  • 1.  EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet

    Posted 12-21-2015 07:35

    We have an SRX100 at a remote office; we can reach it via the public IP and via the VPN tunnel. SRX port fe-0/0/1.0 connects to EX port ge-0/0/11, but we cannot ping or telnet to the EX2200.

     

    # SRX100 (vpnloaner02) configuration as posted. Secrets appear as empty strings,
    # presumably blanked by the poster before sharing.
    # NOTE(review): confirm this release still receives security fixes.
    version 12.1X44-D35.5;
    system {
        host-name vpnloaner02;
        time-zone EST;
        root-authentication {
            # Hash removed for posting (presumably). Keep password hashes out of public
            # posts; a hash can still be attacked offline.
            encrypted-password ""; ## SECRET-DATA
        }
        # Two 10.x resolvers, which the static route 10.0.0.0/8 -> st0.0 places behind
        # the VPN tunnel, followed by two public resolvers.
        name-server {
            10.10.10.10;
            10.20.10.10;
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            # The only local account shown is a shared super-user login; no RADIUS or
            # TACACS+ authentication appears in the config as posted.
            user admin {
                full-name Administrator;
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password ""; ## SECRET-DATA
                }
            }
        }
        services {
            # No protocol-version is set here, while the EX2200 config later in this
            # thread pins v2. NOTE(review): confirm what this release accepts by default.
            ssh;
            # Cleartext management: credentials and session content are unencrypted on
            # the wire. ssh is already enabled, so telnet can be removed.
            telnet;
            web-management {
                # J-Web over plain HTTP on the inside L3 interface. https below already
                # serves vlan.1, so this listener is redundant.
                http {
                    interface vlan.1;
                }
                # Self-signed certificate. fe-0/0/0.0 is the IKE external-interface, so
                # the J-Web login page also listens on the outside interface.
                https {
                    system-generated-certificate;
                    interface [ vlan.1 fe-0/0/0.0 ];
                }
                session {
                    idle-timeout 60;
                }
            }
            # Local DHCP server for the vlan.1 subnet. Options 161 and 186 hand a server
            # name to clients (presumably thin-client management; confirm).
            dhcp {
                option 161 string wyse.masseyservices.com;
                option 186 string wyse.masseyservices.com;
                pool 192.168.202.0/24 {
                    address-range low 192.168.202.50 high 192.168.202.249;
                    router {
                        192.168.202.1;
                    }
                }
                # Passes settings learned by the DHCP client on fe-0/0/0 on to this
                # server's clients.
                propagate-settings fe-0/0/0;
            }
        }
        # Logs stay on the box: no remote `host` target is configured in this stanza,
        # and `archive size 100k files 3` keeps very little history.
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            # Severity `error` only, so routine operator commands leave no record here
            # (the EX2200 config in this thread logs `any`).
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            # NOTE(review): public pool zones are named like us.pool.ntp.org, so
            # "us.ntp.pool.org" looks like transposed labels. Verify that time sync
            # works; log timestamps and certificate validation depend on it.
            server us.ntp.pool.org;
        }
    }
    # Interface layout: fe-0/0/0 is the routed outside port, fe-0/0/1 through fe-0/0/7
    # are switched ports in vlan1, st0.0 is the VPN tunnel, and vlan.1 is the inside gateway.
    interfaces {
        # Outside interface: DHCP client. It is referenced as the IKE external-interface
        # and placed in security-zone Internet.
        fe-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        # Port cabled to EX2200 ge-0/0/11 according to the post. No port-mode statement
        # is present, so this is presumably an untagged access port in vlan1; confirm.
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        # Tunnel interface; the IPsec VPN vpnloaner02 binds to st0.0.
        st0 {
            unit 0 {
                family inet {
                    address 192.168.200.202/24;
                }
            }
        }
        # Inside gateway for 192.168.202.0/24. The EX2200's static default route in
        # this thread points at this address.
        vlan {
            unit 1 {
                family inet {
                    address 192.168.202.1/24;
                }
            }
        }
    }
    
