SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Unable to ping interface/gateway, but can ping hosts within subnet. (Multiple VR Routing Instances)

    Posted 06-03-2010 07:48

    We are experiencing a challenge where we can ping hosts within a subnet, but not their gateway.  The traffic comes in on an interface in one routing instance (us1mgmt), and out on another interface in another routing instance (prod).  The goal is to ping the gateway.  The gateway can be pinged from other interfaces in the same routing instance as well as from interfaces in other routing instances (including the one traffic comes in on), but not from hosts that are connected to those interfaces, even though routes exist and appear to be correct.

    • Example Source: 10.10.10.20
    • Example Destination: 10.103.22.17 (cant ping) - this is reth11.2 (in prod routing instance)
    • Example Destination: 10.103.22.18 (can ping) - this is a host off reth11.2 (in prod routing instance)
    • 10.203.22.16/28 is the network
    • Traffic comes in on reth11.1 (in us1mgmt routing instance)

    The traffic enters the device on reth11.1, which is in the us1mgmt routing instance.  Routes for 10.103.22.16/28 and 10.103.22.17/32 show up in the routing instance us1mgmt to go to reth11.2.


    # run show route table us1mgmt 10.103.22.16

    us1mgmt.inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.103.22.16/28 *[Direct/0] 1w0d 19:43:37
    > via reth11.2

    {primary:node0}[edit]

    # run show route table us1mgmt 10.103.22.17


    us1mgmt.inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.103.22.17/32 *[Local/0] 6d 18:17:32
    Local via reth11.2

    The return route exists (and uses an interface in another routing instance, us1mgmt).

    # run show route table prod 10.10.10.20

    prod.inet.0: 37 destinations, 37 routes (37 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.10.10.20/32 *[Static/5] 1w0d 18:06:31
    > to 10.254.253.3 via reth11.1


    I can ping the reth11.2 interface from reth11.3, which is in the same routing instance.

    # run show route instance prod detail
    prod:
    Router ID: 10.103.22.17
    Type: virtual-router State: Active
    Interfaces:
    reth11.4
    reth11.3
    reth11.2
    reth11.0
    Tables:
    prod.inet.0 : 37 routes (37 active, 0 holddown, 0 hidden)

    # run ping 10.103.22.17 interface reth11.3
    PING 10.103.22.17 (10.103.22.17): 56 data bytes
    64 bytes from 10.103.22.17: icmp_seq=0 ttl=64 time=0.419 ms

    I can ping hosts in the same subnet, just not the gateway interface, from the original source 10.10.10.20.

    # run show log traffic-log | match 10.103.22.30
    Jun 3 18:15:02 FW RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.10.20/5420->10.103.22.30/512 icmp 10.10.10.20/5420->10.103.22.30/512 None None 1 prod-us1-FromSMS us1-mgmt prod-app 218319

    Ping is enabled on the interface.

    # run show interfaces reth11.2
    Logical interface reth11.2 (Index 210) (SNMP ifIndex 618)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.843 ] Encapsulation: ENET2
    Statistics Packets pps Bytes bps
    Bundle:
    Input : 691626 1 47022332 744
    Output: 130831 0 6035040 472
    Security: Zone: prod-app
    Allowed host-inbound traffic : ping
    Protocol inet, MTU: 1500
    Flags: None
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 10.103.22.16/28, Local: 10.103.22.17, Broadcast: 10.103.22.31

    I can even ping the gateway from the reth11.1 interface, which this traffic comes in on.

    # run ping 10.103.22.17 interface reth11.1
    PING 10.103.22.17 (10.103.22.17): 56 data bytes
    64 bytes from 10.103.22.17: icmp_seq=0 ttl=64 time=0.412 ms
    ^C
    --- 10.103.22.17 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.412/0.412/0.412/0.000 ms

    Any help is greatly appreciated.  Thank you in advance to anyone who can lend any suggestions to this challenge.  We also have a ticket with JTAC and will update if we can find the resolution.  Please let me know if there are any other outputs I can provide to help solve this puzzle.


    #JUNOS
    #virtual.router
    #routing.instance
    #SRX
    #virtual-router


  • 2.  RE: Unable to ping interface/gateway, but can ping hosts within subnet. (Multiple VR Routing Instances)

    Posted 06-03-2010 14:19

    Never mind, somehow in your post I missed that part.



  • 3.  RE: Unable to ping interface/gateway, but can ping hosts within subnet. (Multiple VR Routing Instances)

    Posted 06-03-2010 21:38

    Had the same issue, drove me nuts...  Host-inbound-traffic system-services can't be accessed through a routing instance other than inet.0.  You need to put up a firewall filter and accept the layer 3 IP of your VLAN, then term 2 sends to your routing instance, in order for this to work.

    firewall {
        filter trust-vr {
            term 1 {
                from {
                    destination-address {
                        10.0.0.33/32;
                        10.4.0.33/32;
                        10.4.0.41/32;
                        10.4.0.49/32;
                        10.4.0.57/32;
                    }
                }
                then accept;
            }
            term 2 {
                then {
                    routing-instance trust-vr;
                }
            }
        }
    }
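    An added example (not from any post in this thread) of how that filter is tied together with the ingress interfaces and the virtual router: the L3 VLAN interfaces stay in the master instance so host-inbound services answer for their own addresses, and everything else is pushed into the virtual router.  Interface names, zone names, the uplink address, the next hop and the term names are all assumed; security policies are not shown.

```junos
# Added example, not a configuration from the thread. All names and
# addresses below are assumed for illustration.

# L3 VLAN interfaces remain in the master instance (inet.0), where
# host-inbound system-services are reachable.
set interfaces vlan unit 10 family inet address 10.4.0.33/29
set interfaces vlan unit 20 family inet address 10.4.0.41/29
set interfaces vlan unit 10 family inet filter input trust-vr
set interfaces vlan unit 20 family inet filter input trust-vr

# Uplink lives in the virtual router.
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24

# Only ping is allowed inbound to the VLAN gateway addresses.
set security zones security-zone trust interfaces vlan.10 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.20 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0

# Term 1: packets addressed to the SRX's own VLAN IPs are accepted and
# handled in inet.0, so the gateway answers pings.
set firewall filter trust-vr term local-ips from destination-address 10.4.0.33/32
set firewall filter trust-vr term local-ips from destination-address 10.4.0.41/32
set firewall filter trust-vr term local-ips then count local-ips
set firewall filter trust-vr term local-ips then accept

# Term 2: everything else is forwarded using the virtual router's table.
set firewall filter trust-vr term to-vr then count to-vr
set firewall filter trust-vr term to-vr then routing-instance trust-vr

# Virtual router: default route via the uplink, and a route back to the
# VLAN subnets that resolves in the master table.
set routing-instances trust-vr instance-type virtual-router
set routing-instances trust-vr interface ge-0/0/0.0
set routing-instances trust-vr routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set routing-instances trust-vr routing-options static route 10.4.0.0/16 next-table inet.0
```

    After committing, "show firewall filter trust-vr" shows which term each packet hit, which is the quickest way to confirm that pings to the gateway IP land in local-ips and transit traffic in to-vr.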



  • 4.  RE: Unable to ping interface/gateway, but can ping hosts within subnet. (Multiple VR Routing Instances)

    Posted 07-24-2012 01:06

    Hi there,

    My configuration is as follows:
    2 interfaces (ge-0/0/0 & ge-0/0/1) are linked to two modems of two different ISPs.
    Both are configured in DHCP client mode (as my ISPs do not provide me a fixed IP address).


    I have created two virtual routers, one for each interface.

    Then I have a trust zone (which is spread over the remaining interfaces, L2 configuration)


    From one client (i.e. from the trust zone), routing goes well and I can ping whatever.

    From the SRX itself (which I would like to use to refresh my DDNS parameters), it is possible to ping out the internet ONLY if I add in the ping command the output interface.


    For instance:
    ping interface ge-0/0/0 www.google.fr => OK
    ping www.google.fr => does not go out.

    It seems to me that the situations are the same, but I do not understand how to solve it.

    If you have any comments or suggestions, let me know




  • 5.  RE: Unable to ping interface/gateway, but can ping hosts within subnet. (Multiple VR Routing Instances)

    Posted 07-24-2012 02:28

    Should maybe open a new thread instead 😉 The reason it works with adding interface is because that makes you ping from the correct routing-instance; your master table can't get to google.fr.


  • 6.  RE: Unable to ping interface/gateway, but can ping hosts within subnet. (Multiple VR Routing Instances)

    Posted 07-24-2012 12:34

    Thanks Adam for your answer.

    In fact I noticed this but I am looking for a way to use the virtual routing table.

    The problem is that I have no way to set a fixed IP address for the next hop (as I get it from the DHCP server), thus I have to use a virtual router, and then I can't reach the external IP from the SRX because the routing table is not available...

    It seems to me like a problem without an end.

    Let me know if you have any suggestions.


    Thanks in advance

    Laurent



  • 7.  RE: Unable to ping interface/gateway, but can ping hosts within subnet. (Multiple VR Routing Instances)

    Posted 07-24-2012 02:41

    If you need to know your topology and next-hops, try "show route forward destination" ... I suppose the main SRX is routed/forwarded from inet.0.

    Btw. you can do a config that leaks routes from one virtual router into inet.0 ... if you wish.



  • 8.  RE: Unable to ping interface/gateway, but can ping hosts within subnet. (Multiple VR Routing Instances)

    Posted 07-24-2012 12:37

    Hi Vencour,

    Thanks for your answer too. In the version of Junos I use this command is not available; the most similar one is "show route forwarding-table", which shows all routes...


    I don't understand what you mean when you say:

    "Btw. you can do a config that leaks routes from one virtual router into inet.0"

    Do you mean I have to add a route ?

    Could you be more explicit ?

    Many thanks in advance


    Laurent