Thanks for the additional details. This would be the general troubleshooting process for lack of access.
First, for the SRX interfaces themselves, the security zone they are assigned to must allow ping. So use the procedure above to identify the interface and zone and confirm that is permitted.
Next, a security policy should be in place on the SRX to allow the traffic. The general procedure is to confirm which two zones are involved, again by looking up the assignments of the two interfaces (from-zone and to-zone). In your case that is the LAN - st0.0 for the Oracle traffic. Then look up that the security policy is created for this.
The final command for security flow shows if the session was created and will display if response packets are seen. You could have a valid policy but the Oracle side routing is not working.
In your case you can also check the VPN status using the following commands.
Phase one:
show security ike security-associations
Phase two:
show security ipsec security-associations
More details here if they are down:
https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------
Original Message:
Sent: 07-02-2023 20:22
From: MUHAMMAD KAZIM
Subject: Cannot ping from vlan 1 interface to my wan interface ip and gateway
Thanks for your kind reply.
I think you got it wrong. Let me explain in detail.
My WAN IP is 10.0.10.14 and the gateway is 10.0.10.1, interface ge-0/0/0.0.
My LAN IP 192.168.1.1 is assigned to vlan.1, and 192.168.1.5 is my PC IP.
we have also vpn to Oracle cloud both the tunnels are up. we have forwarded route 10.100.100.0/24 to st0.1
0 And st0.0
I can ping 8.8.8.8 and internet is working; no issue with internet from my PC.
But I cannot ping 10.0.10.14 (Juniper WAN IP) and its gateway 10.0.10.1, and also cannot ping 10.100.100.100 (Oracle cloud side local IP) from my PC as well as from the Juniper.
I hope you got my issue.
Is there a need to forward 192.168.1.0/24 to 0.0.0.0/0?
------------------------------
MUHAMMAD KAZIM
Original Message:
Sent: 06-30-2023 07:15
From: spuluka
Subject: Cannot ping from vlan 1 interface to my wan interface ip and gateway
I'm not sure of the status you are asking about here, but I think you are saying that on the CLI of the SRX you can ping the internet 8.8.8.8, but from a host on the vlan 1 LAN side you cannot ping 8.8.8.8.
If so, the troubleshooting would start from that client.
Can you ping the SRX gateway 192.168.1.1 and confirm that connection is working?
If not, check the following.
Status of the interface with this address
show interface terse
If this is not up/up and it is the vlan.#, then check the physical interfaces in the same vlan.
If working, check the security zones and policy.
Find which security zone the gateway interface is assigned to and the security zone of the default gateway egress WAN interface.
show security zones
Confirm the default route is active to the WAN interface.
show route
Check there is a security policy from the LAN to WAN zone allowing internet traffic.
show security policies
If all that checks out, confirm a session is created: start the ping and look for the session.
show security flow session source-address 192.168.1.5/32
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
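Added example, not from the thread, from Juniper, or from either poster: a Junos configuration fragment and verification sequence that puts the checks from both of Steve's replies above into concrete form (zone host-inbound ping, from-zone/to-zone policy, route, IKE/IPsec status, flow session). The zone names trust (vlan.1, LAN), untrust (ge-0/0/0.0, WAN) and vpn (st0.0), the address-book names lan-net and oracle-net, and the policy name lan-to-oracle are assumptions; the prefixes and addresses are the ones given in the thread.

```junos
# Zone assignment (assumed zone names). The zone must permit ping on the
# interface itself before the SRX answers pings to its own addresses.
set security zones security-zone trust interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ping

# Address-book entries for the prefixes named in the thread (assumed names).
set security address-book global address lan-net 192.168.1.0/24
set security address-book global address oracle-net 10.100.100.0/24

# Transit traffic from the LAN into the tunnel needs a from-zone/to-zone policy;
# without it the first packet is dropped and no session is created.
set security policies from-zone trust to-zone vpn policy lan-to-oracle match source-address lan-net
set security policies from-zone trust to-zone vpn policy lan-to-oracle match destination-address oracle-net
set security policies from-zone trust to-zone vpn policy lan-to-oracle match application any
set security policies from-zone trust to-zone vpn policy lan-to-oracle then permit
set security policies from-zone trust to-zone vpn policy lan-to-oracle then log session-init

# Verification, in the order the replies above walk through.
show interfaces terse vlan.1
show security zones
show route 10.100.100.100
show security policies from-zone trust to-zone vpn
show security ike security-associations
show security ipsec security-associations
show security flow session source-prefix 192.168.1.5/32 destination-prefix 10.100.100.100/32
```

In the flow session output, a session whose In direction counts packets while the Out direction stays at zero means the SRX forwarded the echo request but never saw the reply, which is the "policy is fine, remote routing is not" case the first reply describes. Note that Junos applies the host-inbound-traffic check on the zone of the interface the packet arrives on, so for a LAN PC pinging the WAN address 10.0.10.14 the entry that matters is the one on vlan.1, not the one on ge-0/0/0.0.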
Original Message:
Sent: 06-29-2023 18:16
From: MUHAMMAD KAZIM
Subject: Cannot ping from vlan 1 interface to my wan interface ip and gateway
I have SRX 240ah.
I can ping 8.8.8.8, internet is working, but could not ping from my LAN IP 192.168.1.5.
vlan 1 ip 192.168.1.1/24
wan ip 10.0.10.14
wan gateway 10.0.10.1
As I am new to Juniper, please help to solve this issue.
------------------------------
MUHAMMAD KAZIM
------------------------------