SRX Services Gateway

VLan Help

‎08-07-2015 08:33 AM

I have a SAN switch and an SRX240.

When I try to ping the VLAN interface from the SAN, it works. But when I try to ping the web from the SAN, I have packet loss.

Can somebody help me?

I tried to capture the ping packets in the packet capture, but I don't see any packets.

When I close the interface the ping stops, and when I delete the VLAN the ping stops.

I posted an image with the post.


17 REPLIES

Re: VLan Help

‎08-07-2015 02:22 PM

I assume that the route to the internet is via the srx? Have you confirmed that there is a security policy between the vlan.1 interface and the interface to the internet?

 

Use the "show security match-policies" command to verify which policy

 

Tim


Re: VLan Help

‎08-07-2015 08:12 PM
Yes, I did a policy from VLAN iSCSI to untrust. I created a zone with the same IP subnet as the VLAN IP, 172.16.50.0/24. I assigned the VLAN to interface 13.

I can send you my config. All VLANs are in access mode, not in trunk or tagged mode.


Re: VLan Help

‎08-08-2015 02:11 AM

Yes please attach the config


Re: VLan Help

‎08-08-2015 04:05 AM

The security policy permits the traffic from your SAN to the internet.

 

Since your SAN address is RFC 1918 you also need a nat policy so that the address is translated to the internet interface address on egress to the internet.

 

Replace "san" with your san zone name on the SRX.

 

set security nat source rule-set san-to-untrust from zone san
set security nat source rule-set san-to-untrust to zone untrust
set security nat source rule-set san-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set san-to-untrust rule source-nat-rule then source-nat interface

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VLan Help

‎08-09-2015 06:47 AM

I sent you all the config for this interface. If you need something else, just ask me.

Thanks!!!!


Re: VLan Help

‎08-09-2015 06:39 PM

When you attempt to ping from the SAN, can you see any flows in 'show security flow session protocol icmp'?

 

Also try a ping from the SRX using vlan.3 as the source. If that works, check that the SAN has the correct default gateway. Can the SAN ping another address local to the SRX?

 

Is anything hitting the NAT translation? 'show security nat source rule all'

 

Tim


Re: VLan Help

‎08-10-2015 03:38 AM

Your configuration sample does not show the NAT rules.

 

If your SAN needs access to the internet you will need to add the NAT rule like the sample I posted above.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VLan Help

‎08-10-2015 06:38 AM
From the vlan.3 SRX to SAN (works)


PING 172.16.50.3 (172.16.50.3): 56 data bytes
64 bytes from 172.16.50.3: icmp_seq=0 ttl=255 time=3.092 ms
64 bytes from 172.16.50.3: icmp_seq=1 ttl=255 time=2.578 ms
64 bytes from 172.16.50.3: icmp_seq=2 ttl=255 time=1.439 ms
64 bytes from 172.16.50.3: icmp_seq=3 ttl=255 time=2.468 ms
64 bytes from 172.16.50.3: icmp_seq=4 ttl=255 time=1.389 ms
64 bytes from 172.16.50.3: icmp_seq=5 ttl=255 time=1.489 ms
64 bytes from 172.16.50.3: icmp_seq=6 ttl=255 time=1.466 ms
64 bytes from 172.16.50.3: icmp_seq=7 ttl=255 time=1.496 ms
64 bytes from 172.16.50.3: icmp_seq=8 ttl=255 time=1.457 ms
64 bytes from 172.16.50.3: icmp_seq=9 ttl=255 time=6.488 ms
--- 172.16.50.3 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.389/2.336/6.488/1.501 ms


From SAN to SRX gateway interface (works)

Session ID: 4691, Policy name: self-traffic-policy/1, Timeout: 4, Valid
In: 172.16.50.3/51646 --> 172.16.50.1/507;icmp, If: vlan.3, Pkts: 1, Bytes: 84
Out: 172.16.50.1/507 --> 172.16.50.3/51646;icmp, If: .local..0, Pkts: 1, Bytes: 84

Session ID: 43370, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 172.16.50.3/51644 --> 172.16.50.1/507;icmp, If: vlan.3, Pkts: 1, Bytes: 84
Out: 172.16.50.1/507 --> 172.16.50.3/51644;icmp, If: .local..0, Pkts: 1, Bytes: 84

Session ID: 109664, Policy name: self-traffic-policy/1, Timeout: 4, Valid
In: 172.16.50.3/51645 --> 172.16.50.1/507;icmp, If: vlan.3, Pkts: 1, Bytes: 84
Out: 172.16.50.1/507 --> 172.16.50.3/51645;icmp, If: .local..0, Pkts: 1, Bytes: 84

Session ID: 121778, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 172.16.50.3/51643 --> 172.16.50.1/507;icmp, If: vlan.3, Pkts: 1, Bytes: 84
Out: 172.16.50.1/507 --> 172.16.50.3/51643;icmp, If: .local..0, Pkts: 1, Bytes: 84
Total sessions: 4




NAT rules (the SAN interface is iSCSI) (works)

source NAT rule: Allow-internet Rule-set: Trust_ISCSI-to-untrust
Rule-Id : 3
Rule position : 3
From zone : Trust_ISCSI
To zone : untrust
Match
Source addresses : 172.168.50.0 - 172.168.50.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Destination port : 0 - 0
Action : interface
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 0
Successful sessions : 0
Number of sessions : 0

SAN default gateway

172.16.50.1

Vlan 3 IP

172.16.50.1

Try to ping Google

Packet loss, and I see no ping



Re: VLan Help

‎08-10-2015 01:53 PM

Hi,

 

You have no translation hits on the NAT rule. Can you ping the internet from the SRX using vlan.3 as the source? 

 

Tim


Re: VLan Help

‎08-10-2015 03:21 PM

Can you confirm the default gateway for your SAN controller has the SRX ip address?

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VLan Help

‎08-17-2015 06:07 AM

I apologize for the delay. I just tested ping to the web from the vlan.3 interface and the ping actually does not pass. What is my problem?


Re: VLan Help

‎08-17-2015 06:08 AM

Yes, the gateway in the SAN is the IP of the SRX interface.

Solution
Accepted by topic author hboivin
‎08-26-2015 01:27 AM

Re: VLan Help

‎08-17-2015 12:30 PM

There is either a problem with the NAT or security policy. Can you paste the configuration?

 

Tim


Re: VLan Help

‎08-19-2015 01:20 PM

Thank you, the problem was from the NAT: I made a mistake in the address.

Now I have another problem: when I replicate data from SAN A to SAN B I can only reach 7 mbit. Do you think it can be the ALG module?
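
The address mistake mentioned in this post is visible in the 'show security nat source rule all' output posted earlier in the thread: the rule matches 172.168.50.0 - 172.168.50.255, while the SAN sits at 172.16.50.3, which is why the rule showed zero translation hits. The following is an added example, not part of any post in the thread, that checks pasted rule output against a host address; the sample text is constructed from the thread's output and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: trimmed from the rule output posted earlier in the thread.
NAT_RULE_OUTPUT = """\
source NAT rule: Allow-internet Rule-set: Trust_ISCSI-to-untrust
From zone : Trust_ISCSI
To zone : untrust
Source addresses : 172.168.50.0 - 172.168.50.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Action : interface
Translation hits : 0
"""

RULE_RE = re.compile(r"source NAT rule:\s*(\S+)\s+Rule-set:\s*(\S+)")
SRC_RE = re.compile(r"Source addresses\s*:\s*(\S+)\s*-\s*(\S+)")
HITS_RE = re.compile(r"Translation hits\s*:\s*(\d+)")

def parse_rules(text):
    """Collect name, source ranges and hit counter for each rule in the text."""
    rules = []
    for line in text.splitlines():
        if m := RULE_RE.search(line):
            rules.append({"name": m.group(1), "ranges": [], "hits": None})
        elif rules and (m := SRC_RE.search(line)):
            lo, hi = (ipaddress.ip_address(g) for g in m.groups())
            rules[-1]["ranges"].append((lo, hi))
        elif rules and (m := HITS_RE.search(line)):
            rules[-1]["hits"] = int(m.group(1))
    return rules

def audit(text, host):
    """Return one finding per rule that is not translating traffic from host."""
    host = ipaddress.ip_address(host)
    findings = []
    for rule in parse_rules(text):
        if not any(lo <= host <= hi for lo, hi in rule["ranges"]):
            shown = ", ".join(f"{lo}-{hi}" for lo, hi in rule["ranges"])
            findings.append(f"{rule['name']}: source {shown} does not include {host}")
        elif rule["hits"] == 0:
            findings.append(f"{rule['name']}: matches {host} but has 0 translation hits")
    return findings

if __name__ == "__main__":
    # 172.16.50.3 is the SAN address seen in the thread's ping and session output.
    for finding in audit(NAT_RULE_OUTPUT, "172.16.50.3"):
        print(finding)
```

A rule that covers the host but still shows zero hits points away from the NAT match and toward routing or the security policy, which is the order the replies in this thread worked through.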


Re: VLan Help

‎08-19-2015 01:42 PM

Hi,

 

Need more information about the addresses of SAN A/B and the connectivity as it is not in your diagram.

 

Tim


Re: VLan Help

‎08-20-2015 06:31 AM

From SAN/A to SAN/B the data transfer is 7 mbit per sec. I am sending you a diagram of the network. I think something throttles the connection from the (SRX240H A). When I do a speed test at the destination in the same network, SAN/B, the speed is good. But I can do a speed test from the source SAN/A. Can I test the speed from vlan.3 on the SRX?

 

Thank you
