06-09-2012 07:48 AM
I am implementing Internet zone using 2 layer switches(Cisco 2900), 2 core switches(Cisco 3750), 2 SRX240H and 2 WAN routers (Cisco 3925). Topology is shown in the attatchement.
I have met a very curious problem, that is :
the SRX 240H cluster can not learn the mac address of of WAN routers' GLBP VIP(virtual ip address),
I can ping the real ip of the 2 WAN routers, I can also ping the HA virtual ip address of 2 SRX from either of the WAN routers, however, I can not ping the VIP of GLBP from SRX cluster. I used "show arp" command on SRX,
there was not arp record of GLBP vip in the arp table.
I tried to connect a pc in the same vlan of SRX external port and routers' ports. Then I realized that the pc can learn vip mac address of GLBP and srx HA, and I can ping either of these 2 vip.
I checked the following status, and all of them are in normal conditions:
1. SRX HA status
2. GLBP status
3. STP status
I tried to change GLBP to HSRP, and met the same problem.
Did anyone meet this problem before?
Thank you very much for your help in advance!
06-09-2012 10:29 AM
Here are a few things that ocur to me to check...
1) are the 'real' IPs that can be pinged in the same subnet as the virtual IP that can not. Maybe your srx policies allow access to one and not the other. Or maybe the route table for the virtual IP is incorrect and the traffic is not going out on the intended interface.
2) check the routes with ... "show route 'virtual ip'" and compare the output to "show route 'real ip'". They should both show routing to the interface connected to the WAN router like "... > via <inerface>" with no "to <gateway>" to indicate it thinks the IP is on the directly attached segment.
3) capture the traffic....
- on the SRX interface ([KB11709])
- on the WAN router's interface
- on the PC connected to that LAN segment (wireshrk or Ethereal). I think both the arp request and reply are broudcast so the PC should see both. you can check that by "clear arp" on the SRX and then ping the good IP and confirm that you see both request and reply on the PC.
06-09-2012 10:31 AM
Oh, and remember that the default source IP of pings from the SRC cli is the managment interface. consider if that effects the policy. you can explicitly set the source IP with the "source" option of the ping command
06-09-2012 06:21 PM
Hi Bob ,
The real ip for the 2 WAN routers are 10.1.10.4/24 and 10.1.10.5/24, and virtual ip is 10.1.10.6/24. They are in the same subnet. I can ping 10.1.10.4 and 10.1.10.5, but can not ping 10.1.10.6.
SRX do not need route to get to WAN routers, because they are in the same layer2 broadcast domain (they are all in vlan 300). I detailed the topology, from which we can see that the RETH0 is external interface of SRX with ip address 10.1.10.1, RETH1 is internal interface of SRX with ip address 172.19.200.1. Another question is that, If I ping 10.1.10.6, the default source interface is management interface or the external interface 10.1.10.1? Since external interface is the outgoing interface.....
Thank you very much for your help!
06-11-2012 06:49 AM
The default address for a ping is the interface that is closest to the destination unless you turn on default-address-selection under system. In that case, it will use the loopback IP
06-11-2012 01:44 PM
Sorry for the confusion about the source IP of the ping. I was wrong.
I was thinking about a situation I encounted recenly that I could not ping the other end of a policy based VPN from the SRX. I had to set the source address to make the ping work, but now it makes more sense that in that situation the default IP was my outside interface and not the management IP for that ping.
BTW, I know you don't need to enter a route for a directly attached interface, but the route table still has a route to that interface that can be confirmed with the "show router <IP>" command. Since it seems that there is no explanantion for why the ping does not work, I would confirm all the things that I know should be.