Hello and thank you in advance for any pointers. We have an SSG-350 pair set up as an NSRP cluster on one VLAN. We just added a standalone SRX1500 on the same VLAN and for some reason the SRX can't ping the SSG. It doesn't return as unreachable though, it's just that it doesn't get the return packet. The SSG also can't ping the IP of the SRX; however, the SRX does appear in the ARP table of the SSG, while the SRX ARP table does not have the SSG. Meanwhile all other devices on the same VLAN can ping both devices.


Hi Peace,


SRX cannot ping SSG <No ARP entry on SRX>
+ Check if ping is enabled on the interface or not <get int <interface name> | i ping>
+ If it is not enabled, then set it with: set interface <interface> manage ping
+ Provide me with the configuration on SRX
+ Check that the switch ports are configured correctly
+ Also check if any other device is able to ping SSG
+ Check for the interface counter errors (in overrun, in misc) if something is increasing on SSG by command (get counter stat)
+ Connect the laptop directly on the interface of SSG and test if you are able to ping to isolate the issue.


SSG cannot ping SRX <ARP entry is present on SSG>

+ Check the configuration on SRX for whether service ping is enabled or not
+ If not, enable ping with the command below and test

# set security zones security-zone <zone name> interfaces <Interface name> host-inbound-traffic system-services ping
+ If this does not work then try to connect the laptop and check if ping works or not
+ You can also apply the traceoptions on the SRX to investigate the issue, following the KB article mentioned below:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16108&actp=search
+ You can also monitor the interface, which will show you the real-time counters:

root> monitor interface <interface name>

+ Try to clear the ARP on SSG and check whether ARP still resolves or not

