Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Can not ping SRX traffic interface and vice versa

    Posted 08-04-2021 09:00
    Hi,
    Can someone help me find the problem with a setup of an SRX5600 where we are trying to ping the SRX interface from the switch but can't, and vice versa. The status is the same towards the upstream router as well.
    When we checked the flow session table, no session is being created when we ping the firewall reth interface IP from the switch. At the same time, when we ping the switch IP from the firewall we get a session with 0 packets received (both outputs are pasted in the message).

    Below is the connectivity setup -


    Session when tried ping from firewall to switch -

    Flow Sessions on FPC0 PIC2:
    Session ID: 134217731, Policy name: self-traffic-policy/1, State: Active, Timeout: 58, Valid
    In: 10.154.144.193/11493 --> 10.154.144.194/2;icmp, Conn Tag: 0x0, If: .local..12, Pkts: 1, Bytes: 84, CP Session ID: 3
    Out: 10.154.144.194/2 --> 10.154.144.193/11493;icmp, Conn Tag: 0x0, If: reth1.140, Pkts: 0, Bytes: 0, CP Session ID: 3
    Total sessions: 1

    Flow Sessions on FPC0 PIC3:
    Session ID: 201326594, Policy name: self-traffic-policy/1, State: Active, Timeout: 58, Valid
    In: 10.154.144.193/11493 --> 10.154.144.194/1;icmp, Conn Tag: 0x0, If: .local..12, Pkts: 1, Bytes: 84, CP Session ID: 2
    Out: 10.154.144.194/1 --> 10.154.144.193/11493;icmp, Conn Tag: 0x0, If: reth1.140, Pkts: 0, Bytes: 0, CP Session ID: 2
    Total sessions: 1

    Flow Sessions on FPC1 PIC0:
    Session ID: 268435459, Policy name: self-traffic-policy/1, State: Active, Timeout: 56, Valid
    In: 10.154.144.193/11493 --> 10.154.144.194/0;icmp, Conn Tag: 0x0, If: .local..12, Pkts: 1, Bytes: 84, CP Session ID: 3
    Out: 10.154.144.194/0 --> 10.154.144.193/11493;icmp, Conn Tag: 0x0, If: reth1.140, Pkts: 0, Bytes: 0, CP Session ID: 3
    Total sessions: 1

    The only logs seen when pinging the SRX IP from the Nexus switch -

    Aug 4 10:15:02 fw01 clear-log[60139]: logfile cleared
    Aug 4 10:15:27 10:15:27.266162:CID-02:FPC-02:PIC-02:THREAD_ID-27:LSYS_ID-00:RT:<10.154.144.194/27711->10.154.144.193/0;1,0x0> matched filter f2:
    Aug 4 10:15:27 10:15:27.266303:CID-02:FPC-02:PIC-02:THREAD_ID-27:LSYS_ID-00:RT:packet [84] ipid = 49508, @0xff06000f4
    Aug 4 10:15:27 10:15:27.266310:CID-02:FPC-02:PIC-02:THREAD_ID-27:LSYS_ID-00:RT:CP flow starts, mbuf=0x2aac0000, ifl_idx=292, ctxt_type=0xf
    Aug 4 10:15:27 10:15:27.266319:CID-02:FPC-02:PIC-02:THREAD_ID-27:LSYS_ID-00:RT:lpak_init: lpak 0xfdd3e9b30, paksize 84, machdr 0x20a42374, iphdr 0xff06000f4, conn-tag: 0x00000000
    Aug 4 10:15:27 10:15:27.266337:CID-02:FPC-02:PIC-02:THREAD_ID-27:LSYS_ID-00:RT:cp flow exit rc=0xffffffff
    Aug 4 10:15:29 10:15:29.265613:CID-02:FPC-00:PIC-02:THREAD_ID-09:LSYS_ID-00:RT:<10.154.144.194/27711->10.154.144.193/256;1,0x0> matched filter f2:
    Aug 4 10:15:29 10:15:29.265636:CID-02:FPC-00:PIC-02:THREAD_ID-09:LSYS_ID-00:RT:packet [84] ipid = 49509, @0xff0adf8f4
    Aug 4 10:15:29 10:15:29.265641:CID-02:FPC-00:PIC-02:THREAD_ID-09:LSYS_ID-00:RT:CP flow starts, mbuf=0x2aafe600, ifl_idx=292, ctxt_type=0xf
    Aug 4 10:15:29 10:15:29.265651:CID-02:FPC-00:PIC-02:THREAD_ID-09:LSYS_ID-00:RT:lpak_init: lpak 0xfdf7fbb30, paksize 84, machdr 0x0, iphdr 0xff0adf8f4, conn-tag: 0x00000000
    Aug 4 10:15:29 10:15:29.265667:CID-02:FPC-00:PIC-02:THREAD_ID-09:LSYS_ID-00:RT:cp flow exit rc=0xffffffff


    Can someone suggest what I should check to get this working?


    Thanks.
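An added example (not part of the original post): a small Python parser for the two outputs pasted above that flags the two symptoms this post shows, a session whose Out wing on reth1.140 has Pkts: 0, and a trace flow whose CP flow lookup exits with a non-zero rc. The sample input is constructed from lines in the post.

```python
import re

# Constructed sample: one session in "show security flow session" format and two flow-traceoptions lines, copied from the post.
SESSION_OUTPUT = """\
Session ID: 134217731, Policy name: self-traffic-policy/1, State: Active, Timeout: 58, Valid
In: 10.154.144.193/11493 --> 10.154.144.194/2;icmp, Conn Tag: 0x0, If: .local..12, Pkts: 1, Bytes: 84, CP Session ID: 3
Out: 10.154.144.194/2 --> 10.154.144.193/11493;icmp, Conn Tag: 0x0, If: reth1.140, Pkts: 0, Bytes: 0, CP Session ID: 3
"""
TRACE_OUTPUT = """\
Aug 4 10:15:27 10:15:27.266162:CID-02:FPC-02:PIC-02:THREAD_ID-27:LSYS_ID-00:RT:<10.154.144.194/27711->10.154.144.193/0;1,0x0> matched filter f2:
Aug 4 10:15:27 10:15:27.266337:CID-02:FPC-02:PIC-02:THREAD_ID-27:LSYS_ID-00:RT:cp flow exit rc=0xffffffff
"""
SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+),")
WING_RE = re.compile(r"^(In|Out): (\S+) --> (\S+);(\w+),.*?If: ([^,]+), Pkts: (\d+), Bytes: (\d+)")
THREAD_RE = re.compile(r"(CID-\d+:FPC-\d+:PIC-\d+:THREAD_ID-\d+)")
MATCH_RE = re.compile(r"<(.+?)> matched filter (\w+):")
EXIT_RE = re.compile(r"cp flow exit rc=(0x[0-9a-fA-F]+)")

def parse_sessions(text):
    """Group each 'Session ID' line with its In and Out wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SESSION_RE.match(line):
            cur = {"id": int(m.group(1)), "policy": m.group(2), "wings": {}}
            sessions.append(cur)
        elif (m := WING_RE.match(line)) and cur is not None:
            cur["wings"][m.group(1)] = {"src": m.group(2), "dst": m.group(3), "proto": m.group(4), "ifl": m.group(5), "pkts": int(m.group(6)), "bytes": int(m.group(7))}
    return sessions

def one_way_sessions(sessions):
    """Sessions that sent packets on the In wing but saw none come back on the Out wing."""
    return [s for s in sessions
            if s["wings"].get("In", {}).get("pkts", 0) > 0
            and s["wings"].get("Out", {}).get("pkts", 0) == 0]

def failed_flow_setups(text):
    """Pair each 'matched filter' line with the next 'cp flow exit' on the same thread; return (5-tuple, filter, rc) where rc is non-zero."""
    pending, failed = {}, []
    for line in text.splitlines():
        t = THREAD_RE.search(line)
        if not t:
            continue
        key = t.group(1)
        if m := MATCH_RE.search(line):
            pending[key] = (m.group(1), m.group(2))
        elif (m := EXIT_RE.search(line)) and key in pending:
            tup, flt = pending.pop(key)
            if int(m.group(1), 16) != 0:
                failed.append((tup, flt, m.group(1)))
    return failed
```

Run it over the full "show security flow session" and traceoptions file contents to list every session with no return packets and every filtered flow that never became a session.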


  • 2.  RE: Can not ping SRX traffic interface and vice versa

    Posted 08-04-2021 19:45
    Ping to the SRX interface is controlled by the settings for the security zone itself.  The policies are for traffic that transits the SRX in one interface and out another.

    The SRX interface gets assigned to a zone; under the zone you allow ping either for the whole zone or for an individual interface, under host-inbound-traffic system-services ping.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Can not ping SRX traffic interface and vice versa

    Posted 08-05-2021 05:27
    Thanks for the inputs, sir,

    Ping service is allowed on the interface in the zone as below -
    set security zones security-zone RTP-DMZ interfaces reth1.140 host-inbound-traffic system-services any-service

    And from what I understand we can't ping the SRX interface IP if the service is not allowed, but it is also failing to get any reply from the next hop.

    What else should I check for?

    Thanks


  • 4.  RE: Can not ping SRX traffic interface and vice versa

    Posted 08-05-2021 05:43
    What are the contents of the filter mentioned in the log, and where is it applied on the SRX?

    What is the configuration of the interface with the ip address?

    What is the status of that interface with show interfaces?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Can not ping SRX traffic interface and vice versa

    Posted 08-05-2021 09:15
    Please find it below; that is just the basic filter I applied -

    set security flow traceoptions file monitortraffic
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter f1 source-prefix 10.154.144.193/32
    set security flow traceoptions packet-filter f1 destination-prefix 10.154.144.194/32
    set security flow traceoptions packet-filter f2 source-prefix 10.154.144.194/32
    set security flow traceoptions packet-filter f2 destination-prefix 10.154.144.193/32

    and the interface configuration -

    set interfaces reth1 description LAN_to_Nexus
    set interfaces reth1 vlan-tagging
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 redundant-ether-options lacp active
    set interfaces reth1 unit 140 description Ext_RTP1_FE1_Serv2_DMZ1
    set interfaces reth1 unit 140 vlan-id 140
    set interfaces reth1 unit 140 family inet address 10.154.144.193/26

    The interface status is up for the same -



    We have other sub-interfaces on reth1, which all show as up/up.

    Thanks.