SRX Services Gateway

Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.13.18   |  
Wednesday

Hi All,

 

I have an SRX240H2 connected directly to the internet. I have an interface configured for a couple of addresses. I want to be able to reach the internet from this device, from a particular subnet, so I configured that subnet for primary preferred on the interface:

 

ge-7/0/0 {
    unit 0 {
        family inet {
            no-redirects;
            sampling {
                input;
                output;
            }
            address 1.1.1.1/30;
            address 2.2.2.2/29 {
                primary;
                preferred;
            }
            address 2.2.2.3/29;
            address 2.2.2.4/29;
        }
    }
}

When I try to ping 8.8.8.8, I am unable to receive a response:

PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

However, when I ping it from the address configured as primary and preferred it works:

ping 8.8.8.8 source 2.2.2.2
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=61 time=2.272 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=61 time=1.912 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.912/2.092/2.272/0.180 ms

It looks like my "Primary" configuration on the device is not working properly. Am I missing something?

 

Thanks,

 

8 REPLIES

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.13.18   |  
Wednesday

If you don't specify a source, then it will be sourced with the IP on the interface outbound to the Internet. Which interface is that?


Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.13.18   |  
Wednesday

The interface is the one I provided: ge-7/0/0.

I had expected the primary configuration to kick in and, if there is no source specified, then traffic destined to the internet will be using that primary IP address.

It appears that is not happening.


Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.13.18   |  
Wednesday

It should work as you say.

Can you check what address is being used when you don't specify the source argument?

One way to check is to run ping to 8.8.8.8 in one console window and in another run

show security flow session destination-prefix 8.8.8.8/32

Regards, Wojtek


Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.13.18   |  
Wednesday

Hi Wojtek,

 

It appears to be using the 1.1.1.1/30 IP, not my primary address.

 

Thomas


Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.13.18   |  
Wednesday

Session ID: 40431, Policy name: self-traffic-policy/1, State: Active, Timeout: 56, Valid
In: 1.1.1.1/4 --> 8.8.8.8/11024;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/11024 --> 1.1.1.1/4;icmp, If: ge-7/0/0.0, Pkts: 0, Bytes: 0


Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.14.18   |  
Thursday

self-traffic-policy/1

Seems this doesn't have a policy for untrust.
Is this interface bound to any security zone, and does it have a policy?

Because in the flow session it is showing that your traffic is going out from .local..0; instead it should go from ge-7/0/0.0.

Can you please share your secondary (2.2.2.2) flow for 8.8.8.8?

 


Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.14.18   |  
Thursday

I can confirm that the interface ge-7/0/0 is in a security zone, and there are policies in place for the zone.

See the session flow:


Session ID: 11790, Policy name: self-traffic-policy/1, State: Active, Timeout: 2, Valid
  In: 2.2.2.2/16 --> 8.8.8.8/12633;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/12633 --> 2.2.2.2/16;icmp, If: ge-7/0/0.0, Pkts: 1, Bytes: 84

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

06.16.18   |  
Saturday

1. Interface is in a security zone and hence the session is built in the first place. So no doubt about zone/policies.

2. As per definition:

An interface's primary address is used by default as the local address for broadcast and multicast packets sourced locally and sent out the interface.

An interface's preferred address is the default local address used for packets sourced by the local router to destinations on the subnet.

3. You are trying to perform a ping, which is unicast, and to a destination IP outside the subnet.

4. We need to check routing to understand the behaviour.

5. Please grab this output from the device: show route

6. Also, one question to be answered: are we only looking for self traffic generated by the SRX towards the internet, or is this just for testing? As in, is this a minor question within a bigger question/problem that you are trying to fix/implement?

 

-Rahul
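As an added example (not from the thread or any of its posters), the script below applies Wojtek's flow-session check and Rahul's primary/preferred definitions to the outputs quoted above: it parses each "show security flow session" block, reports which source address the SRX actually picked and whether any reply packets came back (Out Pkts), and says whether the primary/preferred flags even apply to that destination. The session text and interface addresses are copied from this thread; the regex, the function names and the line layout it assumes are this example's own.

```python
import ipaddress
import re

# Sample input: the two "show security flow session" blocks quoted in this thread.
SESSION_NO_SOURCE = """\
Session ID: 40431, Policy name: self-traffic-policy/1, State: Active, Timeout: 56, Valid
In: 1.1.1.1/4 --> 8.8.8.8/11024;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/11024 --> 1.1.1.1/4;icmp, If: ge-7/0/0.0, Pkts: 0, Bytes: 0
"""
SESSION_WITH_SOURCE = """\
Session ID: 11790, Policy name: self-traffic-policy/1, State: Active, Timeout: 2, Valid
  In: 2.2.2.2/16 --> 8.8.8.8/12633;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/12633 --> 2.2.2.2/16;icmp, If: ge-7/0/0.0, Pkts: 1, Bytes: 84
"""
# Addresses on ge-7/0/0.0 from the original post, with their flags.
IFACE_ADDRS = {
    "1.1.1.1/30": set(),
    "2.2.2.2/29": {"primary", "preferred"},
    "2.2.2.3/29": set(),
    "2.2.2.4/29": set(),
}
# Assumed line layout: "In: src/port --> dst/port;proto, If: name, Pkts: n, ..."
FLOW_RE = re.compile(r"^\s*(In|Out):\s+(\S+?)/\d+\s+-->\s+(\S+?)/\d+;(\w+),\s+If:\s+(\S+),\s+Pkts:\s+(\d+)")


def parse_session(text):
    """Return {'In': {...}, 'Out': {...}} for one flow session block."""
    flows = {}
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d, src, dst, _proto, ifname, pkts = m.groups()
            flows[d] = {"src": src, "dst": dst, "if": ifname, "pkts": int(pkts)}
    return flows


def expected_source(dest, addrs):
    """Primary: locally sourced broadcast/multicast. Preferred: destinations on
    that subnet. None when neither applies (unicast off-subnet, e.g. 8.8.8.8)."""
    dest = ipaddress.ip_address(dest)
    nets = {a: ipaddress.ip_interface(a).network for a in addrs}
    if dest.is_multicast or dest in {n.broadcast_address for n in nets.values()}:
        return next((a for a, f in addrs.items() if "primary" in f), None)
    return next((a for a, f in addrs.items() if dest in nets[a] and "preferred" in f), None)


def diagnose(session_text, addrs):
    """Which source the SRX picked, whether replies arrived, what the flags say."""
    flows = parse_session(session_text)
    return {"source": flows["In"]["src"], "replies": flows["Out"]["pkts"] > 0,
            "flag_selected": expected_source(flows["In"]["dst"], addrs)}
```

For 8.8.8.8 both sessions come back with flag_selected None, which is Rahul's point 3: neither flag covers an off-subnet unicast destination, so the source choice has to be explained by routing.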