[j-nsp] "ping: sendto: Operation not permitted" in LAN

Martin T m4rtntns at gmail.com
Thu Aug 18 08:21:50 EDT 2011 

I have a ge-0/0/0 interface in Juniper M20(JUNOS 9.4R4.5), which has
unit 10 configured to it. Configuration of the interface is basically
following:

    ge-0/0/0 {
        unit 10 {
            family inet {
                rpf-check;
                mtu 1500;
                filter {
                    output fw-out;
                }
                address 192.168.1.14/28;
            }
        }
    }


As you can see, there is a firewall applied to ge-0/0/0.10.
Configuration of the "fw-out" is following:

firewall {
    filter fw-out {
        term GoogleDNS {
            from {
                source-address {
                    8.8.8.8/32;
                    8.8.4.4/32;
                }
                protocol udp;
                source-port 53;
            }
            then {
                count GoogleDNS;
                accept;
            }
        }
        term established {
            from {
                tcp-established;
            }
            then {
                count established;
                accept;
            }
        }
        term management {
            from {
                source-address {
                    10.10.10.0/24;
                }
            }
            then {
                count management;
                accept;
            }
        }
        term drop {
            then {
                count drop;
                discard;
            }
        }
    }
}


In case I ping between servers in 192.168.1.0/28 network, the
connection is fine. There is no packet loss between them. However, if
I ping for example 192.168.1.3 from M20, the results are following:


PING 192.168.1.3 (192.168.1.3): 1400 data bytes
1408 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=2.301 ms
ping: sendto: Operation not permitted
1408 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=1.440 ms
1408 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=1.454 ms
1408 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=1.491 ms
1408 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=1.433 ms
1408 bytes from 192.168.1.3: icmp_seq=6 ttl=64 time=1.411 ms
ping: sendto: Operation not permitted
1408 bytes from 192.168.1.3: icmp_seq=8 ttl=64 time=1.540 ms
ping: sendto: Operation not permitted
1408 bytes from 192.168.1.3: icmp_seq=10 ttl=64 time=1.762 ms
1408 bytes from 192.168.1.3: icmp_seq=11 ttl=64 time=1.972 ms
1408 bytes from 192.168.1.3: icmp_seq=12 ttl=64 time=1.451 ms
ping: sendto: Operation not permitted
1408 bytes from 192.168.1.3: icmp_seq=14 ttl=64 time=1.450 ms
ping: sendto: Operation not permitted
1408 bytes from 192.168.1.3: icmp_seq=16 ttl=64 time=46.920 ms
1408 bytes from 192.168.1.3: icmp_seq=17 ttl=64 time=1.428 ms


The same applies to every host in 192.168.1.0/28 network. If I ping
the M20(192.168.1.14) from servers there is same amount of packet
loss. Any ideas, what might cause this "ping: sendto: Operation not
permitted"? If additional information is needed, please ask :)


regards,
martin

More information about the juniper-nsp mailing list