SRX Services Gateway

Ping and ssh does not work on public interface even after enabling ping

12-08-2015 10:15 PM

Any idea why ping does not work on the public-facing interface? There are two public-facing interfaces, x and y; both are enabled to accept ping and ssh. However, I am only able to ping one interface, x. The other was pinging before; I have been seeing this issue since the VPN got enabled. Does this have any effect?

I also cannot ssh into the second interface (y); ssh is enabled.

Re: Ping and ssh does not work on public interface even after enabling ping

12-08-2015 10:54 PM

Are these 2 interfaces in the same zone, and is there a policy allowing traffic between them? This is needed as traffic may not come through the actual interface assigned with the IP.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Re: Ping and ssh does not work on public interface even after enabling ping

12-08-2015 10:57 PM

They are in the same zone, "untrust", but there is no security policy for untrust to untrust. Is that needed? I do not have a policy to deny all traffic at the end.

Re: Ping and ssh does not work on public interface even after enabling ping

12-08-2015 10:59 PM

I will place that rule, but I am still wondering how it worked before creating the VPN.

Re: Ping and ssh does not work on public interface even after enabling ping

12-08-2015 11:12 PM

I enabled the untrust-zone to untrust-zone policy, but still no luck.

Re: Ping and ssh does not work on public interface even after enabling ping

12-08-2015 11:55 PM

Can you share the config and the show route output for the source from where you are pinging?
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Re: Ping and ssh does not work on public interface even after enabling ping

12-09-2015 01:24 AM

set interfaces ge-0/0/0 unit 0 family inet address x.x.119.154/30
set interfaces ge-0/0/1 unit 0 family inet address x.x.210.78/30

set security policies from-zone untrust to-zone untrust policy ssh-only match source-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match destination-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ssh
set security policies from-zone untrust to-zone untrust policy ssh-only then permit

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services rpm
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services rpm
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike


inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 6d 16:00:16
> to x.x.119.153 via ge-0/0/0.0
to x.x.210.77 via ge-0/0/1.0
x.x.210.76/30 *[Direct/0] 6d 16:00:16
> via ge-0/0/1.0
x.x.78/32 *[Local/0] 2w5d 07:48:26
Local via ge-0/0/1.0
10.4.0.0/22 *[Static/5] 14:20:15
> via st0.0
10.4.4.0/22 *[Static/5] 14:20:15
> via st0.0
10.4.28.0/24 *[Direct/0] 2w5d 07:38:13
> via vlan.100
10.4.28.1/32 *[Local/0] 2w5d 07:48:46
Local via vlan.100
10.4.30.0/24 *[Direct/0] 2w5d 07:38:13
> via vlan.101
10.4.30.1/32 *[Local/0] 2w5d 07:48:46
Local via vlan.101
x.x119.152/30 *[Direct/0] 2d 23:05:20
> via ge-0/0/0.0
x.x.119.154/32 *[Local/0] 2d 23:05:20
Local via ge-0/0/0.0

ri_L3_video.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 4d 05:24:55
> to x.x.210.77 via ge-0/0/1.0
x.x.210.76/30 *[Direct/0] 4d 05:24:55
> via ge-0/0/1.0
x.x.210.78/32 *[Local/0] 4d 05:24:55
Local via ge-0/0/1.0
10.4.28.0/24 *[Direct/0] 4d 05:24:55
> via vlan.100
10.4.28.1/32 *[Local/0] 4d 05:24:55
Local via vlan.100
10.4.30.0/24 *[Direct/0] 4d 05:24:55
> via vlan.101
x.x30.1/32 *[Local/0] 4d 05:24:55
Local via vlan.101
x.x.119.152/30 *[Direct/0] 2d 23:05:20
> via ge-0/0/0.0
x.x.119.154/32 *[Local/0] 2d 23:05:20
Local via ge-0/0/0.0

ri_comcast_Data.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 2d 23:05:20
> to x.x.119.153 via ge-0/0/0.0
x.x.210.76/30 *[Direct/0] 4d 05:24:55
> via ge-0/0/1.0
x.x.78/32 *[Local/0] 4d 05:24:55
Local via ge-0/0/1.0
10.4.28.0/24 *[Direct/0] 4d 05:24:55
> via vlan.100
10.4.28.1/32 *[Local/0] 4d 05:24:55
Local via vlan.100
10.4.30.0/24 *[Direct/0] 4d 05:24:55
> via vlan.101
10.4.30.1/32 *[Local/0] 4d 05:24:55
Local via vlan.101
x.x.119.152/30 *[Direct/0] 2d 23:05:20
> via ge-0/0/0.0
x.x.x.x.154/32 *[Local/0] 2d 23:05:20
Local via ge-0/0/0.0
Re: Ping and ssh does not work on public interface even after enabling ping

12-09-2015 01:33 AM

PING x.x.210.78 (x.x.210.78): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6

12 packets transmitted, 0 packets received, 100.0% packet loss
Binoys-Mac:~ binoy$ ping  119.154
ping: cannot resolve x.x119.154: Unknown host
Binoys-Mac:~ binoy$ ping x.x.119.154
PING x.x.119.154 (x.x119.154): 56 data bytes
64 bytes from x.x.119.154: icmp_seq=0 ttl=49 time=235.612 ms

^C
--- x.x.119.154 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 235.612/276.502/326.367/33.895 ms

Re: Ping and ssh does not work on public interface even after enabling ping

12-13-2015 10:17 AM

x.x.210.78 seems to be in routing table rl_video

Have you tried adding the routing table to your ping command, as it is needed?

Re: Ping and ssh does not work on public interface even after enabling ping

12-13-2015 10:50 AM

set security policies from-zone untrust to-zone untrust policy ssh-only match source-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match destination-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ssh
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ping
set security policies from-zone untrust to-zone untrust policy ssh-only then permit

Without a look at the config, troubleshooting will be difficult. When pinging, what is the output of "security flow session"? Add junos-ping as indicated above.
Can you ping any other IP address successfully across the VPN?
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: Ping and ssh does not work on public interface even after enabling ping

12-13-2015 07:54 PM

I have two public interfaces on the SRX. One of them I am able to ping and ssh; the other I am not able to ping or ssh. Yes, I can try adding the ping, but I want to understand why ssh is not working.

If you see, there are two interfaces. I am able to ping and ssh the first one, but I cannot ssh the second one. When I tried ssh from the outside public IP (x.x.115.226) to the interface IP x.x.210.78, you can see the flow is on ge-0/0/0, which is the Comcast ISP. SSH and ping to the x.x.119.154 interface is fine.

set interfaces ge-0/0/0 description "Comcast 100Mb"
set interfaces ge-0/0/0 unit 0 family inet address x.x.119.154/30       ## Able to ssh 
set interfaces ge-0/0/1 description "Level3 Video 50mb burst 100mb"
set interfaces ge-0/0/1 unit 0 family inet address x.x.210.78/30             ## cannot ssh or ping 

gw> show security flow session | match 121.244.155.226    
  In: x.x.155.226/51747 --> x.x.119.154/22;tcp, If: ge-0/0/0.0, Pkts: 290, Bytes: 25337
  Out: x.x119.154/22 --> x.x.155.226/51747;tcp, If: .local..0, Pkts: 167, Bytes: 38093
  In: x.x155.226/45119 --> x.x.210.78/22;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104          ## traffic passing via Ge-0/0/0
  Out: x.x.210.78/22 --> x.x155.226/45119;tcp, If: .local..0, Pkts: 2, Bytes: 104
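
A check for the symptom shown in this post (a session to the ge-0/0/1 address entering on ge-0/0/0.0), as an added Python example that is not from the thread or from Juniper: it parses set-style interface config and "show security flow session" output and flags sessions whose ingress interface is not the one that owns the destination address. The sample config and session lines are constructed, with RFC 5737 documentation addresses standing in for the redacted x.x ones.

```python
# Added example (not from the thread): flag SRX flow sessions whose ingress
# interface does not own the destination address, the asymmetry seen above.
import ipaddress
import re

# Constructed stand-in for the thread's "set interfaces ... address x.x.../30" lines,
# with the redacted public addresses replaced by RFC 5737 documentation ranges.
SET_INTERFACES = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.154/30
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.78/30
"""

# Constructed stand-in for the thread's "show security flow session" output.
FLOW_SESSIONS = """\
  In: 203.0.113.226/51747 --> 192.0.2.154/22;tcp, If: ge-0/0/0.0, Pkts: 290, Bytes: 25337
  Out: 192.0.2.154/22 --> 203.0.113.226/51747;tcp, If: .local..0, Pkts: 167, Bytes: 38093
  In: 203.0.113.226/45119 --> 198.51.100.78/22;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 198.51.100.78/22 --> 203.0.113.226/45119;tcp, If: .local..0, Pkts: 2, Bytes: 104
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
IN_WING_RE = re.compile(r"^\s*In:\s+(\S+?)/(\d+)\s+-->\s+(\S+?)/(\d+);(\w+),\s+If:\s+(\S+),")

def parse_interface_addresses(config):
    """Map each 'family inet' address to the logical interface ('ifd.unit') that owns it."""
    owners = {}
    for line in config.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            ifd, unit, prefix = m.groups()
            owners[str(ipaddress.ip_interface(prefix).ip)] = f"{ifd}.{unit}"
    return owners

def parse_in_wings(output):
    """Yield (src, sport, dst, dport, proto, ingress_if) for each session's 'In:' wing."""
    for line in output.splitlines():
        m = IN_WING_RE.match(line)
        if m:
            src, sport, dst, dport, proto, ifl = m.groups()
            yield src, int(sport), dst, int(dport), proto, ifl

def find_misrouted_sessions(config, output):
    """Return sessions addressed to an SRX-owned IP that entered on a different interface."""
    owners = parse_interface_addresses(config)
    hits = []
    for _src, _sport, dst, dport, proto, ifl in parse_in_wings(output):
        expected = owners.get(dst)
        if expected is not None and expected != ifl:
            hits.append({"dst": dst, "dport": dport, "proto": proto,
                         "ingress": ifl, "expected": expected})
    return hits

if __name__ == "__main__":
    for h in find_misrouted_sessions(SET_INTERFACES, FLOW_SESSIONS):
        print(f"{h['proto']}/{h['dport']} to {h['dst']} entered {h['ingress']}, owned by {h['expected']}")
```

Run against real output, a hit means the upstream delivered the packet on an interface other than the one holding that address, which is the question the next reply asks.
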
Re: Ping and ssh does not work on public interface even after enabling ping

12-13-2015 08:04 PM

I have added the ping, but still it's not pinging. I still see ping and ssh entering the first ISP interface ge-0/0/0 instead of ge-0/0/1. Why is the packet entering via ge-0/0/0 instead of ge-0/0/1?

set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services rpm
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services rpm
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

set security policies from-zone untrust to-zone untrust policy ssh-only match source-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match destination-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ssh
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ping

set routing-instances ri_L3_video instance-type forwarding
set routing-instances ri_L3_video routing-options static route 0.0.0.0/0 next-hop x.x.210.77
set routing-instances ri_comcast_Data instance-type forwarding
set routing-instances ri_comcast_Data routing-options static route 0.0.0.0/0 next-hop x.x 119.153
set routing-options static route 0.0.0.0/0 next-hop x.x119.153
set routing-options static route 0.0.0.0/0 next-hop x.x.210.77

set firewall filter outbound-nat term t1 from source-address x.x28.0/24
set firewall filter outbound-nat term t1 from destination-address x.x152.0/22
set firewall filter outbound-nat term t1 then routing-instance ri_L3_video
set firewall filter outbound-nat term default then routing-instance ri_comcast_Data

Re: Ping and ssh does not work on public interface even after enabling ping

12-14-2015 12:10 AM

set security policies from-zone untrust to-zone untrust policy ssh-only match source-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match destination-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ssh
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ping
set security policies from-zone untrust to-zone untrust policy ssh-only then permit
PERMIT????

Also ping <address> routing-instances ri_L3_video

set firewall filter outbound-nat term t1 from source-address x.x28.0/24
set firewall filter outbound-nat term t1 from destination-address x.x152.0/22
set firewall filter outbound-nat term t1 then routing-instance ri_L3_video
set firewall filter outbound-nat term default then routing-instance ri_comcast_Data

Your traffic must match destination-address x.x152.0/22 to use routing-instance ri_L3_video; else it uses Comcast. I think that is what is happening, since your ssh is 210.77.
What if you tested it by changing the match destination to 0/0?
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: Ping and ssh does not work on public interface even after enabling ping

12-14-2015 01:49 AM

It's there, sorry, I forgot to include it.

set security policies from-zone untrust to-zone untrust policy ssh-only match source-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match destination-address any
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ssh
set security policies from-zone untrust to-zone untrust policy ssh-only match application junos-ping
set security policies from-zone untrust to-zone untrust policy ssh-only then permit

gw> ping x.x..210.78 routing-instance ri_L3_video
PING x.x 210.78 (x.x.210.78): 56 data bytes
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address

Re: Ping and ssh does not work on public interface even after enabling ping

12-14-2015 01:53 AM

gw> ping x.x.210.77 routing-instance ri_L3_video count 10
PINGx.x.210.77 (x.x.210.77): 56 data bytes
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address

x.x.210.77 is the gateway and 210.78 is the SRX interface IP on ge-0/0/1.

Re: Ping and ssh does not work on public interface even after enabling ping

12-14-2015 02:04 AM

Are you running this from the SRX where the routing instance resides? What we are doing is pinging the gateway, sourcing the ping from the specified routing instance. Also verify that the RI is properly named (spelling).

Also, I am curious. Check the output of >show security flow status to see if it is requiring a reboot. I have seen this happen.

Also try >ping x.x.210.77 source x.x.210.78

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: Ping and ssh does not work on public interface even after enabling ping

12-14-2015 02:18 AM

I am doing this from the same SRX.

gw> ping x.x.210.77 source x.x210.78
PING x.x210.77 (x.x.210.77): 56 data bytes
64 bytes from x.x.210.77: icmp_seq=0 ttl=64 time=2.588 ms
64 bytes from x.x.210.77: icmp_seq=1 ttl=64 time=2.270 ms
64 bytes from x.x.210.77: icmp_seq=2 ttl=64 time=2.327 ms
64 bytes from x.x.210.77: icmp_seq=3 ttl=64 time=2.184 ms

Re: Ping and ssh does not work on public interface even after enabling ping

12-14-2015 02:43 AM

ping routing-instance ri_comcast_Data x.x.210.77

Without looking at the complete config and setting up packet capture, it is a little difficult to troubleshoot.

So I am just trying to narrow down the possible source. I have a remote idea.

Also set basic datapath debug and then run the ping tests.

Use the following example, then view the results with:

>show log ping-fail

You will have to read that one by yourself, or use find/replace all to change your IP address. You should be able to see what is causing the problem.

show security flow traceoptions
file ping-fail;
flag basic-datapath;
packet-filter outbound_ping {
    source-prefix <>;
    destination-prefix <>;
}
packet-filter return-traffic {
    source-prefix <>;
    destination-prefix <>;
}

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]