Juniper SRX IPv6 Issue Reaching Host

I have the following:

SRX345 -> Juniper Switch -> Host

I've enabled flow-based IPv6 on the SRX and configured an IP on a reth interface (reth1.110 in this example). The host is set to the proper VLAN on the access port on the switch (110); however, I am unable to ping the v6 address on the host. I've also configured a v6 address on the switch itself, which I also put into VLAN 110, and I can ping between the SRX and switch just fine. Pinging from the host to the switch works as well. It's only from the SRX to the host and vice versa that does not work. The security policy on the SRX should be permitting all traffic, as it's an allow-all policy for testing.

Example failing ping output:
srx> ping inet6 2000:11c:e00f:2::2
PING6(56=40+8+8 bytes) 2000:11c:e00f:2::1 --> 2000:11c:e00f:2::2
64 bytes from 2061:1960:2001:a::4: Destination Host Unreachable
Vr TC  Flow Plen Nxt Hlim
 6 00 00000 0010  3a   40
2000:11c:e00f:2::1->2000:11c:e00f:2::2
ICMP6: type = 128, code = 0

64 bytes from 2061:1960:2001:a::4: Destination Host Unreachable
Vr TC  Flow Plen Nxt Hlim
 6 00 00000 0010  3a   40
2000:11c:e00f:2::1->2000:11c:e00f:2::2
ICMP6: type = 128, code = 0

Traceroute showing it trying to go out the ISP facing interface:
srx> traceroute 2000:11c:e00f:2::2
traceroute6 to 2000:11c:e00f:2::2 (2000:11c:e00f:2::2) from 2000:11c:e00f:2::1, 64 hops max, 12 byte packets
 1  2061:1960:2001:a::4 (2061:1960:2001:a::4)  3028.808 ms !A^C
{primary:node0}

2061:1960:2001:a::4 is on our interface facing our ISP, so not sure why it's trying to go out that interface...

Security policy it should be hitting:
set security policies from-zone MGMT to-zone MGMT policy allow_all match source-address any
set security policies from-zone MGMT to-zone MGMT policy allow_all match destination-address any
set security policies from-zone MGMT to-zone MGMT policy allow_all match application any
set security policies from-zone MGMT to-zone MGMT policy allow_all then permit

SRX interface zone:
set security zones security-zone MGMT interfaces reth1.110

SRX interface config:
set interfaces reth1 unit 110 family inet6 address 2000:11c:e00f:2::1/64

srx> show ipv6 neighbors
IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
2061:1960:2001:a::1          cc:4e:24:41:3d:00  delay       2   yes no      reth1.5
2000:11c:e00f:2::3           d4:04:ff:ba:bb:a1  stale       293 yes no      reth1.110

No ::2 of the host here, but it has the switch ::3.

Switch output:
switch> show ipv6 neighbors
IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
2000:11c:e00f:2::1           00:10:db:ff:10:01  stale       393 yes no      ae0.0
2000:11c:e00f:2::2           0c:c4:7a:9f:12:93  stale       326 no  no      ge-3/0/36.0

Has the ::2 entry here.

Any ideas?
