zone Internet policy trust-policy then permit
    set security policies from-zone trust to-zone vpn policy trust-vpn match source-address any
    set security policies from-zone trust to-zone vpn policy trust-vpn match destination-address any
    set security policies from-zone trust to-zone vpn policy trust-vpn match application any
    set security policies from-zone trust to-zone vpn policy trust-vpn match source-identity any
    set security policies from-zone trust to-zone vpn policy trust-vpn then permit
    set security policies from-zone vpn to-zone trust policy vpn-trust match source-address any
    set security policies from-zone vpn to-zone trust policy vpn-trust match destination-address any
    set security policies from-zone vpn to-zone trust policy vpn-trust match application any
    set security policies from-zone vpn to-zone trust policy vpn-trust match source-identity any
    set security policies from-zone vpn to-zone trust policy vpn-trust then permit
    set security zones security-zone Internet screen untrust-screen
    set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services all
    set security zones security-zone vpn interfaces st0.1 host-inbound-traffic system-services all
    set interfaces ge-0/0/0 unit 0 family inet address 59.120.55.235/24
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces irb unit 0 family inet address 10.47.0.177/28
    set interfaces st0 unit 1 description Gumi
    set interfaces st0 unit 1 family inet
    set interfaces st0 unit 1 family inet6

    set routing-options static route 10.47.0.0/16 next-hop st0.1
    set routing-options static route 0.0.0.0/0 next-hop 59.120.55.254
    set protocols l2-learning global-mode switching
    set vlans vlan-trust0 vlan-id 3
    set vlans vlan-trust0 l3-interface irb.0

     



  • 2.  RE: irb interface ping loss

     
    Posted 06-29-2017 01:35

    On 10.47.0.181 do you see an arp entry for 10.47.0.177? 

     

    Anand



  • 3.  RE: irb interface ping loss

    Posted 06-29-2017 01:55

    yes.. dhcp is success. but ping loss



  • 4.  RE: irb interface ping loss

    Posted 06-29-2017 01:40

    Hi,

     

    Please upgrade to the latest Junos version for 300 devise.

    There were lot of irb related issues reported till 15.1X49-D60.

     

     

    regards,

    Guru Prasad

     



  • 5.  RE: irb interface ping loss

    Posted 06-29-2017 01:56

    Is it IOS bug ?



  • 6.  RE: irb interface ping loss

    Posted 06-29-2017 02:01

    Hi,

    Yes there were lot of bugs which were there before 15.1X49-D60 code. so please do upgrade to the latest 15.1X49 code and then test again aand update if the issue is resolved.

     

    warm regards,

    Guru Prasad

     



  • 7.  RE: irb interface ping loss

    Posted 06-29-2017 02:47

    I have IOS UPgrade 15.1X49-D60 but same things....

    Do I try IOS downgrade ?



  • 8.  RE: irb interface ping loss

    Posted 06-29-2017 04:39

    Hi,

     

    I requested to upgrade to the latest junos image which is the 15.1X49-D90 code. can you please upgrade the code to D90 and then update us.

     

     

    regards,

    Guru Prasad

     



  • 9.  RE: irb interface ping loss

    Posted 06-29-2017 04:49

    I am running 15.1X49-D90.7 on a SRX300, and it feels much more stable. J-Web is still struggling, however.

     

    I do not have any ping issues, the SRX300 is using Ethernet switching. irb is functioning as expected (note irb = International Rugby Board). I do still have issues connecting the playout centre through the SRX300, as multicast does not pass through correctly, it may be as simple as dropping a VLAN tag.



  • 10.  RE: irb interface ping loss

    Posted 06-29-2017 05:05

    Hi,

    Please open a SR with Juniper to troubleshoot the issue further.

     

    regads,

    Guru Prasad

     

     

     



  • 11.  RE: irb interface ping loss

     
    Posted 06-29-2017 12:52


  • 12.  RE: irb interface ping loss

    Posted 06-29-2017 05:01

    Hi,

     

    Can you also check if you are seeing Arp entries on the interface of the SRX and the client.

    on the SRX : sh arp no-resolve | match 10.47.0.181 

    and on the client similarly check if you are seeing the arp entry for 10.47.0.177

     

     

    regards,

    Guru Prasad

     



  • 13.  RE: irb interface ping loss

     
    Posted 06-30-2017 03:24

    Are you seeing same behavior with the client connected on all 5 member interface of vlan-trust0 ?

     

    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust0
    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust0



  • 14.  RE: irb interface ping loss
    Best Answer

     
    Posted 06-30-2017 03:50

    I also see PR1218376 as a close match to your issue and the fix is available from 15.1X49-D70

     

    PR1218376 - [SRX] Packet is not transited by irb interface when l2-learning is in switching mode

     

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1218376&smlogin=true