My topology is:
ISP link (one physical cable) ----- EX2300 ge-0/0/0 (VLAN 11) -- EX2300 ge-0/0/1 & ge-0/0/2 members of VLAN11 (access ports) --- SRX345 HA node0 & node1 reth1 (ge-0/0/3 & ge-5/0/3) (ISP link)
VLANs are configured on EX2300 ports, not on SRX345 ports.
The reason for this is that currently I have one cable in the server rack from the ISP towards my equipment, and I need to connect an SRX345 HA pair that physically requires 2 cables.
reth1 interface on SRX is placed in Untrust zone.
host-inbound-traffic for Untrust zone is allowed: ping, ike.
Only reth1 is in Untrust zone.
set security zones security-zone Untrust host-inbound-traffic system-services ike
set security zones security-zone Untrust host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ike
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic protocols all
lo0 interface is not defined nor is in any security zone.
However, I cannot ping my static public IP assigned to reth1 from internet.
Everything inbound and outbound works, ipsec tunnels get established, outbound traffic from LAN towards internet via reth1 works, reth1 interface can ping anything on the internet.
All of it seems okay, but cannot ping reth1 IP address from internet.
The interesting thing is that when, for testing purposes, I unplug the SRX345 from the EX2300 ports and plug an old SSG140 with the same static public IP address and in the same Untrust zone into the same EX2300 ports, ping from the internet to that IP works just fine, which can probably help me rule the EX2300 out of the equation.
Any advice is welcomed.
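As an added example (not from the original poster or the reply, and not Juniper's own tooling), here is a small checker that reads Junos `set`-style `security zones` statements and reports what host-inbound traffic is effectively allowed on each zone interface. It assumes the documented Junos behaviour that an interface-level `host-inbound-traffic` block, when present, takes precedence over the zone-level block for that interface; the `except` keyword is not modeled. The sample config is constructed from the statements in the question plus an assumed `Trust` zone and `reth0.0` membership so the zone-level fallback path is exercised. It also flags broad settings such as `protocols all` on an untrust-facing interface, which widens what the routing engine accepts and is worth a second look.

```python
"""Effective host-inbound-traffic checker for Junos SRX 'set'-style config.

Added example, not code from the thread. Assumes (per Junos docs) that an
interface-level host-inbound-traffic block overrides the zone-level one.
"""
from collections import defaultdict

# Constructed sample: the Untrust statements from the question, one per line,
# plus an assumed reth1.0 membership line and an assumed Trust zone/reth0.0.
SAMPLE_CONFIG = """
set security zones security-zone Untrust host-inbound-traffic system-services ike
set security zones security-zone Untrust host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ike
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic protocols all
set security zones security-zone Untrust interfaces reth1.0
set security zones security-zone Trust host-inbound-traffic system-services ssh
set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust interfaces reth0.0
"""

ZONE_PREFIX = ("set", "security", "zones", "security-zone")
CATEGORIES = ("system-services", "protocols")


def _new_hit():
    return {cat: set() for cat in CATEGORIES}


def parse_zones(config_text):
    """Return (zone_hit, iface_zone, iface_hit) from 'set security zones' lines.

    zone_hit[zone]  -> allowed services/protocols at zone level
    iface_zone[ifl] -> the zone an interface is a member of
    iface_hit[ifl]  -> allowed services/protocols configured at interface level
    """
    zone_hit = defaultdict(_new_hit)
    iface_zone = {}
    iface_hit = defaultdict(_new_hit)
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tuple(tok[:4]) != ZONE_PREFIX:
            continue
        zone, rest = tok[4], tok[5:]
        target = zone_hit[zone]
        if rest[:1] == ["interfaces"] and len(rest) >= 2:
            ifl = rest[1]
            iface_zone[ifl] = zone          # membership line or interface-level block
            target = iface_hit[ifl]
            rest = rest[2:]
        # '... host-inbound-traffic system-services X' or '... protocols X'
        if rest[:1] == ["host-inbound-traffic"] and len(rest) == 3 and rest[1] in target:
            target[rest[1]].add(rest[2])
    return zone_hit, iface_zone, iface_hit


def effective_host_inbound(config_text):
    """Per interface: zone, which level applied, and the effective allow lists."""
    zone_hit, iface_zone, iface_hit = parse_zones(config_text)
    result = {}
    for ifl, zone in iface_zone.items():
        own = iface_hit[ifl]
        has_own = any(own[cat] for cat in CATEGORIES)  # assumed override rule
        src = own if has_own else zone_hit[zone]
        result[ifl] = {
            "zone": zone,
            "source": "interface" if has_own else "zone",
            "system-services": sorted(src["system-services"]),
            "protocols": sorted(src["protocols"]),
        }
    return result


def ping_allowed(config_text, ifl):
    """True if the config lets the routing engine answer ICMP echo on ifl."""
    info = effective_host_inbound(config_text).get(ifl)
    if info is None:
        return False
    return "ping" in info["system-services"] or "all" in info["system-services"]


def exposure_findings(config_text, untrusted_zones=("Untrust",)):
    """Flag 'all' allow-lists on interfaces in zones the caller treats as untrusted."""
    findings = []
    for ifl, info in effective_host_inbound(config_text).items():
        if info["zone"] not in untrusted_zones:
            continue
        for cat in CATEGORIES:
            if "all" in info[cat]:
                findings.append(
                    f"{ifl}: {cat} 'all' is allowed toward the RE in zone {info['zone']}"
                )
    return findings


if __name__ == "__main__":
    for ifl, info in effective_host_inbound(SAMPLE_CONFIG).items():
        print(ifl, info)
    print("ping allowed on reth1.0:", ping_allowed(SAMPLE_CONFIG, "reth1.0"))
    for line in exposure_findings(SAMPLE_CONFIG):
        print("FINDING:", line)
```

Run against the question's statements, the checker confirms that `ping` is allowed on `reth1.0` by the zone configuration, so the symptom in the thread is not explained by a missing `host-inbound-traffic` entry; it also reports the `protocols all` entry on the Untrust interface as broad exposure to review.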
As a first try, and just to be sure, you can connect the SRX345 interface that is master in reth1 (I assume it is the one on node 0: ge-0/0/3) directly to the ISP without using the EX switch, which seems not to be the source of your problem.
This way you will be 100% sure that the problem is in your SRX config.
After that I would advise to put some traces on the SRX on flows:
I believe you already know how to do it but just in case you can add these commands to activate tracing:
set security flow traceoptions file DebugTraffic
set security flow traceoptions flag basic-datapath
Be careful to remove these traceoptions if you are in production after your debug session.
Hope this can help