SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can't ping LAN devices on same subnet

    Posted 05-06-2015 19:52


    I've just finished setting up a cluster with SRX240 firewalls and found that I can't ping hosts on the same subnet. I can ping the switch that is directly connected, but none of the hosts connected to the switch.

     

    I created a Trust to Trust, permit all policy per another user's recommendation but it still isn't working. Not sure what else I could be missing?

    Attachment: Site-B.txt (7 KB)


  • 2.  RE: Can't ping LAN devices on same subnet

    Posted 05-06-2015 21:13

    Hello GhengisT

    I don't see any DHCP in your config. Where is it?

    Or do these clients run with static IP addresses?

     

    Please can you explain your IP topology a little?

     

    Can you also check on the SRX console whether no answer comes back?

    ping a.b.c.d

    and after this traceroute a.b.c.d

     

    On the client side you can try the same:

    ipconfig /release

    ipconfig /renew

    ping a.b.c.d

    and after this traceroute a.b.c.d

     

    regards

    Mauri



  • 3.  RE: Can't ping LAN devices on same subnet

    Posted 05-06-2015 22:07

    Hello,

     

    Can you try clearing the ARP entry in the switch and the SRX and try again?



  • 4.  RE: Can't ping LAN devices on same subnet

    Posted 05-06-2015 22:54

    As per your post you have configured the intra-zone (from-zone Trusted to-zone Trusted) policy, but it is not there in the configuration; just make sure you have placed the pertinent configuration. Also, if you have already configured the policy and it is still not working, could you please try a manual fail-over to the second unit and check whether ping is successful? (You can revert it back and check from the first unit again.) Also check whether the VLAN configuration is correct on the switch.



  • 5.  RE: Can't ping LAN devices on same subnet

    Posted 05-07-2015 06:30

    All hosts are configured using static IP addresses.

     

    I removed the Trust to Trust policy after implementing it and having no success. Is this a required policy? Our other sites use SRX210s and I can't recall seeing that policy.

     

    I've rebooted the switch and still not having any success.



  • 6.  RE: Can't ping LAN devices on same subnet

    Posted 05-07-2015 07:03

    Here is the updated config that includes the "Trust-to-Trust permit any" policy

     

    My switch contains two vlans:

     

    Ports 1-4 are vlan 500. SRX reth0.0 is connected to ports 3 & 4, and the WAN uplink is connected to ports 1-2.

     

    Ports 5-28 are vlan 1. SRX reth1.0 is connected to ports 5 & 6, all servers are connected using ports 7-16.

     

    My laptop is currently plugged into port 24, and I can access all servers, the switch, and other sites connected via VPN tunnels.

     

    When I SSH into the SRX using the local IP, I still cannot ping the servers.

    Attachment: juniper-config.txt (9 KB)


  • 7.  RE: Can't ping LAN devices on same subnet
    Best Answer

    Posted 05-07-2015 08:35

    Ok, I think that I found my issue:

     

    All servers are running ESXi and it's quite lazy in terms of ARP. I found no ARP entries for any of the servers in the switch.

     

    I restarted each ESXi's management network, fired off a ping to the Juniper's reth1.0 interface, and it's been working successfully since.

     

    Thanks for all the input & guidance, much appreciated.
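The thread's resolution (post 7) and the advice in posts 2 and 3 boil down to one check: which hosts on the reth1.0 subnet have no ARP entry on the SRX, and what to run on each side to make them resolve. The script below is an added example, not code from the original posts or from Juniper or VMware. It parses the table printed by Junos `show arp`, compares it with a list of hosts that should be present on a given logical interface, and emits the SRX commands (`clear arp hostname`, a `ping` sourced from the reth address, a re-check of `show arp`) and the ESXi commands (an `esxcli` disable/enable of the vmkernel port plus `vmkping` to the SRX) for every host that is missing. The sample `show arp` text is constructed to match the symptom in the thread (the attached configs are not reproduced), and every IP, MAC, hostname and vmkernel name is an assumption, as is the claim that the `esxcli` bounce is equivalent to "restart management network" in the DCUI.

```python
"""Audit a Junos 'show arp' listing for missing LAN neighbours.

Added example for the ARP diagnosis in this thread; it is not code from the
original posts, from Juniper or from VMware. The 'show arp' text below is
constructed (the attached configs are not reproduced), and every IP, MAC,
hostname and vmkernel name is an assumption.
"""
import re
from dataclasses import dataclass

# One row of Junos 'show arp': MAC, IP, name, logical interface, flags.
ARP_ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<name>\S+)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<flags>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample: the SRX sees the switch on reth1.0 but only one of the
# three ESXi hosts on that subnet, matching the symptom in the thread.
SAMPLE_SHOW_ARP = """\
MAC Address       Address         Name                      Interface               Flags
00:1b:21:aa:bb:01 10.0.1.1        10.0.1.1                  reth0.0                 none
f0:9f:c2:11:22:33 10.0.0.2        switch01.example          reth1.0                 none
00:50:56:12:34:56 10.0.0.11       esx01.example             reth1.0                 none
Total entries: 3
"""

# Assumed inventory of hosts that should answer on the reth1.0 subnet.
EXPECTED_SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]


@dataclass(frozen=True)
class ArpEntry:
    mac: str
    ip: str
    iface: str
    flags: str


def parse_show_arp(text):
    """Return the ArpEntry rows in 'show arp' output, skipping the header
    line and the 'Total entries' trailer."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            entries.append(ArpEntry(m["mac"].lower(), m["ip"], m["iface"], m["flags"]))
    return entries


def missing_neighbours(entries, iface, expected_ips):
    """IPs from expected_ips that have no ARP entry on iface, in address order."""
    seen = {e.ip for e in entries if e.iface == iface}
    return sorted(set(expected_ips) - seen,
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


def srx_probe_commands(iface, ip, source_ip):
    """Junos operational-mode commands to force a fresh resolution of ip:
    drop any stale entry, ping sourced from the reth address, then re-check."""
    return [
        f"clear arp hostname {ip}",
        f"ping {ip} source {source_ip} count 3",
        f"show arp interface {iface} | match {ip}",
    ]


def esxi_bounce_commands(vmk, srx_ip):
    """ESXi shell commands (assumed equivalent to 'restart management network'
    in the DCUI): disable and re-enable the vmkernel port, then ping the SRX
    so the switch and the SRX both learn the host's MAC."""
    return [
        f"esxcli network ip interface set -i {vmk} -e false",
        f"esxcli network ip interface set -i {vmk} -e true",
        f"vmkping -I {vmk} {srx_ip}",
    ]


def audit(text=SAMPLE_SHOW_ARP, iface="reth1.0", expected=EXPECTED_SERVERS,
          source_ip="10.0.0.1", vmk="vmk0"):
    """Return the missing hosts and, per host, the SRX and ESXi commands."""
    missing = missing_neighbours(parse_show_arp(text), iface, expected)
    plan = {ip: {"srx": srx_probe_commands(iface, ip, source_ip),
                 "esxi": esxi_bounce_commands(vmk, source_ip)}
            for ip in missing}
    return missing, plan


if __name__ == "__main__":
    missing, plan = audit()
    for ip in missing:
        print(f"no ARP entry for {ip} on reth1.0")
        for side, cmds in plan[ip].items():
            for cmd in cmds:
                print(f"  [{side}] {cmd}")
```

Feed it the real output of `show arp interface reth1.0` captured from the SRX and the real server list; a host that stays missing after the SRX-side commands but appears after the ESXi-side bounce is exactly the case the original poster hit.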