ScreenOS 5.4r5 sub-if + VLAN routing problem



  • I have an old netscreen-25 running 5.4r5 that I am having a bear of a time with. It has been running for ages with a simple LAN (ethernet1), DMZ(ethernet2), WAN (ethernet3) config. My L3 switches route all LAN traffic to ethernet1.

    I now have need to add a sub-IF as ethernet1.1 and control a single VLAN differently than the others. I have added an interface with the correct subnet info (172.22.16.0/23) and VLAN tagging for VLAN 7.

    So now with the new configuration a device on the main LAN can ping its own gateway interface but not the ethernet1.1 interface. A device on VLAN 7 can ping its ethernet1.1 interface but CAN ping the main LAN ethernet1 interface. Devices on either subnet cannot ping each other in either direction. I have testing polices in place to allow everything in every direction until I get this solved.

    Logging shows CLOSE - AGE OUT or CLOSE -RESP on pings from a device on VLAN 7 to any device on the main LAN and the same close reason on traffic the other direction.



  • Hey, isn’t that L2/L3 mixed mode (check out “get sys”)?



  • Anyone please? This problem is killing me and I have read till my eyes are bleeding and tried many many different configuration options and still can’t get this working.


 

30
Online

38.4k
Users

12.7k
Topics

44.5k
Posts