Can't ping one external interface on SSG5
sgt_b2002 last edited by
Got a problem where I have two connections to the Internet from different ISPs for failover purposes. Failover works fine, but I have an issue where I cannot ping the external interface of the standby connection. The connection is up, and I can ping the interface’s gateway from that interface, but from an outside source on the Internet I cannot ping that interface.
Right now I have two default routes where the active connection is favored. If that link goes down, that interface’s route is weighted and outbound traffic starts using the standby connection. While all this works well, I still need to be able to ping the standby interface from the Internet to monitor the connection.
Based off the routing table along I can see why this would technically fail, but I was wondering if there was some type of reverse route detection that I’m missing. Say if the packet comes in on that interface it should go out that interface.
Any help would be appreciated! Thanks
boyahensem last edited by
i am experienced with the same issue here. On my SSG5 untrust port eth0/0(X.X.X.59/32), i can ping X.X.X.58 on ISP modem
However, from the outside cannot ping my eht0/0 ip.
read from [KB5719]
_When the NetScreen is first set up as NAT mode, by default, all management options are disabled. For that reason, ICMP requests to the untrust interface from the Internet will fail. Additionally, when the device is set up to NAT mode, it won’t affect the system IP address. To enable management of the NetScreen from both sides, change the system IP to 0.0.0.0.
It is best to change to NAT mode from the CLI:
set admin sys-ip 0.0.0.0 [Enter]
set interface untrust manage ping [Enter]_
is it working in SSG5 Os ver 6.3 ?
Or I should try with unset flow route-chace first?
Sounds strange. Is it possible for you to put NW diagram and config here?
Also, I noticed something from what you said:
The connection is up, and I can ping the interface’s gateway from that interface, but from an outside source on the Internet I cannot
ping that interface.
You mean, from Untrust to ISP router, you can ping, but the reverse route has a problem, right?
Did you check out “get int” to see if ping manage is enabled? If you’re running 6.3, “unset flow route-cache” might work.
And I suggest you to enable self-log feature by “set firewall self-log” in order to see if the ICMP traffic from Internet is really hitting the SSG.
sgt_b2002 last edited by
I tried that but it still won’t work. I believe that since the packet terminates on the firewall’s interface it doesn’t technically become part of a flow. The only option I’ve heard so far that would work is to set up the two external interfaces into their own virtual routers. Unfortunately, I’m not going to jump through those hoops just so I can ping an external interface. Still looking to solve this problem.
unset flow reverse-route clear-text prefer
unset flow clear text prefer