SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX 220 System Services Not Bound to PP0.0

  • 1.  SRX 220 System Services Not Bound to PP0.0

    Posted 10-12-2015 18:05

    We have a pair of SRX220H2 devices. Both connect to the Internet via interface ge-0/0/0; one device has a standard interface-bound IP, the other requires encapsulation ppp-over-ether.

     

    The issue I am having is that for the PPPoE device, PING and HTTPS (which we are using for Dynamic VPN) are not working, but IKE seems to be, as we are running a site-to-site VPN which is working fine.

     

    I've tried several configuration variations placing the required services in host-inbound-traffic in both the zone and the interface but it isn't working. I'd appreciate any thoughts.

     

    The current relevant configuration bits are as follows:

     

        ge-0/0/0 {
            speed 100m;
            link-mode full-duplex;
            gigether-options {
                no-auto-negotiation;
            }
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        pp0 {
            unit 0 {
                apply-macro <name>;
                ppp-options {
                    chap {
                        default-chap-secret "<secret>";
                        local-name "<name>";
                        no-rfc2486;
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/0.0;
                    client;
                }
                family inet {
                    mtu 1492;
                    address a.b.c.d/24;
                }
            }
        }
            security-zone z-Internet {
                screen screen-internet;
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    pp0.0 {
                        host-inbound-traffic {
                            system-services {
                                ike;
                                ping;
                                https;
                            }
                        }
                    }
                }
            }


  • 2.  RE: SRX 220 System Services Not Bound to PP0.0

     
    Posted 10-15-2015 01:02

    Hello,

     

    Have you tried to put the interface "ge-0/0/0.0" in a security zone and check?



  • 3.  RE: SRX 220 System Services Not Bound to PP0.0

    Posted 10-15-2015 01:11

    Sam,

     

    Yes, we had tried that. We put it into the same z-Internet zone and tried variations of zone and interface bound services but no change.

     

    Tim.



  • 4.  RE: SRX 220 System Services Not Bound to PP0.0

     
    Posted 10-15-2015 02:09

    Hi Tim,

     

    Can you remove the host inbound services under the zone and add them in the interface:

     

            security-zone z-Internet {
                screen screen-internet;
                host-inbound-traffic {
                    system-services {
                        ike;   <<<<< Remove this and add under 
                    }
                }
                interfaces {
                    pp0.0 {
                        host-inbound-traffic {
                            system-services {
                                ike;
                                ping;
                                https; <<<<<<<< Add IKE here . 
                            }
                        }
                    }
                }
            }


  • 5.  RE: SRX 220 System Services Not Bound to PP0.0

     
    Posted 10-15-2015 02:24

    Hi,

     

    It looks like you have problems with your MTU on the PPPoE interface.

     

    Can you try to do the following:

    set security flow tcp-mss all-tcp mss 1350 (we can always try to set it higher)



  • 6.  RE: SRX 220 System Services Not Bound to PP0.0

    Posted 10-15-2015 02:43

    Marc,

     

    I tried an MSS of 1350 and for giggles 1452 but no change. One thing though; do I need to tear the PPPoE interface down after this change or is the effect immediate?

     

    BTW; MSS in current configuration is 1300 (based on some other posts on these forums but I'm going to review this).

     

    Tim



  • 7.  RE: SRX 220 System Services Not Bound to PP0.0

     
    Posted 10-15-2015 04:30

    Hi,

     

    No, you don't need to bring the pp0 interface down after you have changed the MSS setting.

     

     

    Can you attach your complete config to this post so we can have a look at it to see if there is nothing else that is giving the problems with HTTPS and ICMP being unreachable.



  • 8.  RE: SRX 220 System Services Not Bound to PP0.0

    Posted 10-15-2015 12:35

    Marc,

     

    Configuration attached (removed).

     

    Tim



  • 9.  RE: SRX 220 System Services Not Bound to PP0.0

     
    Posted 10-15-2015 18:45

    Hello,

     

    Please remove the below configuration from [ system, services ] and check if that helps:

     

        services {
            ssh;
            web-management {
                http {
                    interface vlan.5;   <<<<<<<<<
                }
                https {
                    system-generated-certificate;
                    interface vlan.5;   <<<<<<<<
                }
            }
        }

     



  • 10.  RE: SRX 220 System Services Not Bound to PP0.0

    Posted 10-16-2015 16:56

    Sam,

     

    Tried removing vlan.5. No change. Still no external PING or HTTPS to the pp0.0 address.

     

    Tim



  • 11.  RE: SRX 220 System Services Not Bound to PP0.0

    Posted 10-15-2015 02:40

    Sam,

     

    Didn't think to try that. Tried as described and also with ge-0/0/0.0 in that zone as above but still not working.

     

    Tim



  • 12.  RE: SRX 220 System Services Not Bound to PP0.0
    Best Answer

    Posted 10-20-2015 01:17

    It appears the issue was that a temporary NAT rule had been added to the original configuration for the external interface IP, which was accepting all of the traffic that was expected on pp0.0. This was removed and all is now working.

     

    Thanks all.
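
The failure mode in the accepted answer, as an added example that is not part of the original thread: on the SRX, destination and static NAT are evaluated before the host-inbound-traffic check, so a rule matching the interface's own address turns that traffic into transit traffic and the services listed under the zone never see it. The check below assumes the rule was a destination or static NAT rule (the thread does not show it) and runs over a constructed `display set` sample with documentation addresses and hypothetical rule-set, rule and pool names.

```python
import ipaddress
import re

# Constructed sample in "display set" form; addresses are documentation ranges,
# rule-set / rule / pool names are hypothetical.
SAMPLE_CONFIG = """\
set interfaces pp0 unit 0 family inet address 203.0.113.10/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set security zones security-zone z-Internet interfaces pp0.0 host-inbound-traffic system-services ike
set security zones security-zone z-Internet interfaces pp0.0 host-inbound-traffic system-services ping
set security zones security-zone z-Internet interfaces pp0.0 host-inbound-traffic system-services https
set security nat destination rule-set rs-temp from zone z-Internet
set security nat destination rule-set rs-temp rule r-temp match destination-address 203.0.113.10/32
set security nat destination rule-set rs-temp rule r-temp then destination-nat pool p-inside
set security nat static rule-set rs-dmz rule r-web match destination-address 203.0.113.20/32
set security nat static rule-set rs-dmz rule r-web then static-nat prefix 192.168.5.20/32
"""

IFACE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)")
NAT = re.compile(r"^set security nat (destination|static) rule-set (\S+) rule (\S+) "
                 r"match destination-address (\S+)")
HOST_IN = re.compile(r"^set security zones security-zone \S+ interfaces (\S+) "
                     r"host-inbound-traffic system-services (\S+)")

def find_shadowing_nat(config):
    """Return NAT rules whose destination-address covers a local interface IP."""
    local, services, rules = {}, {}, []
    for line in config.splitlines():
        if m := IFACE.match(line):
            local[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3]).ip
        elif m := HOST_IN.match(line):
            services.setdefault(m[1], []).append(m[2])
        elif m := NAT.match(line):
            rules.append((m[1], m[2], m[3], ipaddress.ip_network(m[4], strict=False)))
    findings = []
    for kind, rule_set, rule, net in rules:
        for ifl, addr in local.items():
            if addr in net:  # NAT match covers the box's own address
                findings.append({"interface": ifl, "nat": kind, "rule-set": rule_set,
                                 "rule": rule, "services": sorted(services.get(ifl, []))})
    return findings

if __name__ == "__main__":
    for f in find_shadowing_nat(SAMPLE_CONFIG):
        print(f)
```

Each finding names the rule and the host-inbound services on that interface that it can shadow; a rule that also matches on destination-port only affects that port.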