SRX210 Cluster Can't Ping reth interfaces

mcnj101 · ‎07-11-2012

Junos newbe srx210 cluster a/p issue, I have created a new cluster with two srx210 running junos ver 10.4R10.7.

Pretty simple configuration I thought.

In testing I can ping the trust reth0.0 interface no problem with a notebook connected to a ex2200 switch.

The links coming from the cluster to the ex2200 ports are configured as “trunk” , the notebook connect to the ex2200 also, but in a “access” interface. I have replicated this for all the security zones, Trust, Untrust and DMZ on the ex2200 switch.

But I can’t ping either the untrust address or either of the two dmz interface address. I did creade a rule to allow any any any ICMP. But no luck.. I feel there is something at the layer2 switch? Does anyone see something wrong here?

Many thanks

SRX210 Cluster

## Last changed: 2012-07-11 15:37:11 EDT

version 10.4R10.7;

groups {

node0 {

system {

host-name TH_Node0;

}

interfaces {

fxp0 {

unit 0 {

family inet {

address 192.168.40.99/24;

}

node1 {

system {

host-name TH_Node1;

}

interfaces {

fxp0 {

unit 0 {

family inet {

address 192.168.40.98/24;

}

apply-groups "${node}";

system {

time-zone America/New_York;

authentication-order [ radius password ];

root-authentication {

encrypted-password "$1$OhSk.N6k$gnqYCOpPZ4CRxAmJdkOfx/";

}

chassis {

cluster {

reth-count 3;

heartbeat-interval 2000;

heartbeat-threshold 8;

redundancy-group 0 {

node 0 priority 100;

node 1 priority 1;

}

redundancy-group 1 {

node 0 priority 100;

node 1 priority 1;

gratuitous-arp-count 5;

interface-monitor {

ge-0/0/0 weight 255;

ge-2/0/0 weight 255;

ge-0/0/1 weight 255;

ge-2/0/1 weight 255;

fe-0/0/4 weight 255;

fe-2/0/4 weight 255;

}

redundancy-group 2 {

node 0 priority 100;

node 1 priority 1;

}

interfaces {

ge-0/0/0 {

gigether-options {

redundant-parent reth0;

}

ge-0/0/1 {

gigether-options {

redundant-parent reth1;

}

fe-0/0/4 {

fastether-options {

redundant-parent reth2;

}

ge-2/0/0 {

gigether-options {

redundant-parent reth0;

}

ge-2/0/1 {

gigether-options {

redundant-parent reth1;

}

fe-2/0/4 {

fastether-options {

redundant-parent reth2;

}

fab0 {

fabric-options {

member-interfaces {

fe-0/0/2;

fe-0/0/3;

}

fab1 {

fabric-options {

member-interfaces {

fe-2/0/2;

fe-2/0/3;

}

fxp0 {

unit 0 {

family inet {

address 192.168.40.100/24 {

master-only;

}

reth0 {

vlan-tagging;

redundant-ether-options {

redundancy-group 1;

}

unit 0 {

description Trust_Interface;

vlan-id 2;

family inet {

address 10.101.1.1/24;

}

reth1 {

redundant-ether-options {

redundancy-group 1;

}

unit 0 {

family inet {

address x.x.x.x/29;

}

reth2 {

vlan-tagging;

redundant-ether-options {

redundancy-group 1;

}

unit 10 {

vlan-id 10;

family inet {

address 172.19.10.1/24;

}

unit 11 {

vlan-id 11;

family inet {

address 172.19.11.1/24;

}

AdamLin · ‎08-02-2010

Hi, next time, use the insert code feature

Luckily you attached the config, your problem is your zone configuration, the interfaces you're trying to ping are in zones where you don't have ping in host-inbound-traffic. Traffic that should go to the srx (not transit traffic) needs to be configured there.

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)

mcnj101 · ‎07-11-2012

Adam,

thanks, I guess I should have "previewed" the post pior.

Is this the area you are speaking of ?

Thanks very much.

Mark

AdamLin · ‎08-02-2010

Yes, correct,
Just add "ping" under untrust and dmz, if you want to ping those interfaces.

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)

mcnj101 · ‎07-11-2012

Thanks Adam,

I added "ping" with no luck. The tryed Services ALL and Protocols ALL.

Still no luck

On the trust interface reth0 I have this:

  host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0;

On the dmz interface reth2.10 & reth2.11 I have this:

     host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth2.10 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                reth2.11 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }

Still not working ???

AdamLin · ‎08-02-2010

Remove the host-inbound-traffic under the interfaces. If you configure host-inbound-traffic on interface that takes precendece over the zone config. And your reth2.11 only has protocols all, not system-services all. Or maybe you didn't copy it all. Does transit traffic work ? Like from dmz to untrust or whatever?

Here's some information on host-inbound:

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-sec...

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)

mcnj101 · ‎07-11-2012

Adam,

Hope this is what you ment,

Still not working ???

security-zone dmz {
    address-book {
        address bb-transact-nic1 172.19.10.10/32;
        address bb-transact-nic2 172.19.10.12/32;
        address dmz-me0-sw 192.168.100.21/32;
        address dmz-mgmt-sw 172.19.11.2/32;
        address-set bb-transact {
            address bb-transact-nic1;
            address bb-transact-nic2;
        }
    }
    host-inbound-traffic {
        system-services {
            ping;                       
        }
    }
    interfaces {
        reth2.10;
        reth2.11;
    }
}

{primary:node0}[edit security zones]
root@TH_Node0#

mcnj101 · ‎07-11-2012

Could it be anythnig with the vlans?

ed_gpc · ‎09-21-2010

Could be vlans, could be routing. Can you ping it from a local subnet device, maybe a switch? If so, then it's probably a route issue.

axel.eble@ciber.com · ‎09-21-2012

I've found that the SRX replies with the source address of the interface closest to the source of the Echo Request:

Client ---- [(Interface A) SRX (Interface B)] ---

Then no matter if you ping Interface A or Interface B the SRX will always send the Echo Replies from Interface A.

SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces

Re: SRX210 Cluster Can't Ping reth interfaces