SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to check for echo-reply packets?

     
    Posted 04-05-2019 03:19

    I am trying to investigate some odd behaviour on one of our VDSL connections (SRX320). Via this connection it is not possible to ping (or at least receive the responses from) 8.8.8.8, but I can ping 8.8.4.4. Tracert completes for the latter and not to the former, unsurprisingly. We have no such issues at alternative identically configured sites, so I just can't figure out what is going on.

     

    It has been suggested by someone much wiser than I, that I check for the ICMP echo-reply packets returning from 8.8.8.8. How can this be achieved?



  • 2.  RE: How to check for echo-reply packets?
    Best Answer

     
    Posted 04-05-2019 03:23

    Apply a firewall filter to count packets from 8.8.8.8 and apply it in the input direction on that interface.

     

    Sample config:

     

    set firewall family inet filter Count-ICMP term 1 from destination-address 8.8.8.8/32
    set firewall family inet filter Count-ICMP term 1 from protocol icmp
    set firewall family inet filter Count-ICMP term 1 then count ICMP-OUT
    set firewall family inet filter Count-ICMP term 1 then accept
    set firewall family inet filter Count-ICMP term 2 from source-address 8.8.8.8/32
    set firewall family inet filter Count-ICMP term 2 from protocol icmp
    set firewall family inet filter Count-ICMP term 2 then count ICMP-IN
    set firewall family inet filter Count-ICMP term 2 then accept
    set firewall family inet filter Count-ICMP term 3 then accept

     

     

    Apply this filter in the input and output directions on the corresponding interface:

    set interfaces ge-0/0/0 unit 0 family inet filter input Count-ICMP
    set interfaces ge-0/0/0 unit 0 family inet filter output Count-ICMP

     

    Commit the changes, initiate the ping, and use the counters below to check whether the packets come back to the SRX:

    root@srx> show firewall filter Count-ICMP

    Filter: Count-ICMP
    Counters:
    Name                                                Bytes              Packets
    ICMP-IN                                                 0                    0
    ICMP-OUT                                                0                    0
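
An added example, not part of the original answer: a small Python helper that compares two snapshots of the `show firewall filter Count-ICMP` output, taken before and after a ping run, and reports whether replies from 8.8.8.8 reached the interface. The sample output values, the function names and the verdict labels are assumptions made up for illustration.

```python
import re

# Matches counter rows only: name, bytes, packets. Header lines do not match.
COUNTER_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")

# Constructed sample output (made-up values) in the layout shown in the answer.
SAMPLE = """Filter: Count-ICMP
Counters:
Name                                                Bytes              Packets
ICMP-IN                                        {:>10}           {:>10}
ICMP-OUT                                       {:>10}           {:>10}
"""
BEFORE = SAMPLE.format(0, 0, 0, 0)    # snapshot before the ping
AFTER = SAMPLE.format(0, 0, 420, 5)   # snapshot after five echo requests


def parse_counters(output):
    """Return {counter_name: packet_count} from the command output."""
    return {m.group(1): int(m.group(3))
            for m in map(COUNTER_ROW.match, output.splitlines()) if m}


def diagnose(before, after, out_name="ICMP-OUT", in_name="ICMP-IN"):
    """Return (sent, received, verdict) for the interval between snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    missing = [n for n in (out_name, in_name) if n not in b or n not in a]
    if missing:
        raise ValueError("counter(s) not found: " + ", ".join(missing))
    sent, received = a[out_name] - b[out_name], a[in_name] - b[in_name]
    if sent < 0 or received < 0:
        raise ValueError("counters decreased; were they cleared mid-test?")
    # The filter counts all ICMP to/from the address, not only echo traffic.
    if sent == 0:
        verdict = "nothing-sent"      # pings are not leaving via this interface
    elif received == 0:
        verdict = "no-replies"        # replies never reach this interface
    elif received < sent:
        verdict = "partial-loss"
    else:
        verdict = "replies-arrive"    # if ping still fails, the drop is after the filter
    return sent, received, verdict


if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER))
```

Working from the difference between two snapshots avoids misreading counts left over from an earlier test.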