SRX Services Gateway

Some SRX110 Network Addresses Reply to ICMP

11-15-2019 09:15 AM

We currently have 30 SRX110s in our production network which have been deployed at different times. All are currently running 2 or 3 VLANs (1 for Management on newer ones, 1 for Users, 1 for VOIP), and we've recently noticed that some network addresses are responding to ICMP while others are not. From everything I've looked at, our configs are the same across the different devices, so I'm not exactly sure why we're not seeing the same behavior among all of the devices. Is there a setting that would cause a network address to respond to ICMP? To my limited knowledge, network addresses by default do not respond to ICMP the same way a gateway or loopback would.

JNCIA

Re: Some SRX110 Network Addresses Reply to ICMP

11-17-2019 05:35 AM

All you would need to have enabled is both ping and traceroute under the zone that the responding interface is a member of.

set security zones security-zone NAME host-inbound-traffic system-services ping
set security zones security-zone NAME host-inbound-traffic system-services traceroute

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Some SRX110 Network Addresses Reply to ICMP

11-18-2019 11:40 PM

Hi,

I am assuming you are pinging the addresses on the physical interfaces. Please use the following command to see the services enabled on a working interface and a non-working interface:

> show interfaces [interface_name] extensive | find security

It will show something similar to:

  Logical interface ge-0/0/1.0 (Index 70) (SNMP ifIndex 49)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 5161
    Output packets: 83
    Security: Zone: zone2
    Allowed host-inbound traffic : bootp bfd bgp  dns dvmrp  ldp msdp nhrp ospf pgm
    pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
    netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl

Look for ping under Allowed host-inbound traffic.

Also look for any firewall filters applied to these interfaces or to the loopback interface that might be allowing/blocking ping/icmp.

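Added example, not code from any poster in this thread: a small Python helper that parses saved output of the `show interfaces extensive | find security` command shown above and lists the logical interfaces whose zone allows ping in its host-inbound traffic, so the same check can be run over captures from all of the devices instead of reading each by eye. The sample output below is constructed to mirror the excerpt in the reply; its interface and zone names are made up.

```python
"""Audit Junos 'show interfaces extensive' output for ping in allowed host-inbound traffic."""
import re

# Constructed sample modelled on the excerpt quoted above; not real device output.
SAMPLE = """\
  Logical interface ge-0/0/0.0 (Index 69) (SNMP ifIndex 48)
    Security: Zone: untrust
    Allowed host-inbound traffic : ike ssh
  Logical interface ge-0/0/1.0 (Index 70) (SNMP ifIndex 49)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 5161
    Security: Zone: zone2
    Allowed host-inbound traffic : bootp bfd bgp  dns dvmrp  ldp msdp nhrp ospf pgm
    pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
    netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
  Logical interface vlan.10 (Index 71) (SNMP ifIndex 50)
    Security: Zone: users
    Allowed host-inbound traffic : dhcp
    ping
"""

LOGICAL = re.compile(r"^\s*Logical interface (\S+)")
ZONE = re.compile(r"^\s*Security: Zone: (\S+)")
ALLOWED = re.compile(r"^\s*Allowed host-inbound traffic\s*:\s*(.*)$")

def parse_host_inbound(text):
    """Return {ifname: {"zone": str|None, "services": set}}. The service list wraps
    across indented lines, so collect bare words until a 'key: value' line appears."""
    result, current, in_services = {}, None, False
    for line in text.splitlines():
        if (m := LOGICAL.match(line)):
            current = result.setdefault(m.group(1), {"zone": None, "services": set()})
            in_services = False
        elif current is None:
            continue  # header lines before the first logical interface
        elif (m := ZONE.match(line)):
            current["zone"], in_services = m.group(1), False
        elif (m := ALLOWED.match(line)):
            current["services"].update(m.group(1).split())
            in_services = True
        elif in_services and line.strip() and ":" not in line:
            current["services"].update(line.split())  # continuation of the service list
        else:
            in_services = False
    return result

def icmp_responders(text):
    """Interfaces whose zone allows ping, i.e. addresses that will answer ICMP echo."""
    return sorted(n for n, d in parse_host_inbound(text).items() if "ping" in d["services"])
```

Feed it the saved output from each device and diff the returned lists; an interface that answers ping but is missing from the list points at a firewall filter or policy rather than the zone's host-inbound-traffic setting.
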

Re: Some SRX110 Network Addresses Reply to ICMP

11-19-2019 06:47 AM

As Steve pointed out, the security zone has to be configured to accept ICMP messages (host-inbound-traffic). But also make sure that no firewall filter applied to either the physical interface or the loopback interface is blocking your ICMP traffic, and that you have proper policies in place:

[Image: exception traffic processing.png]

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps