SRX
  • 1.  SRX210 - can't ping loop0 unless in 'trust' zone

    Posted 11-05-2012 16:15

    So this is weird..  Configuring a new SRX240 running Junos 11.4r5.5

    I have the following config:

    run show configuration security zones security-zone management interfaces
    vlan.10;
    vlan.85;
    lo0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
    }

    So I can't ping my loop0 interface from anywhere.  So I did some traceoptions to see the flow:

    Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  routed (x_dst_ip 10.255.0.8) from oob (ge-0/0/15.0 in 0) to lo0.0, Next-hop: 10.255.0.8
    Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  policy search from zone oob-> zone management (0x0,0x4be70002,0x2)
    Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
    Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  packet dropped, denied by policy
    Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  packet dropped,  policy deny.
    Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  flow find session returns error.

    Right so that's pretty clear, no security policy from zone oob to zone management.... But wait, this is self traffic - why do I need a policy for self traffic?  Never had to do this before....


    Anyway just for kicks I made the following policy:

    run show configuration security policies from-zone oob to-zone management
    policy oob-to-management {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

     So that policy should permit my traffic.... but my pings still fail.

    However - if I remove the loop0 interface from the management zone, and put it into the trust zone it works fine.  I still need a security policy, but the configuration is exactly the same as it is on my management zone:

    run show configuration security zones security-zone trust
    interfaces {
        lo0.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }

    run show configuration security policies from-zone oob to-zone trust
    policy management {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;

    So why the hell does it not work in the management zone?  I don't use the trust zone at all.

  • 2.  RE: SRX210 - can't ping loop0 unless in 'trust' zone

    Posted 11-05-2012 17:21

    You need to create a policy to allow traffic from your oob zone to the junos-host zone. You can't use the management zone in a security policy. 



  • 3.  RE: SRX210 - can't ping loop0 unless in 'trust' zone

    Posted 11-05-2012 17:26

    Yea tried that.... doesn't work

    Trace below shows traffic from oob to management still

    Nov  6 09:20:25 09:20:25.835580:CID-0:RT:  policy search from zone oob-> zone management (0x0,0x4ec50002,0x2)
    Nov  6 09:20:25 09:20:25.835580:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
    Nov  6 09:20:25 09:20:25.835580:CID-0:RT:  packet dropped, denied by policy
    Nov  6 09:20:25 09:20:25.835580:CID-0:RT:  packet dropped,  policy deny.
    Nov  6 09:20:25 09:20:25.835580:CID-0:RT:  flow find session returns error.
    Nov  6 09:20:25 09:20:25.835580:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    from-zone oob to-zone junos-host {
        policy traffic {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;

     Like I said, this works in the 'trust' zone, but not management. 



  • 4.  RE: SRX210 - can't ping loop0 unless in 'trust' zone

    Posted 11-05-2012 17:28

    Stupid question of the day - do you allow ping as a host-inbound in your oob zone? I am not in front of an SRX but recall that when using the junos-host zone for self traffic you also have to allow the traffic as host inbound to the ingress IF (from memory).



  • 5.  RE: SRX210 - can't ping loop0 unless in 'trust' zone

    Posted 11-05-2012 18:17

    Well. From what I infer, the entire point of a management zone is that no other zone is able to communicate with the management zone, which ensures OOB management. So I guess if you're not able to reach from any other zone to the management zone, that's expected behaviour.

    But I may be wrong.




  • 6.  RE: SRX210 - can't ping loop0 unless in 'trust' zone
    Best Answer

    Posted 11-05-2012 19:06
    Hi,

    The zone name "management" is reserved for functional zones; using that name for a security zone has resulted in this behaviour.

    Management zone is not meant for transit traffic (so no policies can refer to this zone - neither from-zone, nor to-zone).

    It need not be trust zone, you can use any name for that zone other than "management"; it works.
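
    As an added example (not from the thread and not Juniper's own tooling), a small Python linter for the pitfall in this answer: it parses a Junos-style curly-brace security stanza with a simplified parser written here and flags a security-zone, or a from-zone/to-zone policy, that uses the reserved functional-zone name "management". The config in SAMPLE is constructed, and treating only "management" as reserved is an assumption taken from this answer.

```python
# Added example, not from the thread: lint a Junos 'security' config for the
# pitfall above: a *security* zone named "management" reuses the functional-zone
# name, so from-zone/to-zone policies never match it. SAMPLE is constructed.
import re
RESERVED = {"management"}  # functional-zone name; treated as reserved per the thread

def parse(text):
    """Parse Junos curly-brace config into nested dicts (leaf statements -> None)."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    stack, cur, words = [], {}, []
    for tok in tokens:
        if tok == "{":                    # open a nested stanza
            cur[" ".join(words)] = child = {}
            stack.append(cur)
            cur, words = child, []
        elif tok == ";":                  # terminate a leaf statement
            cur[" ".join(words)] = None
            words = []
        elif tok == "}":                  # close the stanza
            cur = stack.pop()
        else:
            words.append(tok)
    return cur

def lint(text):
    """Flag reserved names used as security zones or referenced by policies."""
    sec = parse(text).get("security", {})
    findings = []
    for key in sec.get("zones", {}):
        if key.startswith("security-zone ") and key.split(" ", 1)[1] in RESERVED:
            findings.append(f"{key}: reuses a reserved functional-zone name")
    for key in sec.get("policies", {}):
        m = re.match(r"from-zone (\S+) to-zone (\S+)", key)
        if m and RESERVED & set(m.groups()):
            findings.append(f"{key}: policy references a reserved zone")
    return findings

SAMPLE = """\
security {
    zones {
        security-zone management { interfaces { lo0.0 { host-inbound-traffic { system-services { ping; } } } } }
    }
    policies {
        from-zone oob to-zone management {
            policy oob-to-management { match { application any; } then { permit; } }
        }
    }
}
"""
```

    Calling lint(SAMPLE) reports both the zone and the policy; renaming the zone to mgmt, as the thread did, clears both findings.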


  • 7.  RE: SRX210 - can't ping loop0 unless in 'trust' zone

    Posted 11-05-2012 20:01

    haha ok thanks... renaming the zone 'management' to 'mgmt' worked.

    Didn't know about that....

    Thanks again