My issue is that from SRX-01 I can't ping the loopback (lo0) address on SRX-03, and from SRX-03 I can't ping the loopback (lo0) address on SRX-01. Oddly, from SRX-03 I am able to ping the loopback (lo0) on SRX-02. I have changed the flow mode to packet-based so that each SRX acts as a router, transmitting and receiving packets from outside.
Setup is as follows:
The devices named SRX-01, SRX-02 and SRX-03 are actually SRX340s. Server-01 and Server-02 are SRX210s.
Names of 5 devices are: SRX-01, SRX-02, SRX-03, Server-01, Server-02. See attached pdf.
Connections are as follows.
SRX-01 (ge-0/0/2)-> directly connected to SRX-02 (ge-0/0/1)
SRX-01 (ge-0/0/3) ->directly connected to SRX-03 (ge-0/0/2)
SRX-01 (ge-0/0/1) ->directly connected to Server-01 (ge-0/0/1)
SRX-02 (ge-0/0/2) ->directly connected to Server-02 (ge-0/0/1)
SRX-02(ge-0/0/3)->directly connected to SRX-03 (ge-0/0/1)
SRX-02(ge-0/0/1)->directly connected to SRX-01
SRX-03 (ge-0/0/1) ->directly connected to Server-02 (ge-0/0/3)
SRX-03(ge-0/0/2)->directly connected to SRX-03 (ge-0/0/3)
The configuration for SRX-01 is as follows:
root@SRX-01> show configuration
## Last commit: 2020-12-23 13:44:04 UTC by root
version 18.2R3-S2.9;
## SRX-01 system stanza: local accounts, root credentials, hostname and the
## management services the device listens on.
system {
login {
user nrinadmin {
uid 2000;
class super-user;
authentication {
## NOTE(review): the "$1$" prefix is the legacy MD5-crypt hash format, and the
## same nrinadmin hash appears in the SRX-02 and SRX-03 configurations on this
## page. A hash published like this should be treated as exposed: rotate the
## password, use a distinct one per device, and consider a stronger format
## under "system login password format" (e.g. sha512).
encrypted-password "$1$5kkygreL$QmydgEwEyn1kCf3mEjUy11"; ## SECRET-DATA
}
}
}
root-authentication {
## NOTE(review): identical root hash on all three devices shown on this page;
## the same rotation advice applies.
encrypted-password "$1$GXIww5rn$NtMcapLr2fiTryNqSSIuO/"; ## SECRET-DATA
}
host-name SRX-01;
## Gateway on the fxp0 management subnet (192.168.24.x/27).
backup-router 192.168.24.1;
services {
## NOTE(review): ftp and telnet carry credentials in cleartext; SRX-02 and
## SRX-03 on this page enable ssh only. No lo0 firewall filter is visible in
## this configuration, so nothing shown here limits which sources can reach
## these services.
ftp;
ssh;
telnet;
}
}
## Puts MPLS forwarding into packet-based mode. The flow-status output further
## down the page reports "Inet forwarding mode: packet based" for this device
## as well, i.e. IPv4 traffic is not going through flow-based (stateful)
## processing.
## NOTE(review): no zones, policies or firewall stanza appear in this
## configuration, so no stateless filter replaces the stateful inspection that
## flow mode would otherwise provide.
security {
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
}
## SRX-01 interface addressing. Neighbor names below come from the post's
## connection list and the "show lldp neighbors" output on this page.
interfaces {
## Link to Server-01 according to the connection list.
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.1.1/24;
}
}
}
## Link to SRX-02 ge-0/0/1 (192.168.0.2).
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.0.1/24;
}
}
}
## Link to SRX-03 ge-0/0/2 (10.10.10.1).
ge-0/0/3 {
unit 0 {
family inet {
address 10.10.10.2/24;
}
}
}
## Not mentioned in the connection list -- purpose not shown on the page.
ge-0/0/4 {
unit 0 {
family inet {
address 192.168.1.10/24;
}
}
}
## Out-of-band management port.
fxp0 {
unit 0 {
family inet {
address 192.168.24.4/27;
