ScreenOS Firewalls (NOT SRX)
Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Two ports... two networks... won't route

The 10.18.76.10 host is not sending any replies to the ping requests, or at least the firewall isn't seeing them.

Look at every section that starts with "****** xxxxxx.0: <Trust/bgroup0> packet received [60]******".

Packet is always from 10.20.1.51 to 10.18.76.10. No packets come in from 10.18.76.10 to 10.20.1.51.

I would start by troubleshooting connectivity from the 10.18.76.10 host. Does it have a local host firewall enabled? Can it reach other parts of the network and/or the internet?

If all that checks out, you can run a packet capture on the host itself and see if it's properly receiving the ping request and sending a reply out onto the wire.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
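Added example (Python; not from keithr's post or from Juniper): a small parser that applies the check described above to saved ScreenOS debug flow output, splitting it at each "packet received" header, reading the src->dst flow line of each section, and reporting whether any packet from the server back to the client was ever seen by the firewall. The sample output and the exact layout of the flow line are constructed approximations, not captured from the thread.

```python
import re
from collections import Counter

# Constructed sample of ScreenOS "debug flow basic" output (not taken from the thread).
# Both packets go 10.20.1.51 -> 10.18.76.10 and nothing comes back, which is the
# pattern described in the post. The flow-line layout is an approximation of ScreenOS's.
SAMPLE_DEBUG_FLOW = """\
****** 1234.0: <Trust/bgroup0> packet received [60]******
  ipid = 31496(7b08), @0ab49b04
  packet passed sanity check.
  flow_decap_vector IPv4 process
  bgroup0:10.20.1.51/1024->10.18.76.10/1024,1(8/0)<Root>
  chose interface bgroup0 as incoming nat if.
****** 1235.0: <Trust/bgroup0> packet received [60]******
  ipid = 31497(7b09), @0ab49b04
  packet passed sanity check.
  bgroup0:10.20.1.51/1024->10.18.76.10/1024,1(8/0)<Root>
"""

# One "packet received" header per packet the firewall saw; group(2) is zone/interface.
SECTION_RE = re.compile(r"^\*{6} (\S+): <([^>]+)> packet received \[(\d+)\]\*{6}$", re.M)
# The flow line: <interface>:<src>/<sport>-><dst>/<dport>,<proto>...
FLOW_RE = re.compile(r"^\s*\S+:(\d+\.\d+\.\d+\.\d+)/\d+->(\d+\.\d+\.\d+\.\d+)/\d+,(\d+)", re.M)


def parse_flows(text):
    """Yield (ingress_if, src, dst, proto) for each 'packet received' section."""
    headers = list(SECTION_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        m = FLOW_RE.search(text, h.end(), end)  # first flow line inside this section
        if m:
            yield h.group(2), m.group(1), m.group(2), int(m.group(3))


def direction_counts(text):
    """Count packets seen per (src, dst) pair, ignoring port and protocol."""
    return Counter((src, dst) for _, src, dst, _ in parse_flows(text))


def missing_replies(text, client, server):
    """True when client->server packets were seen but nothing came back server->client,
    i.e. the replies are lost somewhere before they reach the firewall."""
    counts = direction_counts(text)
    return counts[(client, server)] > 0 and counts[(server, client)] == 0


if __name__ == "__main__":
    for pair, n in direction_counts(SAMPLE_DEBUG_FLOW).items():
        print(f"{pair[0]} -> {pair[1]}: {n} packet(s)")
    print("replies missing:", missing_replies(SAMPLE_DEBUG_FLOW, "10.20.1.51", "10.18.76.10"))
```

Feed it the output of `debug flow basic` saved from `get dbuf stream` to see at a glance which direction is absent before moving on to a capture on the host.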
Hal
Visitor
Posts: 7
Registered: 04-27-2011

Re: Two ports... two networks... won't route

When I ping .10 from the SSG20 itself, the server replies to the ping.

ssg20-> ping 10.18.76.10
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 10.18.76.10, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/4 ms
ssg20->

I don't think the problem is on the 10.18.76.10 server.

I think the request from the 10.20.1.x network never gets forwarded to 10.18.76.10.

Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Two ports... two networks... won't route

The ping from the firewall is going to be sourced from the firewall's interface, which is on the same subnet as the host.

Most default rules for host firewalls allow pings/traffic from the local subnet, but not from other subnets.

Furthermore, something as simple as a bad default gateway or subnet mask configuration could cause similar problems. The firewall pinging the host happens at layer 2. The other host pinging the target host requires layer 3.

I've given some suggestions to help you track down the issue...

-kr

Hal
Visitor
Posts: 7
Registered: 04-27-2011

Re: Two ports... two networks... won't route

I have logged into the server at .10 and confirmed it can reach the internet just fine. The Default Gateway is correct. Subnet mask is correct. Firewall is disabled.

Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Two ports... two networks... won't route

Best I can suggest at this point is to capture traffic at the 10.18 host, and compare it to what you see using debug flow and also try "snoop" on the firewall.

The replies are getting lost somewhere... just have to find out where/why.

Debug Flow and Snoop

-kr

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.