SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ICMP - no response found

    Posted 03-06-2018 08:40

    Hey all,

     

    I really struggle on vSRX to monitor interfaces and traffic flow problems; it's just something I don't seem to be able to get my head around.

     

    I seem to have it all working, then I make a couple of config changes and ICMP stops working for no apparent reason, but I'm unable to figure out how to monitor why it suddenly stops sending a response. I've tried a few of the steps online, like creating a PCAP, but they haven't revealed much to me.

     

    This is in a lab, so I've opened up everything as below:

     

    interfaces {
        ge-0/0/2 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/3 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/4 {
            unit 0 {
                family inet {
                    address 202.20.89.1/28;
                }
            }
        }
        ge-7/0/2 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-7/0/3 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/1;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-7/0/1;
                }
            }
        }
        reth0 {
            redundant-ether-options {
                redundancy-group 1;
                lacp {
                    active;
                    periodic slow;
                }
            }
            unit 0 {
                family inet {
                    address 172.16.1.1/24;
                }
            }
        }
    }


    security {
        zones {
            security-zone trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    reth0.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/4.0;
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
    }

     

    Everything was working OK until I tried to set up NAT; then internal (trust) pings stopped, and even after deleting the NAT config I still get this in Wireshark:

     

    1078    661.403516    172.16.1.9    172.16.1.1    ICMP    98    Echo (ping) request  id=0xd60b, seq=127/32512, ttl=64 (no response found!)

     

    Can anyone help me monitor this interface/traffic flow to see what is going on?

     

    I can see the ICMP traffic getting to the interface and then not getting a response, and it seems to be happening over and over again with the smallest of config changes.

     

    Thanks,

     

    Charles

     



  • 2.  RE: ICMP - no response found

    Posted 03-06-2018 13:11

    Removed nearly all config and then set it up again, and now it's working again.

     

    Doesn't appear to have happened again in the last 5-6 hours, or however long I've been studying.

     

    Would still like to know more about monitoring an interface, as it doesn't make too much sense to me right now.



  • 3.  RE: ICMP - no response found

    Posted 03-09-2018 02:51

    From your description, I am not sure what the issue was with the interface no longer responding to ping after adding a NAT rule.

     

    But I think this might be the KB article you are looking for. It goes over the details of packet processing and how to see what is happening at each phase and do packet captures on the SRX.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110
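
As an added example (not part of the original thread and not Juniper's own text), here is the flow-trace setup a practitioner would use for the exact ping in the first post, 172.16.1.9 to the SRX's own reth0.0 address 172.16.1.1, plus the operational commands to read the result. The trace file name flow-trace and the packet-filter names pf-in and pf-out are arbitrary choices of mine; the rest is standard Junos security flow traceoptions syntax. Lines beginning with # are explanatory comments, not commands to paste.

```junos
# Added example: trace one ICMP echo (172.16.1.9 -> 172.16.1.1) through the
# SRX flow module. File name and filter names are arbitrary.

# --- configuration mode ---
edit security flow traceoptions
set file flow-trace
set file size 10m
set file files 3
set flag basic-datapath
# Filter both directions. Without a packet-filter, basic-datapath logs every
# packet the flow module sees and will drown the trace (and the CPU).
set packet-filter pf-in source-prefix 172.16.1.9/32 destination-prefix 172.16.1.1/32 protocol icmp
set packet-filter pf-out source-prefix 172.16.1.1/32 destination-prefix 172.16.1.9/32 protocol icmp
top
commit

# --- operational mode: send the ping from 172.16.1.9, then read the trace ---
# On a chassis cluster, run this on the node that currently owns reth0
# (redundancy-group 1 primary); the other node will not see the packet.
show chassis cluster status
clear log flow-trace
show log flow-trace
# Per packet, look for: the ingress interface and zone, the route lookup
# result, the policy search (trust -> trust for this ping), any NAT rule
# match, and whether the packet is handled as host-inbound (destined to the
# SRX's own address, which needs "host-inbound-traffic system-services ping"
# in the zone) or as transit traffic.

# Session table and flow counters for the same flow
show security flow session source-prefix 172.16.1.9 destination-prefix 172.16.1.1 protocol icmp
show security flow statistics

# If NAT was (or still is) involved, confirm no rule lingers and check hit counts
show security nat source rule all
show security nat destination rule all
show security nat static rule all

# RE-bound capture. On SRX this shows only traffic to/from the control plane
# (host-inbound ICMP qualifies); transit traffic does not appear here.
monitor traffic interface reth0.0 no-resolve matching "icmp"

# Remove the trace when finished; basic-datapath is expensive to leave on.
configure
delete security flow traceoptions
commit
```

The trace answers the question the Wireshark capture cannot: the capture proves the echo request reached the wire, while the flow trace shows what the SRX did with it at each stage, so a silent drop lands on a specific line (zone, policy, NAT or host-inbound check) rather than "no response found".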