I set up ISP failover on my SRX300 - and it works!! I can even ssh in from the selected IP addresses I put in the firewall filter for any remote administration I need to do.
Problem - I cannot ping anything on the Internet from the SRX, nor will the archival configuration work. (the second item is far more irritating than the first)
Remove the failover and use only one interface - things work.
ISP1 10.1.10.0/24 (dhcp)
office network 192.168.1.x/24
location of my archive server 10.3.10.112
I have no idea where to start. Can someone please point me in a direction to address this?
If you can't ping any destination from the SRX, it means that the route is not properly configured or the SRX can't find the route in its master routing table.
My questions are,
Note - all systems on my office/inside network are nat'ing correctly to the Internet. The only problem is running ping or ssh from the SRX.
From the SRX:
root@gw-myoffice> ssh email@example.com
ssh: connect to host 10.3.10.112 port 22: Operation timed out
root@gw-myoffice> ping 10.3.10.112
^C
--- 10.3.10.112 ping statistics ---
24 packets transmitted, 0 packets received, 100% packet loss
From my Linux system that is being nat'ed by the SRX:
[user@chewbaca ~]$ ssh -p 22 firstname.lastname@example.org
Last login: Tue Jul 21 10:40:53 2020 from 10.1.10.2
 12:40:58 up 26 days, 22:30, 1 user, load average: 0.08, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user pts/0 10.1.10.2 12:40 0.00s 0.03s 0.00s w
[user@jbu ~]$ exit
[user@chewbaca ~]$ ping -n 10.3.10.112
PING 10.3.10.112 (10.3.10.112) 56(84) bytes of data.
64 bytes from 10.3.10.112: icmp_seq=1 ttl=54 time=5.77 ms
64 bytes from 10.3.10.112: icmp_seq=2 ttl=54 time=5.80 ms
64 bytes from 10.3.10.112: icmp_seq=3 ttl=54 time=5.86 ms
64 bytes from 10.3.10.112: icmp_seq=4 ttl=54 time=5.84 ms
^C
--- 10.3.10.112 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.772/5.817/5.858/0.033 ms
The SRX must be passing ping correctly for the failover to work, but I don't understand why you can't ping or ssh from the SRX itself.
I believe the traffic is being routed on your master routing instance inet.0. Considering that, can you specify the interface or source IP address when pinging and using SSH from the SRX?
Did you have a chance to check the flow session when pinging from the SRX?
Provide me with these outputs:
user@host> show interfaces terse | match inet
user@host> show route 10.3.10.112
user@host> show configuration firewall | display set
user@host> show configuration interfaces | display set | match filter
user@host> show security flow session destination-prefix 10.3.10.112 <<<<< This output has to be collected when you ping from the SRX
Thank you! You pointed me in the correct direction. There were some major problems with the configuration of my failover. I used a configuration I had found on another web site, but it turns out that configuration had a bunch of stuff in it that I did not need. This is what I used to create a working configuration:
The above config is an example with 4 ISPs, so I just trimmed it down to two.
I'm glad the issue has been resolved 😀
Have a Nice Day!!!