I'm sure this is easy and something simple is being missed. Heck, if I had a test environment (or tested better before installation) this would be solved.
The below configuration is a active/passive HA pair of SRX340s. Everything is functioning except for my access to the management ports. Wanting to lock this down to only allow access from a specific segment I have a filter in place on the loopback; it is also setup to permit NTP with a specific host. At this time I cannot access either fxp0 interface yet NTP is working without issue.
Any assistance would be greatly appreciated.
version 15.1X49-D75.5;
/* Groups are used for node specific settings */
groups {
node0 {
system {
host-name vwSrx340-node0;
backup-router 10.x.y.1 destination 0.0.0.0/0;
}
interfaces {
fxp0 {
description Management;
unit 0 {
family inet {
address 10.x.y.41/24;
}
}
}
}
}
node1 {
system {
host-name vwSrx340-node1;
backup-router 10.x.y.1 destination 0.0.0.0/0;
}
interfaces {
fxp0 {
description Management;
unit 0 {
family inet {
address 10.x.y.42/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
host-name vwSrx340-cluster1;
}
services {
ssh {
root-login deny;
}
web-management {
https {
system-generated-certificate;
interface fxp0.0;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
ntp {
boot-server 10.x.y.1;
server 10.x.y.1;
}
}
chassis {
cluster {
control-link-recovery;
reth-count 2;
redundancy-group 0 {
node 0 priority 200;
node 1 priority 100;
}
redundancy-group 1 {
node 0 priority 200;
node 1 priority 100;
}
}
}
security {
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
}
interfaces {
ge-0/0/0 {
description “Outside via ISP PP?”;
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/4 {
description “Inside via FEX123/1/3”;
gigether-options {
redundant-parent reth1;
}
}
ge-5/0/0 {
description “Outside via ISP PP?”;
gigether-options {
redundant-parent reth0;
}
}
ge-5/0/4 {
description “Inside via FEX124/1/3”;
gigether-options {
redundant-parent reth1;
}
}
/* Both fab0 & fab1 are used for data & session sharing between nodes */
fab0 {
fabric-options {
member-interfaces {
ge-0/0/2;
ge-0/0/3;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-5/0/2;
ge-5/0/3;
}
}
}
lo0 {
unit 0 {
family inet {
filter {
input fil-local_acl;
}
}
}
}
/* This is the virtual interface for ge-0/0/0 & ge-5/0/0 for our outside connection */
reth0 {
description “ISP Internet”;
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address a.b.c.132/29;
}
}
}
/* This is the virtual interface for ge-0/0/4 & ge-5/0/4 for our outside connection */
reth1 {
description “Inside”;
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 172.x.y.1/24;
}
}
}
}
routing-options {
static {
route d.e.f.0/24 next-hop 172.x.y.254;
route 0.0.0.0/0 next-hop a.b.c.129;
}
}
firewall {
family inet {
filter fil-local_acl {
term term-ntp_allow {
from {
source-address {
10.x.y.1/32;
}
destination-port 123;
}
then accept;
}
term term-ntp_block {
from {
destination-port 123;
}
then {
discard;
}
}
term term-mgmt_allow {
from {
source-address {
10.x.y.0/16;
}
protocol tcp;
destination-port [ https ssh ];
}
then accept;
}
term term-mgmt_block {
from {
protocol tcp;
destination-port [ https ssh ];
}
then {
discard;
}
}
term term-else {
then accept;
}
}
}
}