[SRX] Unable to access or ping device IP or IP on revenue interfaces

Article ID: KB33930 KB Last Updated: 14 Mar 2019 Version: 1.0
Summary:

When trying to ping or access a service on the device, the revenue/management interfaces do not respond even though the service or ping is allowed on the respective zones/device. Running the 'monitor traffic interface' command on that interface shows that the packets are received by the device, but there is no response.

Symptoms:

Example:

When trying to ping the device's fxp0 interface, the ICMP requests are seen coming in on the device without any drops:

{primary:node1}[edit]
root# run monitor traffic interface fxp0 matching icmp 
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on fxp0, capture size 96 bytes

Reverse lookup for 10.219.91.190 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

09:47:24.122407  In IP truncated-ip - 24 bytes missing! 10.222.33.185 > 10.219.91.190: ICMP echo request, id 34009, seq 0, length 64
09:47:25.125419  In IP truncated-ip - 24 bytes missing! 10.222.33.185 > 10.219.91.190: ICMP echo request, id 34009, seq 1, length 64
09:47:26.127455  In IP truncated-ip - 24 bytes missing! 10.222.33.185 > 10.219.91.190: ICMP echo request, id 34009, seq 2, length 64
09:47:27.135298  In IP truncated-ip - 24 bytes missing! 10.222.33.185 > 10.219.91.190: ICMP echo request, id 34009, seq 3, length 64
09:47:28.135520  In IP truncated-ip - 24 bytes missing! 10.222.33.185 > 10.219.91.190: ICMP echo request, id 34009, seq 4, length 64
09:47:29.138953  In IP truncated-ip - 24 bytes missing! 10.222.33.185 > 10.219.91.190: ICMP echo request, id 34009, seq 5, length 64
^C
82 packets received by filter
0 packets dropped by kernel

However, the pings fail from the source:

test-PC:~ test$ ping 10.219.91.190
PING 10.219.91.190 (10.219.91.190): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
^C
--- 10.219.91.190 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
test-pc:~ test$
Cause:

A firewall filter applied to the lo0 interface may be the cause. If the filter on lo0 does not have a term that allows the traffic for the service in question, the filter denies the packets.

Solution:

Modify the firewall filter applied to the lo0 interface according to your requirements so that the traffic is allowed. You can add a new term or modify the existing term to allow the traffic.

Example:

The configuration below is on the firewall, and the firewall filter shown is applied as an input filter on interface lo0:

# show firewall 
family inet {
    filter test {
        term 1 {
            from {
                destination-address {
                    10.219.91.190/32;
                }
                port 22;
            }
            then accept;
        }
    }
}

# show interfaces lo0 
unit 0 {
    family inet {
        filter {
            input test;
        }
        address 192.168.255.254/32;
    }
}
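
To confirm that this filter is what drops the pings before changing it, an explicit last term can count and log what would otherwise be discarded silently at the end of the filter. This is an added example, not part of the Juniper article; the term name final-deny and the counter name lo0-denied are assumptions.

```junos
/* Added example: the term name "final-deny" and the counter name
   "lo0-denied" are assumptions, not taken from the article. */
family inet {
    filter test {
        /* Existing term from the article: only port 22 to this IP is accepted. */
        term 1 {
            from {
                destination-address {
                    10.219.91.190/32;
                }
                port 22;
            }
            then accept;
        }
        /* Must stay the last term. It replaces the filter's silent
           discard of unmatched packets with one that is counted and
           logged, so the dropped ICMP requests become visible. */
        term final-deny {
            then {
                count lo0-denied;
                log;
                discard;
            }
        }
    }
}
```

After committing, repeat the failing ping: the lo0-denied counter in 'show firewall filter test' should increment, and 'show firewall log' should list the discarded ICMP packets.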


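Allow ICMP to that IP as shown below, which resolves the issue. ICMP goes in its own term (named 2 here for illustration) because all match conditions inside a single term must match together, and an ICMP packet cannot also match port 22:

# show firewall 
family inet {
    filter test {
        term 1 {
            from {
                destination-address {
                    10.219.91.190/32;
                }
                port 22;
            }
            then accept;
        }
        term 2 {
            from {
                destination-address {
                    10.219.91.190/32;
                }
                protocol icmp;
            }
            then accept;
        }
    }
}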
