vSRX

  • 1.  vSRX cannot ping even in the same zone

    Posted 08-06-2018 03:21

    Cannot ping the others. None of the others can ping it. It can only ping the interfaces on itself.

     

    Security-zone interfaces host-inbound-traffic system-services ping was set.

    Security policies from-zone Internal to-zone Internal source, destination address, application, any permit was set.

     

    Is there anything I missed?



  • 2.  RE: vSRX cannot ping even in the same zone

     
    Posted 08-06-2018 04:59

    Hi Jlotag,

     

    Ideally, when ICMP is allowed in system services, ping should work. Can you please help me with the below logs so that I can further investigate the issue?

     

    + RSI <request support information>

    + Kindly collect the traceoptions following the below steps:

    Log into the SRX device and enter the configuration mode.

    + Specify the file in which debugs for 'security flow' will be stored:
    # set security flow traceoptions file flow-trace
    This sets the file for security flow debugging to the name flow-trace.

     

    + Set the traceoptions flag:
    # set security flow traceoptions flag basic-datapath
    This sets the traceoptions to perform the basic...

     

    + Use filters to reduce the volume of data:
    # set security flow traceoptions packet-filter f0 destination-prefix X.X.X.X
    # set security flow traceoptions packet-filter f0 source-prefix Y.Y.Y.Y
    + Issue the commit to apply the configuration and exit the configuration mode. Logging starts after the commit.
    # commit and-quit

    + Initiate the ping and collect the output of traceoptions:

    # show log flow-trace

     

    Regards,

    Rishi 

    JTAC

    [KUDOS PLEASE! If you think I earned it!

    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]



  • 3.  RE: vSRX cannot ping even in the same zone

    Posted 08-06-2018 21:04

    Hello there,

    I'd save the RSI to a txt file. But how do I get that txt file out of vSRX?

    I tried pinging from vSRX to the VM guest and vice versa after running "commit and-quit".

    Then I pressed "Ctrl-C" to quit the ping in vSRX after a while (as it was just stuck there).

    Then running "show log flow-trace" gives me nothing (blank).



  • 4.  RE: vSRX cannot ping even in the same zone

     
    Posted 08-06-2018 21:19

    You can use an application like WinSCP to SFTP/FTP to vSRX, copy the files to your machine, and attach them here.

     

    Also, if the flow-trace file is blank, you would need to verify if the filter configured in traceoptions matches the traffic you generated.
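
A sketch of the filter check suggested above, as an added example that is not part of the original posts. Criteria inside one packet-filter must all match, while separate packet-filters are evaluated independently, so a single f0 only sees one direction of a ping; a second filter with the prefixes reversed captures the reply. The addresses 192.0.2.10 and 192.0.2.20 and the filter name f1 are constructed placeholders.

```junos
# Added example (constructed): 192.0.2.10 and 192.0.2.20 are placeholder
# addresses standing in for Y.Y.Y.Y and X.X.X.X in the steps above.

# --- configuration mode ---
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath

# f0: echo-request direction (source AND destination must both match)
set security flow traceoptions packet-filter f0 source-prefix 192.0.2.10/32
set security flow traceoptions packet-filter f0 destination-prefix 192.0.2.20/32

# f1 (hypothetical name): echo-reply direction, prefixes reversed
set security flow traceoptions packet-filter f1 source-prefix 192.0.2.20/32
set security flow traceoptions packet-filter f1 destination-prefix 192.0.2.10/32

commit and-quit

# --- operational mode ---
# Start from an empty file so only the test traffic is recorded
clear log flow-trace

# Generate the ping between the two filtered addresses, then read the trace
show log flow-trace

# If the file is still empty, confirm the prefixes match the addresses
# actually used on the wire and check whether a session was created at all
show security flow session protocol icmp

# --- configuration mode, once the output has been collected ---
# Remove the trace so it does not keep logging to disk
delete security flow traceoptions
commit and-quit
```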



  • 5.  RE: vSRX cannot ping even in the same zone

    Posted 08-07-2018 02:04

    Hello pranita

    WinSCP/FTP seems not possible as none of the ports on vSRX are going to work. Can't get anything out of it through the network. I can only interact with it by console.

    In the console, it can ping itself. It shows the interfaces are up. It just can't communicate with any other devices that are connected to it.



  • 6.  RE: vSRX cannot ping even in the same zone

     
    Posted 08-07-2018 02:21

    Hello,

     

    Can you please help me with answers to the below queries:

    + Which is the hypervisor where you have deployed the vSRX? Also let me know the resources allocated to it.

    + Could you verify that the NIC has the correct VLAN configuration?

    + Also check if promiscuous mode is enabled in the port group and vswitch settings.

    + Check whether you are able to ping the default gateway from vSRX and whether the ARP is learned, using the command <show arp no-resolve>.

    + Kindly initiate the traffic from any other source external to the vSRX and, as pranita suggested, can you please apply the filters matching the traffic source and destination and collect the traceoptions?

    + Can you copy the logs <RSI and traceoptions> from the console and attach them to the thread?

     

    Regards,

    Rishi 

    JTAC

     



  • 7.  RE: vSRX cannot ping even in the same zone

    Posted 08-07-2018 23:28

    Hello Rsirana,

    I set it up for a lab test in GNS3 before implementing it in the production environment.

    1. Hypervisor: VMware Workstation 12

    2. I allocated 4GB RAM to the GNS3 VM and 2GB RAM to vSRX

    3. No VLAN settings. Just directly connect vSRX to another virtual device or to local (loopback)

    4. No setting for promiscuous mode in the vmx file. Don't know whether the default is enabled or disabled

    5. I want the vSRX to be the router + gateway + firewall. So, there's no other gateway in the network

    6. Running the command "show arp no-resolve" returns blank

    7. Will try to get the RSI and traceoptions again soon



  • 8.  RE: vSRX cannot ping even in the same zone
    Best Answer

     
    Posted 08-08-2018 00:21

    Hello,

     

    Just to inform you that vSRX is not supported on VMware Workstation 12; you might run into different unexpected issues going ahead with this deployment which might not get fixed. vSRX is only supported on ESXi 5.1, 5.5, or 6.0. You can refer to the below document for the same:

    https://www.juniper.net/documentation/en_US/vsrx/topics/reference/general/security-vsrx-vmware-system-requirement.html

     

    I request you to please perform the testing on the ESXi servers and in case we face any issues we can troubleshoot it further.

     

    Regards,

    Rishi 

    JTAC




  • 9.  RE: vSRX cannot ping even in the same zone

    Posted 01-14-2020 12:46

    I had the same issue, and when I read the post that vSRX does not work on VMware, I was ready to tear the whole setup apart. However, on mine it was ping that was blocked.

    In my first lab I was trying vSRX with a Cisco router, and it didn't work, so in a separate lab I connected another 2 vSRX directly to each other and ping didn't work; so I had to enable the ping service on both vSRX. I am running vSRX on VMware version 14 as Qemu VMs. The regular VMware didn't work and kept on giving so many errors.