SRX

  • 1.  SRX 220 Two interfaces in untrusted zone

    Posted 02-05-2021 13:33

    Hello,

    I have an SRX 220H2-POE
    JUNOS Software Release [12.1X46-D65.4]

    My issue is in troubleshooting ICMP packets inbound from external pings on a NEW Interface.

    I have two interfaces (now) in my untrusted zone, both have their own distinct /30 PUBLIC subnets. The first one on ge-0/0/0 is the default route (working fine) and the new 2nd one on ge-0/0/1 does not reply to ICMP pings to the interface from external remote testing. From the Juniper extended ping from this new interface, pinging out works just fine. To bring UP this new interface I am using a Cisco switch as a demarc (only connected to the port).

    I have ping enabled.

    /* excerpt from the untrust security zone configuration */
    interfaces {
        ge-0/0/0.0;
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }

    Why can I not see the ICMP replies from my remote workstation testing inbound?

    My session Monitors show the following:

    Remote Ping to New Interface:

    Session ID: 96279, Policy name: self-traffic-policy/1, Timeout: 1800, Valid

      In: 108.31.33.120/36518 --> 128.177.117.134/22;tcp, If: ge-0/0/0.0, Pkts: 2852, Bytes: 171283

      Out: 128.177.117.134/22 --> 108.31.33.120/36518;tcp, If: .local..0, Pkts: 3052, Bytes: 470709

    Remote Ping to Router Default Interface (works)

    Session ID: 20354, Policy name: self-traffic-policy/1, Timeout: 4, Valid

      In: 108.31.33.120/3636 --> 128.177.117.134/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60

      Out: 128.177.117.134/1 --> 108.31.33.120/3636;icmp, If: .local..0, Pkts: 1, Bytes: 60



    ------------------------------
    Scott Lucas
    ------------------------------
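The two session records quoted in the post are the evidence to read carefully when troubleshooting this: both In wings show `If: ge-0/0/0.0`, and the first record is a tcp/22 session rather than icmp, so neither record is an inbound ping that arrived on ge-0/0/1.0. The script below is an added example (not from the post or from Juniper) that parses `show security flow session` text in the format shown above and reports, for each session, why it is or is not the inbound ping on the expected interface. The sample input is a constructed copy of the two records from the post; the field names and the check rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two flow-session records quoted in the post,
# copied verbatim so the parser can be exercised offline.
SAMPLE_OUTPUT = """\
Session ID: 96279, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 108.31.33.120/36518 --> 128.177.117.134/22;tcp, If: ge-0/0/0.0, Pkts: 2852, Bytes: 171283
  Out: 128.177.117.134/22 --> 108.31.33.120/36518;tcp, If: .local..0, Pkts: 3052, Bytes: 470709
Session ID: 20354, Policy name: self-traffic-policy/1, Timeout: 4, Valid
  In: 108.31.33.120/3636 --> 128.177.117.134/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 128.177.117.134/1 --> 108.31.33.120/3636;icmp, If: .local..0, Pkts: 1, Bytes: 60
"""

# One header line per session, followed by an "In" and an "Out" wing line.
SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)"
)
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[^/\s]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifl>[^,]+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


@dataclass
class Wing:
    direction: str   # "In" or "Out"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifl: str         # logical interface the wing uses
    pkts: int
    bytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: dict = field(default_factory=dict)   # keyed by "In" / "Out"


def parse_sessions(text):
    """Parse flow-session text into Session objects with their wings attached."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["sid"]), m["policy"],
                                    int(m["timeout"]), m["state"]))
            continue
        m = WING_RE.match(line)
        if m and sessions:
            wing = Wing(m["dir"], m["src"], int(m["sport"]), m["dst"],
                        int(m["dport"]), m["proto"], m["ifl"],
                        int(m["pkts"]), int(m["bytes"]))
            sessions[-1].wings[wing.direction] = wing
    return sessions


def check_session(session, expected_ifl, expected_proto="icmp"):
    """Return the reasons a session is NOT an inbound `expected_proto` session
    that arrived on `expected_ifl`; an empty list means it matches."""
    findings = []
    inbound = session.wings.get("In")
    if inbound is None:
        return [f"session {session.sid}: no In wing parsed"]
    if inbound.proto != expected_proto:
        findings.append(f"session {session.sid}: protocol is "
                        f"{inbound.proto}/{inbound.dport}, not {expected_proto}")
    if inbound.ifl != expected_ifl:
        findings.append(f"session {session.sid}: arrived on {inbound.ifl}, "
                        f"not {expected_ifl}")
    out = session.wings.get("Out")
    # An Out wing on .local..0 means the SRX itself terminated the traffic
    # (host-inbound); anything else is transit through the box.
    if out is not None and out.ifl != ".local..0":
        findings.append(f"session {session.sid}: Out wing is {out.ifl}, "
                        f"so this is transit rather than host-inbound traffic")
    return findings


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s.sid, check_session(s, "ge-0/0/1.0") or ["matches expected inbound ping"])
```

Run against the post's own records with `ge-0/0/1.0` as the expected interface, the script reports that session 96279 is tcp/22 on ge-0/0/0.0 and that session 20354, while it is icmp, also arrived on ge-0/0/0.0; in other words, no session for a ping that entered the new interface is present in the excerpt, which is the first thing to confirm before looking at the reply path.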


  • 2.  RE: SRX 220 Two interfaces in untrusted zone

    Posted 02-05-2021 19:48
    I'm guessing that the reply is going out your other interface due to the default route showing that first internet as the valid reply path.

    Depending on your application for the dual internet you might use ECMP to keep both shared in the same routing table.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX 220 Two interfaces in untrusted zone

    Posted 02-07-2021 13:43
    Thank you for the reply Steve. This was working as a test several years ago; I'm not sure how that was set up, but I haven't figured out how to emulate that setup. I don't think ECMP was used though, and unfortunately that OLD config is long gone. Thanks again.
    Scott

    ------------------------------
    Scott Lucas
    ------------------------------