[SRX] Verify the reachability to an SRX device

Article ID: KB17281 | KB Last Updated: 31 Dec 2014 | Version: 6.0

Summary:

Troubleshooting steps to verify and correct reachability to the SRX.


Symptoms:

  • Unable to ping an SRX interface
  • Can't connect to SRX with Pulse client
  • Unable to connect to SRX via HTTPS or HTTP:

      https://<ike external interface IP>/dynamic-vpn
      https://<srx interface ip>
      http://<srx interface ip>

    Instead of the SRX web page being displayed, the user receives one of the following browser error messages (depending on the Web browser being used):

    • Unable to connect - Firefox can't establish a connection to the server at IP address
    • This webpage is not available
    • Internet Explorer cannot display this webpage

Cause:

Solution:

Perform the following steps to solve the problem:

Step 1  On the SRX, is the service you are using (ping, http or https) enabled on the interface you are trying to reach?

To verify, enter the following command, replacing fe-0/0/0.0 with the proper interface name.

      root@srx> show interfaces fe-0/0/0.0

        Logical interface fe-0/0/0.0 (Index 68) (SNMP ifIndex 151)
          Flags: SNMP-Traps Encapsulation: ENET2
          Input packets : 0
          Output packets: 0
          Security: Zone: untrust
          Allowed host-inbound traffic : http https ike ping
          Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: 172.27.201/24, Local: 172.27.201.26,
            Broadcast: 172.27.201.255

        This can also be checked through the configuration:

      root@srx> show security zones security-zone untrust interfaces
      fe-0/0/0.0 {
          host-inbound-traffic {
              system-services {
                 http;
                 https;
                 ike;
                 ping;
              }
          }
      }


  • Yes - Continue to Step 2.

  • No - Add the services you are attempting to use:

    root@srx# set security zones security-zone <zone name> interfaces <interface name> host-inbound-traffic system-services <service>
    root@srx# commit

    Note: "host-inbound-traffic system-services" can also be configured directly under the zone; however, when it is configured under the interface as shown above, the interface-level configuration overrides the configuration made directly under the zone.



Step 2  Are you attempting to reach the SRX using HTTP or HTTPS?

  • Yes - Verify that system services have been enabled to allow HTTP/HTTPS.

    root@srx# show system services
    web-management {
        http;
        https {
            system-generated-certificate;
        }
    }

  • No - Continue to Step 3.



Step 3  Is there a firewall filter applied to the loopback interface or to the interface you are attempting to reach?

    root# show interfaces lo0
    unit 0 {
        family inet {
            filter {
                input fw_filter;
            }
        }
    }

    root# show interfaces fe-0/0/0
    unit 0 {
        family inet {
            filter {
                input fw_filter;
            }
            dhcp;
        }
    }

  • Yes - Verify that the firewall filter allows the services you are attempting to use.

    root# show firewall
    filter fw_filter {
        term 1 {
            from {
                destination-port [ ssh https http ];
            }
            then accept;
        }
        term 2 {
            from {
                protocol icmp;
            }
            then accept;
        }
    }

  • No - Continue to Step 4.



Step 4  With ping allowed in Step 1, try to ping the IP address of the SRX.  Is the ping successful?

  • No - Continue to Step 5.



Step 5  Do you have a route back to the source using the same interface that you are attempting to reach?

    root@srx> show route 1.1.1.1

    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 3w4d 01:58:54
                        > to 192.168.1.1 via fe-0/0/1.0    <- Active Route (denoted by an *)
                        [Access-internal/12] 00:02:25
                        > to 172.27.201.1 via fe-0/0/0.0

  • Yes - Continue to Step 6.
  • No - Add a route to the source with a next-hop for the downstream device connected to the interface you are attempting to reach.

    root# set routing-options static route 1.1.1.1/32 next-hop 172.27.201.1
    root# commit


Step 6  Traceroute to the IP address of the SRX.  Does traceroute give you a clue as to why you cannot ping the SRX?  (Most likely, there is a routing issue or firewall filter in the path from the PC to the SRX.)
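
Steps 1 and 2 can also be checked offline against a saved configuration. The script below is an added example, not part of the Juniper article: the configuration in SAMPLE is constructed, and parse, dig, host_inbound and diagnose are hypothetical helper names. It applies the Note in Step 1, so an interface-level system-services list replaces the zone-level one.

```python
import re

# Constructed sample, condensed onto fewer lines than the CLI prints.
SAMPLE = """
system { services { ssh; web-management { https { system-generated-certificate; } } } }
security { zones { security-zone untrust {
    host-inbound-traffic { system-services { ssh; ping; } }
    interfaces {
        fe-0/0/0.0 { host-inbound-traffic { system-services { http; https; ike; } } }
        fe-0/0/1.0;
    }
} } }
"""

def parse(text):
    """Parse curly-brace Junos configuration text into nested dicts."""
    stack = [{}]
    for name, opener in re.findall(r"([^{};]+)([{;])|}", text):
        if opener == "{":                       # start of a block
            stack.append(stack[-1].setdefault(name.strip(), {}))
        elif opener == ";":                     # leaf statement
            stack[-1][name.strip()] = {}
        else:                                   # closing brace
            stack.pop()
    return stack[0]

def dig(node, *path):
    for key in path:                            # a missing key yields {}
        node = node.get(key, {})
    return node

def host_inbound(cfg, zone, ifname):
    """Step 1: an interface-level system-services list replaces the zone-level one."""
    z = dig(cfg, "security", "zones", f"security-zone {zone}")
    own = dig(z, "interfaces", ifname, "host-inbound-traffic", "system-services")
    return set(own or dig(z, "host-inbound-traffic", "system-services"))

def diagnose(cfg, zone, ifname, service):
    """Return the first step (1 or 2) that blocks `service`, or None if both pass."""
    if not {service, "all", "any-service"} & host_inbound(cfg, zone, ifname):
        return f"step 1: add {service} to host-inbound-traffic system-services"
    web = dig(cfg, "system", "services", "web-management")
    if service in ("http", "https") and service not in web:
        return f"step 2: enable {service} under system services web-management"
    return None

if __name__ == "__main__":
    for ifname, svc in [("fe-0/0/0.0", "ping"), ("fe-0/0/0.0", "http"), ("fe-0/0/1.0", "ping")]:
        print(ifname, svc, diagnose(parse(SAMPLE), "untrust", ifname, svc) or "ok")
```

In the sample, ping fails on fe-0/0/0.0 even though the zone allows it, because the interface-level list does not include it; the same output also shows which management services an untrust interface actually exposes.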


 