    # Stray closing brace: a top-level stanza seems to have been cut before posting
    # (presumably to hide its contents), so the braces do not balance as shown.
    }
    # Static routes that send the remote 192.168.200.0/24 network and all of 10.0.0.0/8
    # into the tunnel. No default route is configured here; it presumably comes from the
    # DHCP lease on fe-0/0/0 (confirm).
    routing-options {
        static {
            route 192.168.200.0/24 next-hop st0.0;
            route 10.0.0.0/8 next-hop st0.0;
        }
    }
    # Spanning tree on the switched ports. The EX2200 in this thread runs rstp.
    protocols {
        stp;
    }
    # Security stanza: route-based IPsec VPN to the head end, screen options, source NAT,
    # zone policies and per-zone host-inbound services.
    security {
        ike {
            policy ike_pol_vpnloaner02 {
                # Aggressive mode with a pre-shared key, presumably chosen because the
                # outside address comes from DHCP and the peer is identified by hostname.
                # In aggressive mode a hash derived from the key is sent before the
                # exchange is encrypted, so a weak key can be guessed offline from a
                # capture. Use a long random key, or move to certificates or IKEv2.
                mode aggressive;
                # Vendor-defined proposal list. NOTE(review): check which ciphers and DH
                # groups "standard" expands to on this release.
                proposal-set standard;
                # Key blanked for posting (presumably).
                pre-shared-key ascii-text ""; ## SECRET-DATA
            }
            gateway gw_vpnloaner02 {
                ike-policy ike_pol_vpnloaner02;
                # Last octet masked by the poster.
                address 75.112.50.xxx;
                local-identity hostname vpnloaner02;
                external-interface fe-0/0/0.0;
            }
        }
        ipsec {
            policy ipsec_pol_vpnloaner02 {
                perfect-forward-secrecy {
                    # DH group 1 is a 768-bit modulus and is no longer considered
                    # adequate. Prefer group14 or stronger where both peers support it.
                    keys group1;
                }
                proposal-set standard;
            }
            vpn vpnloaner02 {
                bind-interface st0.0;
                ike {
                    gateway gw_vpnloaner02;
                    ipsec-policy ipsec_pol_vpnloaner02;
                }
                establish-tunnels immediately;
            }
        }
        # Screen profile is defined here, but neither security-zone below carries a
        # `screen untrust-screen;` statement, so as posted it is not applied to any zone.
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                # Interface source NAT for everything from Internal to Internet. st0.0
                # is also in zone Internet, so this presumably translates tunnel-bound
                # traffic as well; confirm that is intended.
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        # No policy has a `log` action, so permitted sessions are not recorded.
        policies {
            from-zone Internal to-zone Internet {
                # any/any/any permit evaluated first; policy_out_vpnloaner02 below it is
                # therefore shadowed and never matched.
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy policy_out_vpnloaner02 {
                    match {
                        source-address addr_192_168_202_0_24;
                        destination-address addr_192_168_200_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                # Permits any application from private source ranges. fe-0/0/0.0 and
                # st0.0 share zone Internet, so this policy cannot tell tunnel traffic
                # from packets arriving on the outside interface with a private source
                # address. Putting st0.0 in its own zone would scope it to the VPN.
                policy policy_in_vpnloaner02 {
                    match {
                        source-address [ addr_10_0_0_0_8 addr_192_168_0_0_16 ];
                        destination-address addr_192_168_202_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                address-book {
                    address addr_192_168_202_0_24 192.168.202.0/24;
                }
                # Zone-level `all`; the interface-level list under vlan.1 takes
                # precedence for that interface.
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                # http and telnet below are cleartext management paths.
                                http;
                                https;
                                ssh;
                                telnet;
                                snmp;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                address-book {
                    address addr_192_168_0_0_16 192.168.0.0/16;
                    address addr_10_0_0_0_8 10.0.0.0/8;
                    address addr_192_168_200_0_24 192.168.200.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    # Outside interface: J-Web (https), ssh and snmp are accepted from
                    # any source, as are ping, dhcp and ike. The post confirms the box is
                    # reached via its public IP. Consider limiting management to the
                    # tunnel or to known source addresses; no snmp stanza is shown for
                    # this device, so its community/client settings cannot be reviewed.
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                https;
                                ssh;
                                ike;
                                snmp;
                            }
                        }
                    }
                    # Management services accepted over the VPN tunnel.
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ping;
                                ike;
                                ssh;
                                snmp;
                            }
                        }
                    }
                }
            }
        }
    }
    # The VLAN is named vlan1 but carries tag 3. Its member ports show no port-mode
    # statement, so frames toward the EX are presumably untagged and the tag stays local
    # (confirm).
    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }
    }

