SRX Services Gateway

I have ISP failover working, but now the archive-sites and ping does not work

3 weeks ago

I set up ISP failover on my SRX300 - and it works!! I can even ssh in from the selected IP addresses I put in the firewall filter for any remote administration I need to do.

 

Problem - I cannot ping anything on the Internet from the SRX, nor will the archival configuration work. (the second item is far more irritating than the first)

 

Remove the failover and use only one interface - things work.

 

ISP1  10.1.10.0/24  (dhcp)

  gateway 10.1.10.1

ISP2  10.2.10.140/30

  gateway 10.2.10.141

 

office network 192.168.1.x/24

location of my archive server   10.3.10.112

 

I have no idea where to start. Can someone please point me in a direction to address this?

 

Thx!


Re: I have ISP failover working, but now the archive-sites and ping does not work

3 weeks ago

Hello, 

 

If you can't ping any destination from the SRX, it means that the route is not properly configured or the SRX can't find the route in its master routing table.

 

My questions are,

  • Where is your default route pointed? Is it in the master routing table inet.0 or in a routing instance?
  • If the 0.0.0.0/0 is in any routing-instance, you need to specify the routing-instance while you ping. e.g. user@host> ping 8.8.8.8 routing-instance <instance-name>
  • Try taking SSH of your archival destination manually from the SRX and check whether it works or not.
  • When you are pinging or taking SSH from the SRX, open another terminal and check the session output. e.g. user@host> show security flow session source-prefix <source-ip> destination-prefix <destination-ip>


Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: I have ISP failover working, but now the archive-sites and ping does not work

3 weeks ago

Note - all systems on my office/inside network are nat'ing correctly to the Internet. The only problem is running ping or ssh from the SRX.

From the SRX:

 


root@gw-myoffice> ssh user@10.3.10.112
ssh: connect to host 10.3.10.112 port 22: Operation timed out
root@gw-myoffice> ping 10.3.10.112
^C
--- 10.3.10.112 ping statistics ---
24 packets transmitted, 0 packets received, 100% packet loss

 

 

From my linux system that is being nat'ed by the SRX

[user@chewbaca ~]$ ssh -p 22 user@10.3.10.112
Last login: Tue Jul 21 10:40:53 2020 from 10.1.10.2
12:40:58 up 26 days, 22:30, 1 user, load average: 0.08, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user pts/0 10.1.10.2 12:40 0.00s 0.03s 0.00s w
[user@jbu ~]$ exit


[user@chewbaca ~]$ ping -n 10.3.10.112
PING 10.3.10.112 (10.3.10.112) 56(84) bytes of data.
64 bytes from 10.3.10.112: icmp_seq=1 ttl=54 time=5.77 ms
64 bytes from 10.3.10.112: icmp_seq=2 ttl=54 time=5.80 ms
64 bytes from 10.3.10.112: icmp_seq=3 ttl=54 time=5.86 ms
64 bytes from 10.3.10.112: icmp_seq=4 ttl=54 time=5.84 ms
^C
--- 10.3.10.112 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.772/5.817/5.858/0.033 ms

 

The SRX must be passing ping correctly for the failover to work, but I don't understand why you can't ping or ssh from the SRX itself.

 

Solution
Accepted by topic author Portscanner
2 weeks ago

Re: I have ISP failover working, but now the archive-sites and ping does not work

3 weeks ago

I believe the traffic is being routed on your master routing instance inet.0. Considering that, can you specify the interface or source IP address when pinging and using SSH from the SRX?

 

Did you have a chance to check the flow session when pinging from the SRX?

 

Provide me with these outputs:

 

user@host> show interfaces terse | match inet

user@host> show route 10.3.10.112

user@host> show configuration firewall | display set

user@host> show configuration interfaces | display set | match filter

user@host> show security flow session destination-prefix 10.3.10.112     <<<<< This output has to be collected when you ping from the SRX



Thanks,
π00bm@$t€®.

Re: I have ISP failover working, but now the archive-sites and ping does not work

2 weeks ago

Thank you! You pointed me in the correct direction. There were some major problems with the configuration of my failover. I used a configuration I had found on another web site, but it turns out that configuration had a bunch of stuff in it that I did not need. This is what I used to create a working configuration:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32556

The above config is an example with 4 ISPs, so I just trimmed it down to two.

 

 


Re: I have ISP failover working, but now the archive-sites and ping does not work

2 weeks ago

Hi,

 

I'm glad the issue has been resolved :grinning_face:

 

Have a Nice Day!!!



Thanks,
π00bm@$t€®.