SRX Services Gateway
Highlighted
SRX Services Gateway

Cant figure out policy dropping traffic

‎10-01-2016 10:57 AM

Hi,

 

I havea system setup as follows:

 

Juniper SRX ge-0/0/0 attached to cellular provider on private APN

2 cellular routers (default route from provider is to the srx)

gre tunnel between each cellular router and the SRX

 

routes setup so management of each cellular router does not go through gre tunnel

 

management, gre tunnel have their own zones

 

I wanted to allow management traffic between the two cell modems so I created zone policy allowing traffic from management zone to management zone however this does not work.  To experiment I turned default policy to permit all and it works fine.

 

To troubleshoot I am trying to ping from cell modem to cell modem.  I am not seeing the ping when monitoring traffic on ge-0/0/0 either when the policy is set to permit or to deny (even though it works when default policy is permit)

 

 

 

Hopefully someone can point me to something that can help me troubleshoot.  I am sure its a simple thing somewhere.

1 REPLY 1
Highlighted
SRX Services Gateway

Re: Cant figure out policy dropping traffic

‎10-02-2016 05:28 PM

Sorry, I'm have trouble picturing the topology.

 

So the key here is to understand:

Ingress interface where the ping comes in from the cell modem  (this interface is assigned to the source zone)

egress interface where the ping leaves for the other modem (this interface is assigned to the destination zone)

 

This sounds like the interfaces where the packets ingress and egress are not both in the management zone.  Check the route table to confirm the egress interface.

 

Check the zone configuration to confirm where the interface is assigned.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Feedback