SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Pings to SRX don't work (pings from SRX are successful)

    Posted 08-21-2013 09:10

    Hello Community,

     

    I have this weird problem and am really hoping for this to be a silly config mistake.  Here goes:

     

    SRX(0/0/2)-------------EX-1------------------EX-2
    99.1.1.1/24            99.1.1.2/24           99.1.1.3/24
    reth1

     

    -- The EX-links shown are layer-2.

    -- The EX IP addresses are those of the corresponding RVI (vlan.99).

    -- Pings to 99.1.1.2 or 99.1.1.3 from the SRX are successful.

    -- Pings from EX-1 to EX-2 (and vice-versa) are successful.

     

    -- pings from either EX-1 or EX-2 to 99.1.1.1 fail.

    -- The ARP/MAC tables on EX's look good.

    -- While initiating pings from the EX's, the output of 'tcpdump -i reth1' on the SRX doesn't show the packets coming in.

     

    config on the SRX:

     

    set chassis cluster reth-count 4

    set chassis cluster redundancy-group 0 node 0 priority 100

    set chassis cluster redundancy-group 0 node 1 priority 50

    set chassis cluster redundancy-group 1 node 1 priority 50

    set chassis cluster redundancy-group 1 node 0 priority 100

    set chassis cluster redundancy-group 1 preempt

    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255

    set interfaces ge-0/0/1 gigether-options redundant-parent reth0

    set interfaces ge-0/0/2 gigether-options redundant-parent reth1

    set interfaces ge-0/0/5 unit 0 family inet address 27.1.1.1/24

    set interfaces ge-3/0/1 gigether-options redundant-parent reth0

    set interfaces ge-3/0/2 gigether-options redundant-parent reth1

    set interfaces ge-3/0/5 unit 0 family inet address 27.2.2.1/24

    set interfaces fab0 fabric-options member-interfaces ge-0/0/3

    set interfaces fab1 fabric-options member-interfaces ge-3/0/3

    set interfaces reth0 redundant-ether-options redundancy-group 1

    set interfaces reth0 unit 0 family inet address 98.1.1.1/24

    set interfaces reth1 redundant-ether-options redundancy-group 1

    set interfaces reth1 unit 0 family inet address 99.1.1.1/24

    set routing-options static route 0.0.0.0/0 next-hop 27.1.1.2

    set routing-options static route 0.0.0.0/0 qualified-next-hop 27.2.2.2 metric 50

    set routing-options static route 0.0.0.0/0 metric 10

    set routing-options autonomous-system 64790

    set protocols bgp group routed-core type internal

    set protocols bgp group routed-core export send-default

    set protocols bgp group routed-core neighbor 98.1.1.2

    set protocols bgp group routed-core neighbor 98.1.1.3

    set protocols bgp group routed-core neighbor 99.1.1.2

    set protocols bgp group routed-core neighbor 99.1.1.3

    set protocols lldp interface all

    set policy-options policy-statement send-default term match-default from route-filter 0.0.0.0/0 exact

    set policy-options policy-statement send-default term match-default then next-hop self

    set policy-options policy-statement send-default term match-default then accept

    set security zones security-zone trusted interfaces reth1.0

    set security zones security-zone trusted interfaces reth0.0

    set security zones security-zone external-bgp host-inbound-traffic protocols all

    set security zones security-zone external-bgp interfaces ge-0/0/5.0

    set security zones security-zone external-bgp interfaces ge-3/0/5.0

     

     

    Any help would be appreciated.

     

    ankit

     



  • 2.  RE: Pings to SRX don't work (pings from SRX are successful)
    Best Answer

    Posted 08-21-2013 11:43
    set security zones security-zone trusted host-inbound-traffic system-services ping

    or...

    set security zones security-zone trusted host-inbound-traffic system-services all

     

    Depending on if ping is the only thing you want enabled or not...

     



  • 3.  RE: Pings to SRX don't work (pings from SRX are successful)

    Posted 08-22-2013 08:44
    Oh shoot, how did I miss that one!

    Interesting thing is that BGP was up even before applying the changes. Shouldn't it have been down as the zone didn't have the host-inbound configuration??

    Applied the changes, but the pings from EX to the SRX still don't work:

    root@lab-SRX-2# run show configuration security zones | display set
    set security zones security-zone trusted host-inbound-traffic protocols all
    set security zones security-zone trusted interfaces reth1.0
    set security zones security-zone trusted interfaces reth0.0
    set security zones security-zone external-bgp host-inbound-traffic protocols all
    set security zones security-zone external-bgp interfaces ge-0/0/5.0
    set security zones security-zone external-bgp interfaces ge-3/0/5.0

    {primary:node1}[edit]
    root@lab-SRX-2# run show src
    ^
    syntax error, expecting <command>.
    root@lab-SRX-2# run show security flow status
    node0:
    --------------------------------------------------------------------------
    Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
    Flow trace status
    Flow tracing status: off

    node1:
    --------------------------------------------------------------------------
    Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
    Flow trace status
    Flow tracing status: off

    {primary:node1}[edit]
    root@lab-SRX-2# run show bgp summary
    Groups: 1 Peers: 4 Down peers: 0
    Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
    inet.0                 0          0          0          0          0          0
    Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
    98.1.1.2              64790       2448       2459       0       2    18:05:24 0/0/0/0              0/0/0/0
    98.1.1.3              64790       2455       2459       0       1    18:10:19 0/0/0/0              0/0/0/0
    99.1.1.2              64790       2466       2468       0       0    18:41:14 0/0/0/0              0/0/0/0
    99.1.1.3              64790       2467       2468       0       0    18:41:10 0/0/0/0              0/0/0/0

    {primary:node1}[edit]
    root@lab-SRX-2#


  • 4.  RE: Pings to SRX don't work (pings from SRX are successful)

    Posted 08-22-2013 08:46

    If I am reading your config correctly you have enabled protocols all (which will allow BGP) but NOT enabled system-services (all or ping) so your ping still won't work. 
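The distinction drawn in post 4, as an added example that is not part of the thread: a small Python audit that reads `display set` zone statements and reports whether a given host-inbound service or protocol is accepted on an interface, and which zones use `system-services all`. The function names and constants are illustrative, and only zone-level statements are modelled (interface-level overrides and `except` are skipped).

```python
import re

# Constructed input: the zone statements shown in post 3 (`display set` form).
POST3 = """\
set security zones security-zone trusted host-inbound-traffic protocols all
set security zones security-zone trusted interfaces reth1.0
set security zones security-zone trusted interfaces reth0.0
set security zones security-zone external-bgp host-inbound-traffic protocols all
set security zones security-zone external-bgp interfaces ge-0/0/5.0
set security zones security-zone external-bgp interfaces ge-3/0/5.0
"""
# The narrower of the two statements suggested in post 2.
PING_FIX = "set security zones security-zone trusted host-inbound-traffic system-services ping\n"

ZONE = r"^set security zones security-zone (\S+) "
IFL = re.compile(ZONE + r"interfaces (\S+)$")
HIT = re.compile(ZONE + r"host-inbound-traffic (system-services|protocols) (\S+)$")

def parse(config):
    """Return {zone: {"ifls": set, "system-services": set, "protocols": set}}."""
    zones = {}
    for line in config.splitlines():
        line = line.strip()
        m = IFL.match(line) or HIT.match(line)
        if not m:
            continue  # interface-level overrides and `except` are not modelled
        z = zones.setdefault(m.group(1), {"ifls": set(), "system-services": set(), "protocols": set()})
        if m.re is IFL:
            z["ifls"].add(m.group(2))
        else:
            z[m.group(2)].add(m.group(3))
    return zones

def allowed(zones, ifl, kind, name):
    """True if zone-level host-inbound-traffic accepts `name` on interface `ifl`."""
    for z in zones.values():
        if ifl in z["ifls"]:
            return bool(z[kind] & {name, "all"})
    return False  # interface is not bound to any zone

def broad_zones(zones):
    """Zones where `system-services all` accepts every service, not only ping."""
    return sorted(n for n, z in zones.items() if "all" in z["system-services"])

if __name__ == "__main__":
    for label, cfg in (("post 3", POST3), ("post 3 + ping", POST3 + PING_FIX)):
        z = parse(cfg)
        print(label, "bgp:", allowed(z, "reth1.0", "protocols", "bgp"),
              "ping:", allowed(z, "reth1.0", "system-services", "ping"),
              "broad:", broad_zones(z))
```

Running `broad_zones` over a saved configuration is a quick way to find zones where the wider `system-services all` statement was applied when only ping was needed.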



  • 5.  RE: Pings to SRX don't work (pings from SRX are successful)

    Posted 08-22-2013 08:51
    That was it. Day one of SRX is finally successful. 🙂
    Thanks, Keith and Kevin.


  • 6.  RE: Pings to SRX don't work (pings from SRX are successful)

    Posted 08-22-2013 08:57

    Well that is great! Welcome to the world of SRX. 🙂