SRX Services Gateway

SRX Intra-Zone traffic

[ Edited ]
2 weeks ago

I currently have a setup as per the diagram below. When I ping (and send other traffic) from the remote site firewall (3.3.3.1) to the ISP2 IP address on the firewall (2.2.2.1) it works fine. I know that because the default route points to ISP1, the return traffic will be asymmetric (so the request will come in via ISP2 and go out via ISP1). Both interfaces are in the same zone (Untrust). Everything is working fine with this setup. I'm fine with asymmetric traffic on the firewall.

 

I have a second instance of this setup which is exactly the same (apart from the IP addresses etc.), same firmware and same firewall model. With this second setup, traffic doesn't flow. If I ping from the remote site, I get no response, but I can see the traffic hitting the firewall. I know people will say you need a firewall policy from Untrust to Untrust, but I don't have that policy on the working setup. (I also tried to add that policy and it didn't help.)

 

I didn't have time to set up traceoptions to troubleshoot this and I will probably not get a chance again for a few weeks until I am back on site. In the meantime, is there anything else that someone can think of that is required to make this work, and that would allow it to work on the first setup but not the second one?

 

Thanks

 

[attachment: diagram.PNG]

 

 

 

7 REPLIES

Re: SRX Intra-Zone traffic

2 weeks ago

Hello Tars,

 

If you are confident that both the setups are exactly the same then it should work.

 

Other possible reasons that may cause the traffic to drop are,

 

  • The interface might be down on the FW. Please check whether all the ingress and egress interfaces are UP.
  • Since you mentioned that you have checked the zones and policies I'm not gonna comment on that. But did you have a chance to check the host-inbound-traffic, whether ping is allowed?
  • Also, it is better to double-check the firewall filters configured on the device.

If the above-suggested inputs aren't the cause of the issue then you need to configure flow traces.

 

BTW, I think the IP address mentioned in the diagram is incorrect or it's the other way around. Because when you mentioned you are pinging 2.2.2.2 which is ISP2's IP address on FW, the actual IP address mentioned in the diagram is 2.2.2.1 and 2.2.2.2 is the adjacent interface in the router. Also, 3.3.3.3 is not mentioned in the diagram so is it configured behind the FW or within the FW's interface?



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX Intra-Zone traffic

[ Edited ]
2 weeks ago

Hi, thanks for the response:

 

I have answered your questions below.

 

Q: The interface might be down on the FW. Please check whether all the ingress and egress interfaces are UP.

A: It's definitely up and working. If I force traffic (change the default route) out the 2nd ISP interface everything works fine (ping etc.). This is why I am almost certain the firewall is dropping the traffic in some way because it's asymmetric.

 

Q: Since you mentioned that you have checked the zones and policies I'm not gonna comment on that. But did you have a chance to check the host-inbound-traffic, whether ping is allowed?

A: It's a good suggestion but ICMP is definitely allowed because it's enabled on the Untrust zone and I can ping the first ISP interface fine. I did also double check this at the time. ICMP is allowed from anywhere in the firewall filter.

 

Q: Also, it is better to double-check the firewall filters configured on the device.

A: There is a firewall filter applied but it already allows the relevant traffic (it works on the first interface and the filter is applied to the whole firewall).

 

Q: BTW, I think the IP address mentioned in the diagram is incorrect or it's the other way around. Because when you mentioned you are pinging 2.2.2.2 which is ISP2's IP address on FW, the actual IP address mentioned in the diagram is 2.2.2.1 and 2.2.2.2 is the adjacent interface in the router. Also, 3.3.3.3 is not mentioned in the diagram so is it configured behind the FW or within the FW's interface?

A: Sorry, yes you are correct, I meant to say 2.2.2.1. I have corrected this in the original post now. 3.3.3.1 is a 3rd firewall (at the top of the diagram).

 


Re: SRX Intra-Zone traffic

2 weeks ago

Hi Tars,

 

I understood that forcing the traffic towards the ISP2 interface made it work, but I want you to check the FW interface connecting to ISP1. Because if that interface is DOWN, then the default route won't be taken into consideration. This is my assumption though.

 

Next time when you are at the site, you can check the below things on the bottom FW:

 

  1. Check that the interface connecting to ISP1 is UP using user@host> show interfaces terse | match inet
  2. If both the Admin and Link are UP for that interface, check the default route in the routing table. Also check the same in the forwarding table using user@host> show route forwarding-table. The route in the forwarding table shouldn't be dscd (discard) or rjct (reject).
  3. If all of the above are fine, then the issue can be something external. So, try to ping the top FW from the bottom FW via ISP1 and check the reachability. However, configuring a flow trace will be better before performing this step in order to rule out an issue with the FW.


Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX Intra-Zone traffic

2 weeks ago

Thanks for the response. As mentioned, it works out of the ISP1 interface, and it also works out of the ISP2 interface when I switch the default route. There isn't any problem with either of the interfaces passing traffic. The issue is when I try to ping the interface where the default route is not pointing out.

 


Re: SRX Intra-Zone traffic

2 weeks ago

Hello Tars,

 

Then I guess the only way to find out is by configuring flow traces.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
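The replies above suggest a flow trace scoped to the failing ping, plus the interface, routing and session checks. The following is an added example of how that is put together on an SRX; it is not configuration from the thread or from Juniper, and it only assumes the addresses in the diagram (remote firewall 3.3.3.1, ISP2 interface 2.2.2.1). The log file name and sizes are arbitrary choices. The packet-filter matters: basic-datapath without a filter logs every packet the box forwards, so on a production firewall it should always be narrowed to the flow under investigation and removed afterwards.

```junos
# Added example, not from the thread. Scope the trace to both directions of
# the ping between the remote firewall (3.3.3.1) and the ISP2 address (2.2.2.1)
# so the asymmetric reply path is captured as well as the request.
# File name and sizes are assumptions.
set security flow traceoptions file flow-trace.log
set security flow traceoptions file size 10m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pf-request source-prefix 3.3.3.1/32
set security flow traceoptions packet-filter pf-request destination-prefix 2.2.2.1/32
set security flow traceoptions packet-filter pf-reply source-prefix 2.2.2.1/32
set security flow traceoptions packet-filter pf-reply destination-prefix 3.3.3.1/32
commit

# Reproduce the ping from the remote site, then read the trace (the drop
# reason is stated on the line where the packet is refused) and check
# whether a session was created at all.
user@host> show log flow-trace.log | match "3.3.3.1"
user@host> show security flow session source-prefix 3.3.3.1 destination-prefix 2.2.2.1

# The checks from the earlier replies, narrowed to the addresses involved:
# ISP-facing interfaces up, and the route the reply will follow resolved
# to a next hop rather than dscd/rjct.
user@host> show interfaces terse | match inet
user@host> show route forwarding-table destination 3.3.3.1

# Remove the trace once the capture is done.
delete security flow traceoptions
commit
```

Compare the trace from the working firewall with the one from the failing firewall for the same ping: the point at which the two diverge (session created on one but not the other, or a different interface chosen for the reply) is where the configuration difference lives.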

Re: SRX Intra-Zone traffic

yesterday

Did you configure the traces yet? Also, what are the hops you see when you do a traceroute? 

 

Anand


Re: SRX Intra-Zone traffic

18 hours ago

Hi Anand10,

 

I rebuilt the firewall and it works as expected now, so I'm not sure what the actual problem was.

 

Thanks for the response.