}
}
}
## Loopback. Neither SRX-02 nor SRX-03 shows a static route or routing protocol
## covering 10.75.255.1/32, which matches their "No route to host" results.
## NOTE(review): no input filter is applied to lo0 here, so traffic to the
## routing engine is unfiltered as far as this configuration shows.
lo0 {
unit 0 {
family inet {
address 10.75.255.1/32;
}
}
}
}
## The only static route on SRX-01; its next hop is on the fxp0 management
## subnet. There is no route here towards the other routers' loopbacks
## (10.75.255.x/32) or their non-connected subnets.
routing-options {
static {
route 161.201.0.0/16 {
next-hop 192.168.24.1;
## retain: keep the route in the forwarding table when the routing process stops.
retain;
## no-readvertise: never export this route into a routing protocol.
no-readvertise;
}
}
}
## LDP and LLDP are enabled on every interface; no IGP (OSPF/IS-IS) is
## configured, so loopback reachability is not being advertised by anything
## shown here.
## NOTE(review): "interface all" also covers the server-facing port, and no
## LDP session authentication is configured -- confirm both are intended.
protocols {
ldp {
interface all;
}
lldp {
interface all;
}
}
root@SRX-01>
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Tap mode: disabled (default)
Enhanced route scaling mode: Disabled
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
Flow power mode IPsec: Disabled
root@SRX-01> show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name
ge-0/0/2 - cc:e1:94:fc:ac:8a ge-0/0/1 SRX-02
ge-0/0/3 - cc:e1:94:fd:3b:8a ge-0/0/2 SRX-03
root@SRX-01>
root@SRX-01> show arp
MAC Address Address Name Interface Flags
cc:e1:94:fd:3b:0d 10.10.10.1 10.10.10.1 ge-0/0/3.0 none
44:d3:ca:40:cb:7f 192.168.24.1 192.168.24.1 fxp0.0 none
Total entries: 2
root@SRX-01> ping 10.75.255.2 count 3 // loopback address of SRX-03
PING 10.75.255.2 (10.75.255.2): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
--- 10.75.255.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
THE CONFIGURATION FOR SRX-02 IS AS FOLLOWS
nrinadmin@SRX-02> show configuration
## Last commit: 2020-12-22 16:12:04 gmt by root
version 15.1X49-D70.3;
## SRX-02 system stanza: hostname, credentials, login banner, management
## services and NTP.
system {
host-name SRX-02;
## Gateway on the fxp0 management subnet (192.168.24.x/27).
backup-router 192.168.24.1;
time-zone gmt-6;
root-authentication {
## NOTE(review): same "$1$" (MD5-crypt) root hash as SRX-01 and SRX-03 on this
## page. Treat it as exposed, rotate it, and avoid sharing one root password
## across devices.
encrypted-password "$1$GXIww5rn$NtMcapLr2fiTryNqSSIuO/"; ## SECRET-DATA
}
login {
message "SRX-01 will be the time-server for this network";
user nrinadmin {
uid 2000;
class super-user;
authentication {
## NOTE(review): same nrinadmin hash as on the other two devices.
encrypted-password "$1$5kkygreL$QmydgEwEyn1kCf3mEjUy11"; ## SECRET-DATA
}
}
}
## Only ssh is enabled here (SRX-01 additionally enables ftp and telnet).
services {
ssh;
}
## Time source is SRX-01's lo0 address. The ping to 10.75.255.1 from this
## device fails with "No route to host" on this page, so NTP presumably cannot
## reach it either -- affects log timestamp accuracy.
## NOTE(review): no NTP authentication key is configured.
ntp {
server 10.75.255.1;
}
}
## Puts MPLS forwarding into packet-based mode; "show security flow status"
## for SRX-02 on this page reports Inet forwarding as packet based too, so
## IPv4 traffic bypasses flow-based (stateful) processing.
## NOTE(review): no zones, policies or firewall filters are visible in this
## configuration to compensate.
security {
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
}
## SRX-02 interface addressing. Neighbor names come from the
## "show lldp neighbors" output for SRX-02 on this page.
interfaces {
## Link to SRX-01 ge-0/0/2 (192.168.0.1).
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.0.2/24;
}
}
}
## Link to SERVER-02 ge-0/0/1.0.
ge-0/0/2 {
unit 0 {
family inet {
address 172.16.1.3/24;
}
}
}
## Link to SRX-03 ge-0/0/1 (172.16.100.1).
ge-0/0/3 {
unit 0 {
family inet {
address 172.16.100.2/24;
}
}
}
## Out-of-band management port.
fxp0 {
unit 0 {
family inet {
address 192.168.24.3/27;
