To troubleshoot communications that do not work, you will need to see which policy the desired traffic is hitting, using
show security flow session
This can be restricted using either or both of the restrictions for source and destination prefix.
show security flow session source-prefix 192.168.1.1/32 destination-prefix 192.168.2.1/32
The result will identify the policy used and any NAT applied to the traffic.
The other check is to confirm that the active routing table entries are sending the destination traffic to the desired interface:
show route 192.168.1.1
This will confirm the destination traffic goes to the correct zone. If the source is directly attached, the source zone will be that interface.
We also need to confirm that both devices have their default gateway set to the SRX interface for their subnet.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------
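As an added illustration of the checks described in the reply above (this is example code written for this page, not something Steve or Juniper published): a small parser for `show security flow session` output that reports, per session, the matched policy, whether source or destination NAT rewrote the reverse wing, and whether any return packets were seen. The session text is constructed to match the CLI's layout; the addresses, interface names and policy names in it are invented and are not from the devices in this thread. The `filter_sessions` helper mirrors the CLI's `source-prefix` / `destination-prefix` narrowing.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of `show security flow session` output.
# Not captured from the thread's devices; values are invented for the example.
SAMPLE_OUTPUT = """\
Session ID: 20001, Policy name: hosts-to-srx345/5, Timeout: 1796, Valid
  In: 192.168.1.1/51234 --> 192.168.2.1/22;tcp, Conn Tag: 0x0, If: irb.10, Pkts: 12, Bytes: 1010,
  Out: 192.168.2.1/22 --> 192.168.1.1/51234;tcp, Conn Tag: 0x0, If: irb.90, Pkts: 9, Bytes: 870,

Session ID: 20002, Policy name: hosts-to-internet/7, Timeout: 2, Valid
  In: 192.168.1.20/40000 --> 203.0.113.9/443;tcp, Conn Tag: 0x0, If: irb.10, Pkts: 1, Bytes: 60,
  Out: 203.0.113.9/443 --> 198.51.100.2/7812;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,

Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
WING_RE = re.compile(
    r"^\s*(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+), .*?If: ([^,]+), "
    r"Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str
    pkts: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    wings: Dict[str, Wing]


def parse_sessions(text: str) -> List[Session]:
    """Turn CLI output into Session objects, each with an In and an Out wing."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m.group(1)), m.group(2), int(m.group(3)), {}))
            continue
        w = WING_RE.match(line)
        if w and sessions:
            direction, src, sport, dst, dport, proto, iface, pkts, _ = w.groups()
            sessions[-1].wings[direction] = Wing(
                src, int(sport), dst, int(dport), proto, iface, int(pkts)
            )
    return sessions


def filter_sessions(sessions, source_prefix=None, destination_prefix=None):
    """Narrow by the first packet's source/destination, like the CLI options."""
    src_net = ipaddress.ip_network(source_prefix) if source_prefix else None
    dst_net = ipaddress.ip_network(destination_prefix) if destination_prefix else None
    kept = []
    for s in sessions:
        w = s.wings["In"]
        if src_net and ipaddress.ip_address(w.src) not in src_net:
            continue
        if dst_net and ipaddress.ip_address(w.dst) not in dst_net:
            continue
        kept.append(s)
    return kept


def analyse(session: Session) -> dict:
    """Report the policy, NAT applied, and whether any return traffic was seen."""
    i, o = session.wings["In"], session.wings["Out"]
    return {
        "policy": session.policy.split("/")[0],
        "in_interface": i.iface,
        "out_interface": o.iface,
        # The reverse wing should end at the original source; if not, source NAT rewrote it.
        "source_nat": (o.dst, o.dport) != (i.src, i.sport),
        # The reverse wing should start at the original destination; if not, destination NAT rewrote it.
        "destination_nat": (o.src, o.sport) != (i.dst, i.dport),
        # Zero packets on the Out wing: the policy matched but nothing came back,
        # which is what a far-end host with the wrong default gateway looks like.
        "return_traffic_seen": o.pkts > 0,
    }


if __name__ == "__main__":
    for s in filter_sessions(parse_sessions(SAMPLE_OUTPUT), source_prefix="192.168.1.0/24"):
        print(s.sid, analyse(s))
```

The second constructed session is the pattern worth recognising when working through this thread: a policy is matched, so the security-policy question is answered, yet the Out wing never sees a packet. That points at the return path (routing or the destination host's default gateway), not at the policy.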
Original Message:
Sent: 03-14-2023 16:12
From: Anonymous
Subject: Communication through 2 srx not establishing
This message was posted by a user wishing to remain anonymous
Hi,
Proper security zones, from and to policies are defined in both firewalls.
Even if we permit-all, the issue is still there.
I suspect the issue is with MSTP or the static route between VRRP. Kindly advise.
Original Message:
Sent: 03-13-2023 08:10
From: spuluka
Subject: Communication through 2 srx not establishing
There would need to be a security policy on both SRX for the transit zone traffic to be permitted.
Policy is from the perspective of the first packet initiating the communications between the two hosts.
The first SRX will have a policy from the zone of the host to the zone of the link between the SRX, which I assume is the srx345 zone noted above.
The second SRX will have a policy from the zone of the link, srx345, to the zone where the destination host is connected.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 03-13-2023 05:16
From: Anonymous
Subject: Communication through 2 srx not establishing
Original Message:
Sent: 03-08-2023 09:06
From: spuluka
Subject: Communication through 2 srx not establishing
This message was posted by a user wishing to remain anonymous
Hi,
Communication from different zones is blocked.
Self traffic between the SRX is working properly, but all other traffic from the zones is not sending or receiving packets.
VRRP, static route and MSTP are configured in the firewalls.
What is the communication that is currently blocked?
What is permitted on the link will depend on whether it is transit traffic through the SRX zones or self traffic between the devices and what the protocols involved are.
What you show so far should cover things like ospf between the SRX and other protocols but any transit traffic would also need a security policy created.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 03-07-2023 22:59
From: Anonymous
Subject: Communication through 2 srx not establishing
This message was posted by a user wishing to remain anonymous
Hi,
Two SRX are not communicating; the ports are configured as trunk with allowed VLANs.
The SRX models are SRX 550 and SRX 345; the SRX are connected to each other using a fiber link.
Please find attached screenshot and advise.
SRX 550 Config
set interfaces ge-0/0/8 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members srx550
set interfaces irb unit 90 family inet address 10.0.0.3/24 vrrp-group 1 virtual-address 10.0.0.1
set interfaces irb unit 90 family inet address 10.0.0.3/24 vrrp-group 1 priority 202
set interfaces irb unit 90 family inet address 10.0.0.3/24 vrrp-group 1 preempt
set interfaces irb unit 90 family inet address 10.0.0.3/24 vrrp-group 1 accept-data
set security zones security-zone srx550 host-inbound-traffic system-services all
set security zones security-zone srx550 host-inbound-traffic protocols all
set security zones security-zone srx550 interfaces irb.90
set vlans srx550 vlan-id 90
set vlans srx550 l3-interface irb.90
SRX 345 Config
set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members srx345
set interfaces irb unit 90 family inet address 10.0.0.4/24 vrrp-group 1 virtual-address 10.0.0.2
set interfaces irb unit 90 family inet address 10.0.0.4/24 vrrp-group 1 priority 202
set interfaces irb unit 90 family inet address 10.0.0.4/24 vrrp-group 1 preempt
set interfaces irb unit 90 family inet address 10.0.0.4/24 vrrp-group 1 accept-data
set security zones security-zone srx345 host-inbound-traffic system-services all
set security zones security-zone srx345 host-inbound-traffic protocols all
set security zones security-zone srx345 interfaces irb.90
set vlans s345 vlan-id 90
set vlans s345 l3-interface irb.90