We are experiencing a challenge where we can ping hosts within a subnet, but not their gateway. The traffic comes in on an interface in one routing instance (us1mgmt), and out on another interface in another routing instance (prod). The goal is to ping the gateway. The gateway can be pinged from other interfaces in the same routing instance as well as from interfaces in other routing instances (including the one traffic comes in on) but not from hosts that are connected to those interfaces, even though routes exist and appear to be correct.
- Example Source: 10.10.10.20
- Example Destination: 10.103.22.17 (can't ping) - this is reth11.2 (in prod routing instance)
- Example Destination: 10.103.22.18 (can ping) - this is a host off reth11.2 (in prod routing instance)
- 10.103.22.16/28 is the network
- Traffic comes in on reth11.1 (in us1mgmt routing instance)
The traffic enters the device on reth11.1, which is in the us1mgmt routing instance. Routes for 10.103.22.16/28 and 10.103.22.17/32 show up in the routing instance us1mgmt to go to reth11.2.
# run show route table us1mgmt 10.103.22.16
us1mgmt.inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.103.22.16/28 *[Direct/0] 1w0d 19:43:37
> via reth11.2
{primary:node0}[edit]
# run show route table us1mgmt 10.103.22.17
us1mgmt.inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.103.22.17/32 *[Local/0] 6d 18:17:32
Local via reth11.2
The return route exists (and uses an interface in another routing instance, us1mgmt).
# run show route table prod 10.10.10.20
prod.inet.0: 37 destinations, 37 routes (37 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.20/32 *[Static/5] 1w0d 18:06:31
> to 10.254.253.3 via reth11.1
I can ping the reth11.2 interface from reth11.3, which is in the same routing instance.
# run show route instance prod detail
prod:
Router ID: 10.103.22.17
Type: virtual-router State: Active
Interfaces:
reth11.4
reth11.3
reth11.2
reth11.0
Tables:
prod.inet.0 : 37 routes (37 active, 0 holddown, 0 hidden)
# run ping 10.103.22.17 interface reth11.3
PING 10.103.22.17 (10.103.22.17): 56 data bytes
64 bytes from 10.103.22.17: icmp_seq=0 ttl=64 time=0.419 ms
I can ping hosts in the same subnet, just not the gateway interface, from the original source 10.10.10.20.
# run show log traffic-log | match 10.103.22.30
Jun 3 18:15:02 FW RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.10.20/5420->10.103.22.30/512 icmp 10.10.10.20/5420->10.103.22.30/512 None None 1 prod-us1-FromSMS us1-mgmt prod-app 218319
Ping is enabled on the interface.
# run show interfaces reth11.2
Logical interface reth11.2 (Index 210) (SNMP ifIndex 618)
Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.843 ] Encapsulation: ENET2
Statistics Packets pps Bytes bps
Bundle:
Input : 691626 1 47022332 744
Output: 130831 0 6035040 472
Security: Zone: prod-app
Allowed host-inbound traffic : ping
Protocol inet, MTU: 1500
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.103.22.16/28, Local: 10.103.22.17, Broadcast: 10.103.22.31
I can even ping the gateway from the reth11.1 interface, which this traffic comes in on.
# run ping 10.103.22.17 interface reth11.1
PING 10.103.22.17 (10.103.22.17): 56 data bytes
64 bytes from 10.103.22.17: icmp_seq=0 ttl=64 time=0.412 ms
^C
--- 10.103.22.17 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.412/0.412/0.412/0.000 ms
Any help is greatly appreciated. Thank you in advance to anyone who can lend any suggestions to this challenge. We also have a ticket with JTAC and will update if we can find the resolution. Please let me know if there are any other outputs I can provide to help solve this puzzle.
#JUNOS#virtual.router#routing.instance#SRX#virtual-router
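For readers trying to reproduce the setup described in the post, the following is an added, illustrative Junos configuration (not the poster's own configuration, which is not shown) that produces the route tables seen above: two virtual-router instances, with each instance's interface routes leaked into the other's table through rib-groups, so that us1mgmt.inet.0 carries the Direct/Local routes for 10.103.22.16/28 via reth11.2 and prod.inet.0 can resolve the static return route for 10.10.10.20/32 to 10.254.253.3 via reth11.1. Only the values that appear in the post (interface names, instance names, zone and policy names, VLAN 843, 10.103.22.17/28, 10.10.10.20/32, next hop 10.254.253.3) are taken from it; the VLAN on reth11.1, the local address on reth11.1, the rib-group names and the mgmt-side prefix are assumptions chosen for the example.

```junos
## Added illustration, not the poster's configuration.
## Values marked "assumed" are not from the post.
interfaces {
    reth11 {
        vlan-tagging;
        unit 1 {
            vlan-id 841;                                   # assumed
            family inet { address 10.254.253.1/30; }       # assumed local address
        }
        unit 2 {
            vlan-id 843;                                   # from the interface output
            family inet { address 10.103.22.17/28; }       # gateway address from the post
        }
    }
}
routing-options {
    rib-groups {
        ## first import-rib must be the instance's own table
        prod-to-us1mgmt { import-rib [ prod.inet.0 us1mgmt.inet.0 ]; }     # name assumed
        us1mgmt-to-prod { import-rib [ us1mgmt.inet.0 prod.inet.0 ]; }     # name assumed
    }
}
routing-instances {
    us1mgmt {
        instance-type virtual-router;
        interface reth11.1;
        routing-options {
            ## leak reth11.1's Direct/Local routes into prod.inet.0 so the
            ## return static below resolves "to 10.254.253.3 via reth11.1"
            interface-routes { rib-group inet us1mgmt-to-prod; }
            static { route 10.10.10.0/24 next-hop 10.254.253.3; }          # mgmt prefix assumed
        }
    }
    prod {
        instance-type virtual-router;
        interface reth11.2;
        routing-options {
            ## leak reth11.2's Direct/Local routes into us1mgmt.inet.0;
            ## this is what makes 10.103.22.16/28 and 10.103.22.17/32
            ## appear in "show route table us1mgmt"
            interface-routes { rib-group inet prod-to-us1mgmt; }
            static { route 10.10.10.20/32 next-hop 10.254.253.3; }         # matches the prod.inet.0 output
        }
    }
}
security {
    zones {
        security-zone us1-mgmt { interfaces { reth11.1; } }
        security-zone prod-app {
            interfaces {
                reth11.2 { host-inbound-traffic { system-services { ping; } } }
            }
        }
    }
    policies {
        from-zone us1-mgmt to-zone prod-app {
            policy prod-us1-FromSMS {                      # policy name from the traffic log
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-ping;
                }
                then { permit; }
            }
        }
    }
}
```

With this in place, `show route table us1mgmt 10.103.22.17` returns the `Local/0 ... via reth11.2` entry and `show route table prod 10.10.10.20` returns the `Static/5 ... to 10.254.253.3 via reth11.1` entry, matching the outputs in the post; the example reproduces the topology only, it does not explain or resolve the ping failure the poster describes.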