}
}
}
## Loopback.
## NOTE(review): 10.75.255.2/32 is also the lo0 address in the SRX-03
## configuration on this page. A ping to 10.75.255.2 from either device is
## presumably answered locally (the sub-millisecond replies are consistent
## with that), so it does not demonstrate reachability between the two.
## No input filter is applied to lo0.
lo0 {
unit 0 {
description "loopback for main routing instance of SRX-02";
family inet {
address 10.75.255.2/32;
}
}
}
}
## The only static route on SRX-02; the next hop is on the fxp0 management
## subnet. Nothing here covers SRX-01's lo0 (10.75.255.1/32) or the
## 10.10.10.0/24 link, matching the "No route to host" pings from this device.
routing-options {
static {
route 161.201.0.0/16 {
next-hop 192.168.24.1;
## retain: keep the route in the forwarding table when the routing process stops.
retain;
## no-readvertise: never export this route into a routing protocol.
no-readvertise;
}
}
}
## Only LLDP is configured on SRX-02 -- no LDP (unlike SRX-01) and no IGP, so
## no loopback or remote-subnet routes are learned dynamically.
## NOTE(review): "interface all" also sends LLDP on the server-facing port.
protocols {
lldp {
interface all;
}
}
nrinadmin@SRX-02> show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name
ge-0/0/2 - 3c:94:d5:98:e7:c0 ge-0/0/1.0 SERVER-02
ge-0/0/3 - cc:e1:94:fd:3b:8a ge-0/0/1 SRX-03
ge-0/0/1 - cc:e1:94:ff:7a:fc ge-0/0/2 SRX-01
nrinadmin@SRX-02> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Enhanced route scaling mode: Disabled
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
nrinadmin@SRX-02>
nrinadmin@SRX-02> show arp
MAC Address Address Name Interface Flags
cc:e1:94:ff:7a:7f 192.168.0.1 192.168.0.1 ge-0/0/1.0 none
44:d3:ca:40:cb:7f 192.168.24.1 192.168.24.1 fxp0.0 none
Total entries: 2
nrinadmin@SRX-02> ping 10.75.255.1 count 3
PING 10.75.255.1 (10.75.255.1): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
--- 10.75.255.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
nrinadmin@SRX-02> ping 10.10.10.2 count 3
PING 10.10.10.2 (10.10.10.2): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
--- 10.10.10.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
nrinadmin@SRX-02> ping 10.75.255.2 count 3
PING 10.75.255.2 (10.75.255.2): 56 data bytes
64 bytes from 10.75.255.2: icmp_seq=0 ttl=64 time=0.193 ms
64 bytes from 10.75.255.2: icmp_seq=1 ttl=64 time=0.142 ms
64 bytes from 10.75.255.2: icmp_seq=2 ttl=64 time=0.173 ms
--- 10.75.255.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.142/0.169/0.193/0.021 ms
nrinadmin@SRX-02> ping 172.16.100.1 count 3
PING 172.16.100.1 (172.16.100.1): 56 data bytes
64 bytes from 172.16.100.1: icmp_seq=0 ttl=64 time=23.153 ms
64 bytes from 172.16.100.1: icmp_seq=1 ttl=64 time=1.324 ms
64 bytes from 172.16.100.1: icmp_seq=2 ttl=64 time=0.871 ms
--- 172.16.100.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.871/8.449/23.153/10.399 ms
THE CONFIGURATION FOR SRX-03 IS AS FOLLOWS:
nrinadmin@SRX-03> show configuration
## Last commit: 2020-12-22 22:16:25 UTC by root
version 15.1X49-D70.3;
## SRX-03 system stanza: hostname, credentials and management services.
## Unlike SRX-01 and SRX-02, no backup-router is configured here.
system {
host-name SRX-03;
root-authentication {
## NOTE(review): same "$1$" (MD5-crypt) root hash as SRX-01 and SRX-02 on this
## page. Treat it as exposed, rotate it, and use a distinct password per device.
encrypted-password "$1$GXIww5rn$NtMcapLr2fiTryNqSSIuO/"; ## SECRET-DATA
}
login {
user nrinadmin {
uid 2000;
class super-user;
authentication {
## NOTE(review): same nrinadmin hash as on the other two devices.
encrypted-password "$1$5kkygreL$QmydgEwEyn1kCf3mEjUy11"; ## SECRET-DATA
}
}
}
## Only ssh is enabled for management access.
services {
ssh;
