[j-nsp] I've got some bone head problem on an srx...but I don't see it.
Morgan McLean
wrx230 at gmail.com
Tue Jun 11 22:12:27 EDT 2013
--- JUNOS 10.4R7.5 built 2011-09-08 07:12:35 UTC
{primary:node0}
mmclean at srxhost> show route 4.2.2.2
inet.0: 248 destinations, 251 routes (244 active, 4 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 2w5d 01:07:06
> to x.x.x.237 via ge-2/0/23.0
{primary:node0}
mmclean at srxhost > ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
^C
--- 4.2.2.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
{primary:node0}
mmclean at srxhost> ping 4.2.2.2 source x.x.x.238
PING 4.2.2.2 (4.2.2.2): 56 data bytes
64 bytes from 4.2.2.2: icmp_seq=0 ttl=59 time=12.020 ms
^C
--- 4.2.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 12.020/12.020/12.020/0.000 ms
{primary:node0}
On Tue, Jun 11, 2013 at 7:09 PM, Morgan McLean <wrx230 at gmail.com> wrote:
> I've gotten a couple replies off list. There is an any policy from trust
> to untrust, and the untrust zone does have host inbound traffic ping
> enabled. I think the ping not responding is a byproduct of whatever is
> going on, though.
>
> Morgan
>
>
> On Tue, Jun 11, 2013 at 6:29 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>
>> I have an SRX cluster at an office with a single connection to the web at
>> the moment. It has a couple ipsec connections out to our datacenters, and a
>> couple local subnets hanging on RETH interfaces.
>>
>> For the life of me, I can't figure out why I'm unable to ping out from
>> this system. Even if I try to ping the point to point between us and
>> Verizon, a direct route, it won't work unless I specify the source address
>> as our local interface address.
>>
>> Outbound nat from clients behind the SRX works fine. The loopback is in
>> trust, and I have a couple zones + trust with a source nat rule using the
>> verizon interface IP as the egress point. Destination nat rules work.
>>
>> So everything seems to work...except from the SRX. As a result, we cannot
>> ping the SRX remotely...but again IPSEC works.
>>
>> Any great tips? None of our other SRX's behave like this...and its
>> driving me nuts!
>>
>>
>> --
>> Thanks,
>> Morgan
>>
>
>
>
> --
> Thanks,
> Morgan
>
--
Thanks,
Morgan
More information about the juniper-nsp
mailing list