[j-nsp] netscreen issue

Ben Dale ben.dale at lanlink.com.au
Sun Jan 1 23:29:52 EST 2006


Hi Snort,

First of all, test to see which VR is going to be used to find the host
you are trying to ping:

ns50-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address         Zone        MAC            VLAN State VSD
eth1           10.5.1.251/24      Trust       0010.db35.51b0    -   U   - 
eth2           192.168.6.97/29    test        0010.db35.51b5    -   U   - 
eth3           1.1.1.1/30         Untrust     0010.db35.51b6    -   U   - 
eth4           0.0.0.0/0          Null        0010.db35.51b7    -   D   - 
tun.1          unnumbered         Untrust     ethernet3         -   R   - 
vlan1          0.0.0.0/0          VLAN        0010.db35.51bf    1   D   - 
null           0.0.0.0/0          Null        0000.5e00.0100    -   U   0 
ns50-> get route ip 192.168.6.98
Dest Routes for 192.168.6.98 in NULL
------------------------------------------------
trust-vr       : => 0.0.0.0/0 (id=11) via 1.1.1.1 (vr: trust-vr)
                    Interface ethernet3 , metric 1

potential routes in other vrouters:

testbed-vr     : => 192.168.6.97/29 (id=1) via 0.0.0.0 (vr: testbed-vr)
                    Interface ethernet2 , metric 0
ns50->

In this example, even though 192.168.6.98 is directly connected, a ping
off the box itself is still preferring the default route via trust-vr.

There is a command similar to what you're looking for though:

ping 192.168.6.98 from eth2

This will ping the host from the interface itself (which will ensure the
correct VR is used).

HTH,

Ben Dale
Network Engineer
Lanlink an integ Company
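As an added illustration (my own example, not code from Ben's reply or from ScreenOS), here is a small Python model of the lookup shown in the "get route ip" output above. It assumes the selection rule Ben describes: a ping sourced on the box consults trust-vr unless "from <interface>" steers the lookup into the VR that owns that interface. Prefixes are copied from the output as printed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Route:
    prefix: str        # written as ScreenOS prints it, e.g. "192.168.6.97/29"
    next_hop: str
    interface: str
    metric: int = 0

@dataclass
class VRouter:
    name: str
    routes: list = field(default_factory=list)

    def lookup(self, dest):
        """Longest-prefix match within this VR only; lowest metric breaks ties."""
        addr = ip_address(dest)
        hits = [r for r in self.routes
                if addr in ip_network(r.prefix, strict=False)]
        if not hits:
            return None
        return max(hits, key=lambda r: (ip_network(r.prefix, strict=False).prefixlen,
                                        -r.metric))

# Interface -> VR binding and routes, constructed from the 'get int' / 'get route' output.
IFACE_VR = {"ethernet1": "trust-vr", "ethernet2": "testbed-vr", "ethernet3": "trust-vr"}
VRS = {
    "trust-vr": VRouter("trust-vr", [Route("0.0.0.0/0", "1.1.1.1", "ethernet3", 1),
                                     Route("10.5.1.251/24", "0.0.0.0", "ethernet1")]),
    "testbed-vr": VRouter("testbed-vr", [Route("192.168.6.97/29", "0.0.0.0", "ethernet2")]),
}

def resolve(dest, from_iface=None):
    """Return (vr_name, route) for a ping sourced on the box itself.
    Assumed rule: no 'from' -> trust-vr; 'ping X from <iface>' -> the VR owning <iface>."""
    vr = VRS[IFACE_VR[from_iface]] if from_iface else VRS["trust-vr"]
    return vr.name, vr.lookup(dest)

def other_vr_candidates(dest, vr_name):
    """Mimic the 'potential routes in other vrouters' hint: matches in every other VR."""
    return [(n, v.lookup(dest)) for n, v in VRS.items()
            if n != vr_name and v.lookup(dest) is not None]
```

Calling `resolve("192.168.6.98")` returns the trust-vr default route via ethernet3, which is the behaviour the question describes, while `resolve("192.168.6.98", "ethernet2")` returns the connected testbed-vr route.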

snort bsd wrote:

>Hi:
>
>I have a strange issue on my netscreen boxes. Besides
>two default virtual routers "untrust-vr" and
>"trust-vr", I created a third virtual router
>"testbed-vr" as out-of-band management access,
>assigned a zone to it (bound an interface to that
>zone too) and it works in the sense that I can access
>the boxes remotely via ssh (I certainly can ping that
>interface from remote). Of course I have a static
>route for that interface. 
>
>Now here is the strange part: everything seems to be fine
>except I can't ping the next-hop gateway, or any IP
>addresses, from the inside of those netscreen boxes.
>
>Obviously it is not a routing issue, otherwise I
>would not be able to access the boxes from remote
>locations. The testbed-vr has its own routing table and
>netscreen has no command similar to the juniper-m
>series "ping logical-router r1 xxx.xxx.xxx.xxx". Moreover,
>there is no relationship between the testbed routing table
>and the two other virtual routers' routing tables, i.e., the
>testbed is a standalone virtual router. 
>
>this issue doesn't affect the operation, but I am
>perplexed by the behaviour.
>
>Any help would be greatly appreciated.
>
>Thanks
>
>PS: there are no policies configured except "set
>policy default-permit-all"
>
>
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
>http://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
