We're in the process of configuring a new SRX 340 but have hit an issue whereby we can connect to an irb interface via a VLAN access port on the SRX, and it works for a few minutes (i.e. we can get internet) and then we get cut off. Cannot figure out why. It seems to allow us to ping the irb interface and we can also ping external IP addresses; however, we cannot connect to websites, get DNS resolution, etc.
We've been using irb.3 as a test interface (no filters applied - we thought these were the issue at first) via access ports configured on ge-0/0/1.0 and ge-0/0/2.0.
ge-0/0/0 is connected to our internal network whilst we test, hence its private IP address.
I notice everything here has private addressing on it, and the symptoms (ping working but full layer 3 conversations not) tend to happen when there are multiple paths available to the traffic and a second firewall is involved.
Is your outbound test path clean and no possible asymmetrical routing?
Steve Puluka BSEET - Juniper Ambassador Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
I'm not aware of anything that would cause an issue.
The test laptop itself only has a single NIC connected directly into the Juniper.
The SRX is sitting behind a second firewall, so effectively we are double NATing to get to the internet. We tried changing IPs on the Juniper, which didn't help. Interestingly, we haven't tested if we can connect to services which are internal to the second firewall and hence only have to go through the Juniper - I will look at this on Monday.
Additionally, I would suggest checking the upstream firewall for any errors/clues as to why the sessions are not working. It may have, e.g., a default setting limiting the number of sessions per user, which could cause your grief.
We've done quite a bit of testing today and it looks like the problem was caused by having the traffic come through the upstream firewall. We were able to connect to addresses on the WAN side of the Juniper even though we couldn't connect past the second firewall. We've moved the Juniper so that it's directly on the back of the router provided by our ISP and changed its IP to a public-facing one. In this configuration we no longer get the issue.
Thanks for your help it certainly pointed us in the right direction.