unable to ping to SRX self ip across different routing instance

Hi Friends,

I'm facing a strange issue in the lab; basically my setup is as below:

[diagram: diag.jpg]

The requirement is, on the EX4550, to ping between vlan.30 (default routing instance) and vlan.80 (belongs to routing-instance 80); the traffic has to flow through the two SRXs, transiting different zones/routing instances on both. This is done.

However, what I can't figure out is why, on EX4550 vlan.30, it's unable to ping the self IP of SRX240D vlan 80 (8.8.80.230), and also from EX4550 vlan 80 to the SRX240U vlan 30 self IP.

But if I just reverse it and initiate the ping from either SRX240 (vlan 80) to EX4550 (vlan 30), then it works; same for SRX (vlan 30) to EX4550 (vlan 80).

Hence, it seems traffic from the EX4550 has reached the SRX240 but the SRX240 didn't reply back.

Directly pinging from EX4550 vlan 80 to SRX240D vlan 80 (same subnet) is working.

Relevant config for SRX240D:

demo@SRX240D# show interfaces vlan
unit 30 {
    family inet {
        address 8.8.30.231/24;
    }
}
unit 100 {
    family inet {
        filter {
            input FROM_GL_TO_30;
        }
        address 8.8.100.231/24;
    }
}

demo@SRX240D# show security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
        vlan.3;
        vlan.100;
    }
}

security-zone TR_R30 {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.30;
    }
}

demo@SRX240D# show routing-instances
30 {
    instance-type virtual-router;
    interface vlan.30;
    routing-options {
        static {
            route 8.8.80.0/24 next-table inet.0;
        }
    }
}

demo@SRX240D# show firewall
family inet {
    filter FROM_GL_TO_30 {
        term 1 {
            from {
                destination-address {
                    8.8.30.0/24;
                }
            }
            then {
                count RINSTANCE;
                routing-instance 30;
            }
        }
        term 2 {
            then accept;
        }
    }
}

demo@SRX240D# show interfaces ge-0/0/8
description to_SRX240UGE8;
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members vlan100;
        }
    }
}

SRX240U

demo@SRX240U# show interfaces ge-0/0/8
description To_SRX240D_GE8;
vlan-tagging;
unit 100 {
    vlan-id 100;
    family inet {
        filter {
            input FROM_GL_TO_80;
        }
        address 8.8.100.230/24;
    }
}

demo@SRX240U# show firewall
family inet {
    filter FROM_GL_TO_80 {
        term 1 {
            from {
                destination-address {
                    8.8.80.0/24;
                }
            }
            then {
                count RINSTANCE;
                routing-instance 80;
            }
        }
        term 2 {
            then accept;
        }
    }
}

demo@SRX240U# show routing-instances
80 {
    instance-type virtual-router;
    interface vlan.80;
    routing-options {
        static {
            route 8.8.30.0/24 next-table inet.0;
        }
    }
}

demo@SRX240U# show security policies
from-zone TR_R80 to-zone trust {
    policy R80_to_TR {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}
from-zone trust to-zone TR_R80 {
    policy TR_to_R80 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}
default-policy {
    permit-all;
}

demo@SRX240U# show security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
        vlan.3;
        ge-0/0/8.100;
    }
    application-tracking;
}

security-zone TR_R80 {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.80;
    }
}

Some output when I initiate the ping from the EX4550 to a different vlan on the SRX.

demo@EX4550# run ping 8.8.30.231
PING 8.8.30.231 (8.8.30.231): 56 data bytes
64 bytes from 8.8.30.231: icmp_seq=0 ttl=64 time=3.508 ms
64 bytes from 8.8.30.231: icmp_seq=1 ttl=64 time=3.003 ms

demo@EX4550# run ping 8.8.30.231 routing-instance 80
PING 8.8.30.231 (8.8.30.231): 56 data bytes

demo@EX4550# run show route
80.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.30.0/24 *[Static/5] 01:05:41
> to 8.8.80.230 via vlan.80

On the first SRX (SRXU), which is the gateway:

demo@SRX240U> show security flow session protocol icmp
Session ID: 69169, Policy name: R80_to_TR/7, Timeout: 56, Valid
In: 8.8.80.232/0 --> 8.8.30.231/24586;icmp, If: vlan.80, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/0;icmp, If: ge-0/0/8.100, Pkts: 0, Bytes: 0

Session ID: 69170, Policy name: R80_to_TR/7, Timeout: 58, Valid
In: 8.8.80.232/1 --> 8.8.30.231/24586;icmp, If: vlan.80, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/1;icmp, If: ge-0/0/8.100, Pkts: 0, Bytes: 0

Session ID: 69171, Policy name: R80_to_TR/7, Timeout: 58, Valid
In: 8.8.80.232/2 --> 8.8.30.231/24586;icmp, If: vlan.80, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/2;icmp, If: ge-0/0/8.100, Pkts: 0, Bytes: 0

It should reach the second SRX (SRXD), as the firewall filter counter is incrementing.

demo@SRX240D> show security flow session protocol icmp
Session ID: 210721, Policy name: TR_to_R30/6, Timeout: 26, Valid
In: 8.8.80.232/41 --> 8.8.30.231/24586;icmp, If: vlan.100, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/41;icmp, If: .local..5, Pkts: 0, Bytes: 0

Session ID: 210757, Policy name: TR_to_R30/6, Timeout: 2, Valid
In: 8.8.80.232/18 --> 8.8.30.231/24586;icmp, If: vlan.100, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/18;icmp, If: .local..5, Pkts: 0, Bytes: 0

Session ID: 210762, Policy name: TR_to_R30/6, Timeout: 4, Valid
In: 8.8.80.232/20 --> 8.8.30.231/24586;icmp, If: vlan.100, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/20;icmp, If: .local..5, Pkts: 0, Bytes: 0

I've enabled traceoptions for flow on SRX240D, but I didn't find anything obvious.

Please advise which part I missed. Many thanks.
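The `show security flow session` output quoted in the post lends itself to a small triage script. The following is an added example, not from the original post or from Juniper: it parses the session listing into its In and Out wings, flags sessions whose In wing carried packets while the Out wing stayed at zero (the "reached the SRX but no reply" pattern described above), and separates those whose reply interface is a `.local.` pseudo-interface (traffic terminating on the SRX itself) from those with a real egress interface. The sample text is copied from the post; the regular expressions and the `.local.` prefix check are this example's own assumptions about the output format, not a Juniper API.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the SRX240D sessions posted above, copied verbatim so the
# parser can be exercised offline. Nothing here is live device data.
SRX240D_SAMPLE = """\
Session ID: 210721, Policy name: TR_to_R30/6, Timeout: 26, Valid
In: 8.8.80.232/41 --> 8.8.30.231/24586;icmp, If: vlan.100, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/41;icmp, If: .local..5, Pkts: 0, Bytes: 0

Session ID: 210757, Policy name: TR_to_R30/6, Timeout: 2, Valid
In: 8.8.80.232/18 --> 8.8.30.231/24586;icmp, If: vlan.100, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/18;icmp, If: .local..5, Pkts: 0, Bytes: 0
"""

# Constructed sample: one of the SRX240U sessions from the post.
SRX240U_SAMPLE = """\
Session ID: 69169, Policy name: R80_to_TR/7, Timeout: 56, Valid
In: 8.8.80.232/0 --> 8.8.30.231/24586;icmp, If: vlan.80, Pkts: 1, Bytes: 84
Out: 8.8.30.231/24586 --> 8.8.80.232/0;icmp, If: ge-0/0/8.100, Pkts: 0, Bytes: 0
"""

# Assumed line shapes, derived from the output quoted in the post.
SESSION_RE = re.compile(
    r"^Session ID:\s*(?P<sid>\d+),\s*Policy name:\s*(?P<policy>[^,]+),"
    r"\s*Timeout:\s*(?P<timeout>\d+),\s*(?P<state>\w+)"
)
WING_RE = re.compile(
    r"^(?P<direction>In|Out):\s*(?P<src>[\d.]+)/(?P<sport>\d+)\s*-->\s*"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+),\s*If:\s*(?P<ifl>\S+),"
    r"\s*Pkts:\s*(?P<pkts>\d+),\s*Bytes:\s*(?P<nbytes>\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifl: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: Dict[str, Wing] = field(default_factory=dict)

    @property
    def unanswered(self) -> bool:
        """Forward wing carried packets but the reverse wing never did."""
        inw, outw = self.wings.get("In"), self.wings.get("Out")
        return bool(inw and outw and inw.pkts > 0 and outw.pkts == 0)

    @property
    def self_terminated(self) -> bool:
        """Assumption: a '.local.' reply interface means host-bound (self) traffic."""
        outw = self.wings.get("Out")
        return outw is not None and outw.ifl.startswith(".local.")


def parse_sessions(text: str) -> List[Session]:
    """Turn the CLI listing into Session objects with their In/Out wings."""
    sessions: List[Session] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["sid"]), m["policy"].strip(),
                                    int(m["timeout"]), m["state"]))
            continue
        m = WING_RE.match(line)
        if m and sessions:
            sessions[-1].wings[m["direction"]] = Wing(
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["proto"], m["ifl"], int(m["pkts"]), int(m["nbytes"]))
    return sessions


def triage(text: str) -> Dict[str, object]:
    """Summarise which sessions got no reply and where the reply should have gone."""
    sessions = parse_sessions(text)
    bad = [s for s in sessions if s.unanswered]
    return {
        "total": len(sessions),
        "unanswered": [s.sid for s in bad],
        "self_terminated_unanswered": [s.sid for s in bad if s.self_terminated],
        "reply_ifls": sorted({s.wings["Out"].ifl for s in bad}),
    }


if __name__ == "__main__":
    for name, sample in (("SRX240U", SRX240U_SAMPLE), ("SRX240D", SRX240D_SAMPLE)):
        print(name, triage(sample))
```

Run against the two samples, the script shows the same split the post describes by hand: on SRX240U every unanswered session has a real egress interface (ge-0/0/8.100), so the SRX240U is forwarding and waiting on a reply from the far side; on SRX240D the unanswered sessions all terminate on `.local..5`, so the packet was delivered to the box itself and the missing piece is its own reply path.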
