I have an SRX320.
Currently I have an SFP module in port ge-0/0/6, which is LC/LC to the ISP's ADVA Layer 2 device.
When I do "show chassis hardware", the SFP, serial number etc. are shown.
Link LEDs are green and activity flickers now and again.
I have programmed port GE-0/0/6 with the ISP's IP they gave me, which is a /29.
I have added a static route of 0.0.0.0/0 to 93.x.x.x (ISP's gateway IP).
I have 2 zones, Trust and Untrust, and have set Trust to Untrust ANY ANY PERMIT.
I've set up around 30 Junipers for remote offices no problem, but this one is giving me a headache.
Do I have to do anything with the SFP or mode or anything? It just doesn't seem to pass any traffic to the internet. I can't even ping the ISP's gateway.
Not sure if I'm missing something!?
Can you check whether the ARP is resolved for the Gateway?
user@host> show arp no-resolve
If you don't see an ARP entry, perform the following command and check whether you are seeing ARP IN and OUT packets.
user@host> monitor traffic interface <interface-name> no-resolve size 1500
Also, please check the IP address and subnet value once whether it falls under a valid range.
If ARP is resolved and still you can't reach the Internet Gateway, we need to check whether SRX is sending the ICMP packets out or not. We can determine this using a tcpdump.
How about rebooting the device once if you think something abnormal is happening in this device?
When I do "show arp no-resolve" it only shows my internal GE-0/0/1.0 (not the ge-0/0/6).
I then do monitor traffic interface ge-0/0/6 no-resolve and it outputs:
Listening on ge-0/0/6
18:25:15 Out arp who-has 93.x.x.1 tell 93.x.x.2
93.x.x.1 being my default gateway to the ISP (that they gave me)
93.x.x.2 being the IP I gave the GE-0/0/6 interface
It looks like SRX is trying to resolve the ARP but it is not getting ARP reply from the next-hop device. If you see the output, we are sending the ARP request - OUT but not receiving ARP reply - IN.
Can you please check with the ISP once?
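The check described in the reply above (ARP requests going Out with no reply coming In), as an added example that is not part of the original thread. The request line shape is taken from the output quoted in the thread; the reply line shape and all addresses in the sample are assumptions constructed for illustration.

```python
import re

# Request shape as quoted in the thread:
#   "<time> Out arp who-has <target> tell <sender>"
# Reply shape ("<time> In arp reply <ip> is-at <mac>") is an assumption
# based on classic tcpdump ARP formatting.
REQUEST = re.compile(r"^\S+\s+(In|Out)\s+arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"^\S+\s+(In|Out)\s+arp reply (\S+) is-at (\S+)")


def unanswered_arp(lines):
    """Return {target_ip: outbound request count} for targets that never replied."""
    pending, answered = {}, set()
    for line in lines:
        line = line.strip()
        m = REQUEST.match(line)
        if m and m.group(1) == "Out":
            pending[m.group(2)] = pending.get(m.group(2), 0) + 1
            continue
        m = REPLY.match(line)
        if m and m.group(1) == "In":
            answered.add(m.group(2))
    return {ip: n for ip, n in pending.items() if ip not in answered}


def inbound_frames(lines):
    """Count captured frames marked In. Zero means nothing at all is arriving
    on the port, which fits the tagging mismatch raised later in the thread."""
    return sum(1 for l in lines if re.match(r"^\S+\s+In\s", l.strip()))


# Constructed sample capture (documentation addresses, not from the thread).
SAMPLE = """\
Listening on ge-0/0/6
18:25:15 Out arp who-has 192.0.2.1 tell 192.0.2.2
18:25:16 Out arp who-has 192.0.2.1 tell 192.0.2.2
18:25:17 Out arp who-has 192.0.2.9 tell 192.0.2.2
18:25:17 In arp reply 192.0.2.9 is-at 00:00:5e:00:53:01
""".splitlines()

if __name__ == "__main__":
    for ip, count in unanswered_arp(SAMPLE).items():
        print(f"{ip}: {count} request(s) sent, no reply received")
    print(f"inbound frames seen: {inbound_frames(SAMPLE)}")
```
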
Thinking out loud... does the ISP hand off the internet connection untagged, or do you need to configure ge-0/0/6 with a vlan-tag to match the ISP configuration?
But overall - agree with noobmaster. It looks like the SRX is working but cannot reach the ISP gateway.
As noobmaster suggests, you need to involve your ISP to solve this efficiently.
Have you added your optical interface ge-0/0/6.0 to the untrust security zone and removed any default entry that is there?
set security zones security-zone untrust interfaces ge-0/0/6.0
Confirm your optic is linked up and that the status shows both admin and link up
show interfaces terse ge-0/0/6
There are no alarms related to the link or optic
show chassis alarms
show interfaces diagnostics optics ge-0/0/6
Not sure why every time I post here it gets deleted?