Strange issue, I must be forgetting something in the config.
Scenario:
Datacenter<-- |VPN Connection| --> SRX300<---> EX2300-C
* I cannot ping our Datacenter from the SRX300, but I can ping it from the EX switch.
* If I disconnect the switch from the SRX300 I lose connection to the SRX300 completely. Cannot SSH or Ping even though the tunnel is up. I reconnect the switch and everything comes back up.
* Traceroute from the SRX300 shows nothing. Traceroute from EX works correctly.
The switch config is simple. Trunk with all vlans included between the SRX and EX. Native vlan is "1". All ports are configured for one of the three vlans we use.
Config of the SRX:
set version 17.3R2.10
set system host-name SRX300
set system root-authentication encrypted-password "xxxxxx"
set system name-server 8.8.8.8
set system services ssh root-login allow
set system services telnet
set system services xnm-clear-text
set system services dhcp-local-server group CorpDHCP interface irb.1
set system services dhcp-local-server group CorpWIFI interface irb.24
set system services dhcp-local-server group Guests interface irb.136
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security ike policy corporate mode main
set security ike policy corporate proposal-set standard
set security ike policy corporate pre-shared-key ascii-text "xxxx"
set security ike gateway corp-gw ike-policy corporate
set security ike gateway corp-gw address xx.xx.xx.xx
set security ike gateway corp-gw local-identity inet xx.xx.xx.xx
set security ike gateway corp-gw external-interface ge-0/0/5
set security ipsec policy corp-ipsec-vpn proposal-set standard
set security ipsec vpn corp-vpn bind-interface st0.0
set security ipsec vpn corp-vpn vpn-monitor
set security ipsec vpn corp-vpn ike gateway corp-gw
set security ipsec vpn corp-vpn ike ipsec-policy corp-ipsec-vpn
set security ipsec vpn corp-vpn establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat source rule-set guest-to-untrust from zone GuestiNet
set security nat source rule-set guest-to-untrust to zone untrust
set security nat source rule-set guest-to-untrust rule source-nat-guest match source-address 10.255.7.160/27
set security nat source rule-set guest-to-untrust rule source-nat-guest then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match application any
set security policies from-zone trust to-zone VPN policy trust-to-vpn then permit
set security policies from-zone VPN to-zone trust policy VPN-to-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-to-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-to-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-to-trust then permit
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match source-address any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match destination-address any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match application any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.1 host-inbound-traffic system-services all
set security zones security-zone trust interfaces irb.1 host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.24
set security zones security-zone trust interfaces irb.120 host-inbound-traffic system-services all
set security zones security-zone trust interfaces irb.120 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ping
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services traceroute
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services ping
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services dhcp
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 native-vlan-id 1
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Workstation
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Workstation
set interfaces ge-0/0/5 unit 0 family inet address xx.xx.xx.xx/27
set interfaces ge-0/0/6 unit 0
set interfaces ge-0/0/7 unit 0
set interfaces irb unit 1 family inet address 10.255.7.1/27
set interfaces irb unit 24 family inet address 10.255.7.33/27
set interfaces irb unit 120 family inet address 10.255.7.129/27
set interfaces irb unit 136 family inet address 10.255.7.161/27
set interfaces st0 unit 0 description "Tunnel Interface to ChiDataCenter"
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet address 10.250.110.7/24
set routing-options static route 10.0.0.0/8 next-hop 10.250.110.110
set routing-options static route xx.xx.xx.xx/32 next-hop xx.xx.xx.xx
set routing-options static route 0.0.0.0/0 next-hop xx.xx.xx.xx
set routing-options router-id 10.255.7.1
set protocols lldp interface all
set policy-options prefix-list manage-ip 10.0.0.0/8
set access address-assignment pool p1 family inet network 10.255.7.0/27
set access address-assignment pool p1 family inet range r1 low 10.255.7.10
set access address-assignment pool p1 family inet range r1 high 10.255.7.25
set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool p1 family inet dhcp-attributes name-server 10.110.2.20
set access address-assignment pool p1 family inet dhcp-attributes propagate-settings irb.1
set access address-assignment pool CorpWifiPool family inet network 10.255.7.32/27
set access address-assignment pool CorpWifiPool family inet range r1 low 10.255.7.35
set access address-assignment pool CorpWifiPool family inet range r1 high 10.255.7.61
set access address-assignment pool CorpWifiPool family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool CorpWifiPool family inet dhcp-attributes name-server 10.110.2.20
set access address-assignment pool CorpWifiPool family inet dhcp-attributes propagate-settings irb.24
set access address-assignment pool GuestWifiPool family inet network 10.255.7.160/27
set access address-assignment pool GuestWifiPool family inet range r1 low 10.255.7.163
set access address-assignment pool GuestWifiPool family inet range r1 high 10.255.7.189
set access address-assignment pool GuestWifiPool family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool GuestWifiPool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool GuestWifiPool family inet dhcp-attributes propagate-settings irb.136
set vlans CorpWData vlan-id 24
set vlans CorpWData l3-interface irb.24
set vlans Guest vlan-id 136
set vlans Guest l3-interface irb.136
set vlans Wireless vlan-id 120
set vlans Wireless l3-interface irb.120
set vlans Workstation vlan-id 1
set vlans Workstation l3-interface irb.1
Thank you in advance.