SRX Services Gateway

SRX Unable to Ping Hosts on Networks Accessible by VPN

‎06-08-2015 12:37 PM

I'm having an issue with some SRXs that cannot ping hosts that must be accessed across a VPN.

End users can ping each other across the VPN, and the end users can ping the SRX 550s.  The SRXs can ping end users on networks they are physically connected to, but not hosts across the VPN.

What could cause this?

Below is rough diagram of the networks involved.

Note: We are using traffic selectors in our ipsec configurations.

Juniper_SRX_VPN_Routing_Issue.JPG


Re: SRX Unable to Ping Hosts on Networks Accessible by VPN

‎06-08-2015 08:11 PM

Hello,

As per your details, you are able to ping between end user 2 and 3, but end user 1 cannot ping 2 or 3. Correct me if I am wrong.

Please share the following details from the SRX550 connected to end user 1, 2, 3:

> show security ipsec security-associations

> show route <end user IP>

> show security flow session destination-prefix <end user IP>

If possible, please share the configuration from the SRXs and the IP of each host.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: SRX Unable to Ping Hosts on Networks Accessible by VPN

‎06-10-2015 05:16 AM

Hey Sam,

All end users can ping each other, but the SRXs themselves cannot ping end users on the other side of the VPNs.

If I log into the SRX for end user 1 and try to show route to end user 2, I see this:

inet.0: 21 destinations, 31 routes (21 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.0.0/16 *[Static/5] 11:45:32
> via st0.0
[Static/5] 11:45:32
> via st0.0

This is correct as st0.0 is the VPN interface on the SRX to get to that 10.10.0.0/16 network on the other side of the VPN, but I still cannot ping anything on that network.


Re: SRX Unable to Ping Hosts on Networks Accessible by VPN

‎06-10-2015 05:35 AM

Hello,

Try to ping the other end user IP by sourcing it from your trust interface IP:

ping <user 2 IP> source <trust interface IP>

This is because, when the return packet comes in, it will be addressed to the external interface IP and it may not go through the tunnel from the other end. So source it with the trust interface IP (where user 1 is connected) and try. It will work.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: SRX Unable to Ping Hosts on Networks Accessible by VPN

‎06-10-2015 05:48 AM

Well, that definitely works, but if I'm trying to send something other than ICMP (i.e. FTP a config or syslog) to a host across the VPN... How would that work?

Solution
Accepted by topic author tsjeff
‎08-26-2015 01:27 AM

Re: SRX Unable to Ping Hosts on Networks Accessible by VPN

‎06-10-2015 06:11 AM

Hello,

For that, you can take an unused LAN IP and assign it to the loopback interface on the SRX, so that any self-generated traffic will use the loopback as its default source.

Or configure the following to take the loopback IP as the default source IP:

#set system default-address-selection

Ref :  http://www.juniper.net/documentation/en_US/junos13.1/topics/reference/configuration-statement/defaul...


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
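The accepted answer above in set-style Junos configuration, as an added example that is not part of the thread and not from Juniper's own documentation. It assumes a hypothetical SRX550 at the end user 1 site with a local LAN of 10.20.0.0/16 on ge-0/0/1.0 in the trust zone, the remote LAN 10.10.0.0/16 already reachable via st0.0 (as in the route output posted above), a VPN named to-site-b with a traffic selector ts-1, and an unused LAN address 10.20.255.254 chosen for lo0.0; all of these names and addresses are constructed for the example.

```junos
# Added example (not from the thread). Assumed site addressing: local LAN 10.20.0.0/16,
# remote LAN 10.10.0.0/16 via st0.0, unused LAN address 10.20.255.254 for the loopback.

# 1. Give the loopback an address taken from the LAN range that the VPN already carries,
#    so the far end routes replies back through the tunnel instead of to the WAN address.
set interfaces lo0 unit 0 family inet address 10.20.255.254/32

# 2. Put lo0.0 in the trust zone and allow ping replies to reach it.
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ping

# 3. Make locally generated packets (ping without "source", syslog, FTP config copies)
#    default to the loopback address instead of the egress interface address.
set system default-address-selection

# 4. The local side of the traffic selector must cover the loopback address, otherwise
#    traffic sourced from lo0 will not match the tunnel's selector and will be dropped.
set security ipsec vpn to-site-b traffic-selector ts-1 local-ip 10.20.0.0/16
set security ipsec vpn to-site-b traffic-selector ts-1 remote-ip 10.10.0.0/16

# Verification (operational mode), with 10.10.0.10 as a constructed host across the VPN:
#   > ping 10.10.0.10
#   > show security flow session destination-prefix 10.10.0.10
# The session's source address should now be 10.20.255.254 rather than the external
# interface address, and the session should be installed on st0.0.
```

The security-relevant point is step 4: a loopback address chosen outside the local traffic selector prefix would silently bypass the tunnel for all self-generated traffic (syslog, FTP config transfers), so pick the address from the range the VPN already protects and confirm with the flow session output before relying on it.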

Re: SRX Unable to Ping Hosts on Networks Accessible by VPN

‎06-10-2015 07:14 AM

Thank you!