SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  reth don't pass traffic

    Posted 06-16-2013 10:59

    Hi,

    Please, I need help. I spent all day trying to fix this, but I still don't understand where the problem is.

    Well, I configured 2 SRX 650 in a cluster with 2 redundancy groups.

    When I add two reths (reth0, reth1) to redundancy group 1, all seems to work fine, but when I try to add another reth interface (reth2) to the redundancy group, the traffic doesn't seem to pass through.

    I can't ping the interface (reth2), or the first interface either.

    I tried to play with the weight (255 for each interface) and (100.100.50 for each interface).

    Please tell me where the problem is; I have to fix this tomorrow.



  • 2.  RE: reth don't pass traffic

    Posted 06-17-2013 00:46

    Here is my configuration file, please, I need help.

    Attachment(s)

    docx
    configuration(2).docx   14 KB 1 version


  • 3.  RE: reth don't pass traffic

    Posted 06-17-2013 04:16
    Hi Sarah,

    What I think is,

    Probably, as soon as your third interface is up, srx-primary & srx-secondary change their roles, since the interface monitor threshold reaches 255.

    You need to verify that all reths (0,1,2) are well connected to their corresponding networks (trust, untrust, test). I think there is some connectivity problem. Therefore, as soon as the role changes, the chassis get disconnected.

    There is also an unused reth3 (delete it, though it has no effect).

    Regards


  • 4.  RE: reth don't pass traffic

    Posted 06-17-2013 04:30

    I tried to monitor just the connected interface, and it didn't work.

    I have this version of Junos, 1.2R4.3; right now I am trying to upload the recommended version, 11.4R7.5.

    Maybe it can solve the problem, unless the configuration is good.



  • 5.  RE: reth don't pass traffic

    Posted 06-17-2013 04:50

    You can try an upgrade; however, I don't think this is related to any bug.

    It would be better if you:

    1. Turn off the secondary firewall and then check whether you can ping all reths.

    2. Are you pinging the reth directly (through some laptop) or through policy? Be sure you just have trust-to-untrust and test-to-untrust.

    3. Turn on the secondary firewall, if you are able to resolve the issue.

    Wish you get out of this soon.

    Regards



  • 6.  RE: reth don't pass traffic

    Posted 06-17-2013 11:15

    Thanks for your help, but when I upgraded to the recommended version of Junos, it works,

    and I think that was a bug in the version.

    I configured all the reths needed and I affected them into zones; I also configured NAT, route and security policy,

    but now I can't ping outside, even the default route.

    I checked NAT and route but it doesn't work.

    Here is the configuration:

    I appreciate your help.

    Attachment(s)

    docx
    conf.docx   14 KB 1 version


  • 7.  RE: reth don't pass traffic

    Posted 06-17-2013 11:55

    That's what I got when I started monitoring traffic:

    root@srx-sgsia> <14>1 2013-06-17T17:13:42.318+01:00 srx-sgsia RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.40 reason="unset" source-address="192.168.100.20" source-port="786" destination-address="196.41.226.137" destination-port="1" service-name="icmp" nat-source-address="196.41.226.138" nat-source-port="56444" nat-destination-address="196.41.226.137" nat-destination-port="1" src-nat-rule-name="rule" dst-nat-rule-name="None" protocol-id="1" policy-name="internet-access" source-zone-name="trust" destination-zone-name="untrust" session-id-32="11260" packets-from-client="1" bytes-from-client="60" packets-from-server="0" bytes-from-server="0" elapsed-time="58" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0"] session closed unset: 192.168.100.20/786->196.41.226.137/1 icmp 196.41.226.138/56444->196.41.226.137/1 rule None 1 internet-access trust untrust 11260 1(60) 0(0) 58 UNKNOWN UNKNOWN N/A(N/A) reth0.0

    show route


    0.0.0.0/0          *[Static/5] 00:00:13
                        > to 196.41.226.137 via reth1.0
    10.0.2.254/32      *[Local/0] 00:02:09
                          Reject
    10.0.255.253/32    *[Local/0] 00:02:09
                          Reject
    10.10.0.254/32     *[Local/0] 00:02:09
                          Reject
    10.10.10.0/24      *[Direct/0] 00:02:09
                        > via fxp0.0
    10.10.10.1/32      *[Local/0] 00:02:09
                          Local via fxp0.0
    192.168.0.254/32   *[Local/0] 00:02:09
                          Reject
    192.168.3.1/32     *[Local/0] 00:01:35
                          Reject
    192.168.100.254/32 *[Local/0] 00:02:09
                          Reject
    196.41.226.136/29  *[Direct/0] 00:00:13
                        > via reth1.0
    196.41.226.138/32  *[Local/0] 00:02:09
                          Local via reth1.0
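
Added example, not part of the original thread: Python that parses the structured-data fields of the RT_FLOW_SESSION_CLOSE record posted above and condenses what it records about policy, source NAT and return traffic. The helper names `parse_flow_close` and `summarise` are hypothetical, and the sample is the posted record trimmed to the fields used.

```python
import re

# The RT_FLOW_SESSION_CLOSE record from the post above, trimmed to the fields
# used here (extraction spacing repaired, trailing free text dropped).
SAMPLE = (
    '<14>1 2013-06-17T17:13:42.318+01:00 srx-sgsia RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.40 reason="unset" source-address="192.168.100.20" '
    'destination-address="196.41.226.137" service-name="icmp" '
    'nat-source-address="196.41.226.138" src-nat-rule-name="rule" '
    'policy-name="internet-access" source-zone-name="trust" '
    'destination-zone-name="untrust" packets-from-client="1" '
    'packets-from-server="0" elapsed-time="58" packet-incoming-interface="reth0.0"]'
)

# RFC 5424 structured data: [SD-ID name="value" ...]; '"', '\' and ']' are
# backslash-escaped inside values.
SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?:\s+[\w.-]+="(?:[^"\\]|\\.)*")*)\s*\]')
SD_PARAM = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')

def parse_flow_close(line):
    """Return the structured-data fields of a session-close record, else None."""
    if "RT_FLOW_SESSION_CLOSE" not in line:
        return None
    m = SD_ELEMENT.search(line)
    if m is None:
        return None
    return {k: re.sub(r'\\(["\\\]])', r'\1', v)
            for k, v in SD_PARAM.findall(m.group("params"))}

def summarise(fields):
    """Condense what the record says about policy, source NAT and return traffic."""
    sent = int(fields.get("packets-from-client", 0))
    received = int(fields.get("packets-from-server", 0))
    return {
        "policy": fields.get("policy-name"),
        "zones": (fields.get("source-zone-name"), fields.get("destination-zone-name")),
        "source_nat": fields.get("src-nat-rule-name", "None") not in ("None", "N/A"),
        "translated_to": fields.get("nat-source-address"),
        # Packets left the client but nothing came back before the session closed.
        "one_way": sent > 0 and received == 0,
        "close_reason": fields.get("reason"),
    }

if __name__ == "__main__":
    print(summarise(parse_flow_close(SAMPLE)))
```

For the posted record this reports a session permitted by policy internet-access from trust to untrust, source-translated to 196.41.226.138, with `one_way` true: one packet from the client was counted and none from the server.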



  • 8.  RE: reth don't pass traffic

    Posted 06-18-2013 04:39

    Can anyone help me fix this?



  • 9.  RE: reth don't pass traffic
    Best Answer

    Posted 06-18-2013 04:43

    Hello there,

    Please turn off Windows Firewall and Antivirus on your host 196.41.226.137, try again and report back.

    HTH

    Thanks

    Alex



  • 10.  RE: reth don't pass traffic

    Posted 06-18-2013 05:17

    I did it, but it doesn't work.

    I did a test with the router, which I connected directly to the interface, but the ping doesn't pass.

    I don't understand, it has no relation with host-junos and self traffic policy.



  • 11.  RE: reth don't pass traffic

    Posted 06-18-2013 05:18

    And the problem is that I can ping the trust and the other zone; it's just the untrust interface.

    It's weird.



  • 12.  RE: reth don't pass traffic

    Posted 06-18-2013 07:23

    The firewall and antivirus are already disabled; the problem is not fixed.