So this is weird.. Configuring a new SRX240 running Junos 11.4r5.5 I have the following config:

run show configuration security zones security-zone management
interfaces {
    vlan.10;
    vlan.85;
    lo0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}
I can't ping my loop0 (10.255.0.8) interface from anywhere. So I did some traceoptions to see the flow:

Nov 6 08:06:01 08:06:01.516302:CID-0:RT: routed (x_dst_ip 10.255.0.8) from oob (ge-0/0/15.0 in 0) to lo0.0, Next-hop: 10.255.0.8
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: policy search from zone oob-> zone management (0x0,0x4be70002,0x2)
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: packet dropped, denied by policy
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: packet dropped, policy deny.
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: flow find session returns error.

Looks pretty clear, no security policy from zone oob to zone management.... But wait, this is junos-self traffic - why do I need a policy for self traffic? Never had to do this before, perhaps something new in 11.4?? Anyway just for kicks I made the following policy:

run show configuration security policies from-zone oob to-zone management
policy oob-to-management {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

So that policy should permit my traffic.... but my pings still fail, traceoptions shows the same as above - packet dropped, policy deny.

However - if I remove the loop0 interface from the management zone, and put it into the trust zone, it works. I still need a security policy, but the configuration is exactly the same as it is on my management zone:

run show configuration security zones security-zone trust
interfaces {
    lo0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}

run show configuration security policies from-zone oob to-zone trust
policy management {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

Pings work with this config. I don't normally use the default 'trust' zone, am I missing something here? This should be simple! Any thoughts?
Luca
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
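The flow trace quoted in the post can be triaged mechanically. The following Python parser is an added example (not from the post, and not a Juniper tool): it pulls the routing decision, the zone pair used by the policy lookup and the drop verdict out of SRX flow traceoptions lines, flags the case where the egress is lo0 (self-traffic), and names the from-zone/to-zone pair whose policy lookup produced the deny. The sample trace is constructed from the lines in the post; the regexes assume the message format shown there.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the flow traceoptions output quoted in the post.
SAMPLE_TRACE = """\
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: routed (x_dst_ip 10.255.0.8) from oob (ge-0/0/15.0 in 0) to lo0.0, Next-hop: 10.255.0.8
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: policy search from zone oob-> zone management (0x0,0x4be70002,0x2)
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: packet dropped, denied by policy
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: packet dropped, policy deny.
Nov 6 08:06:01 08:06:01.516302:CID-0:RT: flow find session returns error.
"""

# Message formats as they appear in the post (assumed stable for this Junos release).
ROUTED_RE = re.compile(
    r"routed \(x_dst_ip (?P<dst>\S+)\) from (?P<zone>\S+) \((?P<in_if>\S+) in \d+\) to (?P<out_if>[^,]+),")
POLICY_RE = re.compile(r"policy search from zone (?P<src>\S+)-> zone (?P<dst>\S+)")
DENY_RE = re.compile(r"packet dropped, (?:denied by policy|policy deny)")

@dataclass
class FlowVerdict:
    dst_ip: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    denied_by_policy: bool = False

    def diagnosis(self) -> str:
        if not self.denied_by_policy:
            return "no policy drop seen"
        # A loopback egress means the packet terminates on the SRX itself (junos-self).
        kind = "self-traffic" if (self.out_if or "").startswith("lo0") else "transit"
        return (f"{kind} to {self.dst_ip} via {self.out_if} (ingress {self.in_if}) dropped: "
                f"policy lookup from-zone {self.from_zone} to-zone {self.to_zone} returned deny")

def parse_flow_trace(text: str) -> FlowVerdict:
    v = FlowVerdict()
    for line in text.splitlines():
        body = line.split("RT: ", 1)[-1]          # drop timestamp and CID/thread prefix
        if m := ROUTED_RE.search(body):
            v.dst_ip, v.from_zone = m["dst"], m["zone"]
            v.in_if, v.out_if = m["in_if"], m["out_if"]
        elif m := POLICY_RE.search(body):
            v.from_zone, v.to_zone = m["src"], m["dst"]   # zone pair the policy lookup used
        elif DENY_RE.search(body):
            v.denied_by_policy = True
    return v
```

Running `parse_flow_trace(SAMPLE_TRACE).diagnosis()` reports the oob-to-management self-traffic deny, which is the pair to check under `security policies` and `host-inbound-traffic` when a lo0 ping fails.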