So this is weird... Configuring a new SRX240 running Junos 11.4r5.5.
I have the following config:
run show configuration security zones security-zone management interfaces
vlan.10;
vlan.85;
lo0.0 {
    host-inbound-traffic {
        system-services {
            ping;
        }
    }
}
So I can't ping my loop0 interface from anywhere. So I did some traceoptions to see the flow:
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: routed (x_dst_ip 10.255.0.8) from oob (ge-0/0/15.0 in 0) to lo0.0, Next-hop: 10.255.0.8
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: policy search from zone oob-> zone management (0x0,0x4be70002,0x2)
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: packet dropped, denied by policy
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: packet dropped, policy deny.
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: flow find session returns error.
Right, so that's pretty clear: no security policy from zone oob to zone management.... But wait, this is self traffic - why do I need a policy for self traffic? Never had to do this before....
Anyway just for kicks I made the following policy:
run show configuration security policies from-zone oob to-zone management
policy oob-to-management {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
So that policy should permit my traffic.... but my pings still fail.
However, if I remove the loop0 interface from the management zone and put it into the trust zone, it works fine. I still need a security policy, but the configuration is exactly the same as it is on my management zone:
run show configuration security zones security-zone trust
interfaces {
    lo0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}
run show configuration security policies from-zone oob to-zone trust
policy management {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
So why the hell does it not work in the management zone? I don't use the trust zone at all.
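As an added example (not part of the original post, and not Juniper's code), here is a small Python parser for SRX flow traceoptions output like the lines quoted above. It pulls out the ingress zone and interface, the egress interface, the from-zone/to-zone pair the policy lookup actually used, and whether the packet was dropped by policy, so the question "which zone pair needs a policy?" is answered from the trace rather than guessed from the zone configuration. The regular expressions are assumptions based only on the message formats shown in this post; the field names and the sample trace (copied from the post) are mine, and the hint it produces is narrowed to the predefined junos-ping application rather than any/any.

```python
import re
from typing import Dict, List, Optional

# Added example: parse SRX flow traceoptions lines and report the zone pair
# used by the policy lookup plus the verdict. Regexes are assumptions based
# on the message formats quoted in the post above.

# "routed ..." line: ingress zone, ingress IFL, egress IFL and destination.
ROUTED_RE = re.compile(
    r"routed \(x_dst_ip (?P<dst_ip>[\d.]+)\) from (?P<src_zone>\S+) "
    r"\((?P<in_ifl>\S+) in \d+\) to (?P<dst_ifl>[^,]+), Next-hop: (?P<next_hop>[\d.]+)"
)
# "policy search" line: the zone pair the SPU used for the policy lookup.
POLICY_RE = re.compile(
    r"policy search from zone (?P<from_zone>\S+?)\s*->\s*zone (?P<to_zone>\S+)"
)
# Drop lines seen in the trace; only policy denies are recognised here.
DENY_RE = re.compile(r"packet dropped, (?:denied by policy|policy deny)")

# Constructed sample: the trace lines quoted in the post above.
SAMPLE_TRACE = [
    "Nov 6 08:06:01 08:06:01.516302:CID-0:RT: routed (x_dst_ip 10.255.0.8) "
    "from oob (ge-0/0/15.0 in 0) to lo0.0, Next-hop: 10.255.0.8",
    "Nov 6 08:06:01 08:06:01.516302:CID-0:RT: policy search from zone oob-> "
    "zone management (0x0,0x4be70002,0x2)",
    "Nov 6 08:06:01 08:06:01.516302:CID-0:RT: app 0, timeout 60s, curr ageout 60s",
    "Nov 6 08:06:01 08:06:01.516302:CID-0:RT: packet dropped, denied by policy",
    "Nov 6 08:06:01 08:06:01.516302:CID-0:RT: packet dropped, policy deny.",
    "Nov 6 08:06:01 08:06:01.516302:CID-0:RT: flow find session returns error.",
]


def summarize_flow_trace(lines: List[str]) -> Dict[str, Optional[str]]:
    """Return routing decision, policy zone pair and verdict for one flow trace."""
    summary: Dict[str, Optional[str]] = {
        "dst_ip": None, "src_zone": None, "in_ifl": None, "dst_ifl": None,
        "from_zone": None, "to_zone": None, "verdict": "no deny recorded",
    }
    for line in lines:
        m = ROUTED_RE.search(line)
        if m:
            for key in ("dst_ip", "src_zone", "in_ifl", "dst_ifl"):
                summary[key] = m.group(key)
            continue
        m = POLICY_RE.search(line)
        if m:
            summary["from_zone"] = m.group("from_zone")
            summary["to_zone"] = m.group("to_zone")
            continue
        if DENY_RE.search(line):
            summary["verdict"] = "denied by policy"
    return summary


def missing_policy_hint(summary: Dict[str, Optional[str]]) -> Optional[List[str]]:
    """Junos set commands for a ping-only permit policy on the zone pair the
    trace looked up, or None when the trace shows no policy deny."""
    if summary["verdict"] != "denied by policy" or not summary["from_zone"]:
        return None
    name = f"{summary['from_zone']}-to-{summary['to_zone']}-ping"  # hypothetical name
    base = (f"set security policies from-zone {summary['from_zone']} "
            f"to-zone {summary['to_zone']} policy {name}")
    return [
        f"{base} match source-address any",
        f"{base} match destination-address any",
        f"{base} match application junos-ping",
        f"{base} then permit",
    ]


if __name__ == "__main__":
    result = summarize_flow_trace(SAMPLE_TRACE)
    print(result)
    for cmd in missing_policy_hint(result) or []:
        print(cmd)
```

Run against the quoted trace, it reports the lookup as zone oob to zone management with verdict "denied by policy", which matches what the post concluded; the hint it prints is only a starting point, since the post shows that a matching permit policy on that zone pair was still not enough on its own.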