SRX

I have SAN switch and srx240. 

 

When i try to ping the vlan interface from the san it work. But when i try to ping the web from the san i have packet lost. 

 

can some body help me. 

 

I try to caputre the ping packet in the packet capture but i don see any packet.

 

When i close the interface the ping stop, And when i delete vlan the ping stop.  

 

I post image with the post 

I assume that the route to the internet is via the srx? Have you confirmed that there is a security policy between the vlan.1 interface and the interface to the internet?

 

Use the "show security match-policies " command to verify which policy

 

Tim

Yes i do policy vlan iscsi to untrust. I créateur zone with the same subnet ip that the vlan ip. 172.16.50.0/24. I assign the vlan to the interface 13.

I Can send you my config. all vlan is in access mode note in truck or tagged mode.

Yes please attach the config

The security policy permits the traffic from your SAN to the internet.

 

Since your SAN address is RFC 1918 you also need a nat policy so that the address is translated to the internet interface address on egress to the internet.

 

Replace "san" with your san zone name on the SRX.

 

set security nat source rule-set san-to-untrust from zone san
set security nat source rule-set san-to-untrust to zone untrust
set security nat source rule-set san-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set san-to-untrust rule source-nat-rule then source-nat interface

 

I send you all the config for this interface. If you need something else just ask me. 

 

thank !!!! 

When attempt to ping from the SAN can you see any flows in 'show security flow session protocol icmp' ?

 

Also try ping from the SRX using vlan.3 as the source, if that works check that the SAN has the correct default gateway. Can the SAN ping another address local to the SRX?

 

Is anything hitting the NAT translation? 'show security nat source rule all'

 

Tim

Your configuration sample does not show the NAT rules.

 

If your SAN needs access to the internet you will need to add the NAT rule like the sample I posted above.

From de VLan.3 SRX to SAN (work) 


PING 172.16.50.3 (172.16.50.3): 56 data bytes
64 bytes from 172.16.50.3: icmp_seq=0 ttl=255 time=3.092 ms
64 bytes from 172.16.50.3: icmp_seq=1 ttl=255 time=2.578 ms
64 bytes from 172.16.50.3: icmp_seq=2 ttl=255 time=1.439 ms
64 bytes from 172.16.50.3: icmp_seq=3 ttl=255 time=2.468 ms
64 bytes from 172.16.50.3: icmp_seq=4 ttl=255 time=1.389 ms
64 bytes from 172.16.50.3: icmp_seq=5 ttl=255 time=1.489 ms
64 bytes from 172.16.50.3: icmp_seq=6 ttl=255 time=1.466 ms
64 bytes from 172.16.50.3: icmp_seq=7 ttl=255 time=1.496 ms
64 bytes from 172.16.50.3: icmp_seq=8 ttl=255 time=1.457 ms
64 bytes from 172.16.50.3: icmp_seq=9 ttl=255 time=6.488 ms
--- 172.16.50.3 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.389/2.336/6.488/1.501 ms


From SAN to SRX Gateway interface (work)

Session ID: 4691, Policy name: self-traffic-policy/1, Timeout: 4, Valid
 In: 172.16.50.3/51646 --> 172.16.50.1/507;icmp, If: vlan.3, Pkts: 1, Bytes: 84
 Out: 172.16.50.1/507 --> 172.16.50.3/51646;icmp, If: .local..0, Pkts: 1, Bytes
: 84

Session ID: 43370, Policy name: self-traffic-policy/1, Timeout: 2, Valid
 In: 172.16.50.3/51644 --> 172.16.50.1/507;icmp, If: vlan.3, Pkts: 1, Bytes: 84
 Out: 172.16.50.1/507 --> 172.16.50.3/51644;icmp, If: .local..0, Pkts: 1, Bytes
: 84

Session ID: 109664, Policy name: self-traffic-policy/1, Timeout: 4, Valid
 In: 172.16.50.3/51645 --> 172.16.50.1/507;icmp, If: vlan.3, Pkts: 1, Bytes: 84
 Out: 172.16.50.1/507 --> 172.16.50.3/51645;icmp, If: .local..0, Pkts: 1, Bytes
: 84

Session ID: 121778, Policy name: self-traffic-policy/1, Timeout: 2, Valid
 In: 172.16.50.3/51643 --> 172.16.50.1/507;icmp, If: vlan.3, Pkts: 1, Bytes: 84
 Out: 172.16.50.1/507 --> 172.16.50.3/51643;icmp, If: .local..0, Pkts: 1, Bytes
: 84
Total sessions: 4




NAt rules (the san interface it ISCSI) (work)

source NAT rule: Allow-internet Rule-set: Trust_ISCSI-to-untrust
 Rule-Id : 3
 Rule position : 3
 From zone : Trust_ISCSI
 To zone : untrust
 Match
 Source addresses : 172.168.50.0 - 172.168.50.255
 Destination addresses : 0.0.0.0 - 255.255.255.255
 Destination port : 0 - 0
 Action : interface
 Persistent NAT type : N/A
 Persistent NAT mapping type : address-port-mapping
 Inactivity timeout : 0
 Max session number : 0
 Translation hits : 0
 Successful sessions : 0
 Number of sessions : 0

San Default gateway 

172.16.50.1

Vlan 3 IP

172.16.50.1

Try to ping google

packet lost and see no ping 

 

Hi,

 

You have no translation hits on the NAT rule. Can you ping the internet from the SRX using vlan.3 as the source? 

 

Tim

I apologize for the delay. I just tested ping to the web from the vlan.3 interface and ping actually does not pass what is my problem?

There is either a problem with the NAT or security policy. Can you paste the configuration.

 

Tim

thank you the problème still to be from the nat i do mistake in the addresse.

 

Now i have nother problème when i replicate data from SAN A to SAN B i just can reach 7 mbit. Do you think it can be the ALG module ?

Hi,

 

Need more information about the addresses of SAN A/B and the connectivity as it is not in your diagram.

 

Tim

From San/A to SAN/b data transfert it 7mbit / per sec. I send you diagram off the network. I think something throtle the connection from the ( SRX240H A ) When i do speed test at the destination in the same network San/b it good speed. But i can do test speed from the source SAN/A. Can from the vlan.3 in the srx i can test the speed ?

 

Thank you

Can you confirm the default gateway for your SAN controller has the SRX ip address?

Yes the gateway in the san it the ip off the SRX interface.