[j-nsp] AE vs PT , and OSPF neigh not forming

Samol molasian at gmail.com
Thu Jan 23 01:53:46 EST 2014 

Hi Ben,

Yes, it's allowed in the security zone.

Regards,


2014/1/23 Ben Dale <bdale at comlinx.com.au>

> Make sure you have:
>
> host-inbound-traffic protocols ospf
>
> configured under the security zone for your reth interface
>
> On 23 Jan 2014, at 3:58 pm, Samol <molasian at gmail.com> wrote:
>
> > Hi List,
> >
> > I've got not another problem with ospf neigh. As the topo below, SRX and
> MX
> > can reach each other by ping, but ospf neig can't form.
> >
> > MX (ae0.88)------------------(pt-1/0/0.0) SRX
> >
> > I did the investigation on SRX and I found that SRX is sending/receiving
> > ospf hello message.
> >
> > Time      Filter    Action Interface     Protocol        Src Addr
> >              Dest Addr
> > 18:37:46  pfe       A      pt-1/0/0.0    OSPF            172.16.161.1
> >              224.0.0.5
> > 18:37:44  OSPF-DEBUG A     local         OSPF            172.16.161.2
> >              224.0.0.5
> > 18:37:38  pfe       A      pt-1/0/0.0    OSPF            172.16.161.1
> >              224.0.0.5
> > 18:37:35  OSPF-DEBUG A     local         OSPF            172.16.161.2
> >              224.0.0.5
> > 18:37:29  pfe       A      pt-1/0/0.0    OSPF            172.16.161.1
> >              224.0.0.5
> > 18:37:26  OSPF-DEBUG A     local         OSPF            172.16.161.2
> >              224.0.0.5
> >
> > However, on MX side, It's sending the hello message, but it's not
> receiving
> > hello message that SRX ACKs. that leads to OSPF state in INIT state on
> SRX
> > side, and no neigh status on MX side. Looking in to ae interface
> statistics
> > , get the result as below :
> >
> >    Link:
> >      ge-1/0/0.88
> >        Input :             0          0             0            0
> >        Output:         62551          0       6804562            0
> >      ge-1/0/1.88
> >        Input :           882          0        287932            0
> >        Output:             0          0             0            0
> >
> > it's using one link to send and another to receive. Surely, OSPF message
> > that sending from SRX is being dropped somewhere in the middle, however
> why
> > is it not dropping ICMP message ? Any idea is really appreciated.
> >
> > Regards,
> >
> >
> >
> > --
> > Samol Khoeurn
> > (855) 077 55 64 02 / (855) 067 41 88 66
> > Network Engineer
> > Cisco: CCNA/CCNP SP/CCIP/
> > Juniper: JNCIA/JNCIS-ENT,SP,SEC/JNCIP-ENT
> > www.linkedin.com/in/samolkhoeurn
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>


-- 
Samol Khoeurn
(855) 077 55 64 02 / (855) 067 41 88 66
Network Engineer
Cisco: CCNA/CCNP SP/CCIP/
Juniper: JNCIA/JNCIS-ENT,SP,SEC/JNCIP-ENT
www.linkedin.com/in/samolkhoeurn

More information about the juniper-nsp mailing list