    Any help is appreciated.



  • 2.  RE: EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet

     
    Posted 12-21-2015 23:42

    Hi,

     

    From which source are you unable to reach the EX switch in your network? From your SRX and/or your VPN connection?

     

    Can you also share the configuration of the EX device?

     

     



  • 3.  RE: EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet

    Posted 12-23-2015 07:53

    MarcTB,

     

    I wonder if it is the vlan ID that could be the issue.

     

    Here is the EX2200 config

     

    # EX2200 (VPNLOANER02) configuration as posted.
    version 12.3R6.6;
    # Configuration group holding the VoIP QoS template: DSCP classifier, forwarding
    # classes, scheduler map and schedulers. It is applied by `apply-groups` below.
    groups {
        ezqos-voip {
            class-of-service {
                classifiers {
                    dscp ezqos-dscp-classifier {
                        import default;
                        # 101110 is DSCP EF.
                        forwarding-class ezqos-voice-fc {
                            loss-priority low code-points 101110;
                        }
                        forwarding-class ezqos-control-fc {
                            loss-priority low code-points [ 110000 011000 011010 111000 ];
                        }
                        forwarding-class ezqos-video-fc {
                            loss-priority low code-points 100010;
                        }
                    }
                }
                forwarding-classes {
                    class ezqos-best-effort queue-num 0;
                    class ezqos-video-fc queue-num 4;
                    class ezqos-voice-fc queue-num 5;
                    class ezqos-control-fc queue-num 7;
                }
                scheduler-maps {
                    ezqos-voip-sched-maps {
                        forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler;
                        forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler;
                        forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler;
                        forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler;
                    }
                }
                schedulers {
                    ezqos-voice-scheduler {
                        buffer-size percent 20;
                        priority strict-high;
                    }
                    ezqos-control-scheduler {
                        buffer-size percent 10;
                        priority strict-high;
                    }
                    ezqos-video-scheduler {
                        transmit-rate percent 70;
                        buffer-size percent 20;
                        priority low;
                    }
                    ezqos-data-scheduler {
                        transmit-rate percent 30;
                        buffer-size percent 50;
                        priority low;
                    }
                }
            }
        }
    }
    apply-groups ezqos-voip;
    # System settings for the switch. No name-server, ntp or time-zone statements appear
    # in the config as posted.
    system {
        host-name VPNLOANER02;
        root-authentication {
            # Hash removed for posting (presumably).
            encrypted-password ""; ## SECRET-DATA
        }
        login {
            # Single shared super-user account; no central authentication is shown.
            user admin {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password ""; ## SECRET-DATA
                }
            }
        }
        services {
            ssh {
                protocol-version v2;
            }
            # Cleartext management. ssh is already enabled, so telnet can be removed.
            telnet;
            netconf {
                ssh;
            }
            # J-Web over plain HTTP only; there is no https listener and no interface
            # restriction in this stanza, so logins are sent unencrypted.
            web-management {
                http;
            }
            # Full DHCP tracing (`level all`, `flag all`) to dhcp_logfile; this looks
            # like debugging left enabled. Confirm it is still needed.
            dhcp {
                traceoptions {
                    file dhcp_logfile;
                    level all;
                    flag all;
                }
            }
        }
        # Local logging only; no remote `host` target is configured in this stanza.
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            # All operator commands are logged, which gives a usable change record.
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    # Chassis options: the management-port link-down alarm is suppressed.
    chassis {
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
        # NOTE(review): automatic software download is driven by DHCP-supplied
        # parameters. It is usually removed once a switch is provisioned; confirm it is
        # wanted on a network where the DHCP source is not tightly controlled.
        auto-image-upgrade;
    }
    # All ge- ports are plain ethernet-switching ports with no VLAN membership listed.
    # The only L3 interface is vlan.0, which the `default` VLAN uses as its l3-interface.
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching;
            }
        }
        # Uplink to SRX100 fe-0/0/1 according to the original post.
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/0 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    # Root cause found in this thread: the first octet is 102, not 192.
                    # The switch is therefore not on 192.168.202.0/24, the SRX at
                    # 192.168.202.1 cannot reach it, and the static default route's next
                    # hop is not on a connected subnet. Switched client traffic is
                    # unaffected, which matches the reported symptoms.
                    address 102.168.202.10/24;
                }
            }
        }
    }
    # SNMP v1/v2c community with read-only access. The string is a variant of the
    # well-known default and is now published in this post, and no `clients` list
    # restricts who may query. Rotate the community and limit it to the monitoring
    # hosts, or use SNMPv3.
    snmp {
        contact MASSYE_IT;
        community Public {
            authorization read-only;
        }
    }
    # Default route toward the SRX's vlan.1 address. It only resolves once vlan.0 has an
    # address inside 192.168.202.0/24.
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.202.1;
        }
    }
    # L2 control protocols. LLDP and LLDP-MED run on every interface, so device details
    # are advertised on user-facing ports as well. NOTE(review): restrict to uplink and
    # phone ports if that disclosure is not wanted.
    protocols {
        igmp-snooping {
            vlan all;
        }
        rstp;
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
    }
    # Binds the scheduler map and DSCP classifier from group ezqos-voip to every ge-
    # interface and unit by wildcard.
    class-of-service {
        interfaces {
            ge-* {
                scheduler-map ezqos-voip-sched-maps;
                unit * {
                    classifiers {
                        dscp ezqos-dscp-classifier;
                    }
                    rewrite-rules {
                        dscp default;
                    }
                }
            }
        }
    }
    # Storm control is enabled on all interfaces. No other port-level L2 protections
    # (for example DHCP snooping or MAC limits) appear in the config as posted.
    ethernet-switching-options {
        voip;
        storm-control {
            interface all;
        }
    }
    # Single untagged `default` VLAN for users, uplink and switch management alike;
    # vlan.0 is its routed interface.
    vlans {
        default {
            l3-interface vlan.0;
        }
    }
    # Power over Ethernet enabled on every PoE-capable port.
    poe {
        interface all;
    }


