Originally, I copied the configuration for this switch over from another switch, and it looks like I neglected to change the MAC addresses to match the new SRX it would be connected to :|
Deactivating the mac filtering fixed everything right up and I was able to ping the SRX no problem.
Original Message:
Sent: 07-03-2024 15:51
From: Allyn Crowe
Subject: Unable to ping SRX380 from laptop while plugged into it and in the same subnet
Also, I'm assuming the MAC addresses listed on port ge-0/0/9 under accept-source-mac are the correct MAC addresses? If so, everything "looks" good and you should see more under the security logs, as Nikolay said. If the packets aren't being dropped by the SRX, you may try disabling the MAC filtering on the uplink port to the SRX on your switch.
------------------------------
Allyn Crowe
Original Message:
Sent: 07-03-2024 15:32
From: YOOSUF BATLIWALA
Subject: Unable to ping SRX380 from laptop while plugged into it and in the same subnet
Let me show the ge-0/0/12 config just to be sure:
interfaces {
    ...
    ge-0/0/12 {
        description "RDP Workstation #2";
        enable;
        unit 0 {
            inactive: accept-source-mac {
                mac-address (removed);
            }
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members Management;
                }
                storm-control default;
            }
        }
    }
    ...
}
and here is the ping command I'm running:
> ping 10.10.1.9
Additionally, I'm not sure if this is what you're referring to by "IP on irb.0", but here are the details I found in the config:
show interfaces | no-more
...
Logical interface irb.0 (Index 601) (SNMP ifIndex 504)
    Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
    Bandwidth: 1Gbps
    Routing Instance: default-switch Bridging Domain: Management
    Input packets : 3561
    Output packets: 6108
    Protocol inet, MTU: 1500
    Max nh cache: 75000, New hold nh limit: 75000, Curr nh cnt: 2, Curr new hold cnt: 0, NH drop cnt: 0
    Flags: Sendbcast-pkt-to-re, Is-Primary
    Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.10.1.0/26, Local: 10.10.1.1, Broadcast: 10.10.1.63
...
------------------------------
YOOSUF BATLIWALA
Original Message:
Sent: 07-03-2024 15:05
From: Allyn Crowe
Subject: Unable to ping SRX380 from laptop while plugged into it and in the same subnet
So, looking at that switchport config, it does match the SRX config for VLANs. I'm guessing the config for port ge-0/0/12 is an access port in the management VLAN. So you should be able to ping 10.10.1.9 from your host and whatever the IP on irb.0 on the switch is (I'm assuming it's in the same 10.10.1.9/26 network). It might help if you post the ping command you're running to confirm.
If that's still not working, then you'll probably need to start looking at security logs to see if/why the traffic is being dropped.
------------------------------
Allyn Crowe
Original Message:
Sent: 07-03-2024 14:52
From: YOOSUF BATLIWALA
Subject: Unable to ping SRX380 from laptop while plugged into it and in the same subnet
The apartment analogy explained things very well for me, thank you!
I connected up to the switch and SSH'd into it from ge-0/0/12 (which is configured for SSH access). ge-0/0/9 (on the switch) is configured for connection to the SRX. I'm having a similar issue (this time the ping just never returns an error; it just stays blank). I'll include the switch config below:
show configuration | no-more
...
interfaces {
    ...
    ge-0/0/9 {
        description "JUNIPER SRX";
        unit 0 {
            accept-source-mac {
                mac-address (removed);
                mac-address (removed);
            }
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ Management KGnet ];
                }
                storm-control default;
            }
        }
    }
    ...
}
...
vlans {
    ...
    KGnet {
        vlan-id 200;
        forwarding-options {
            dhcp-security {
                arp-inspection;
            }
        }
    }
    Management {
        vlan-id 50;
        l3-interface irb.0;
        forwarding-options {
            dhcp-security {
                arp-inspection;
            }
        }
    }
    ...
}
------------------------------
YOOSUF BATLIWALA
Original Message:
Sent: 07-03-2024 09:38
From: Allyn Crowe
Subject: Unable to ping SRX380 from laptop while plugged into it and in the same subnet
Looking at that interface config, it shows that the interface is using 802.1Q tags (that's the vlan-tagging command) to receive traffic from two separate VLANs (vlan-id 50 and vlan-id 200). This is colloquially called a trunk port.
As the description is "To Switch", I'm guessing this is meant to connect to a switch. On the switch you would need to define a port to tag traffic for both of those VLANs and connect it to that SRX port. Then you would define an access port on the VLAN you're interested in and try your ping again.
If you try to connect your laptop directly to that port, the switch doesn't know which subinterface (or VLAN) the traffic is meant for and will drop it. Think of the port like an apartment building with a common entrance. Without the VLAN tag, you've delivered a package to the front door, but now none of the occupants know who it belongs to, so they throw it in the trash. With the VLAN tag they know which apartment it's for and can deliver it properly.
------------------------------
Allyn Crowe
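The two drop points discussed in this thread, modelled at the frame level as an added example (this is not code from the thread and not Junos itself): an SRX interface with `vlan-tagging` and units only for VLAN 50 and 200 has nowhere to put an untagged frame, which is the "package at the front door" case above, and a switch port with `accept-source-mac` silently drops frames whose source MAC is not on the list, which is what the stale MACs copied from another switch's config turned out to be doing. The MAC addresses, unit labels and payload below are constructed for the example; the model assumes no native VLAN on the SRX port and that `inactive: accept-source-mac` means no filtering at all.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, payload, vlan_id=None, pcp=0):
    """Ethernet II frame carrying an IPv4 payload.

    With vlan_id set, a 4-byte 802.1Q tag is inserted after the source MAC:
    TPID 0x8100 followed by the TCI (3-bit PCP, 1-bit DEI, 12-bit VLAN ID).
    """
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp & 0x7) << 13 | (vlan_id & 0x0FFF)  # DEI bit left at 0
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Decode dst/src MACs, optional 802.1Q tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify_on_tagged_interface(frame, units):
    """Model of the SRX port: `vlan-tagging` with one unit per VLAN ID.

    Returns (unit, reason). An untagged frame matches no unit and is dropped,
    which is what a laptop plugged straight into ge-0/0/3 runs into.
    """
    parsed = parse_frame(frame)
    if parsed["vlan"] is None:
        return None, "dropped: untagged frame, no unit accepts untagged traffic"
    if parsed["vlan"] not in units:
        return None, f"dropped: no unit configured for vlan-id {parsed['vlan']}"
    return units[parsed["vlan"]], f"accepted on {units[parsed['vlan']]}"


def switch_port_mac_filter(frame, accept_source_mac):
    """Model of the switch port's `accept-source-mac` list.

    accept_source_mac=None models the statement being inactive (no filtering).
    """
    parsed = parse_frame(frame)
    if accept_source_mac is None:
        return True, "forwarded: MAC filtering inactive"
    allowed = {m.lower() for m in accept_source_mac}
    if parsed["src"] not in allowed:
        return False, f"dropped: source {parsed['src']} not in accept-source-mac"
    return True, "forwarded: source MAC allowed"


# Constructed sample data (locally administered MACs, not from the thread).
LAPTOP_MAC = "02:00:00:00:00:0a"
SRX_MAC = "02:00:00:00:00:01"
STALE_SRX_MAC = "02:00:00:00:00:99"   # MAC left over from the copied config
SRX_UNITS = {50: "ge-0/0/3.50", 200: "ge-0/0/3.200"}  # unit 50 = 10.10.1.9/26
PAYLOAD = b"constructed-icmp-echo-placeholder"   # not a real IP/ICMP packet


def main():
    # Laptop sending towards the SRX: only a tag the SRX has a unit for works.
    for vlan in (None, 50, 200, 60):
        frame = build_frame(SRX_MAC, LAPTOP_MAC, PAYLOAD, vlan_id=vlan)
        print(f"laptop -> SRX ge-0/0/3, tag={vlan}: "
              f"{classify_on_tagged_interface(frame, SRX_UNITS)[1]}")
    # SRX replying into switch port ge-0/0/9 with three accept-source-mac states.
    reply = build_frame(LAPTOP_MAC, SRX_MAC, PAYLOAD, vlan_id=50)
    for label, acl in (("stale MACs", [STALE_SRX_MAC]),
                       ("corrected MACs", [SRX_MAC]),
                       ("inactive", None)):
        print(f"SRX -> switch ge-0/0/9, accept-source-mac {label}: "
              f"{switch_port_mac_filter(reply, acl)[1]}")


if __name__ == "__main__":
    main()
```

The point of the MAC-filter half is that `accept-source-mac` fails closed and silently: a ping simply never returns, exactly as reported further up the thread, rather than producing an error. When a copied config carries a MAC list, compare it against `show ethernet-switching table` (or the SRX's own interface MAC) before trusting it, or deactivate the statement while testing, as the resolution did.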
Original Message:
Sent: 07-02-2024 17:24
From: YOOSUF BATLIWALA
Subject: Unable to ping SRX380 from laptop while plugged into it and in the same subnet
Hey Allyn! I'll include the relevant portion of the interface config below. Also, what do you mean by "tag on your laptop"?
show interfaces | no-more
...
ge-0/0/3 {
    description "To Switch";
    vlan-tagging;
    unit 50 {
        description PROJECT_N;
        vlan-id 50;
        family inet {
            address 10.10.1.9/26;
        }
    }
    unit 200 {
        description ENCRYPTOR_MGMT;
        vlan-id 200;
        family inet {
            address 172.16.0.5/24;
        }
    }
}
...
------------------------------
YOOSUF BATLIWALA
Original Message:
Sent: 07-02-2024 17:06
From: Allyn Crowe
Subject: Unable to ping SRX380 from laptop while plugged into it and in the same subnet
Which sub-interface on ge-0/0/3? The zone config shows there are multiple (ge-0/0/3.50 and .200). If you're plugged directly into that port, you'll need to tag on your laptop to match the interface configs. "Destination host unreachable" is usually a routing error more than the host complaining.
If you post the interface config it might help more :)
------------------------------
Allyn Crowe
Original Message:
Sent: 07-02-2024 16:03
From: YOOSUF BATLIWALA
Subject: Unable to ping SRX380 from laptop while plugged into it and in the same subnet
Hi!
I am trying to ping an interface (ge-0/0/3) on an SRX but keep getting a "destination host unreachable" error. I am plugged into the interface through a laptop that is in the same subnet as the interface. The interface itself is in a security zone that allows ping and SSH (which is what I am ultimately trying to do: SSH into the router). I've poked around all over online but haven't been able to find the solution for this. I'll include the security and firewall configs with the post.
Thank you!
------------------------------
YOOSUF BATLIWALA