SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can ping from (X) to (Y), but not (Y) to (X) - SRX

    Posted 07-14-2014 01:08

    Hi All,

     

    I have a lab environment set up as per the attached diagram. srxA-1 and srxA-2 are physical devices, while INTERNET, all VRs and the Host are virtual instances running on a single SRX210. This device (SRX210) is in packet mode. You might be familiar with this setup. I have used LT interfaces to connect between the VRs on the VR device.

     

    - I had a similar setup some time last year and it worked well. Now I try to set it up again, and below are my observations:

     

     

    1. I can ping from srxA-1 to vr101, and I can also ping from vr101 to srxA-1.

    2. I can ping from srxA-1 to vr201, BUT I cannot ping from vr201 to srxA-1. (This is surprising to me.)

    3. I can ping from srxA-2 to vr102, BUT I cannot ping from vr102 to srxA-2. (Also surprising.)

    4. I can ping from srxA-2 to vr202, BUT I cannot ping from vr202 to srxA-2. (Also surprising.)

     

    Most of the other pings are working, e.g. from srxA-1 to srxA-1 and also from srxA-1/srxA-2 to INTERNET/Host.

     

    I may be missing something very simple, because essentially I am able to ping from source (X) to destination (Y), but not from destination (Y) to source (X). A ping should work two-way, I believe?

     

    I have attached config for the three Devices: srxA-1, srxA-2 and vr-Device.

    Attachments: vrDevice-JNET.txt (5 KB), srxA-2-JNET.txt (6 KB), srxA-1-JNET.txt (7 KB)


  • 2.  RE: Can ping from (X) to (Y), but not (Y) to (X) - SRX
    Best Answer

    Posted 07-14-2014 01:38

    Hi,

     

    2. I can ping from srxA-1 to vr201, BUT I cannot ping from vr201 to srxA-1. (this is Surprising to me).

     

    try on SRX-A

     

    set security zones security-zone ACME-SV host-inbound-traffic system-services ping

     

    ------------------------

     

    3. I can ping from srxA-2 to vr102, BUT I cannot ping from vr102 to srxA-2. (also suprising).

     

    try on SRX-B

     

    set security zones security-zone Juniper-WF host-inbound-traffic system-services ping

     

    ----------------------------------------------------------------------------

     

    4. I can ping from srxA-2 to vr202, BUT I cannot ping from vr202 to srxA-2. (also surprising).

     

    try on SRX-B

     

    set security zones security-zone ACME-WF host-inbound-traffic system-services ping

     

     

    ---------------------------------

     

    Ping is two-way in the routing concept, but for security it is different: on a firewall every session is unidirectional, so if ping from X --> Y works, that does not necessarily mean that ping from Y --> X will work.

     

    Regards,
    Mohamed Elhariry
    2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT

    [Click the "Star" for Kudos if you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
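The fix described in the answer above, as an added example that is not taken from the poster's attached configs: a minimal zone definition for srxA-1 that first shows the zone without any host-inbound-traffic (the state that drops ping addressed to the SRX itself), then the corrected zone, followed by the operational commands to confirm the change. The zone name ACME-SV comes from the answer; the interface name ge-0/0/1.0 is an assumption, since the interface is not shown in the thread.

```junos
## Before: the zone has an interface but no host-inbound-traffic statement.
## Security policies govern traffic passing THROUGH the zone, but traffic
## addressed TO the SRX itself (ping, ssh, snmp, ...) is dropped unless it
## is listed under host-inbound-traffic. Pings the SRX initiates still work,
## because the SRX creates the session and the echo reply matches it.
## ge-0/0/1.0 is a hypothetical interface name, not from the thread.
set security zones security-zone ACME-SV interfaces ge-0/0/1.0

## After: explicitly allow ICMP echo to the SRX on every interface in the zone.
set security zones security-zone ACME-SV host-inbound-traffic system-services ping

## Least-privilege alternative: allow ping on one interface only, rather than
## zone-wide. Use this instead of the zone-wide statement, not in addition.
set security zones security-zone ACME-SV interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

commit

## 1. The zone should now list "ping" under Host-inbound traffic.
show security zones ACME-SV

## 2. While vr201 pings srxA-1, an ICMP session with the SRX as destination
##    should appear; it is torn down shortly after the echo reply.
show security flow session protocol icmp

## 3. If ping still fails, check whether the echo request reaches the RE at
##    all. monitor traffic only captures host-bound traffic, which is exactly
##    the traffic in question here.
monitor traffic interface ge-0/0/1.0 no-resolve matching "icmp"
```

Allow only the services that are actually needed on each zone (here just ping); `host-inbound-traffic system-services all` would also make the fix work, but it exposes every management service on that zone's interfaces.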

     

     



  • 3.  RE: Can ping from (X) to (Y), but not (Y) to (X) - SRX

    Posted 07-14-2014 21:52

    Hey mhariry,

     

    Thank you so much. Worked like a charm. I'm happy I learnt it this way.

     

    I keep discovering more about the SRX. Everything must be defined "explicitly".