Channel: All SRX Services Gateway posts

Re: Issue trying to make some zones communicate with Internet
Hi Ztech,

Please share the output of the following command:

> show route table PRA-MF.inet.0

Based on the traceoptions, the SRX is performing the route lookup in a custom routing-instance (assumed to be PRA-MF) and not finding a route to 8.8.8.8 (most likely the default route is missing). Running the above command will tell you if the default route is not showing up.

Oct 16 10:33:25 10:33:25.555360:CID-1:RT:flow_first_routing: vr_id 5, call flow_route_lookup(): src_ip 192.168.5.52, x_dst_ip 8.8.8.8, in ifp reth0.300, out ifp N/A sp 2525, dp 1, ip_proto 1, tos 0
...
Oct 16 10:33:25 10:33:25.555422:CID-1:RT:Route-lookup for 8.8.8.8 yielded reject NH

I believe that the PRA-MF routing-instance is not aware of the subnet connected to reth2.0 (untrust zone) and that the next-hop address the PRA-MF routing-instance is trying to resolve is on that subnet connected to the reth2.0 interface. Please let us know if this is correct.

If the above statement is correct, we need to make sure the PRA-MF routing-instance knows reth2.0's subnet. You could apply a RIB group to accomplish this:

1. Create a rib-group to share routes from the inet.0 table (default routing-instance) to the PRA-MF.inet.0 table. A routing-policy (RETH2-SUBNET-ONLY) ensures that only reth2.0's subnet is shared between the mentioned tables.

	set routing-options rib-groups EXAMPLE import-rib [ inet.0 PRA-MF.inet.0 ]
	set routing-options rib-groups EXAMPLE import-policy RETH2-SUBNET-ONLY

2. Create the routing-policy to match the subnet of reth2.0 only (policy-statements live under the policy-options hierarchy, and set commands take no trailing semicolon):

	set policy-options policy-statement RETH2-SUBNET-ONLY term RETH2 from route-filter [reth2_subnet] exact
	set policy-options policy-statement RETH2-SUBNET-ONLY term RETH2 then accept
	set policy-options policy-statement RETH2-SUBNET-ONLY term REJECT-REST then reject

3. Apply the rib-group under the default routing-instance, under the interface-routes hierarchy, in order to share the directly connected subnets from inet.0 to PRA-MF.inet.0:

	set routing-options interface-routes rib-group EXAMPLE

Please let us know.
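As an added illustration (not part of this post, and not Juniper code), the following Python models the mechanism the reply describes: a static default route in PRA-MF.inet.0 whose next hop sits on reth2.0's subnet cannot be resolved until that connected route is leaked from inet.0 through an interface-routes rib-group with an exact-match import policy. The subnet 203.0.113.0/24, the gateway 203.0.113.1, the second inet.0 interface reth1.0 and its subnet are constructed values; only reth0.300, reth2.0, 192.168.5.52 and 8.8.8.8 come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    next_hop: Optional[IPv4] = None      # None means directly connected
    interface: Optional[str] = None      # set for connected (interface) routes
    learned_from: Optional[str] = None   # table the route was leaked from, if any


class Rib:
    """One routing table, e.g. inet.0 or PRA-MF.inet.0 (toy model, not Junos)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add_connected(self, prefix: str, interface: str) -> None:
        self.routes.append(Route(Net(prefix), interface=interface))

    def add_static(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(Net(prefix), next_hop=IPv4(next_hop)))

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match within this table only."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def flow_route_lookup(rib: Rib, dst: str) -> str:
    """Emulate the lookup seen in the trace: match dst, then resolve the next
    hop against a connected route in the *same* table. Returns the outgoing
    interface, or 'reject NH' when the table holds nothing usable."""
    route = rib.lookup(IPv4(dst))
    if route is None:
        return "reject NH"
    if route.next_hop is None:
        return route.interface or "reject NH"
    via = rib.lookup(route.next_hop)
    if via is None or via.next_hop is not None:
        return "reject NH"   # next hop is not on a subnet this table knows
    return via.interface or "reject NH"


def route_filter_exact(prefix: str) -> Callable[[Route], bool]:
    """Equivalent of 'from route-filter <prefix> exact; then accept' followed
    by a catch-all 'then reject' term: exactly one prefix passes."""
    wanted = Net(prefix)
    return lambda r: r.prefix == wanted


def interface_routes_rib_group(source: Rib, targets: List[Rib],
                               import_policy: Callable[[Route], bool]) -> int:
    """Emulate 'interface-routes rib-group' with an import-policy: copy the
    connected routes of `source` that the policy accepts into each target.
    Returns the number of routes copied."""
    copied = 0
    for r in source.routes:
        if r.interface is None or not import_policy(r):
            continue
        for t in targets:
            t.routes.append(Route(r.prefix, interface=r.interface,
                                  learned_from=source.name))
            copied += 1
    return copied


def build_scenario() -> Tuple[Rib, Rib]:
    """Constructed tables mirroring the thread's description."""
    inet0 = Rib("inet.0")
    inet0.add_connected("203.0.113.0/24", "reth2.0")   # constructed untrust subnet
    inet0.add_connected("10.10.10.0/24", "reth1.0")    # constructed, must NOT leak
    pra_mf = Rib("PRA-MF.inet.0")
    pra_mf.add_connected("192.168.5.0/24", "reth0.300")
    pra_mf.add_static("0.0.0.0/0", "203.0.113.1")      # default via untrust gateway
    return inet0, pra_mf


def leak_reth2_subnet(inet0: Rib, pra_mf: Rib) -> int:
    """Apply the rib-group from the reply: only reth2.0's subnet is imported."""
    return interface_routes_rib_group(inet0, [pra_mf],
                                      route_filter_exact("203.0.113.0/24"))


if __name__ == "__main__":
    inet0, pra_mf = build_scenario()
    print("before rib-group:", flow_route_lookup(pra_mf, "8.8.8.8"))   # reject NH
    leak_reth2_subnet(inet0, pra_mf)
    print("after rib-group: ", flow_route_lookup(pra_mf, "8.8.8.8"))   # reth2.0
```

The model deliberately collapses two Junos behaviours into the single "reject NH" outcome the trace shows: a static route whose next hop cannot be resolved in its own table is held unusable, and a destination with no usable route is rejected. The exact-match policy is what keeps the unrelated reth1.0 subnet out of PRA-MF.inet.0, which is worth checking with show route table PRA-MF.inet.0 after committing the real configuration.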