@Nelumbo wrote:
Hello,
Indeed sounds strange. Assuming no typo in the /24 subnet definition I would try the following
> Remove the /24 entry
> commit the config
> Add the /24 address book entry
> Add the /24 address-book entry to the policy while removing the range entry
> commit full (note that dynamic routing and vpns may encounter a blip with this)
> Can you check if the policy detail shows the correct subnet?
root@srx> show security policies from-zone trust to-zone trust detail
Policy: Subnet1-to-Subnet2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: trust
Source addresses:
Subnet1(global): 192.168.10.0/24
Destination addresses:
Subnet2(global): 192.168.20.0/24
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
> Which platform is this? We can check if the policy is programmed properly in the pfe if the above steps don't help
I hope this helps.
Regards,
Vikas
Interesting!
I replaced the entry in my reply to Nellikka, and here's the detail:
root@srx240poe> show security policies from-zone trust to-zone trust detail
Policy: Intra-trust-allow, action-type: permit, State: enabled, Index: 12, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: trust
Source addresses:
Management-subnet(Trusted-Addresses): x.y.z.0/0.0.0.24
Destination addresses:
any-ipv4(Trusted-Addresses): 0.0.0.0/0
any-ipv6(Trusted-Addresses): ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Source identities:
any
Per policy TCP Options: SYN check: No, SEQ check: No
The problem was I was using CIDR and not reading the description in the CLI nor the webUI's drop down "IP Address/Netmask"!
Duh.
Replacing x.y.z.0/24 with x.y.z.0/255.255.255.0 fixed it!
EDIT: You guys are real sharp. I think the reason you asked whether there was a typo is that the CLI config doesn't use CIDR; the entries are defined as
address Management-subnet {
wildcard-address x.y.z.0/255.255.255.0;
}
Thank you everyone.
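The mix-up in this thread is worth catching before a commit rather than after. The following is an added example, not code from the thread or from Juniper: a small Python linter for `address` stanzas that distinguishes a plain prefix entry from a `wildcard-address` entry, interprets a bare number after the slash the way the thread's `show security policies ... detail` output shows the device doing (`/24` stored as `0.0.0.24`), and flags it. The sample config is constructed, and the wildcard semantics used by `wildcard_matches` (a 1-bit in the mask means that bit must match, a 0-bit is don't-care) is an assumption about how the mask is applied, not something the thread states.

```python
import ipaddress
import re

# Constructed sample address-book stanzas (not the thread's device config).
# The first entry reproduces the mistake discussed in the thread: a CIDR
# prefix length handed to wildcard-address. The second is the corrected form.
SAMPLE_CONFIG = """
address Management-subnet {
    wildcard-address 10.1.2.0/24;
}
address Management-subnet-fixed {
    wildcard-address 10.1.2.0/255.255.255.0;
}
address Subnet1 {
    10.1.3.0/24;
}
address Every-fourth-host {
    wildcard-address 10.1.0.3/255.255.0.3;
}
"""

# Match `address NAME { ... }` but not the `address` inside `wildcard-address`.
ENTRY_RE = re.compile(r"(?<![\w-])address\s+(?P<name>\S+)\s*\{(?P<body>[^}]*)\}", re.S)


def parse_address_book(text):
    """Return (name, kind, address, mask) tuples for each `address` stanza.

    kind is 'wildcard' for a `wildcard-address A/M;` body and 'prefix' for a
    bare `A/len;` body; other address-book forms are out of scope here.
    """
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = m.group("body").strip().rstrip(";").strip()
        if body.startswith("wildcard-address"):
            kind, value = "wildcard", body.split(None, 1)[1]
        else:
            kind, value = "prefix", body
        addr, _, mask = value.partition("/")
        entries.append((m.group("name"), kind, addr.strip(), mask.strip()))
    return entries


def wildcard_mask(mask_str):
    """Interpret the mask the way the thread's output shows the device does:
    a dotted quad is taken literally, and a bare number is taken as an
    integer, so '24' becomes 0.0.0.24 rather than 255.255.255.0."""
    if "." in mask_str:
        return ipaddress.IPv4Address(mask_str)
    return ipaddress.IPv4Address(int(mask_str))


def is_contiguous(mask):
    """True if the mask is a run of 1-bits followed by 0-bits (a netmask)."""
    inverted = ~int(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def wildcard_matches(addr, mask, host):
    """Assumed wildcard semantics: a 1-bit in the mask means that bit of the
    host must equal the corresponding bit of addr; 0-bits are don't-care."""
    a, m, h = (int(ipaddress.IPv4Address(x)) for x in (addr, mask, host))
    return (a & m) == (h & m)


def lint_entry(name, kind, addr, mask):
    """Return a list of findings (strings) for one parsed entry."""
    findings = []
    if kind == "prefix":
        try:
            ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError as err:
            findings.append(f"{name}: invalid prefix {addr}/{mask} ({err})")
        return findings
    m = wildcard_mask(mask)
    bits = bin(int(m)).count("1")
    if "." not in mask:
        netmask = ipaddress.IPv4Network(f"0.0.0.0/{mask}").netmask
        findings.append(
            f"{name}: wildcard-address {addr}/{mask} is stored as mask {m}; "
            f"only {bits} bits are compared, so it is not a /{mask}. "
            f"Write {addr}/{netmask} (or a plain prefix entry) instead.")
    elif not is_contiguous(m):
        findings.append(
            f"{name}: non-contiguous wildcard mask {m} matches on {bits} bits; "
            f"confirm this pattern match is intended.")
    return findings


def lint_config(text):
    """Lint every entry in a config fragment; returns the combined findings."""
    findings = []
    for entry in parse_address_book(text):
        findings.extend(lint_entry(*entry))
    return findings


if __name__ == "__main__":
    for line in lint_config(SAMPLE_CONFIG):
        print(line)
    # Show how far the mistaken mask strays from the intended /24.
    for host in ("10.1.2.5", "10.1.2.8", "192.0.2.1"):
        print(host, "matches 10.1.2.0/0.0.0.24:",
              wildcard_matches("10.1.2.0", "0.0.0.24", host))
```

Run against a `show configuration security address-book | display set`-style dump converted to stanza form, the first finding reproduces the thread's symptom: with mask `0.0.0.24` only two bits of the last octet are compared, so hosts inside the intended /24 such as `10.1.2.8` fail to match while hosts far outside it such as `192.0.2.1` do, which is why a permit policy built on that entry behaves erratically rather than simply failing.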