SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  I have ISP failover working, but now the archive-sites and ping does not work

    Posted 07-21-2020 08:49

    I set up ISP failover on my SRX300 - and it works!! I can even ssh in from the selected IP addresses I put in the firewall filter for any remote administration I need to do.
    Problem - I cannot ping anything on the Internet from the SRX, nor will the archival configuration work. (The second item is far more irritating than the first.)

    Remove the failover and use only one interface - things work.
    ISP1  10.1.10.0/24  (dhcp)
      gateway 10.1.10.1
    ISP2  10.2.10.140/30
      gateway 10.2.10.141

    office network 192.168.1.x/24

    location of my archive server   10.3.10.112
    I have no idea where to start. Can someone please point me in a direction to address this?
    Thx!

    Attachment(s): ISPFailoverConfig.txt


  • 2.  RE: I have ISP failover working, but now the archive-sites and ping does not work

    Posted 07-21-2020 09:09

    Hello,

    If you can't ping any destination from the SRX, it means that the route is not properly configured or the SRX can't find the route in its master routing table.

    My questions are:

    • Where is your default route pointed at? Is it in the master routing table inet.0 or in a routing instance?
    • If the 0.0.0.0/0 route is in a routing instance, you need to specify the routing instance when you ping, e.g. user@host> ping 8.8.8.8 routing-instance <instance-name>
    • Try to SSH to your archival destination manually from the SRX and check whether it works or not.
    • When you are pinging or SSHing from the SRX, open another terminal and check the session output, e.g. user@host> show security flow session source-prefix <source-ip> destination-prefix <destination-ip>


  • 3.  RE: I have ISP failover working, but now the archive-sites and ping does not work

    Posted 07-21-2020 10:02

    Note - all systems on my office/inside network are NATing correctly to the Internet. The only problem is running ping or ssh from the SRX.

    From the SRX:

    root@gw-myoffice> ssh user@10.3.10.112
    ssh: connect to host 10.3.10.112 port 22: Operation timed out
    root@gw-myoffice> ping 10.3.10.112
    ^C
    --- 10.3.10.112 ping statistics ---
    24 packets transmitted, 0 packets received, 100% packet loss

    From my Linux system that is being NATed by the SRX:

    [user@chewbaca ~]$ ssh -p 22 user@10.3.10.112
    Last login: Tue Jul 21 10:40:53 2020 from 10.1.10.2
    12:40:58 up 26 days, 22:30, 1 user, load average: 0.08, 0.04, 0.01
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    user pts/0 10.1.10.2 12:40 0.00s 0.03s 0.00s w
    [user@jbu ~]$ exit
    [user@chewbaca ~]$ ping -n 10.3.10.112
    PING 10.3.10.112 (10.3.10.112) 56(84) bytes of data.
    64 bytes from 10.3.10.112: icmp_seq=1 ttl=54 time=5.77 ms
    64 bytes from 10.3.10.112: icmp_seq=2 ttl=54 time=5.80 ms
    64 bytes from 10.3.10.112: icmp_seq=3 ttl=54 time=5.86 ms
    64 bytes from 10.3.10.112: icmp_seq=4 ttl=54 time=5.84 ms
    ^C
    --- 10.3.10.112 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 5.772/5.817/5.858/0.033 ms

    The SRX must be passing ping correctly for the failover to work, but I don't understand why you can't ping or SSH from the SRX itself.

  • 4.  RE: I have ISP failover working, but now the archive-sites and ping does not work
    Best Answer

    Posted 07-21-2020 10:10

    I believe the traffic is being routed in your master routing instance inet.0; considering that, can you specify the interface or source IP address when pinging and SSHing from the SRX?

    Did you have a chance to check the flow session when pinging from the SRX?

    Provide me with these outputs:

    user@host> show interfaces terse | match inet
    user@host> show route 10.3.10.112
    user@host> show configuration firewall | display set
    user@host> show configuration interfaces | display set | match filter
    user@host> show security flow session destination-prefix 10.3.10.112     (this output has to be collected while you ping from the SRX)
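To illustrate the diagnosis in replies 2 and 4 (locally generated ping/SSH is looked up in inet.0 unless a routing instance is named, while LAN traffic is forwarded from the instance that holds the default route), here is an added Python model that is not part of the thread or the poster's configuration; the instance name ISP1, the interface names and the table contents are constructed assumptions built from the addresses in the thread.

```python
# Added example (not from the thread): a minimal model of Junos route lookup
# for self-generated versus transit traffic, using the thread's addresses.
import ipaddress

# Constructed tables. The assumption modelled here: the failover config placed
# the default route in a routing instance (name assumed), leaving the master
# table inet.0 with only directly connected prefixes.
ROUTING_TABLES = {
    "inet.0": {
        "10.1.10.0/24": "ge-0/0/0.0",      # ISP1 (dhcp), assumed interface
        "10.2.10.140/30": "ge-0/0/1.0",    # ISP2, assumed interface
        "192.168.1.0/24": "ge-0/0/2.0",    # office LAN, assumed interface
    },
    "ISP1.inet.0": {                       # assumed instance name
        "0.0.0.0/0": "10.1.10.1",          # default via ISP1 gateway
        "10.1.10.0/24": "ge-0/0/0.0",
        "192.168.1.0/24": "ge-0/0/2.0",
    },
}


def lookup(table_name, destination):
    """Longest-prefix match in one table; None means no route to host."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in ROUTING_TABLES[table_name].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def srx_self_ping(destination, routing_instance=None):
    """Traffic the SRX generates itself is resolved in inet.0 unless the
    ping/ssh command carries 'routing-instance <name>'."""
    table = "inet.0" if routing_instance is None else f"{routing_instance}.inet.0"
    return lookup(table, destination)


def lan_host_ping(destination):
    """Transit traffic from the office LAN is resolved in the instance its
    ingress interface belongs to (assumed to be ISP1 here)."""
    return lookup("ISP1.inet.0", destination)


if __name__ == "__main__":
    print("SRX self ping, inet.0:      ", srx_self_ping("10.3.10.112"))
    print("SRX self ping, instance ISP1:", srx_self_ping("10.3.10.112", "ISP1"))
    print("LAN host ping:               ", lan_host_ping("10.3.10.112"))
```

The first call returns None (no route in inet.0, matching the timeouts in reply 3), while naming the instance or sending from a LAN host resolves to the ISP1 gateway.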



  • 5.  RE: I have ISP failover working, but now the archive-sites and ping does not work

    Posted 07-23-2020 17:20

    Thank you! You pointed me in the correct direction. There were some major problems with the configuration of my failover. I used a configuration I had found on another web site, but it turns out that configuration had a bunch of stuff in it that I did not need. This is what I used to create a working configuration:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB32556

    The above config is an example with 4 ISPs, so I just trimmed it down to two.

  • 6.  RE: I have ISP failover working, but now the archive-sites and ping does not work

    Posted 07-23-2020 20:41

    Hi,
    I'm glad the issue has been resolved 😀
    Have a Nice Day!!!