SRX

  • 1.  SRX cannot ping its Gateway

    This message was posted by a user wishing to remain anonymous
    Posted 10-31-2023 20:05

    Hi Everyone,

    I am new to SRX. Looking forward to your help.

    I have set up a lab where there is an IOS device and an SRX with point-to-point IP addresses:

    SRX - 172.16.0.2/24

    Cisco Router - 172.16.0.1/24

    I cannot ping the SRX's IP when trying from the Cisco router.

    Here are the configurations:

    Cisco Router

    interface GigabitEthernet0/1
     ip address 172.16.0.1 255.255.255.0
     duplex auto
     speed auto

    SRX

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    set interfaces ge-0/0/0 unit 0 family inet address 172.16.0.2/24

    Looking forward to your response. Thanks



  • 2.  RE: SRX cannot ping its Gateway

    Posted 11-01-2023 06:21

    Hi, 

    When removing the lines:

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all

    Are you able to ping across the P2P, or not when those lines are removed? I also presume the interfaces are UP and not disabled/shut?

    Could you also try to 'trust' the interfaces rather than untrust? I've just found this document that states this configuration:

    https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Interfaces-and-Security-Zones?language=en_US#zone

    HTH,



    ------------------------------
    Ethan Jackson
    ------------------------------



  • 3.  RE: SRX cannot ping its Gateway

    Posted 11-02-2023 09:40

    If you can ping from the SRX to the Cisco but not from the Cisco to the SRX, your problem is security policy. Your host-inbound-traffic settings should be sufficient. 

    You may also want to check on both platforms whether you are learning the MAC address of the other device.



    ------------------------------
    JASON
    ------------------------------



  • 4.  RE: SRX cannot ping its Gateway

    Posted 8 days ago

    Have you checked flow sessions?

    run show security flow session source-prefix 172.16.0.1/32

    Do the above while you ping from the Cisco.

    -------------------------------------------



  • 5.  RE: SRX cannot ping its Gateway

    Posted 6 days ago

    Check the ARP tables on both ends (show arp no-resolve interface ge-0/0/0.0). If they cannot see each other, you have a connectivity issue.

    Both units are misconfigured, but equally so, so it should work. In the drawing, you have 172.16.0.1/29, but both units have a /24 mask. This is not the end of the world normally, but if you do have other interfaces with overlapping subnets (using anything else in the 172.16.0.x range), one of the units may be confused.

    Do you have a policy that allows the traffic? Normally, traffic going to the SRX is controlled with host-inbound-traffic system-services and protocols, so that shouldn't be the issue. Traffic from the SRX itself (ping in the CLI for instance) is permitted by default. One way to control this better is to use the junos-host security zone. This special zone controls what goes to and comes from the SRX itself. Just like having a policy "from-zone trust to-zone untrust" or similar, you can use for instance the combination "from-zone untrust to-zone junos-host".

    https://supportportal.juniper.net/s/article/SRX-Configuration-Example-How-to-limit-self-traffic-using-Security-Policies

    One last thing to check is if you have an input filter on interface lo0:

    show interfaces lo0

    If no filters are configured, you're fine. They are used as a last resort filter mechanism to the RE/CPU of the SRX.

    When you're totally stuck, boot up a PC and set the IP of the Cisco on it and connect the PC to the SRX. Now test the ping, ARP etc. If all is good, set the IP of the SRX on the PC and connect it to the Cisco.

    -------------------------------------------
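
    As an added example that is not part of any reply in this thread: a Junos set-format configuration that applies what posts 4 and 5 describe. It narrows host-inbound-traffic on ge-0/0/0.0 to ping, uses the junos-host zone so that only the Cisco gateway may ping the SRX itself (everything else toward the SRX is denied and logged), and adds a minimal lo0 input filter of the kind post 5 says to check for. The addresses are the ones from the original post; the policy, filter, counter and address-book names (allow-ping-from-gw, deny-rest, protect-re, dropped-icmp, cisco-gw) are assumptions chosen for this example. Lines starting with ## are explanatory and are not configuration.

```junos
## Interface and zone from the original post, with host-inbound-traffic
## reduced from "system-services all" to just ping.
set interfaces ge-0/0/0 unit 0 family inet address 172.16.0.2/24
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

## Global address-book entry for the Cisco gateway (assumed name: cisco-gw).
set security address-book global address cisco-gw 172.16.0.1/32

## junos-host zone: traffic destined to the SRX itself from the untrust zone.
## Only ICMP echo from the gateway is permitted; the rest is denied and logged.
set security policies from-zone untrust to-zone junos-host policy allow-ping-from-gw match source-address cisco-gw
set security policies from-zone untrust to-zone junos-host policy allow-ping-from-gw match destination-address any
set security policies from-zone untrust to-zone junos-host policy allow-ping-from-gw match application junos-icmp-ping
set security policies from-zone untrust to-zone junos-host policy allow-ping-from-gw then permit
set security policies from-zone untrust to-zone junos-host policy deny-rest match source-address any
set security policies from-zone untrust to-zone junos-host policy deny-rest match destination-address any
set security policies from-zone untrust to-zone junos-host policy deny-rest match application any
set security policies from-zone untrust to-zone junos-host policy deny-rest then deny
set security policies from-zone untrust to-zone junos-host policy deny-rest then log session-init

## lo0 input filter (assumed name: protect-re). Accepts ICMP from the gateway,
## counts and discards other ICMP, and accepts everything else so that
## management traffic is not cut off by the filter.
set firewall family inet filter protect-re term gw-icmp from source-address 172.16.0.1/32
set firewall family inet filter protect-re term gw-icmp from protocol icmp
set firewall family inet filter protect-re term gw-icmp then accept
set firewall family inet filter protect-re term other-icmp from protocol icmp
set firewall family inet filter protect-re term other-icmp then count dropped-icmp
set firewall family inet filter protect-re term other-icmp then discard
set firewall family inet filter protect-re term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input protect-re
```

    To verify, start a ping from the Cisco and run `show security flow session source-prefix 172.16.0.1/32` (post 4), `show security policies hit-count` to see which junos-host policy matched, and `show firewall filter protect-re` to read the dropped-icmp counter. Note that all three layers apply in order (host-inbound-traffic, then the junos-host policy, then the lo0 filter), so a ping that fails at any one of them will not appear as a session at the next; using `commit confirmed` when adding the lo0 filter lets a mistake roll back on its own.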



  • 6.  RE: SRX cannot ping its Gateway

    Posted 6 days ago

    The best exercise I can think of, if you really want it to flow properly, is to find an old 10 Mbps hub. This hub will have a coax connection to simulate cable. Then teach the SRX this topology. That address is like this for this reason. Hope you learn.

    Oh, the ports must be 10 Mbps Ethernet. The coax would be considered T1.

    No other speeds plz.

    You don't have to use the T1 for this exercise, unless you got two hubs similar/exact.

    You're making your life harder by not using 172.16.1.1.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 7.  RE: SRX cannot ping its Gateway

    Posted 5 days ago

    Notice the fittings.

    https://ebay.us/m/aKpWi3

    https://ebay.us/m/6sjT9n

    Old I know.

    Use temporarily till the SRX gets it.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------