SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Noob Question. Why can't I ping my directly connected neighbor?

    Posted 05-05-2011 16:57

    Hello all-


    I have 2 SRX 220's.


    They are both connected, via 100mbit switch, through ge-0/0/0.


    I think I have IP addresses correctly set on each:


    root@R1# show | display set
    set version 10.3R1.9
    set system host-name R1
    set system domain-name NDC.com
    set system root-authentication encrypted-password "$1$gXkJ.2BX$zmDsSjbaN6mwnMQaJXeTS1"
    set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24


    root@R2# show | display set    
    set version 10.3R1.9
    set system host-name R2
    set system domain-name NDC.com
    set system root-authentication encrypted-password "$1$gXkJ.2BX$zmDsSjbaN6mwnMQaJXeTS1"
    set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24


    Each router has resolved the L2 address of the other:


    root@R1# run show arp
    MAC Address       Address         Name                      Interface           Flags
    28:c0:da:73:d8:00 10.0.0.2        10.0.0.2                  ge-0/0/0.0          none


    root@R2# run show arp
    MAC Address       Address         Name                      Interface           Flags
    28:c0:da:71:be:00 10.0.0.1        10.0.0.1                  ge-0/0/0.0          none


    Any tips would be appreciated. Below is the detail for the interfaces:


    root@R1> show interfaces ge-0/0/0 detail
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
      Interface index: 133, SNMP ifIndex: 508, Generation: 136
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Hold-times     : Up 0 ms, Down 0 ms
      Current address: 28:c0:da:71:be:00, Hardware address: 28:c0:da:71:be:00
      Last flapped   : 2011-02-22 17:16:12 UTC (00:09:40 ago)
      Statistics last cleared: Never
      Traffic statistics:
       Input  bytes  :                 3768                    0 bps
       Output bytes  :                 2844                    0 bps
       Input  packets:                   59                    0 pps
       Output packets:                   26                    0 pps
      Egress queues: 8 supported, 4 in use
      Queue counters:       Queued packets  Transmitted packets      Dropped packets
        0 best-effort                    3                    3                    0
        1 expedited-fo                   0                    0                    0
        2 assured-forw                   0                    0                    0
        3 network-cont                  23                   23                    0
      Active alarms  : None
      Active defects : None

      Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509) (Generation 133)
        Flags: SNMP-Traps Encapsulation: ENET2
        Traffic statistics:
         Input  bytes  :                 3768
         Output bytes  :                 1924
         Input  packets:                   59
         Output packets:                   26
        Local statistics:
         Input  bytes  :                  120
         Output bytes  :                 1924
         Input  packets:                    2
         Output packets:                   26
        Transit statistics:
         Input  bytes  :                 3648                    0 bps
         Output bytes  :                    0                    0 bps
         Input  packets:                   57                    0 pps
         Output packets:                    0                    0 pps
        Security: Zone: Null
        Flow Statistics :                   
        Flow Input statistics :
          Self packets :                     0
          ICMP packets :                     0
          VPN packets :                      0
          Multicast packets :                0
          Bytes permitted by policy :        0
          Connections established :          0
        Flow Output statistics:
          Multicast packets :                0
          Bytes permitted by policy :        0
        Flow error statistics (Packets dropped due to):
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0       
          No minor session:                  0
          No more sessions:                  0
          No NAT gate:                       0
          No route present:                  0
          No SA for incoming SPI:            0
          No tunnel found:                   0
          No session for a gate:             0
          No zone or NULL zone binding       34
          Policy denied:                     0
          Security association not active:   0
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 1500, Generation: 146, Route table: 0
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: 10.0.0/24, Local: 10.0.0.1, Broadcast: 10.0.0.255,
            Generation: 144

    root@R1>


    R2 looks similar.


    Thanks for taking a moment to look at this.


    #SRX220


  • 2.  RE: Noob Question. Why can't I ping my directly connected neighbor?
    Best Answer

    Posted 05-05-2011 17:32

    Hi,


    Assuming your ge-0/0/0's are in the trust zone, try the following:


    set security zones security-zone trust host-inbound-traffic system-services all

    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

    commit


    -John


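The poster's configuration contains no `security zones` statements at all: the interface detail above shows `Security: Zone: Null`, and the flow error counter `No zone or NULL zone binding` is the only one that is non-zero. So the answer's assumption that ge-0/0/0 is already in the trust zone does not hold, and the interface has to be bound to a zone first. The following is an added example, not part of the thread, of a minimal zone-based configuration for R1 (R2 mirrors it with 10.0.0.2/24); the zone name `trust` follows the answer, and the policy name `intrazone-permit` is an assumption:

```text
## Added example (not from the thread): minimal zone-based config for R1.
## R2 is identical except for the address 10.0.0.2/24.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24

## Bind the logical interface to a zone. Without this it sits in the Null
## zone and every inbound packet is counted under
## "No zone or NULL zone binding" and dropped.
set security zones security-zone trust interfaces ge-0/0/0.0

## Allow only ICMP echo to the Routing Engine on this one interface.
## This is narrower than "host-inbound-traffic system-services all" at the
## zone level, which would also expose ssh, telnet, http, dhcp, snmp and so
## on to every host in the zone.
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

## Pings sourced by the box itself only need the host-inbound rule above.
## Traffic transiting the box (trust -> trust) also needs a policy, because
## the default policy denies intra-zone traffic too. Policy name assumed.
set security policies from-zone trust to-zone trust policy intrazone-permit match source-address any
set security policies from-zone trust to-zone trust policy intrazone-permit match destination-address any
set security policies from-zone trust to-zone trust policy intrazone-permit match application junos-ping
set security policies from-zone trust to-zone trust policy intrazone-permit then permit

commit

## Verification: the zone should now be listed, and the NULL-zone counter
## should stop incrementing.
show security zones
show interfaces ge-0/0/0 extensive | match "Zone|zone"
```

The `##` lines are explanatory and are not meant to be pasted. If the counter keeps climbing after the commit, the interface is still not in the zone you think it is; `show security zones` lists the interfaces bound to each zone.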

  • 3.  RE: Noob Question. Why can't I ping my directly connected neighbor?

    Posted 05-05-2011 19:47



    @firewall72 wrote:

    Hi,


    Assuming your ge-0/0/0's are in the trust zone, try the following:


    set security zones security-zone trust host-inbound-traffic system-services all

    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

    commit


    -John



    @firewall72-


    Thank you. That solution worked. There were no zones set up. After adding your recommendation:


    root@R2# run ping 10.0.0.1
    PING 10.0.0.1 (10.0.0.1): 56 data bytes
    64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=5.552 ms
    64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.758 ms


    Thank you very much for the assistance, and in taking time to look at it.




  • 4.  RE: Noob Question. Why can't I ping my directly connected neighbor?

    Posted 09-16-2020 19:41

    Solution worked perfectly for me @firewall72...



  • 5.  RE: Noob Question. Why can't I ping my directly connected neighbor?

    Posted 05-05-2011 17:37

    If that is the whole configuration you posted, you'll either have to configure security zones with policies allowing traffic from one box to the other


    or you can run it as a normal router in packet-mode without the security features by issuing


    set security forwarding-options family mpls mode packet-based


    on both boxes.



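The packet-mode alternative in the reply above is worth spelling out, because on a branch SRX such as the SRX220 it is not limited to MPLS: the box can only run all families in either flow mode or packet mode, so this single statement turns off zones, policies, screens, NAT, IDP and stateful inspection for every family, and leaves stateless `firewall filter` terms as the only remaining traffic control. The change also needs a reboot to take effect. Added example, not from the thread, showing the change, how to confirm which mode the box is running, and how to go back; command output is not reproduced here, so check the `Inet forwarding mode` line yourself:

```text
## Added example (not from the thread). On a branch SRX this puts the
## whole box in packet mode, not just the MPLS family.
set security forwarding-options family mpls mode packet-based
commit
## The commit warns that a reboot is required; the mode does not change
## until the box comes back up.
request system reboot

## After the reboot, confirm the mode. The "Inet forwarding mode" line
## should read packet based; in flow mode it reads flow based.
show security flow status

## Going back to flow mode is the reverse, and also needs a reboot. Any
## zone and policy configuration is ignored while in packet mode but is
## not deleted, so it is enforced again as soon as flow mode returns.
delete security forwarding-options family mpls mode packet-based
commit
request system reboot
```

The `##` lines are explanatory and are not meant to be pasted. Packet mode is a reasonable choice for a lab or for a box that is only ever going to route, but if anything else in the configuration relies on security policy, NAT or screens, fixing the zone binding is the change that keeps those controls in force.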

  • 6.  RE: Noob Question. Why can't I ping my directly connected neighbor?

    Posted 05-05-2011 19:41



    @BlazP wrote:

    If that is the whole configuration you posted, you'll either have to configure security zones with policies allowing traffic from one box to the other


    or you can run it as a normal router in packet-mode without the security features by issuing


    set security forwarding-options family mpls mode packet-based


    on both boxes.



    @BlazP


    It's a beautiful thing.


    I added the statement to bypass the need for the security zones, and:


    root@R1# run ping 10.0.0.2
    PING 10.0.0.2 (10.0.0.2): 56 data bytes
    64 bytes from 10.0.0.2: icmp_seq=0 ttl=64 time=23.792 ms
    64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.487 ms


    Thank you. There were no security zones configured on the box.


    I appreciate the assistance.