I have a bit of a strange problem going on and I've been trying to find a solution for a while now.
Basically, I have an L3VPN which connects 9 customer sites. Previously the 8 sites, which are running Mikrotik routers, have BGP sessions for 'vpn4' (inet-vpn) back to two MX104s which are acting as route reflectors. MPLS and LDP are up and running over OSPF. The sites can communicate between each other without issue.
The customer also has a rack in the same DC as us and we therefore added the VRF to one of the MX104s so that we can give them connectivity to the rest of their LAN from the DC. Again this worked absolutely fine.
Last week the customer opened a new site and we installed connectivity, but this time we installed a pair of SRX340s which basically had all of the security configuration in them stripped away so that they are just L3 switches.
Now here comes the issue. The SRXs can communicate with all of the other sites on the network, except the customer's kit in the DC which is inside the VRF on the MX104.
Routes to the subnets at the site and the DC are all present and it appears as though the MPLS routes are there and the bgp.l3vpn routes are also there.
I've tried with and without vrf-table-label set, but this doesn't seem to make any difference.
I've attached a network diagram which shows what the route looks like to get to the SRXs. Some of the other sites are omitted.
With this issue, for example, I can ping from 10.224.224.254 which is a gateway on R1 to both 10.100.10.1 and 10.19.32.1, but 10.19.32.1 cannot ping 10.100.10.1.
There are no firewall filters running on any of the ports on any of the routers which may block traffic between the routers.
Setting up a different VRF on the DC and SRX results in the same issue.
Has anyone else ever come across anything like this?
As far as I understand, you tried to ping the destination with 10.19.32.1 as source, which is the VIP address. Did you set the accept-data knob within the VRRP configuration (because otherwise the router won't accept packets for the VIP and will only forward transit packets)? Did you try to ping with 10.19.32.2 as source?