I am testing out a setup in GNS3. I added 2 vSRX 18.4R3 3.0 devices, connected to a standard switch. I added the simplest of simple configs:
vSRX1:
set interfaces ge-0/0/4 unit 0 family inet address 10.0.10.4/28 vrrp-group 1 virtual-address 10.0.10.2
set interfaces ge-0/0/4 unit 0 family inet address 10.0.10.4/28 vrrp-group 1 priority 220
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic protocols vrrp
root> show vrrp brief
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/4.0 up 1 master Active A 0.691 lcl 10.0.10.4
vip 10.0.10.2
vSRX2:
set interfaces ge-0/0/4 unit 0 family inet address 10.0.10.3/28 vrrp-group 1 virtual-address 10.0.10.2
set interfaces ge-0/0/4 unit 0 family inet address 10.0.10.3/28 vrrp-group 1 priority 200
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic protocols vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/4.0 up 1 backup Active D 2.900 lcl 10.0.10.3
vip 10.0.10.2
mas 10.0.10.4
So all seems to work OK concerning VRRP. I can see the 224.0.0.18 packets containing VRRP info with the packet tracer, and all seems to work OK.
Now comes the fun part. The virtual IP can only be pinged from inside the master box, at this moment vSRX1. From vSRX2 the ping gets no reply. I can see the packet going towards vSRX1, but no reply. Now I let the ping run and start a monitor traffic on the ge-0/0/4 interface on vSRX1 to see the ping coming in. And the ping starts to work.
vSRX2:
root> ping 10.0.10.2
PING 10.0.10.2 (10.0.10.2): 56 data bytes
^C
--- 10.0.10.2 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
root> ping 10.0.10.2
PING 10.0.10.2 (10.0.10.2): 56 data bytes
64 bytes from 10.0.10.2: icmp_seq=11 ttl=64 time=4.874 ms
64 bytes from 10.0.10.2: icmp_seq=12 ttl=64 time=1.585 ms
64 bytes from 10.0.10.2: icmp_seq=13 ttl=64 time=3.560 ms
64 bytes from 10.0.10.2: icmp_seq=14 ttl=64 time=1.719 ms
64 bytes from 10.0.10.2: icmp_seq=15 ttl=64 time=1.730 ms
64 bytes from 10.0.10.2: icmp_seq=16 ttl=64 time=1.879 ms
64 bytes from 10.0.10.2: icmp_seq=17 ttl=64 time=1.604 ms
^C
--- 10.0.10.2 ping statistics ---
109 packets transmitted, 7 packets received, 93% packet loss
round-trip min/avg/max/stddev = 1.585/2.422/4.874/1.192 ms
root>
vSRX1:
root> ping 10.0.10.2
PING 10.0.10.2 (10.0.10.2): 56 data bytes
64 bytes from 10.0.10.2: icmp_seq=0 ttl=64 time=0.329 ms
64 bytes from 10.0.10.2: icmp_seq=1 ttl=64 time=0.043 ms
^C
--- 10.0.10.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.043/0.186/0.329/0.143 ms
root> monitor traffic interface ge-0/0/4 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/4, capture size 96 bytes
12:28:18.829984 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
12:28:19.594558 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
12:28:20.537789 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
12:28:21.506782 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
12:28:22.469059 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
12:28:23.343387 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
12:28:24.344707 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
^C
7 packets received by filter
0 packets dropped by kernel
root>
Am I missing some firewall settings to make icmp work? Also routing to this virtual IP does not work (the reason I am testing this), but during the monitor routing does work.
------------------------------
Ben Ooijevaar
------------------------------
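Added example, not part of the post above and not Juniper code: a small Python helper that parses the `monitor traffic` VRRP lines shown in the post and derives the things worth checking when a VIP only answers while a capture is running. A ping to 10.0.10.2 is sent to the VRRP virtual MAC (00:00:5e:00:01:VRID per RFC 3768), not to the interface's own MAC, so the script computes that address; it also runs the election (highest priority, ties to the highest IP) and the RFC 3768 master-down timer, and flags advertisements from sources that are not the two configured routers, since with `authtype=none` any host on the segment could advertise a higher priority and the backup would defer to it. The sample capture text is constructed from the lines in the post; the expected-source list is an assumption taken from the two configs.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: two VRRP advertisement lines copied from the post's
# `monitor traffic interface ge-0/0/4 no-resolve` output.
SAMPLE_CAPTURE = """\
verbose output suppressed, use <detail> or <extensive> for full protocol decode
12:28:18.829984 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
12:28:19.594558 Out IP 10.0.10.4 > 224.0.0.18: VRRPv2-advertisement 20: vrid=1 prio=220 authtype=none intvl=1
"""

# Assumption: the two vSRX primary addresses from the post's configs.
EXPECTED_SOURCES = {"10.0.10.4", "10.0.10.3"}

ADV_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<dir>In|Out) IP (?P<src>[\d.]+) > 224\.0\.0\.18: "
    r"VRRPv2-advertisement \d+: vrid=(?P<vrid>\d+) prio=(?P<prio>\d+) "
    r"authtype=(?P<auth>\S+) intvl=(?P<intvl>\d+)$"
)


@dataclass(frozen=True)
class Advertisement:
    ts: str
    direction: str
    src: str
    vrid: int
    prio: int
    authtype: str
    intvl: int


def vrrp_virtual_mac(vrid: int) -> str:
    """RFC 3768: the virtual router MAC is 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def parse_advertisements(text: str) -> list[Advertisement]:
    """Extract VRRPv2 advertisement lines; banner and non-VRRP lines are skipped."""
    advs = []
    for line in text.splitlines():
        m = ADV_RE.match(line.strip())
        if not m:
            continue
        advs.append(Advertisement(m["ts"], m["dir"], m["src"], int(m["vrid"]),
                                  int(m["prio"]), m["auth"], int(m["intvl"])))
    return advs


def elect_master(routers: dict[str, int]) -> str:
    """VRRP election: highest priority wins; a tie goes to the numerically highest IP."""
    def ip_key(ip: str) -> tuple[int, ...]:
        return tuple(int(o) for o in ip.split("."))
    return max(routers, key=lambda ip: (routers[ip], ip_key(ip)))


def master_down_interval(priority: int, adv_interval: int) -> float:
    """RFC 3768 timers: Skew_Time = (256 - Priority)/256; Master_Down = 3*Adv + Skew."""
    return 3 * adv_interval + (256 - priority) / 256


def unexpected_sources(advs: list[Advertisement], expected: set[str]) -> set[str]:
    """Sources advertising on the segment that are not the configured routers."""
    return {a.src for a in advs} - expected


def summarize(text: str, expected: set[str]) -> dict:
    """Pull the checkable facts out of a capture: VRID, virtual MAC, master, timers."""
    advs = parse_advertisements(text)
    if not advs:
        raise ValueError("no VRRP advertisements in capture")
    by_src = {a.src: a.prio for a in advs}
    vrid = advs[0].vrid
    return {
        "vrid": vrid,
        "virtual_mac": vrrp_virtual_mac(vrid),
        "seen_master": elect_master(by_src),
        "unauthenticated": any(a.authtype == "none" for a in advs),
        "rogue_sources": unexpected_sources(advs, expected),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE, EXPECTED_SOURCES))
```

When the VIP only answers while `monitor traffic` is running, the first thing to confirm on the hypervisor side is that the vNIC delivers frames sent to the virtual MAC printed here and not only to its own burned-in MAC; a capture usually switches the interface to promiscuous mode, which is consistent with the symptom in the post. The `rogue_sources` check is the detection side of the `authtype=none` observation: alert on any advertisement for a known VRID that does not come from a configured router.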