Ethernet Switching

Unable ping remote router from a SRX220 with an Accedian layer2 switch

‎09-23-2019 02:13 AM

Hi all.

We planned a bandwidth update, and our ISP installed a new fibre switch (Accedian) which connects to a new router (another Juniper). The IP addresses of the new router are the same, so we shouldn't modify anything from the existing configuration.

 

Now the issue: we are unable to ping the remote router despite a lot of tests using the external interface of our SRX220.

If we connect a laptop to the Accedian switch, everything works fine, and we're able to ping the remote router.

 

After a deep packet inspection, the SRX sends the ARP request for the mac address of the remote router, but there is no answer to it. The answer is present if we connect a laptop, instead.

Even if we 'force' the mac address on the interface (arp XX.XX.XX.XX mac YY:YY:YY:YY:YY:Y) we cannot get an answer.

 

We also opened multiple cases with our ISP and Juniper support, but we're still struggling to understand why.

Any idea?

 

 


Re: Unable ping remote router from a SRX220 with an Accedian layer2 switch

‎09-23-2019 03:19 AM

I assume you have verified that the interface facing the ISP is assigned to a zone and has ping allowed in host inbound traffic.

 

Or is this the same device already working on the previous circuit?

 

Since they are both Juniper, make sure they are not clusters with the same ID, which would generate the same MAC addresses on the device.

And from the packet captures on the working laptop, can you verify what MAC address comes from the ISP SRX, to compare with your own MAC addresses?

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Unable ping remote router from a SRX220 with an Accedian layer2 switch

‎09-23-2019 03:39 AM

Yes: the interfaces are in a security zone, and I think there is no routing configuration error, because if I connect a spare device with the IP address of the ISP router, I can ping using my SRX.

We also have another spare device which faces the same issue.

Now we are using the same ISP, the same configuration and same IP addresses and the only difference is the Layer 2 switch that connects our Juniper with their one (in the working case: a Nokia/Siemens).

 

Non-working configuration:

Juniper (on premise) ----- Accedian (layer 2 switch) ----- Juniper (ISP router)

 

Working (as test) configuration:

Laptop ----- Accedian (layer 2 switch) ----- Juniper (ISP router)

 

Working (as test) configuration (2)*:

Juniper (on premise) ----- HP Switch ----- Juniper (on premise) 

* this configuration is only to test whether routing/configuration works as expected, since it is all on-premise

 

The MAC address retrieved from the laptop is the mac address of the remote router. The ending .105 address is the remote router, while the .107 is the Laptop (in this case) or the 'WAN' interface of the Juniper on-premise.

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       Dell_a4:19:d9         Broadcast             ARP      42     Who has XXX.XXX.XXX.105? Tell XXX.XXX.XXX.107

Frame 1: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Ethernet II, Src: Dell_a4:19:d9 (18:03:73:a4:19:d9), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
      2 0.002308       JuniperN_b7:5f:f0     Dell_a4:19:d9         ARP      56     XXX.XXX.XXX.105 is at 28:c0:da:b7:5f:f0

Frame 2: 56 bytes on wire (448 bits), 56 bytes captured (448 bits) on interface 0
Ethernet II, Src: JuniperN_b7:5f:f0 (28:c0:da:b7:5f:f0), Dst: Dell_a4:19:d9 (18:03:73:a4:19:d9)
Address Resolution Protocol (reply)

No.     Time           Source                Destination           Protocol Length Info
      3 0.014901       Dell_a4:19:d9         Broadcast             ARP      42     Who has XXX.XXX.XXX.105? Tell XXX.XXX.XXX.107

Frame 3: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Ethernet II, Src: Dell_a4:19:d9 (18:03:73:a4:19:d9), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
      4 0.017226       JuniperN_b7:5f:f0     Dell_a4:19:d9         ARP      56     XXX.XXX.XXX.105 is at 28:c0:da:b7:5f:f0

Frame 4: 56 bytes on wire (448 bits), 56 bytes captured (448 bits) on interface 0
Ethernet II, Src: JuniperN_b7:5f:f0 (28:c0:da:b7:5f:f0), Dst: Dell_a4:19:d9 (18:03:73:a4:19:d9)
Address Resolution Protocol (reply)

Thanks.

Re: Unable ping remote router from a SRX220 with an Accedian layer2 switch

‎09-24-2019 01:25 AM

By the way: this is what I see from the Juniper (on premise) interface, with no answer

 

10:20:35.058592 bpf_flags 0x80, Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35584
Logical Interface Index Extension TLV #4, length 4, value: 99
-----original packet-----
78:19:f7:a6:b0:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has XXX.XXX.XXX.105 (remote router) tell XXX.XXX.XXX.106 (local interface)
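
As an added illustration (not part of the original posts), this Python sketch pairs ARP requests with replies in `tcpdump -e` style text, so the comparison made in this thread (laptop answered, SRX unanswered) can be read off a capture. The sample lines are constructed from the MAC addresses shown above, 192.0.2.x stands in for the redacted addresses, and the `arp reply ... is-at` line format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the captures in the thread (not real capture data).
# 192.0.2.x replaces the redacted XXX.XXX.XXX.x addresses.
SAMPLE = """\
18:03:73:a4:19:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.0.2.105 tell 192.0.2.107
28:c0:da:b7:5f:f0 > 18:03:73:a4:19:d9, ethertype ARP (0x0806), length 56: arp reply 192.0.2.105 is-at 28:c0:da:b7:5f:f0
78:19:f7:a6:b0:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.0.2.105 tell 192.0.2.106
78:19:f7:a6:b0:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.0.2.105 tell 192.0.2.106
""".splitlines()

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IP = r"\d+(?:\.\d+){3}"
FRAME = re.compile(rf"({MAC}) > ({MAC}),", re.I)
REQUEST = re.compile(rf"who-has ({IP}) tell ({IP})", re.I)
REPLY = re.compile(rf"({IP}) is-at ({MAC})", re.I)

def arp_summary(lines):
    """Count requests and matching replies per (requester MAC, requester IP, target IP)."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "answer_mac": None})
    for line in lines:
        frame = FRAME.search(line)
        if not frame:
            continue  # not a link-level line (e.g. Juniper PCAP TLV header lines)
        src, dst = frame.group(1).lower(), frame.group(2).lower()
        req = REQUEST.search(line)
        if req:
            target_ip, sender_ip = req.groups()
            stats[(src, sender_ip, target_ip)]["requests"] += 1
            continue
        rep = REPLY.search(line)
        if rep:
            answered_ip, mac = rep.group(1), rep.group(2).lower()
            # A unicast reply belongs to the requester whose MAC it is addressed to.
            for (req_mac, _ip, target_ip), entry in stats.items():
                if req_mac == dst and target_ip == answered_ip:
                    entry["replies"] += 1
                    entry["answer_mac"] = mac
    return dict(stats)

def unanswered(stats):
    """Requesters that asked at least once and never received a reply."""
    return sorted(k for k, v in stats.items() if v["requests"] and not v["replies"])

if __name__ == "__main__":
    for mac, ip, target in unanswered(arp_summary(SAMPLE)):
        print(f"{ip} ({mac}) got no ARP reply for {target}")
```

Run against a capture taken on the switch side, the same summary shows whether a reply is being sent at all or lost on the way back.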

 

 


Re: Unable ping remote router from a SRX220 with an Accedian layer2 switch

‎09-25-2019 03:33 AM

Odd issue. I notice you are testing the laptop on 107 and have 106 configured on the SRX. Can you test reversing these?

I'm wondering if something else has the 106 address and that is why you don't see the response.

 

I'm sure you verified the masks already too with the provider to be sure they match on all three devices.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Unable ping remote router from a SRX220 with an Accedian layer2 switch

‎09-25-2019 04:06 AM

Very odd :(

The IP addresses are correct: I tested both .106 and .107 to 110 (.111 is the broadcast).

The only difference is the encapsulation. See the attached image: on the left the Laptop, on the right the Juniper

In the Juniper packet, I also notice a Juniper/Ethernet extension in the request which contains a 'Magic Number' (not depicted here).

Thanks.

 


Re: Unable ping remote router from a SRX220 with an Accedian layer2 switch

‎09-26-2019 05:17 AM

I don't think the encapsulation is the issue, but I am at a loss to see an obvious solution on your side.

 

Any chance the ISP would do a joint session to observe the ARP requests on the local switch during a troubleshooting session from the SRX on site?

And verify the request is flooded to the MX upstream.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home