SRX Services Gateway

How to check for echo-reply packets?

‎04-05-2019 03:18 AM

I am trying to investigate some odd behaviour on one of our VDSL connections (SRX320). Via this connection it is not possible to ping (or at least receive the responses from) 8.8.8.8, but I can ping 8.8.4.4. Tracert completes for the latter and not for the former, unsurprisingly. We have no such issues at alternative identically configured sites, so I just can't figure out what is going on.

It has been suggested by someone much wiser than I that I check for the ICMP echo-reply packets returning from 8.8.8.8. How can this be achieved?

Solution
Accepted by topic author EMTSU
‎04-05-2019 05:43 AM

Re: How to check for echo-reply packets?

‎04-05-2019 03:23 AM

Apply a firewall filter to count packets from 8.8.8.8 and apply it in the input direction on that interface.

Sample config:

set firewall family inet filter Count-ICMP term 1 from destination-address 8.8.8.8/32
set firewall family inet filter Count-ICMP term 1 from protocol icmp
set firewall family inet filter Count-ICMP term 1 then count ICMP-OUT
set firewall family inet filter Count-ICMP term 1 then accept
set firewall family inet filter Count-ICMP term 2 from source-address 8.8.8.8/32
set firewall family inet filter Count-ICMP term 2 from protocol icmp
set firewall family inet filter Count-ICMP term 2 then count ICMP-IN
set firewall family inet filter Count-ICMP term 2 then accept
set firewall family inet filter Count-ICMP term 3 then accept

Apply this filter in the input and output directions on the corresponding interface:

set interfaces ge-0/0/0 unit 0 family inet filter input Count-ICMP
set interfaces ge-0/0/0 unit 0 family inet filter output Count-ICMP

Commit the changes, initiate the ping, and use the counters below to check whether the packets come back to the SRX:

root@srx> show firewall filter Count-ICMP

Filter: Count-ICMP
Counters:
Name                                                Bytes              Packets
ICMP-IN                                                 0                    0
ICMP-OUT                                                0                    0

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
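
An added example, not part of the original reply: because the filter counters are cumulative, the useful number is the change in ICMP-OUT and ICMP-IN across the ping, so this script parses two captures of `show firewall filter Count-ICMP` and compares them. The sample output is constructed, and the function names and the wording of the three outcomes are assumptions made for illustration.

```python
import re

# Constructed sample output in the format shown in the reply above:
# one snapshot taken before the ping and one after sending 5 echo requests.
BEFORE = """\
Filter: Count-ICMP
Counters:
Name                                                Bytes              Packets
ICMP-IN                                                 0                    0
ICMP-OUT                                                0                    0
"""
AFTER = """\
Filter: Count-ICMP
Counters:
Name                                                Bytes              Packets
ICMP-IN                                                 0                    0
ICMP-OUT                                              420                    5
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")  # name, bytes, packets

def parse_counters(text):
    """Return {counter_name: (bytes, packets)} from 'show firewall filter' output."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and title lines carry no numeric columns and are skipped
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters

def packet_delta(before, after, name):
    """Packets counted under `name` between two snapshots (counters are cumulative)."""
    b, a = parse_counters(before), parse_counters(after)
    if name not in b or name not in a:
        raise KeyError(f"counter {name!r} missing from output")
    return a[name][1] - b[name][1]

def diagnose(before, after):
    """Hypothetical helper: turn the two counter deltas into a next step."""
    out = packet_delta(before, after, "ICMP-OUT")
    inn = packet_delta(before, after, "ICMP-IN")
    if out == 0:
        return "no ICMP to 8.8.8.8 left via this interface; check routing and where the filter is applied"
    if inn == 0:
        return f"{out} sent, 0 returned: replies are not reaching the SRX on this interface"
    return f"{out} sent, {inn} returned: ICMP from 8.8.8.8 reaches the SRX; look at what happens after the filter"

if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER))
```

Term 2 of the filter counts every ICMP packet sourced from 8.8.8.8, not only echo replies, so a non-zero ICMP-IN delta shows that ICMP is returning but not which type.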