Hi, can somebody help me find out whether an SRX345 has the Remote Access VPN Service active? I can't see this license in the output of "show system license".
Thanks
I have a number of remote Juniper SRX sites that connect back to a data center. At the data center there are two Cisco routers. The SRX is configured with IPsec tunnels to both routers. OSPF is being used as the IGP. The goal is to have the remote SRX use the primary tunnel unless it is down; if it is down, it should use the secondary tunnel. What appears to be happening is that the SRX just gets stuck on one or the other. It will fail over, but if tunnel 1 comes back up it won't switch back to that tunnel; it stays on tunnel 2.
I figured that by using OSPF metrics I could direct which tunnel to use, but that doesn't seem to work. What is the best method to achieve this? Should I use some kind of tracking mechanism (I'm thinking of something like Cisco IP SLA)?
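An added configuration sketch for the setup described in the post above, written by the editor and not taken from the original poster's configuration; the interface names, addresses, gateway and policy names and the metric values are all assumptions, and the IKE/IPsec policies are assumed to exist already. It shows the three pieces that have to line up for the remote SRX to prefer the primary tunnel again after it recovers: the tunnel is re-established without waiting for interesting traffic, dead-peer detection takes the st0 unit down when the peer is really gone, and OSPF carries a lower metric over the primary tunnel than over the secondary.

```junos
## Added example: two route-based IPsec tunnels with OSPF preference (assumed names and addresses)
## Primary tunnel to DC router 1
set security ike gateway dc-rtr1 ike-policy dc-ike-policy
set security ike gateway dc-rtr1 address 203.0.113.1
set security ike gateway dc-rtr1 external-interface ge-0/0/0.0
set security ike gateway dc-rtr1 dead-peer-detection always-send
set security ike gateway dc-rtr1 dead-peer-detection interval 10
set security ike gateway dc-rtr1 dead-peer-detection threshold 3
set security ipsec vpn dc-vpn1 bind-interface st0.0
set security ipsec vpn dc-vpn1 ike gateway dc-rtr1
set security ipsec vpn dc-vpn1 ike ipsec-policy dc-ipsec-policy
set security ipsec vpn dc-vpn1 establish-tunnels immediately
## Secondary tunnel to DC router 2 (same shape, different peer and st0 unit)
set security ike gateway dc-rtr2 ike-policy dc-ike-policy
set security ike gateway dc-rtr2 address 203.0.113.2
set security ike gateway dc-rtr2 external-interface ge-0/0/0.0
set security ike gateway dc-rtr2 dead-peer-detection always-send
set security ike gateway dc-rtr2 dead-peer-detection interval 10
set security ike gateway dc-rtr2 dead-peer-detection threshold 3
set security ipsec vpn dc-vpn2 bind-interface st0.1
set security ipsec vpn dc-vpn2 ike gateway dc-rtr2
set security ipsec vpn dc-vpn2 ike ipsec-policy dc-ipsec-policy
set security ipsec vpn dc-vpn2 establish-tunnels immediately
## One numbered point-to-point tunnel interface per tunnel, both allowed to receive OSPF
set interfaces st0 unit 0 family inet address 10.255.0.2/30
set interfaces st0 unit 1 family inet address 10.255.0.6/30
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces st0.1 host-inbound-traffic protocols ospf
## OSPF: the primary tunnel gets the lower metric; p2p avoids a DR election over the tunnel
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 metric 10
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.1 metric 100
```

Things to verify during a failover/failback drill: "show security ipsec security-associations" should list both tunnels up again once the primary path is restored (with the default establish-tunnels on-traffic, a tunnel that all traffic has left can stay down because nothing triggers it), "show ospf neighbor" should show the adjacency over st0.0 back in Full, and "show route" for a data-center prefix should switch its next hop back to st0.0 at that moment. OSPF cost is charged on each router's outbound interface, so the DC-side Cisco routers need a matching ip ospf cost on their tunnel interfaces; otherwise return traffic can still prefer tunnel 2 after the SRX has moved back.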
I have two SRX 550s on which VRRP is configured as the failover method. Our client is asking for failover testing to check that the setup is working fine.
Can anybody help me with how to perform failover testing? Thanks in advance.
Primary FW log:
Track route State Cost Interface Group Cfg Run VR State
0.0.0.0/0 up 75 ae0.201 0 200 200 master
Secondary FW log:
Interface State Group VR state VR Mode Timer Type Address
ae0.201 up 0 backup Active D 3.055 lcl X.X.X.X
vip X.X.X.X
mas X.X.X.X
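An added example of a VRRP pair and a failover drill that matches the output above, written by the editor and not taken from the original post; the addresses, the secondary's priority and the static default route are assumptions, while the group number, interface, configured priority 200 and tracked-route cost 75 are the values visible in the poster's output.

```junos
## Added example: VRRP pair on ae0.201 with default-route tracking, plus a failover drill (assumed addresses)
## Primary firewall: priority 200, minus 75 when the tracked default route disappears (200-75 = 125)
set interfaces ae0 unit 201 family inet address 192.0.2.2/24 vrrp-group 0 virtual-address 192.0.2.1
set interfaces ae0 unit 201 family inet address 192.0.2.2/24 vrrp-group 0 priority 200
set interfaces ae0 unit 201 family inet address 192.0.2.2/24 vrrp-group 0 preempt
set interfaces ae0 unit 201 family inet address 192.0.2.2/24 vrrp-group 0 accept-data
set interfaces ae0 unit 201 family inet address 192.0.2.2/24 vrrp-group 0 track route 0.0.0.0/0 routing-instance default priority-cost 75
## Secondary firewall: priority 150, so it only wins once the primary's tracked route has failed (150 > 125)
set interfaces ae0 unit 201 family inet address 192.0.2.3/24 vrrp-group 0 virtual-address 192.0.2.1
set interfaces ae0 unit 201 family inet address 192.0.2.3/24 vrrp-group 0 priority 150
set interfaces ae0 unit 201 family inet address 192.0.2.3/24 vrrp-group 0 preempt
set interfaces ae0 unit 201 family inet address 192.0.2.3/24 vrrp-group 0 accept-data
set interfaces ae0 unit 201 family inet address 192.0.2.3/24 vrrp-group 0 track route 0.0.0.0/0 routing-instance default priority-cost 75
## Drill 1, run on the primary: remove the tracked route and watch mastership move to the secondary
## Before the drill both nodes must agree: primary master, secondary backup, track state up
show vrrp summary
show vrrp track
## Assumes the default route is a static route; deactivating it makes the tracked route go down
deactivate routing-options static route 0.0.0.0/0
commit
## Expect: track state down, run priority 125, VR state backup here and master on the secondary
show vrrp track
show vrrp summary
## Restore the route; with preempt the primary should take mastership back
rollback 1
commit
show vrrp summary
## Drill 2, run on the primary: take the VRRP interface itself down, then restore it
set interfaces ae0 unit 201 disable
commit
show vrrp summary
rollback 1
commit
show vrrp summary
```

Run a continuous ping to the virtual address from a LAN host during each drill and count the lost packets; that number, together with the before/after "show vrrp summary" output from both boxes, is the evidence the client is asking for. Two standalone SRXs running VRRP do not synchronise sessions the way a chassis cluster does, so established stateful sessions through the old master are dropped at failover; include a long-lived TCP session (an SSH login, say) in the test so the client sees that behaviour rather than discovering it in production.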
Hello
I'm confused whether this is an SRX issue or a Microsoft issue.
We have three networks:
2xLAN: 172.19.224/226
SQL: 172.21.25.10
Between the first two LANs and the SQL server are two SRX devices, configured with allow-any policies "temporarily" just to debug the issue.
The thing is that RPC is not working fine and is sending an error message.
If the SQL server resides on the same LAN "172.19.x.x" it works just fine.
RPC is not working between LAN 172.19.226.0/24 and SQL 172.21.25.10, but it is working fine from 172.19.224.0/24 to SQL 172.21.25.10.
I've also followed KB23730, but the problem still exists.
I've captured the flow on PCs from both LANs and this is the only difference:
Not sure what IRemUnknown or IOXIDResolv is ....
Hi!
We're getting occasional panics and are out of ideas. It started suddenly; we opened an RMA and got a replacement 340. Let me shed some light: before this it was running for half a year without a problem. None. It is weird that even the replacement hardware panics every hour. It doesn't matter whether I rack it or run it on my desk; eventually it will panic. If more debugging is needed, we're happy to provide it.
Thanks in advance,
A.
JUNOS 15.1X49-D130.6 #0: 2018-03-04 17:25:09 UTC
builder@ralenth.juniper.net:/volume/build/junos/15.1/service/15.1X49-D130.6/obj/octeon/junos/bsd/kernels/JSRXNLE/kernel
real memory = 4294967296 (4194304K bytes)
avail memory = 2621882368 (2500MB)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
Security policy loaded: Junos MAC/veriexec (mac_veriexec)
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
MAC/veriexec fingerprint module loaded: SHA1
MAC/veriexec fingerprint module loaded: SHA256
netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
cpu0 on motherboard
: CAVIUM's OCTEON 70XX/71XX CPU Rev. 0.2 with no FPU implemented
L1 Cache: I size 78kb(128 line), D size 32kb(128 line), thirty two way.
L2 Cache: Size 512kb, 4 way
obio0 on motherboard
uart0: <Octeon-16550 channel 0> on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
set clock 0x58
xhci0: <Cavium Octeon 7xxx xHCI Host Driver> on obio0
usb0: <USB bus for xHCI Controller> on xhci0
usb0: USB revision 3.0
uhub0: vendor 0x0000 XHCI root hub, class 9/0, rev 3.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
xhci1: <Cavium Octeon 7xxx xHCI Host Driver> on obio0
usb1: <USB bus for xHCI Controller> on xhci1
usb1: USB revision 3.0
uhub1: vendor 0x0000 XHCI root hub, class 9/0, rev 3.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
cpld0 on obio0
pcib0: <Cavium on-chip PCIe HOST bridge> on obio0
Disabling Octeon big bar support
pcib0: Initialized controller
pci0: <PCI bus> on pcib0
pci0: <network, ethernet> at device 0.0 (no driver attached)
pci0: <network, ethernet> at device 0.1 (no driver attached)
ahci0: <Cavium Octeon AHCI> on obio0
ahci0: AHCI v1.30 controller with 2 6Gbps ports, PM supported
ata0: <Cavium Octeon AHCI Channel> on ahci0
ata1: <Cavium Octeon AHCI Channel> on ahci0
gblmem0 on obio0
octpkt0: <Octeon RGMII> on obio0
cfi0: <Macronix MX25L64 - 8MB> on obio0
cfi1: <Macronix MX25L64 - 8MB> on obio0
octagl0: <Octeon AGL> on obio0
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
miibus0: <MII bus> on octagl0
brgphy0: <BCM54616S 10/100/1000baseTX PHY> on miibus0
brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
Timecounter "mips" frequency 1600000000 Hz quality 0
Registered AMT tunnel Encap with UDP Tunnel!
Loading Redundant LT driver
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
Kernel thread "wkupdaemon" (pid 53) exited prematurely.
Trying to mount root from ufs:/dev/da0s2a
MFSINIT: Initialising MFSROOT
Process-1 beginning MFSROOT initialization...
Creating MFSROOT...
/dev/md0: 20.0MB (40956 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 5.00MB, 320 blks, 640 inodes.
super-block backups (for fsck -b #) at:
32, 10272, 20512, 30752
Populating MFSROOT...
Creating symlinks...
Setting up mounts...
Continuing boot from MFSROOT...
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md1...
M
WARNING: R/W mount of /cf/var denied. Filesystem is not clean - run fsck
mount: /dev/bo0s3f : Operation not permitted
** /dev/bo0s3f
** Last Mounted on /cf/var
** Phase 1 - Check Blocks and Sizes
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Time and ticks drifted too much, resetting synchronization...
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
panic: Hardware watchdog timeout
cpuid = 0
KDB: stack backtrace:
SP 0: not in kernel
uart_sab82532_class+0x0 (0,0,0,0) ra 0 sz 0
pid 30, process: swi5: cambio
Uptime: 8m14s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
NMI Exception on core:0
Watchdog status, core 0: 0xfffecbffffb
FPA INT Summery: 0x2000000000000
Err EPC: 0x80a6d7dc
Trapframe Register Dump:
zero: 0000000000000000 at: fffffffffffffffe v0: 0000000050c808e5 v1: 0000000022bd85ae
a0: 00000000000186a0 a1: ffffffff80dc06b0 a2: 00000000ffff8010 a3: 0000000000000067
t0: 00000000508008a1 t1: 0000000000000000 t2: ffffffff80011800 t3: 0000000000000800
ta0: 0000000000000000 ta1: 0000000000000001 ta2: 0000000000000000 ta3: 0000000000000000
t8: 0000000023c34600 t9: 000000006f35bed1 s0: 000000000537dace s1: 0000000009896800
s2: 000000001d85aaec s3: ffffffffc6e3a14c s4: ffffffff80a90000 s5: 0000000000000100
s6: 0000000000000001 s7: ffffffffc6ee3000 k0: 00bb3f24808b1101 k1: 0034002000040028
gp: ffffffff80ca2a80 sp: ffffffffeafab5d8 s8: ffffffff80b423cc ra: ffffffff8079a9cc
sr: 0000000050c808e5 mullo: 000000000f023000 mulhi: 0000000019000000
pc: ffffffff8015f7bc cause: 0000000040008408 badvaddr: ffffffffc6efa0dc
ErrPC: 0000000000000840
Current ticks/softticks 492920/10854, curproc [30] swi5: cambio
Core0: CacheErr(I/D: current: 0x2000000000000000/0xffffffffffff0000)
PCPU dump:
cpuid = 0
curthread = 0xc6ee3000: pid 30 "swi5: cambio"
ipis = 0x0
cpuid = 1
curthread = 0xc6e61000: pid 20 "idle: cpu1"
ipis = 0x0
cpuid = 2
curthread = 0xc6e5dc60: pid 19 "idle: cpu2"
ipis = 0x0
cpuid = 3
curthread = 0xc6e5da50: pid 18 "idle: cpu3"
ipis = 0x0
cpuid = 4
curthread = none
ipis = 0x0
cpuid = 5
curthread = none
ipis = 0x0
cpuid = 6
curthread = none
ipis = 0x0
cpuid = 7
curthread = none
ipis = 0x0
cpuid = 8
curthread = none
ipis = 0x0
cpuid = 9
curthread = none
ipis = 0x0
cpuid = 10
curthread = none
ipis = 0x0
cpuid = 11
curthread = none
ipis = 0x0
Memory dump of 1024 words starting at 0x80000000
0x80000000: 0829b8e3 401a4000 00000000 00000000
0x80000010: 00100000 00000000 00000000 00000000
0x80000020: 00000000 00000000 00000000 00000000
0x80000030: 00000000 00000000 00000000 00000000
0x80000040: 00000000 00000000 00000000 00000000
0x80000050: 00000000 00000000 00000000 00000000
0x80000060: 00000000 00000000 00000000 00000000
0x80000070: 00000000 00000000 00000000 00000000
0x80000080: 0829b8e3 401a4000 00000000 00000000
0x80000090: 00000000 00000000 00000000 00000000
0x800000a0: 00000000 00000000 00000000 00000000
0x800000b0: 00000000 00000000 00000000 00000000
0x800000c0: 00000000 00000000 00000000 00000000
0x800000d0: 00000000 00000000 00000000 00000000
0x800000e0: 00000000 00000000 00000000 00000000
0x800000f0: 00000000 00000000 00000000 00000000
0x80000100: 3c1b80df 277b2910 7c1a003b 001ad0c0
0x80000110: 035bd821 403ad801 ff7a0000 401a6000
0x80000120: 335a0002 17400005 00000000 3c1a80a7
0x80000130: 275af740 03400008 00000000 3c1a807c
0x80000140: 275aa92c 03400008 00000000 1000ffff
0x80000150: 00000000 42000018 00000000 00000000
0x80000160: 00000000 00000000 00000000 00000000
0x80000170: 00000000 00000000 00000000 00000000
0x80000180: 401a6000 401b6800 335a0010 001ad0c0
0x80000190: 337b007c 037ad825 3c1a80c9 275ac180
0x800001a0: 035bd021 8f5a0000 00000000 03400008
0x800001b0: 00000000 00000000 00000000 00000000
0x800001c0: 00000000 00000000 00000000 00000000
0x800001d0: 00000000 00000000 00000000 00000000
0x800001e0: 00000000 00000000 00000000 00000000
0x800001f0: 00000000 00000000 00000000 00000000
0x80000200: 00000000 00000000 00000000 00000000
0x80000210: 00000000 00000000 00000000 00000000
0x80000220: 00000000 00000000 00000000 00000000
0x80000230: 00000000 00000000 00000000 00000000
0x80000240: 00000000 00000000 00000000 00000000
0x80000250: 00000000 00000000 00000000 00000000
0x80000260: 00000000 00000000 00000000 00000000
0x80000270: 00000000 00000000 00000000 00000000
0x80000280: 00000000 00000000 00000000 00000000
0x80000290: 00000000 00000000 00000000 00000000
0x800002a0: 00000000 00000000 00000000 00000000
0x800002b0: 00000000 00000000 00000000 00000000
0x800002c0: 00000000 00000000 00000000 00000000
0x800002d0: 00000000 00000000 00000000 00000000
0x800002e0: 00000000 00000000 00000000 00000000
0x800002f0: 00000000 00000000 00000000 00000000
0x80000300: 00000000 00000000 00000000 00000000
0x80000310: 00000000 00000000 00000000 00000000
0x80000320: 00000000 00000000 00000000 00000000
0x80000330: 00000000 00000000 00000000 00000000
0x80000340: 00000000 00000000 00000000 00000000
0x80000350: 00000000 00000000 00000000 00000000
0x80000360: 00000000 00000000 00000000 00000000
0x80000370: 00000000 00000000 00000000 00000000
0x80000380: 00000000 00000000 00000000 00000000
0x80000390: 00000000 00000000 00000000 00000000
0x800003a0: 00000000 00000000 00000000 00000000
0x800003b0: 00000000 00000000 00000000 00000000
0x800003c0: 00000000 00000000 00000000 00000000
0x800003d0: 00000000 00000000 00000000 00000000
0x800003e0: 00000000 00000000 00000000 00000000
0x800003f0: 00000000 00000000 00000000 00000000
Stack trace:
R4K_GetCOUNT+0xc (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x8079a9cc sz 0
DELAY+0x54 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801dc318 sz 32
shutdown_panic+0x54 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801dd608 sz 32
boot+0x7a4 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801ddee4 sz 48
panic+0x580 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x807b43b4 sz 64
panic_on_watchdog_timeout+0x78 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x807da754 sz 32
re_srxsme_watchdog_intr+0x158 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x8078aaac sz 24
mips_handle_this_interrupt+0x8c (0x186a0,0x1,0x80010700,0x508008a1) ra 0x8078ab38 sz 40
mips_handle_interrupts+0x58 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x8078af5c sz 48
mips_interrupt+0x224 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x80a6ed14 sz 32
MipsKernIntr+0x140 (0x1,0,0x80a8969c,0xd5) ra 0x80121e84 sz 368
dadone+0x1a8 (0x1,0,0x80a8969c,0xd5) ra 0 sz 776
pid 30, process: swi5: cambio
Resetting the system now...
cpu_reset: Stopping other CPUs
timeout stopping cpus
SPI stage 1 bootloader (Build time: Dec 9 2017 - 13:45:17)
U-Boot 2013.07-JNPR-3.5 (Build time: Dec 09 2017 - 13:45:17)
SRX_340 board revision major:1, minor:13, serial #: CY5016AF0253
OCTEON CN7130-AAP pass 1.2, Core clock: 1600 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10fc00000, size: 0x400000
DRAM: 4 GiB
Clearing DRAM...... done
Using default environment
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Found valid SPI bootloader at offset: 0x80000, size: 1377808 bytes
U-Boot 2013.07-JNPR-3.5 (Build time: Dec 09 2017 - 13:47:20)
Using DRAM size from environment: 4096 MBytes
SATA0: not available
SATA1: not available
SATA BIST STATUS = 0x0
SRX_340 board revision major:1, minor:13, serial #: CY5016AF0253
OCTEON CN7130-AAP pass 1.2, Core clock: 1600 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10f000000, size: 0x1000000
DRAM: 4 GiB
Clearing DRAM...... done
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
PCIe: Port 0 link active, 1 lanes, speed gen2
PCIe: Link timeout on port 1, probably the slot is empty
PCIe: Port 2 not in PCIe mode, skipping
Net: octrgmii0
octeon_fdt_broadcom_config: Unknown broadcom phy for octrgmii0
Interface 4 has 1 ports (AGL)
Type the command 'usb start' to scan for USB storage devices.
Boot Media: eUSB usb
Found TPM SLB9660 TT 1.2 by Infineon
TPM initialized
Hit any key to stop autoboot: 0
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 1048576 bytes @ 0x200000 Read: OK
## Starting application at 0x8f0000a0 ...
Consoles: U-Boot console
Found compatible API, ver. 3.5
USB1:
Starting the controller
USB XHCI 1.00
scanning bus 1 for devices... 2 USB Device(s) found
USB0:
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 1 Storage Device(s) found
FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.9
(builder@haku.juniper.net, Thu Nov 5 23:17:51 UTC 2015)
Memory: 4096MB
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
[8]Booting from eUSB slice 1
Loading /boot/defaults/loader.conf
/kernel data=0xba0974+0x152ba4 WARN halted endpoint, queueing URB anyway.
Unexpected XHCI event TRB, type: 33, expected: 32, skipping... (0f3a1430 00000001 13000000 01008400)
Error: Mismatch slot ID or index, 0 != 1, field: 0x0, index: 0xffffffff, expect 0x0
Warning: transfer comp code 0x0 != 0x1a (COMP_STOP)
BUG: failure at xhci-ring.c:589/abort_td()!
BUG!
Uff... sometimes Security Director is difficult :-|
Here is my case.
I've updated the DMI schema from Junos Space 17.2R1 in order to perfectly match my vSRX 17.3R1.10.
The problem is that while I'm trying to configure SDSN 17.2R1 through Junos Security Director, it's missing some parameters that Junos requires but Security Director doesn't mention.
For example, see below. I tried to configure SDSN manually by CLI and it works correctly!
After that I synchronized the policy with Security Director, updated the policy and tried to push it.
The problem specifically is that it's trying to remove the "match and permit" policy from the service advanced-threat-prevention, but as I said, it seems to be required by the system!
Maybe Security Director is right and I should install an older DMI, because the "match and permit statement" was allowed in the 15.x version... but these things are really strange, BTW.
Any update please?
##Security Policy Settings##
set security policies policy-rematch
##Security Firewall Policy : contact - Server##
delete security policies from-zone contact to-zone Server policy VPN-Client_to_Server then permit application-services
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match application junos-dns-udp
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match destination-address dc_host
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match destination-address synology_host
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : Server - contact##
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match application junos-dns-udp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match application server-internet_access
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match destination-address any
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match source-address server-net
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services idp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services utm-policy Advance_internet_antivirus
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match application Synology-Torrent
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match application synology_internet
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match destination-address any-ipv4
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match source-address synology_host
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services idp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application junos-icmp-ping
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application junos-snmp-agentx
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application snmp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match destination-address any-ipv4
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match source-address phpipam
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application junos-https
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application junos-ssh
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application snmp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match destination-address fw-edge-inside
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match destination-address EX-Core
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match source-address Junos-SPACE
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match source-address phpipam
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : contact - junos-host##
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-https
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ssh
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ping
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : Server - junos-host##
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-icmp-all
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ssh
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-snmp-agentx
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application snmp
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match source-address server-net
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : junos-host - contact##
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match source-address Block_from_Reagion
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match destination-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : junos-host - Server##
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match application any
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : contact - junos-host##
insert security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 before policy HQ_mgmt_FW
##Security Firewall Policy : contact - Server##
insert security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 before policy HQ_to_serverDNS
##Security Firewall Policy : Server - contact##
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 before policy DNS-DC_request
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 before policy server_internet_access
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 before policy synology_internet_access
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 before policy Observium_to_HQ
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 before policy Space-MGMT
##Security Firewall Policy : Server - junos-host##
insert security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 before policy SNMP-Monitoring
##Security Firewall Policy : junos-host - Server##
insert security policies from-zone junos-host to-zone Server policy vSRX-Server after policy PolicyEnforcer-Rule1-2
##Security Firewall Policy : global ##
set security policies global policy PolicyEnforcer-Rule1-2 match application any
set security policies global policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies global policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Advanced AntiMalware Policy Configurations##
delete services advanced-anti-malware policy SkyATP_DMZ match (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ then (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ inspection-profile
delete services advanced-anti-malware policy SkyATP_DMZ default-notification
delete services advanced-anti-malware policy SkyATP_DMZ whitelist-notification
delete services advanced-anti-malware policy SkyATP_DMZ blacklist-notification
Good Day,
Has anyone set up, or does anyone know how, NAT graphing can be achieved with the use of SNMP? Some details that can be extracted using SNMP, for example: pool utilization, number of translations and current translations, etc. Similar details to those that can be seen in J-Web. Please no suggestions or links, only if you know how or know of documentation you used successfully. The platform in use is an SRX5800 and a SolarWinds server.
Thanks,
hello,
I have an SRX 550 without any module in it. When we boot it, we get this message popping up at the start:
CHASSISD_IOCTL_FAILURE: readpcireg: ioctl failed for PCIOCREAD (Operation not supported by device)
Does someone have an idea of what can cause this failure? Does this unit need to be replaced?
Thx
Dear all,
I have googled how to import a certificate exported from AD to SRX devices for SSL proxy, but no luck.
Hope I can get some advice here.
Thank you so much!
Tuan
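An added example of the import the post above asks about, written by the editor and not taken from the poster or from Juniper documentation; it assumes SSL forward proxy (the SRX re-signs origin-server certificates with a CA the clients already trust), that the CA certificate and private key were exported from AD CS as a PFX, and that file names, certificate IDs, zones and the CA profile name are placeholders. The SRX loads PEM, so convert the PFX off-box first, for instance with openssl pkcs12 -in ca.pfx -nokeys -clcerts -out adcs-subca.pem and openssl pkcs12 -in ca.pfx -nocerts -nodes -out adcs-subca.key, then copy both files to /var/tmp on the SRX with scp.

```junos
## Added example: AD CS CA certificate and key loaded into an SRX for SSL forward proxy (assumed names)
## Operational mode, step 1: import the CA certificate and its private key under one certificate-id
request security pki local-certificate load certificate-id ssl-proxy-ca filename /var/tmp/adcs-subca.pem key /var/tmp/adcs-subca.key
## Step 2: confirm it loaded and that the subject is the CA you expect
show security pki local-certificate certificate-id ssl-proxy-ca
## Configuration mode, step 3: a CA profile for each public root the SRX should trust when it validates origin servers
set security pki ca-profile public-root-1 ca-identity public-root-1
commit
## Operational mode: load that root's certificate into the profile
request security pki ca-certificate load ca-profile public-root-1 filename /var/tmp/public-root-1.pem
## Configuration mode, step 4: the forward-proxy profile signs the regenerated server certificates with the AD CS CA
set services ssl proxy profile ssl-fwd root-ca ssl-proxy-ca
set services ssl proxy profile ssl-fwd trusted-ca all
## Step 5: attach the profile to the policy whose HTTPS traffic should be decrypted and inspected
set security policies from-zone trust to-zone untrust policy web-inspect match source-address any
set security policies from-zone trust to-zone untrust policy web-inspect match destination-address any
set security policies from-zone trust to-zone untrust policy web-inspect match application junos-https
set security policies from-zone trust to-zone untrust policy web-inspect then permit application-services ssl-proxy profile-name ssl-fwd
set security policies from-zone trust to-zone untrust policy web-inspect then log session-init
commit
```

Two points worth checking before committing this on a production box. The private key of whatever CA you load becomes resident on the firewall and is used to mint certificates for every intercepted site, so export a subordinate (issuing) CA dedicated to the proxy rather than the AD root, and keep the PEM key file off shared storage; if the exported key is encrypted, the load command also accepts a passphrase option instead of an unencrypted key. Domain-joined clients trust the AD CS chain through Group Policy, which is the whole reason to use an AD-issued CA here; any client outside that trust (BYOD, Linux hosts, certificate-pinning apps) will see certificate errors for proxied sites until the CA is installed on it or the traffic is exempted from the policy.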
Hi all,
Does anyone have any idea why the following messages are occurring on the SRX chassis cluster, and how to troubleshoot to understand why they are generated?
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312080 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089296 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089296
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28311824 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28311824
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312336 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312336
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312080 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089040 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089040
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82ebe80
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28311824 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28311824
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312336 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312336
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82ebe80
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089040
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82ebe80
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089296 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089296
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82eb000
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28311824
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312336 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312336
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82eb000
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089040
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82eb000
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82eb000
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089040 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089040
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
Thanks,
Eriydix
Hi
I am trying to configure a VPN from Azure to the SRX. I have an aggregated interface labelled ae2 that is utilised as the gateway interface. This interface has two IP addresses assigned to it. The VPN interface address is advertised via eBGP and can be pinged from our offices. The other is not reachable, as it is an internal network address.
When I run the following command on the ae2 interface on the SRX, I see the Azure IP attempting to build Phase 1, but I see no response back and no IKE security association is built:
run monitor traffic interface ae2 no-resolve size 1500 (matching "net <ipaddress>")
I have also configured a static route to the exit interface for the azure gateway address.
I am guessing, from my troubleshooting, that it is using the other IP address for the return traffic even though a static route is configured.
So, my question is: can a site-to-site VPN be configured on an aggregated interface?
It's not really urgent, as I have cabled up a separate port for this if required.
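As an added example, not configuration from the original post: on the SRX an IKE gateway can be pinned to one of the addresses on a multi-address interface with `local-address`. Without it, the static route only decides the next hop; Junos still picks the source address, and a peer such as Azure drops IKE packets that arrive from any address other than the one configured as its remote endpoint. An aggregated Ethernet interface is accepted as `external-interface`. The gateway, policy and VPN names and all addresses below (azure-gw, 203.0.113.10, 198.51.100.2, ae2.0, st0.0) are placeholders.

```junos
security {
    ike {
        gateway azure-gw {
            ike-policy azure-ike-policy;        # assumed policy name (IKEv2, pre-shared key)
            address 203.0.113.10;               # placeholder: Azure VPN gateway public IP
            local-address 198.51.100.2;         # the address on ae2 that Azure was given as its peer
            external-interface ae2.0;           # the aggregated interface is valid here
            version v2-only;
        }
    }
    ipsec {
        vpn azure-vpn {
            bind-interface st0.0;
            ike {
                gateway azure-gw;
                ipsec-policy azure-ipsec-policy;  # assumed policy name
            }
            establish-tunnels immediately;
        }
    }
}
```

To confirm which address the SRX actually used, `show security ike security-associations detail` lists the local address of each SA, and `monitor traffic interface ae2 no-resolve matching "host 203.0.113.10 and (udp port 500 or udp port 4500)"` restricts the capture to IKE so the source of the SRX's replies is visible.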
Dear Members,
We are experiencing a weird problem with our HA configuration. The nodes are just installed and configured with a basic HA configuration. The problem is that a node transitions to the disabled state after missing heartbeats. The nodes are connected back to back and we have tried changing SFPs, cables and even both nodes, but the problem persists. Please note that a similar pair is working fine in another location with the same software and hardware.
We did upgrade the software to the latest release as recommended by JTAC, but the issue is still the same. The case is now pending with ATAC and all the related logs have been provided.
Please let me know if any of you have faced a similar situation and what the solution could be. For Juniper employees, the case number is
2018-0503-0166
Error
May 23 21:14:04 Successfully sent jnxJsChClusterIntfTrap trap with severity minor to inform that Control link - em0 state changed from UP to DOWN on cluster 1; reason: missed heartbeats
May 23 21:14:07 missed heartbeats on control link between 25 to 33
Configuration
## Last commit: 2018-05-24 03:33:16 PKT by tayyab
version 15.1X49-D130.6;
groups {
    node0 {
        system {
            host-name LHR_SRX_CH_FWL01;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.12.41.227/23;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name LHR_SRX_CH_FWL02;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.12.41.228/23;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    time-zone Asia/Karachi;
    root-authentication {
        encrypted-password "$5$Ne4994/h$78cjDSVswBRh1lmOSdYwUTny7P/kZDG80bZoKJKCkb5"; ## SECRET-DATA
    }
    login {
        user tayyab {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$5$/./JeNE3$VGQK0zZrlqibVO7puB.3TJ4u91G0j7d6a4LsQmtv.X4"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        netconf {
            ssh;
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 50;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 50;
        }
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet;
        }
    }
}
Thanks & Regards,
Tayyab Bin Tariq
Hi, we seem to hit the performance bottleneck of an SRX-5400 cluster without explicitly configuring express-path. The chassis has one 10x10GE IOC II and one SPC II card; the 3 SPU CPUs on the SPC card shoot up to 100% when roughly 4Gbps/2Mpps of traffic is passing through this box, at which point we observed 20% packet drops and delays. This is a ridiculously low throughput number considering that we spent tens of thousands of dollars on this SRX-5400 cluster. IMHO the official SRX-5400 spec data looked far more than enough for our use case, but we never expected that the throughput number would be less than 1% of what is claimed, although we did not have fully populated SPC cards.
No screen, no ALG, just basic firewalling and NAT.
I did some research; it seems that I have to configure "chassis fpc <> pic <> services-offload" to gain more throughput out of the box (I am not clear whether this should be configured on the IOC or the SPC card, or both). I am wondering: do you guys always configure express-path? What is the side effect of this feature? Why is it not turned on by default? Why wouldn't anyone want more throughput anyway?
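As an added example, not configuration from the original post: Express Path (services offloading) is switched on per PIC of an IOC, and individual security policies then opt their sessions into it. The slot number below is a placeholder, and the zone and policy names are assumed.

```junos
chassis {
    fpc 2 {                      # placeholder: slot holding the IOC (not the SPC)
        pic 0 {
            services-offload;
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy bulk-offload {
                match {
                    source-address any;          # assumed; narrow this to the real bulk flows
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        services-offload;        # sessions matching this policy may be offloaded to the IOC
                    }
                }
            }
        }
    }
}
```

The reason this is per-policy opt-in rather than a default: once a session is offloaded, its packets are forwarded by the IOC and no longer pass through the SPU, so SPU-based inspection (ALGs, IDP, AppSecure) is not applied to that session. Keep the offload policy limited to traffic that genuinely needs nothing beyond stateful firewalling and NAT, and check which sessions were offloaded with `show security flow session services-offload` on releases that support it.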
Hi all,
Can we establish multiple IKE SAs using one gateway on an SRX345? Below is my config. The peer unit is strongSwan. The issue is that user2 cannot establish. Even if I disconnect user1, user2 still cannot establish the IKE SA.
[edit security ike]
test# show
traceoptions {
file ike-debug size 10m files 10;
flag all;
level 15;
}
proposal ike-proposal {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
}
policy ike-policy {
mode aggressive;
proposals ike-proposal;
pre-shared-key ascii-text "$9$vA4WNdUDkq.foaz39C0OxN-V24aZU"; ## SECRET-DATA
}
gateway ike-gateway {
ike-policy ike-policy;
dynamic user-at-hostname "user1@test.com.us";
dead-peer-detection optimized;
external-interface ge-0/0/0.0;
version v2-only;
}
gateway ike-gateway2 {
ike-policy ike-policy;
dynamic user-at-hostname "user2@test.com.us";
dead-peer-detection optimized;
external-interface ge-0/0/0.0;
version v2-only;
}
[May 18 17:11:25]iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:7.7.7.7, remote:42.153.23.34 IKEv2
[May 18 17:11:25]iked_pm_phase1_sa_cfg_lookup: IKEv2, initial negotiation case, skip ID lookup
[May 18 17:11:25]iked_pm_dynamic_gw_local_addr_based_lookup: called with local ip:7.7.7.7
[May 18 17:11:25]iked_pm_dynamic_gw_local_addr_based_lookup: IKEv2, doing local-address based gateway lookup
[May 18 17:11:25]iked_pm_dynamic_gw_local_addr_based_lookup: ktu local ip:7.7.7.7
[May 18 17:11:25]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr ike-gateway for remote dynamic peer, sa_cfg[ipsec-vpn]
[May 18 17:11:25]iked_pm_phase1_sa_cfg_lookup: dynamic gateway match successfula_cfg:ipsec-vpn Gateway:ike-gateway
[May 18 17:11:25]ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID IDa(type = email (3), len = 22, value = user2@test.com.us) to IKEv1 ID
[May 18 17:11:25]ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID usr@fqdn(any:0,[0..21]=user2@test.com.us)
[May 18 17:11:25]iked_pm_id_validate called with id usr@fqdn(any:0,[0..21]=user2@test.com.us)
[May 18 17:11:25]iked_pm_id_validate id NOT matched.
Thanks and appreciate any feedback
Dear all,
I have a new SRX1400 configuration. After I finished the configuration I connected a laptop to ge-0/0/0, but I cannot reach the ge-0/0/0 IP address from my laptop and also cannot reach my laptop IP address from ge-0/0/0. This is my configuration:
Laptop interface ip address: 192.168.3.1
admin@CIG-HQ# run show configuration
## Last commit: 2018-05-24 11:18:27 UTC by admin
version 12.3X48-D30.7;
system {
host-name CIG-HQ;
root-authentication {
encrypted-password "$1$7q9.bQor$DL82Udw7QTglbnw8QKaLE1"; ## SECRET-DATA
}
login {
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$zCoWnNIU$ybHRtNyEddKjVv2BPO3oW/"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
web-management {
http;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.3.3/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.33.3/24;
}
}
}
fxp0 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
snmp {
community public {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.3.1;
}
}
[edit]
admin@CIG-HQ#
admin@CIG-HQ# run ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3): 56 data bytes
64 bytes from 192.168.3.3: icmp_seq=0 ttl=64 time=0.247 ms
64 bytes from 192.168.3.3: icmp_seq=1 ttl=64 time=0.159 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=64 time=0.167 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=64 time=0.174 ms
^C
--- 192.168.3.3 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.159/0.187/0.247/0.035 ms
[edit]
admin@CIG-HQ# run ping 192.168.3.1 source 192.168.3.3
PING 192.168.3.1 (192.168.3.1): 56 data bytes
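As an added example, not part of the original post: the configuration above contains no `security zones` section. An SRX runs in flow mode by default, a revenue interface that is not a member of a security zone does not accept traffic, and `host-inbound-traffic` decides which services the device itself answers on that zone. fxp0 is the out-of-band management port and needs no zone. The zone and policy names below are assumed.

```junos
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ping;               # lets the laptop ping 192.168.3.3
                    ssh;                # management over ssh only; telnet and http are not opened here
                }
            }
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;             # lets hosts on ge-0/0/0 reach hosts on ge-0/0/1 through the firewall
                }
            }
        }
    }
}
```

After committing, `show security zones` should list both interfaces under trust, and `monitor traffic interface ge-0/0/0 no-resolve` shows whether the laptop's ARP and ICMP even arrive. Note that the posted `system services` block enables telnet and plain http; because host-inbound-traffic only lists ping and ssh, those cleartext services stay unreachable on ge-0/0/0 even though they are enabled globally.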
Hi,
I will try to explain this as best as possible.
RADIUS --> SRX1(Radius-VR) --> SRX1(Customer-VR) --> CORE --> LNS --> LAC --> CPE
The RADIUS could also access the internet via the core and the upstream provider.
So, the policies between the Customer-VR and the Radius-VR are working exactly as I want them to. This means PPP authentication requests from the LNS to the RADIUS.
However, I have just been asked if I can allow Internet access from the RADIUS for repo updates. This will be via a separate route if possible.
Is there a way, on the SRX, that I can tell UDP ports 1812, 1813 and 1814 to go to the LNS while allowing the repository traffic to go via the core and upstream providers? Or will I have to perform this action on the core itself?
Thanks
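As an added example, not configuration from the original post: Junos can steer traffic by port with filter-based forwarding, which is a firewall filter on the ingress interface that hands matching packets to a forwarding-type routing instance holding its own static route. The interface, addresses and instance names below are placeholders. The filter sits on the interface facing the RADIUS server and matches the server's replies (source ports 1812, 1813 and 1814); everything else, including repository updates, keeps following the normal routing table. If that interface lives inside Radius-VR, the `interface-routes` and `rib-groups` statements belong under that instance's `routing-options` rather than the main one.

```junos
interfaces {
    ge-0/0/2 {                                  # placeholder: interface facing the RADIUS server
        unit 0 {
            family inet {
                filter {
                    input RADIUS-TO-LNS;
                }
                address 10.10.10.1/24;          # placeholder
            }
        }
    }
}
firewall {
    family inet {
        filter RADIUS-TO-LNS {
            term radius {
                from {
                    protocol udp;
                    source-port [ 1812 1813 1814 ];   # RADIUS auth/acct replies leaving the server
                }
                then {
                    count radius-to-lns;              # visible in "show firewall filter RADIUS-TO-LNS"
                    routing-instance LNS-PATH;        # destination lookup happens in LNS-PATH.inet.0
                }
            }
            term everything-else {
                then accept;                          # repo updates etc. use the normal table
            }
        }
    }
}
routing-instances {
    LNS-PATH {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.0.2.1;  # placeholder: next hop toward the LNS
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet FBF-RIB;
    }
    rib-groups {
        FBF-RIB {
            import-rib [ inet.0 LNS-PATH.inet.0 ];   # so the next hop above is resolvable inside LNS-PATH
        }
    }
}
```

`show route table LNS-PATH.inet.0` should show the default route plus the copied interface routes; if the next hop is not resolvable there the route stays hidden and the filter silently falls through. Security policies are still evaluated for the steered sessions; the filter only changes the route lookup. If the LNS is already reachable through a more specific route than the default, no filter is needed at all, since only the destination differs between the two traffic classes.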
We are using an SRX550 for a VPN to AWS. The AWS-generated VPN config for the SRX template [JunOS 9.3 or higher] assumes each tunnel has its own public IP, thus needing BGP for failover. All of our single-leg IPsec VPNs use the unnumbered feature. All outbound routes are static routes, while internally we use OSPF. We used a "next-hop preference 10" for the second tunnel's static route syntax. We did use the VPN monitoring syntax [per AWS], but comparing the AWS template with the Juniper VPN Configurator, there were some differences.
So, does anyone have any experience or trade secrets with setting up AWS dual tunnels with an unnumbered single public IP, without using BGP? Just trying to ensure that we get some type of HA that functions. Thanks for any ideas or help.
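As an added example, not from the original post nor from AWS's template: two tunnels terminated on one public address differ only by the AWS peer address, so they need two IKE gateways on the same external interface and two st0 units. Failover without BGP then comes from two things: static routes with a `qualified-next-hop` at a worse preference, and VPN monitoring, which clears a dead SA so that the route through that st0 unit is withdrawn. All names and addresses are placeholders; the 169.254.x.x inside addresses would come from the AWS-generated configuration.

```junos
interfaces {
    st0 {
        unit 1 {
            family inet;                       # unnumbered, as the post describes
        }
        unit 2 {
            family inet;
        }
    }
}
security {
    ike {
        gateway aws-gw-1 {
            ike-policy aws-ike-policy;         # assumed name
            address 203.0.113.11;              # placeholder: AWS tunnel 1 outside address
            external-interface ge-0/0/0.0;     # the single public address lives here
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
        }
        gateway aws-gw-2 {
            ike-policy aws-ike-policy;
            address 203.0.113.12;              # placeholder: AWS tunnel 2 outside address
            external-interface ge-0/0/0.0;     # same interface and local address, different peer
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
        }
    }
    ipsec {
        vpn aws-tunnel-1 {
            bind-interface st0.1;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/1.0;   # assumption: an interface with an address, since st0.1 has none
                destination-ip 169.254.10.1;   # placeholder: AWS inside address of tunnel 1
            }
            ike {
                gateway aws-gw-1;
                ipsec-policy aws-ipsec-policy; # assumed name
            }
            establish-tunnels immediately;
        }
        vpn aws-tunnel-2 {
            bind-interface st0.2;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/1.0;
                destination-ip 169.254.10.5;   # placeholder: AWS inside address of tunnel 2
            }
            ike {
                gateway aws-gw-2;
                ipsec-policy aws-ipsec-policy;
            }
            establish-tunnels immediately;
        }
    }
}
routing-options {
    static {
        route 10.0.0.0/16 {                    # placeholder: the VPC CIDR
            next-hop st0.1;                    # preferred path, default static preference 5
            qualified-next-hop st0.2 {
                preference 10;                 # used only while st0.1 is down
            }
        }
    }
}
```

Two checks matter before trusting this for HA. First, `show route 10.0.0.0/16` must show st0.1 active and st0.2 as the alternate, and after `request security ipsec sa clear` on tunnel 1 (or blocking it) the route should flip to st0.2 within the monitor interval. Second, the address the monitor sources its probes from has to be one the AWS side will answer and one that falls inside the negotiated proxy IDs; if the probes are never answered, the monitor declares the tunnel down even though data traffic would have worked.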
I don't see any global address book when I do:
[edit security]
root@r1# show address-book
r20 {
    address 20 10.20.1.0/24;
    attach {
        zone r20;
    }
}
But when I try to commit I get an error about there being a global address book:
[edit security zones security-zone r20]
'address-book'
Zone specific address books are not allowed when there are global address books defined
error: configuration check-out failed: (statements constraint check failed)
Where else should I look to try to delete this mysterious global address book?
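As an added example, not part of the original post: Junos accepts two mutually exclusive address-book styles. Anything under `security address-book`, including a book that is `attach`ed to a zone, is the style the commit error calls "global"; `security zones security-zone <name> address-book` is the older zone-level style. One configuration cannot carry both. The zone name r20 is taken from the post; the statements are standard Junos.

```junos
## Style A: security-level address books (the "global" style in the commit error).
## A book attached to a zone still counts as this style.
security {
    address-book {
        r20 {
            address 20 10.20.1.0/24;
            attach {
                zone r20;
            }
        }
    }
}

## Style B: zone-level address books. Cannot coexist with any entry in style A.
security {
    zones {
        security-zone r20 {
            address-book {
                address 20 10.20.1.0/24;
            }
        }
    }
}
```

To find every address-book statement in one pass, including ones inherited from `groups` or `apply-groups`, use `show configuration | display inheritance | display set | match address-book`. To stay with style A, remove the zone-level book with `delete security zones security-zone r20 address-book` and commit; to stay with style B, delete `security address-book r20` instead.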
Today we encountered an interesting problem: the SRX3400 (software version 12.1X46-D25.7) stopped all traffic going through all of its ports.
We could not understand why it happened, as the symptoms were as below:
- We can ping the Juniper SRX from internal network
- We cannot ping Juniper SRX from DMZ (which we should have)
- We cannot reach Juniper using SSH and Web Management, only Console is working
- We cannot ping local devices from other local devices connected to Juniper SRX of different ports
- When trying to connect by SSH it does somehow accept the connection but hangs for a while and then connection drops
- We can ping or reach to any device connected to Juniper from Juniper SRX device
- The uplink interface was UP however we cannot ping peering IP
- When we look at the routing engine it shows 0.01 load with 50% memory usage and everything is OK
- There are no alarms in chassis
- There are no alarms in system
- There are no changes in config
- We restarted the machine and the problem was gone (!)
- The system was up for 750 days
I suspect a hardware failure but I am not sure about it.
What do you think the problem is ?
Additional info:
As I investigated, I found thousands of "SIP ALG decode packet error" messages coming from the same IP address. When I searched for it on Google, I found this KB: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1193679
I believe this caused a DoS.