  • 4.  RE: EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet

     
    Posted 12-23-2015 08:32

    No, that should be OK. I can't see an issue with the config. Can you ping from the SRX to the EX, i.e. from 192.168.202.1 to 192.168.202.10?



  • 5.  RE: EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet

    Posted 12-23-2015 11:18

    Telnet to the SRX, and ping 192.168.202.10

    the result is 7 packets transmitted, 0 packets received.

     

    All the clients on the EX are able to perform their normal daily tasks.

    The printers are working.

     

    Just cannot telnet or https to it.



  • 6.  RE: EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet
    Best Answer

    Posted 12-23-2015 11:49
      vlan {
            unit 0 {
                family inet {
                    address 102.168.202.10/24;

    Typo at the IP address?



  • 7.  RE: EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet

    Posted 12-23-2015 12:06

    Correct, **bleep**......

    Saw that last night, will wait for the bundle to come back, and fix it.

     

    Fat fingers kill us, huh?

     

    Thanks



  • 8.  RE: EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet

     
    Posted 12-23-2015 23:26

    Great, you solved it 🙂 Kudos.



  • 9.  RE: EX2200 direct attached to SRX-100 port fe-0/0/1.0 - unable to ping or telnet

    Posted 12-23-2015 01:02

    EX missing default route?