I'm sure this is easy and something simple is being missed. Heck, if I had a test environment (or had tested more thoroughly before installation) this would already be solved.
The configuration below is an active/passive HA pair of SRX340s. Everything is functioning except my access to the management ports. To restrict management access to a single source segment, I have an input filter applied to lo0; the same filter is also set up to permit NTP only from a specific host. At the moment I cannot reach either fxp0 interface over SSH or HTTPS, yet NTP is working without issue.
Any assistance would be greatly appreciated.
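version 15.1X49-D75.5;
/* Groups are used for node specific settings (applied via apply-groups "${node}") */
groups {
    node0 {
        system {
            host-name vwSrx340-node0;
            /* backup-router is only used before/without a routing table, e.g. on the secondary node */
            backup-router 10.x.y.1 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                description Management;
                unit 0 {
                    family inet {
                        address 10.x.y.41/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name vwSrx340-node1;
            backup-router 10.x.y.1 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                description Management;
                unit 0 {
                    family inet {
                        address 10.x.y.42/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
/* services, syslog and ntp belong under system; the original paste closed system after host-name */
system {
    host-name vwSrx340-cluster1;
    services {
        ssh {
            root-login deny;
        }
        web-management {
            https {
                /* NOTE(review): self-signed cert; consider a CA-issued local-certificate for the management plane */
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    /* NOTE(review): NTP is unauthenticated; the lo0 filter is the only control on who can answer */
    ntp {
        boot-server 10.x.y.1;
        server 10.x.y.1;
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 2;
        /* RG0 = routing engine; node0 preferred */
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        /* RG1 = reth0/reth1 data plane; node0 preferred */
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Outside via ISP PP?";
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        description "Inside via FEX123/1/3";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/0 {
        description "Outside via ISP PP?";
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/4 {
        description "Inside via FEX124/1/3";
        gigether-options {
            redundant-parent reth1;
        }
    }
    /* Both fab0 & fab1 are used for data & session sharing between nodes */
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
                ge-0/0/3;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
                ge-5/0/3;
            }
        }
    }
    /* Routing-engine protection filter; see firewall fil-local_acl below */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input fil-local_acl;
                }
            }
        }
    }
    /* This is the virtual interface for ge-0/0/0 & ge-5/0/0 for our outside connection */
    reth0 {
        description "ISP Internet";
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address a.b.c.132/29;
            }
        }
    }
    /* This is the virtual interface for ge-0/0/4 & ge-5/0/4 for our inside connection */
    reth1 {
        description "Inside";
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 172.x.y.1/24;
            }
        }
    }
}
routing-options {
    static {
        route d.e.f.0/24 next-hop 172.x.y.254;
        route 0.0.0.0/0 next-hop a.b.c.129;
    }
}
firewall {
    family inet {
        /*
         * Terms are evaluated top-down; counters let "show firewall filter fil-local_acl"
         * show which term a management session actually hits, and "log" on the discard
         * terms exposes the dropped packets via "show firewall log".
         */
        filter fil-local_acl {
            /* Only the configured NTP server may reach the RE on port 123 */
            term term-ntp_allow {
                from {
                    source-address {
                        10.x.y.1/32;
                    }
                    destination-port 123;
                }
                then {
                    count ntp-allowed;
                    accept;
                }
            }
            term term-ntp_block {
                from {
                    destination-port 123;
                }
                then {
                    count ntp-blocked;
                    log;
                    discard;
                }
            }
            /*
             * NOTE(review): 10.x.y.0/16 is normalised to 10.x.0.0/16 by Junos; confirm that the
             * admin hosts (and any jump host/NAT in the path) fall inside this prefix, otherwise
             * their SSH/HTTPS to fxp0 lands in term-mgmt_block below.
             */
            term term-mgmt_allow {
                from {
                    source-address {
                        10.x.y.0/16;
                    }
                    protocol tcp;
                    destination-port [ https ssh ];
                }
                then {
                    count mgmt-allowed;
                    accept;
                }
            }
            term term-mgmt_block {
                from {
                    protocol tcp;
                    destination-port [ https ssh ];
                }
                then {
                    count mgmt-blocked;
                    log;
                    discard;
                }
            }
            /*
             * NOTE(review): permissive default. A hardened RE filter would end in discard with
             * explicit permits for the cluster/control and routing traffic the box needs; only
             * change this after the needed protocols have been enumerated and tested.
             */
            term term-else {
                then {
                    count other-accepted;
                    accept;
                }
            }
        }
    }
}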