SRX




  • 1.  Noob Question. Why can't I ping my directly connected neighbor?

    Posted 05-05-2011 16:57

    Hello all-

     

    I have 2 SRX 220's.

     

    They are both connected, via 100mbit switch, through ge-0/0/0.

     

    I think I have IP addresses correctly set on each:

     

    root@R1# show | display set
    set version 10.3R1.9
    set system host-name R1
    set system domain-name NDC.com
    set system root-authentication encrypted-password "$1$gXkJ.2BX$zmDsSjbaN6mwnMQaJXeTS1"
    set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24


    root@R2# show | display set    
    set version 10.3R1.9
    set system host-name R2
    set system domain-name NDC.com
    set system root-authentication encrypted-password "$1$gXkJ.2BX$zmDsSjbaN6mwnMQaJXeTS1"
    set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24


    Each router has resolved the L2 address of the other:

     

    root@R1# run show arp
    MAC Address       Address         Name                      Interface           Flags
    28:c0:da:73:d8:00 10.0.0.2        10.0.0.2                  ge-0/0/0.0          none


    root@R2# run show arp
    MAC Address       Address         Name                      Interface           Flags
    28:c0:da:71:be:00 10.0.0.1        10.0.0.1                  ge-0/0/0.0          none


    Any tips would be appreciated.   Below is the detail for the interfaces:

     

    root@R1> show interfaces ge-0/0/0 detail
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
      Interface index: 133, SNMP ifIndex: 508, Generation: 136
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Hold-times     : Up 0 ms, Down 0 ms
      Current address: 28:c0:da:71:be:00, Hardware address: 28:c0:da:71:be:00
      Last flapped   : 2011-02-22 17:16:12 UTC (00:09:40 ago)
      Statistics last cleared: Never
      Traffic statistics:
       Input  bytes  :                 3768                    0 bps
       Output bytes  :                 2844                    0 bps
       Input  packets:                   59                    0 pps
       Output packets:                   26                    0 pps
      Egress queues: 8 supported, 4 in use
      Queue counters:       Queued packets  Transmitted packets      Dropped packets
        0 best-effort                    3                    3                    0
        1 expedited-fo                   0                    0                    0
        2 assured-forw                   0                    0                    0
        3 network-cont                  23                   23                    0
      Active alarms  : None
      Active defects : None

      Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509) (Generation 133)
        Flags: SNMP-Traps Encapsulation: ENET2
        Traffic statistics:
         Input  bytes  :                 3768
         Output bytes  :                 1924
         Input  packets:                   59
         Output packets:                   26
        Local statistics:
         Input  bytes  :                  120
         Output bytes  :                 1924
         Input  packets:                    2
         Output packets:                   26
        Transit statistics:
         Input  bytes  :                 3648                    0 bps
         Output bytes  :                    0                    0 bps
         Input  packets:                   57                    0 pps
         Output packets:                    0                    0 pps
        Security: Zone: Null
        Flow Statistics :                   
        Flow Input statistics :
          Self packets :                     0
          ICMP packets :                     0
          VPN packets :                      0
          Multicast packets :                0
          Bytes permitted by policy :        0
          Connections established :          0
        Flow Output statistics:
          Multicast packets :                0
          Bytes permitted by policy :        0
        Flow error statistics (Packets dropped due to):
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0       
          No minor session:                  0
          No more sessions:                  0
          No NAT gate:                       0
          No route present:                  0
          No SA for incoming SPI:            0
          No tunnel found:                   0
          No session for a gate:             0
          No zone or NULL zone binding       34
          Policy denied:                     0
          Security association not active:   0
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 1500, Generation: 146, Route table: 0
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: 10.0.0/24, Local: 10.0.0.1, Broadcast: 10.0.0.255,
            Generation: 144

    root@R1>


    R2 looks similar.

     

     

    Thanks for taking a moment to look at this.


    #SRX220


  • 2.  RE: Noob Question. Why can't I ping my directly connected neighbor?
    Best Answer

    Posted 05-05-2011 17:32

    Hi,


    Assuming your ge-0/0/0's are in the trust zone, try the following:

     

    set security zones security-zone trust host-inbound-traffic system-services all

    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

    commit

     

    -John



  • 3.  RE: Noob Question. Why can't I ping my directly connected neighbor?

    Posted 05-05-2011 19:47

     


    @firewall72 wrote:

    Hi,


    Assuming your ge-0/0/0's are in the trust zone, try the following:

     

    set security zones security-zone trust host-inbound-traffic system-services all

    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

    commit

     

    -John


     

     

    @firewall72-

     

    Thank you.  That solution worked.   There were no zones set up.   After adding your recommendation:

     

    root@R2# run ping 10.0.0.1
    PING 10.0.0.1 (10.0.0.1): 56 data bytes
    64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=5.552 ms
    64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.758 ms

     

    Thank you very much for the assistance, and in taking time to look at it.

     



  • 4.  RE: Noob Question. Why can't I ping my directly connected neighbor?

    Posted 09-16-2020 19:41

    Solution worked perfectly for me @firewall72...



  • 5.  RE: Noob Question. Why can't I ping my directly connected neighbor?

    Posted 05-05-2011 17:37

    If that is the whole configuration you posted, you'll either have to configure security zones with policies allowing traffic from one box to the other

     

    or you can run it as a normal router in packet-mode without the security features by issuing

     

    set security forwarding-options family mpls mode packet-based

     

    on both boxes.

     

     



  • 6.  RE: Noob Question. Why can't I ping my directly connected neighbor?

    Posted 05-05-2011 19:41

     


    @BlazP wrote:

    If that is the whole configuration you posted, you'll either have to configure security zones with policies allowing traffic from one box to the other

     

    or you can run it as a normal router in packet-mode without the security features by issuing

     

    set security forwarding-options family mpls mode packet-based

     

    on both boxes.

     

     


    @BlazP

     

     

    It's a beautiful thing.

     

    I added the statement to bypass the need for the security zones, and:

     

    root@R1# run ping 10.0.0.2
    PING 10.0.0.2 (10.0.0.2): 56 data bytes
    64 bytes from 10.0.0.2: icmp_seq=0 ttl=64 time=23.792 ms
    64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.487 ms

     

    Thank you.   There were no security zones configured on the box.

     

    I appreciate the assistance.
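
Added example, not written by anyone in the thread: the `show interfaces ge-0/0/0 detail` output in the first post already shows the cause (`Security: Zone: Null` and a non-zero `No zone or NULL zone binding` drop counter), and this Python sketch pulls those two fields out of such output. The function names are hypothetical, and the sample is a trimmed excerpt of that post's output.

```python
import re

# Trimmed excerpt of the `show interfaces ge-0/0/0 detail` output in the first post.
SAMPLE = """\
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509) (Generation 133)
    Security: Zone: Null
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      No zone or NULL zone binding       34
      Policy denied:                     0
    Protocol inet, MTU: 1500, Generation: 146, Route table: 0
"""

LOGICAL = re.compile(r"^\s*Logical interface (\S+)")
ZONE = re.compile(r"^\s*Security: Zone: (\S+)")
# Counter rows are "<reason>[:] <count>"; the colon is missing on some rows.
COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):?\s+(\d+)\s*$")


def flow_findings(text):
    """Return {logical_interface: {"zone": str|None, "drops": {reason: count}}}."""
    findings, current, in_errors = {}, None, False
    for line in text.splitlines():
        if m := LOGICAL.match(line):
            current = findings.setdefault(m.group(1), {"zone": None, "drops": {}})
            in_errors = False
        elif current is None:
            continue  # still in the physical-interface section
        elif m := ZONE.match(line):
            current["zone"] = m.group(1)
        elif "Flow error statistics" in line:
            in_errors = True
        elif in_errors and (m := COUNTER.match(line)):
            if int(m.group(2)):  # keep only counters that are non-zero
                current["drops"][m.group(1)] = int(m.group(2))
        elif in_errors:
            in_errors = False  # first non-counter line ends the section
    return findings


def unbound_interfaces(text):
    """Logical interfaces with no security zone bound (flow mode drops on these)."""
    return [n for n, f in flow_findings(text).items() if f["zone"] in (None, "Null")]


if __name__ == "__main__":
    for name, f in flow_findings(SAMPLE).items():
        print(name, "zone:", f["zone"], "non-zero drop counters:", f["drops"])
```

Once the interface is bound to a zone, the `Security: Zone:` line should name that zone and the `No zone or NULL zone binding` counter should stop increasing.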