SRX

Hi,

I have connected 2SRX diectly but not able to establish connectivity.

Please find the below configuration

interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/30;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 100.100.100.1/24;
}
}
}
st0 {
unit 0 {
family inet {
address 192.168.220.1/24;
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
}
zones {

security-zone trust {
tcp-rst;
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
st0.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
http;
https;
ssh;
telnet;
dhcp;
ike;
ping;
}
}

Hello ,

Can you specify is it the normal L3 connection that you are setiing UP or VPN between the SRX ?

If its normal L3 connectivity , please check for routes are the direct routes gettig populated on SRX and make sure to have static routes between the 2 routers R1 ( gatways as SRX1 ) and R2 ( gateway as SRX2)  .

I am trying to establish VPN,please find the routing table..

root> show route

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/30 *[Direct/0] 00:00:28
> via ge-0/0/0.0
1.1.1.1/32 *[Local/0] 00:00:29
Local via ge-0/0/0.0
10.10.10.0/24 *[Static/5] 00:00:28
> to 100.100.100.100 via ge-0/0/1.0
30.30.30.0/24 *[Static/5] 00:00:38
> via st0.0
100.100.100.0/24 *[Direct/0] 00:00:28
> via ge-0/0/1.0
100.100.100.1/32 *[Local/0] 00:00:29
Local via ge-0/0/1.0
192.168.220.0/24 *[Direct/0] 00:00:38
> via st0.0
192.168.220.1/32 *[Local/0] 00:00:38
Local via st0.0

root> configure
Entering configuration mode

root# show routing-options static
route 30.30.30.0/24 next-hop st0.0;
route 10.10.10.0/24 next-hop 100.100.100.100;

You do not appear to have any IPSec VPN configuration. Can you show this?

Hello ,

Please configure an IPSEC VPN  between the 2 SRX so that we can route the traffic .

http://kb.juniper.net/InfoCenter/index?page=content&id=TN108

Hi,

Thanks for your response, i guess to configure VPN first we should have reachibility to gateways right and static route is not required as both devices are in same network but why i am not able to ping SRX2??

Is it not possbile to establish a VPN without using routers between FIrewalls?

I apologise, I think I have misunderstood the issue. Are you saying the following?
That SRX1 ge-0/0/0 1.1.1.1/30 is connected to SRX2 ge-0/0/0 1.1.1.2/30.
SRX1 can not ping 1.1.1.2.

If so then please double check the following:
Cable plugged into the correct port.
IP address configured correctly on the correct interface, and in this case with no VLAN tagging.
The interface on both SRXs are within a security zone.
The security zone allows icmp as a host inbound service.
There is no firewall filter on the interface or on the control plane (loopback interface) to block ICMP from the source address.

Can you ping your local interface i.e. SRX1 can ping 1.1.1.1 and SRX2 can ping 1.1.1.2.

If none of this helps then please attach entire configs of both SRX devices and myself or someone could take a look.

Hi,

Please find the below output, i am also sharing whole conf.

SRX1:
root> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 1.1.1.1/30

root# show security zones
security-zone trust {
tcp-rst;
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
st0.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
http;
https;
ssh;
telnet;
dhcp;
ike;
ping;
}
}
}
}
}

PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.059 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.133 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.421 ms
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.051/0.166/0.421/0.151 ms

root# run ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2): 56 data bytes
^C
--- 1.1.1.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

==========================================================================================================
SRX2:
root> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 1.1.1.2/30

root# show security zones
security-zone trust {
tcp-rst;
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
st0.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
http;
https;
ssh;
telnet;
dhcp;
ike;
ping;
}
}
}
}
}

root# run ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=64 time=0.057 ms
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.046 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.119 ms
^C
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.046/0.068/0.119/0.030 ms

root# run ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

Attachment(s)

Srx1.txt   3 KB 1 version

SRX2 conf.txt   3 KB 1 version

I can see nothing wrong wth your configuration. I assume that you have configrmed that SRX1 ge-0/0/0 is connected to SRX2 ge-0/0/0.

Can you tell me which SRX device you are using?

Hello,

Could you please check after disbaling the screen feature enabled for ge-0/0/0 interface on both the SRX.

Please do so using the following commands on respective SRX:-

deactivate security zone untrust screen untrust-screen ( on SRX 1)

deactivate security zone untrust screen untrust-screen ( on SRX 2)

Thanks,
Pulkit Bhandari

Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.

I am testing in GNS3 using vsrx firefly,  i will disable Screen feature and let you know the results.

Thanks,

Bharath

Could you disclose the SRX model?

SRX2:

root# deactivate security zones security-zone untrust screen

[edit]
root# commit
commit complete

[edit]
root# run ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^^^C
--- 1.1.1.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss

SRX1:

root# deactivate security zones security-zone untrust screen

root# commit
commit complete

[edit]
root# run ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2): 56 data bytes
^C
--- 1.1.1.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
=============================================================================================

root> show version
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]

Please could you tell me the SRX model you were using before you used vSRX? i.e. the SRXs you used in the original lab.

I have dumped your configs onto 2x SRX210s and it works fine.

lab> show interfaces terse ge-0/0/0
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 1.1.1.1/30

lab> ping 1.1.1.1 rapid count 10
PING 1.1.1.1 (1.1.1.1): 56 data bytes
!!!!!!!!!!
--- 1.1.1.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.428/0.640/1.511/0.312 ms

lab> ping 1.1.1.2 rapid count 10
PING 1.1.1.2 (1.1.1.2): 56 data bytes
!!!!!!!!!!
--- 1.1.1.2 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.462/4.076/5.204/0.456 ms

Hello,

Since youa are using vSRX on GNS3, please check if you are running into the same problem as in the following document:-

https://gns3.com/discussions/unable-to-ping-between-two-junos 

Please let us know the results.

Thanks,
Pulkit Bhandari

Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.

Hello,

Finally its started working..............Thanks a lot 🙂

SRX1:

root> ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=64 time=201.241 ms
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=2.136 ms
^C
--- 1.1.1.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.136/101.689/201.241/99.553 ms

root> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.082 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.264 ms

Thanks,

Bharath

Hi Bharat,

I am facing the same issue and above link not working can you please help me..?

I am using vsrx12.1x46d10 qemu in gns3 VM . only ge-0/0 interface working but other interface not getting ping/ passing traffic  which is conencted to 2nd srx

Hi ,

According to you link not find the page .. can you send it again ..?

Thanks