}
}
## Puts MPLS forwarding into packet-based mode, the same setting as on SRX-01
## and SRX-02. No flow-status output for SRX-03 is shown on the page.
## NOTE(review): no zones, policies or firewall filters are visible in this
## configuration, so packet-mode traffic is not filtered by anything shown here.
security {
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
}
## SRX-03 interface addressing. Neighbor names come from the
## "show lldp neighbors" output for SRX-03 on this page.
interfaces {
## Link to SRX-02 ge-0/0/3 (172.16.100.2).
ge-0/0/1 {
unit 0 {
family inet {
address 172.16.100.1/24;
}
}
}
## Link to SRX-01 ge-0/0/3 (10.10.10.2).
ge-0/0/2 {
unit 0 {
family inet {
address 10.10.10.1/24;
}
}
}
## Out-of-band management port.
fxp0 {
unit 0 {
family inet {
address 192.168.24.2/27;
}
}
}
## Loopback.
## NOTE(review): 10.75.255.2/32 duplicates the lo0 address configured on
## SRX-02 on this page. The successful ping to 10.75.255.2 from SRX-03 is
## therefore presumably this device answering itself, not SRX-02; SRX-01's
## ping to 10.75.255.2 ("loopback address of SRX-03") fails with no route.
## No input filter is applied to lo0.
lo0 {
unit 0 {
family inet {
address 10.75.255.2/32;
}
}
}
}
## The only static route on SRX-03; the next hop is on the fxp0 management
## subnet. Nothing here covers SRX-01's lo0 (10.75.255.1/32) or 172.16.1.0/24,
## matching the "No route to host" pings from this device.
routing-options {
static {
route 161.201.0.0/16 {
next-hop 192.168.24.1;
## retain: keep the route in the forwarding table when the routing process stops.
retain;
## no-readvertise: never export this route into a routing protocol.
no-readvertise;
}
}
}
## Only LLDP is configured on SRX-03 -- no LDP and no IGP, so remote loopbacks
## and subnets are reachable only if directly connected or statically routed.
protocols {
lldp {
interface all;
}
}
nrinadmin@SRX-03> show arp
MAC Address Address Name Interface Flags
cc:e1:94:ff:7a:80 10.10.10.2 10.10.10.2 ge-0/0/2.0 none
cc:e1:94:fc:ac:0e 172.16.100.2 172.16.100.2 ge-0/0/1.0 none
44:d3:ca:40:cb:7f 192.168.24.1 192.168.24.1 fxp0.0 none
Total entries: 3
nrinadmin@SRX-03> show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name
ge-0/0/1 - - cc:e1:94:fc:ac:8a ge-0/0/3 SRX-02
ge-0/0/2 - cc:e1:94:ff:7a:fc ge-0/0/3 SRX-01
nrinadmin@SRX-03>
nrinadmin@SRX-03> ping 10.10.10.2 count 3
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=3.749 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=6.437 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=0.899 ms
--- 10.10.10.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.899/3.695/6.437/2.261 ms
nrinadmin@SRX-03> ping 10.75.255.1 count 3
PING 10.75.255.1 (10.75.255.1): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
--- 10.75.255.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
nrinadmin@SRX-03> ping 172.16.1.2 count 3
PING 172.16.1.2 (172.16.1.2): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
--- 172.16.1.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
nrinadmin@SRX-03> ping 172.16.100.2 count 3
PING 172.16.100.2 (172.16.100.2): 56 data bytes
64 bytes from 172.16.100.2: icmp_seq=0 ttl=64 time=1.143 ms
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=0.937 ms
64 bytes from 172.16.100.2: icmp_seq=2 ttl=64 time=0.935 ms
--- 172.16.100.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.935/1.005/1.143/0.098 ms
nrinadmin@SRX-03> ping 10.75.255.2 count 3
PING 10.75.255.2 (10.75.255.2): 56 data bytes
64 bytes from 10.75.255.2: icmp_seq=0 ttl=64 time=0.192 ms
64 bytes from 10.75.255.2: icmp_seq=1 ttl=64 time=0.128 ms
64 bytes from 10.75.255.2: icmp_seq=2 ttl=64 time=0.173 ms
--- 10.75.255.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.128/0.164/0.192/0.027 ms
nrinadmin@SRX-03>
WHAT IS MISSING FROM MY CONFIGURATIONS?