Ethernet Switching

Not able to ping outside from EX

2 weeks ago

Hi all,

Users connected to the EX switches in the VC are able to access the internet. No problem...

Topology is:

200 users ----------> EX4200 in VC -----ae3.0---------> Palo Alto F/W -----> internet

 

But the VC itself is not able to ping 8.8.8.8, 8.8.4.4 or 13.225.146.9:

> ping 8.8.8.8 source 172.20.184.54

The IP address 172.20.184.54 sits on the VC as the L3 interface for VLAN 15.

 

There is only a default route on the VC towards the Palo Alto. When checking routing:

> show route forwarding-table destination 8.8.8.8

Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default user 1 0:bb:14:2:2:31 ucst 1377 4 vlan.15
default perm 0 rjct 36 2

 
> show ethernet-switching table | match 02:31
VLAN-INTERNAL 0:bb:14:2:2:31 Learn 0 ae3.0

 

And ae3.0 has 2 physical member links that are directly connected to the Palo Alto...

While the ping to 8.8.8.8 is running, monitor traffic shows the following:

17:07:20.437298 Out IP 172.20.184.54 > 8.8.8.8: ICMP echo request, id 19784, seq 7, length 64
17:07:21.439282 Out IP 172.20.184.54 > 8.8.8.8: ICMP echo request, id 19784, seq 8, length 64
17:07:22.440235 Out IP 172.20.184.54 > 8.8.8.8: ICMP echo request, id 19784, seq 9, length 64
17:07:23.441234 Out IP 172.20.184.54 > 8.8.8.8: ICMP echo request, id 19784, seq 10, length 64

.....

So as you can see there is no traffic coming back to the VC. The same behaviour occurs when doing ssh to 8.8.8.8 on port 443.

What could the reason(s) be? And I have no rights to access or manage the Palo Alto...

What further troubleshooting should be done to investigate?

 

thx

A
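The one-way pattern in the monitor traffic output above can be checked mechanically rather than by eye. This is an added example, not code from the thread or from Junos: it parses monitor traffic lines of the format pasted above, pairs each ICMP echo request with a reply by swapped addresses plus matching id and seq, and lists the sequence numbers that never got an answer. The capture lines are constructed for the example, with one reply added so the pairing is visible.

```python
import re
from collections import defaultdict

# Constructed sample of Junos "monitor traffic" output (not the poster's full
# capture): four echo requests leave the VC and only seq 8 gets a reply back.
SAMPLE_CAPTURE = """\
17:07:20.437298 Out IP 172.20.184.54 > 8.8.8.8: ICMP echo request, id 19784, seq 7, length 64
17:07:21.439282 Out IP 172.20.184.54 > 8.8.8.8: ICMP echo request, id 19784, seq 8, length 64
17:07:21.451002 In IP 8.8.8.8 > 172.20.184.54: ICMP echo reply, id 19784, seq 8, length 64
17:07:22.440235 Out IP 172.20.184.54 > 8.8.8.8: ICMP echo request, id 19784, seq 9, length 64
17:07:23.441234 Out IP 172.20.184.54 > 8.8.8.8: ICMP echo request, id 19784, seq 10, length 64
"""

# One monitor traffic line: timestamp, direction, src > dst, echo kind, id, seq.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id (?P<id>\d+),\s+seq (?P<seq>\d+)"
)

def parse_icmp_lines(text):
    """Yield one dict per ICMP echo line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            yield d

def unanswered_requests(text):
    """Return {(src, dst, id): [seq, ...]} for echo requests with no reply.
    A reply matches a request when src/dst are swapped and id/seq are equal."""
    requests = defaultdict(list)
    replies = set()
    for p in parse_icmp_lines(text):
        if p["kind"] == "request":
            requests[(p["src"], p["dst"], p["id"])].append(p["seq"])
        else:
            # Store the reply keyed the way the matching request is keyed.
            replies.add((p["dst"], p["src"], p["id"], p["seq"]))
    return {
        key: [s for s in seqs if key + (s,) not in replies]
        for key, seqs in requests.items()
    }

if __name__ == "__main__":
    for (src, dst, ident), seqs in unanswered_requests(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst} id {ident}: no reply for seq {seqs}")
```

Feed it the real `monitor traffic interface vlan.15` output and an all-unanswered result for a given id confirms the switch never sees return traffic, which separates a missing reverse route or a silent firewall drop from a reply that arrives but is discarded locally.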

Re: Not able to ping outside from EX

2 weeks ago

It looks like the issue is with the Palo Alto.

 

Try traceroute or traceroute monitor to check whether the packet is reaching the Palo Alto.

 

traceroute 8.8.8.8

traceroute monitor 8.8.8.8

 

The Palo Alto should have a route to send the reply back to Juniper.

Re: Not able to ping outside from EX

2 weeks ago

Hello,

 


@Arix wrote:

Hi all,

Users connected to the EX switches in the VC are able to access the internet. No problem...

Good

 


@Arix wrote:

But the VC itself is not able to ping 8.8.8.8, 8.8.4.4 or 13.225.146.9:

> ping 8.8.8.8 source 172.20.184.54

You are using a private IP as the source IP for Your ping. Please make sure Your PANW firewall has an SFW rule (to allow this address) and a NAT rule (to translate this address) in place in order for Your pings to succeed.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Re: Not able to ping outside from EX

2 weeks ago

Most likely the return traffic doesn't know how to reach 172.20.184.54.


Mengzhe Hu
JNCIE x 3 (SP DC ENT)
Re: Not able to ping outside from EX

2 weeks ago

Thanks for the replies...

 

Most likely the return traffic doesn't know how to reach 172.20.184.54, but then how are the 200 users able to access the internet?

Re: Not able to ping outside from EX

2 weeks ago

Hello,

 


@Arix wrote:

Thanks for the replies...

Most likely the return traffic doesn't know how to reach 172.20.184.54, but then how are the 200 users able to access the internet?

Do the users belong to the same subnet, 172.20.184.x/<whatever mask>?

Please try to ping using "source-address <user's DGW IP from the 172.20.184.x subnet>" and You'll get a better picture.

But please check the PANW FW rules as well in the meantime.

HTH

Thx

Alex

 

Re: Not able to ping outside from EX

a week ago

Hi,

 

I've just tried it.... No, it is not working with the g/w address of the users either...

> ping 8.8.8.8 source <g/w addr of users> -----> unfortunately the same thing happens, as I said before.....

 

Doesn't it give a response to the ICMP sender when a policy is denying ICMP traffic on the Palo Alto, like Junos does by sending back an RST flag when a security policy denies the traffic? But in my case, the return traffic of ICMP is not coming back...

 

Any further ideas before jumping to the Palo Alto device?

Re: Not able to ping outside from EX

a week ago

A couple of things need to be answered before concluding why it works for the users and not for the switch IP:

1. Do the users reside in the same VLAN, 172.20.184.x/x, from where you are initiating the ping?
2. Do you have a permit policy on the FW to allow traffic from 172.20.184.54 to 8.8.8.8 with the application being ICMP and the other desired TCP ports?
3. Do you see the session being formed on the FW when initiating the ping?
4. Do you see source NAT being performed on the session initiated from 172.20.184.54?
5. Do you have a reverse route available on the FW to reach 172.20.184.54?

*************************************
HTH.
Accept this as solution if it resolved your issue.
Kudos would be appreciated too.