Channel: SRX Services Gateway topics

Ex4200 switch trunking with vmware not working

Dear Team,

We have a setup like:

Firewall => Juniper switch (trunk) => Juniper switch, new (trunk) => VMware machines

We have VMware machines in three different subnets connected through port ge-0/0/32 of the EX4200.

If I make port ge-0/0/32 a trunk it does not work; I also tried an aggregated link, but that is not working either.

My configuration:

set interfaces ge-0/0/32 ether-options 802.3ad ae2
set interfaces ge-0/0/33 ether-options 802.3ad ae2
set interfaces ge-0/0/32 ether-options 802.3ad lacp force-up
set interfaces ge-0/0/33 ether-options 802.3ad lacp force-up
set interfaces ae2 unit 0 family ethernet-switching port-mode trunk
set interfaces ae2 unit 0 family ethernet-switching vlan members 5
set interfaces ae2 unit 0 family ethernet-switching vlan members 158
set interfaces ae2 unit 0 family ethernet-switching vlan members 200
set interfaces ae2 unit 0 family ethernet-switching vlan members 100
set interfaces ae2 aggregated-ether-options lacp passive periodic fast
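
As an added example, not part of the post above: the same two ports and VLANs configured as a static (non-LACP) LAG trunk, which is the only form a VMware standard vSwitch can use (its teaming policy must be "Route based on IP hash"); a vSphere Distributed Switch with an LACP LAG would instead keep `aggregated-ether-options lacp active`. The `chassis aggregated-devices` line is required before any ae interface will commit and is absent from the posted configuration. Lines starting with `#` are commentary, not Junos syntax.

```junos
# Required before any aeN interface can be committed: tells the chassis how many
# LAG interfaces to allocate (4 is an arbitrary choice; it only needs to be >= 3 for ae2).
set chassis aggregated-devices ethernet device-count 4

# Member links. Delete the lacp statements so the bundle is a static LAG: a standard
# vSwitch never sends LACPDUs, so an LACP bundle (active or passive) would never converge.
delete interfaces ge-0/0/32 ether-options 802.3ad lacp
delete interfaces ge-0/0/33 ether-options 802.3ad lacp
set interfaces ge-0/0/32 ether-options 802.3ad ae2
set interfaces ge-0/0/33 ether-options 802.3ad ae2

# The bundle itself: an 802.1Q trunk that carries only the VLANs the ESXi port groups tag.
# Note that no 'aggregated-ether-options lacp' statement is present.
set interfaces ae2 description "ESXi host, static LAG"
set interfaces ae2 aggregated-ether-options link-speed 1g
set interfaces ae2 unit 0 family ethernet-switching port-mode trunk
set interfaces ae2 unit 0 family ethernet-switching vlan members [ 5 100 158 200 ]

# Verification after commit
# run show interfaces ae2 terse
# run show interfaces ge-0/0/32 terse
# run show ethernet-switching interfaces ae2
# run show vlans
```

On the ESXi side, every port group on that vSwitch must tag its VLAN (VLAN ID 5, 100, 158 or 200) and the vSwitch teaming policy must be "Route based on IP hash" with both uplinks active; any other hashing policy on a static LAG produces MAC flapping on the switch, which looks exactly like "the trunk does not work".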

 


SRX-EX LLDP

Hi,

I have 2 questions:

1. Why can't I view the EX2200 directly connected to the SRX210 through the "show lldp nei" command on the SRX?

admin@SRX> show configuration | display set | match lldp
set protocols lldp interface all

master@EX> show configuration | display set | match lldp
set protocols lldp interface all
set protocols lldp-med interface all

admin@SRX> show interfaces terse | match ge-0/0/1
ge-0/0/1 up up
ge-0/0/1.10 up up inet 10.30.35.1/24
ge-0/0/1.20 up up inet 10.38.35.254/24
ge-0/0/1.30 up up inet 10.42.52.254/22
ge-0/0/1.40 up up inet 10.50.35.1/24
ge-0/0/1.50 up up inet 10.51.35.1/24
ge-0/0/1.32767 up up

admin@SRX> show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name
ge-0/0/0.0 - e1:11:11:11:03:74 1001    <<<< this is the WAN Alcatel optical switch

Why can't I view the EX that is connected to the ge-0/0/1 interface?

admin@SRX> show version
Hostname: SRX
Model: srx210he2
JUNOS Software Release [12.1X44-D35.5]

master@EX> show version
Hostname: EX
Model: ex2200-24p-4g
JUNOS Base OS boot [10.4R1.9]

2. Why do I still see this VLAN, when it is not configured on the SRX?

admin@SRX> show interfaces terse | match 32767
ge-0/0/1.32767 up up

admin@SRX> show configuration | display set | match 32767

admin@SRX>

And I can't see that this is related to this KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB2277&smlogin=true&actp=search

because I don't have any 802.3ad link in the configuration.

Thanks !!!

Security policies not passing traffic

We have an SRX100H2 that I'm trying to lock down. Basically, it's a branch VPN, and I only want to pass limited traffic through the tunnel.

I've set everything up (VPN, NAT, etc.), and traffic passes fine as long as the default policy is accept, but nothing passes through the SRX when I change it to deny-all.

As an example, when I try to ping from 10.12.7.2 to 10.252.253.5, I get the following in the traffic log:

Mar 30 00:07:55 VPN-Test-01 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.12.7.2/1->10.252.253.5/23388 icmp 1(8) default-deny(global) vpn trust UNKNOWN UNKNOWN N/A(N/A) st0.0 UNKNOWN policy deny

I've included what I hope are the relevant sections of the config. Again, everything works just how I want it if the default policy is set to accept-all, but not with deny-all.

Thanks!

...Ralph Johnston
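
Reading the denied-session line field by field: source 10.12.7.2 to destination 10.252.253.5, protocol 1 (ICMP) type 8 (echo request), the policy that matched was the default deny in the global context, source zone vpn, destination zone trust, ingress interface st0.0. So the echo request came out of the tunnel into zone vpn, was heading for zone trust, and no vpn-to-trust policy existed once the default was no longer accept-all. Below is an added example, not the poster's configuration, of the minimal policy pair that carries only the wanted traffic, with logging kept on so the next missing zone pair shows up in the same traffic log. Zone names and the two addresses come from the log line; the address-book names and the choice of applications (ping and SSH) are assumptions, and lines beginning with `#` are commentary, not Junos syntax.

```junos
# Address-book entries (names are assumptions; prefixes derived from the log line)
set security address-book global address remote-lan 10.12.7.0/24
set security address-book global address local-host 10.252.253.5/32

# Direction the denied session was travelling: out of the tunnel (st0.0, zone vpn) into zone trust.
# Only the applications that are actually wanted; 'any' would recreate accept-all for this pair.
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address remote-lan
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address local-host
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application junos-icmp-ping
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application junos-ssh
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust then log session-init
set security policies from-zone vpn to-zone trust policy vpn-to-trust then log session-close

# The reverse zone pair is needed only for sessions that hosts in trust initiate towards the branch.
# Reply packets of an existing session never need a second policy; the session table carries them.
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address local-host
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address remote-lan
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application junos-icmp-ping
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn then log session-init

# Keep the lock-down: everything not listed above is dropped.
set security policies default-policy deny-all

# Verification
# run show security policies from-zone vpn to-zone trust
# run show security flow session source-prefix 10.12.7.2
# run show log <traffic-log-file> | match RT_FLOW_SESSION_DENY
```

The RT_FLOW_SESSION_DENY line is the fastest way to build the policy set: each distinct (source zone, destination zone, application) triple in the denies is one policy that is still missing, and anything that never appears in the log did not need a policy in the first place.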

Adding a XPIM to a SRX Cluster

Hello,

Wondering if you could give me some advice!

We currently have an SRX550 cluster in which Node 0 has an Ethernet Switch 16-port 10/100/1000Base-T XPIM and Node 1 does not, doh!

I have another PIM to add to Node 1, but my question is: would there be an issue with installing the PIM whilst the cluster is up, with production traffic flowing through the cluster?

Many Thanks!

 

 

Allow IP Protocols

Hi Guys,

a customer wants to allow IP protocol 97 through his SRX.

So I created an application like this:

set applications application ip97 protocol 97

The rule looks like this:

from-zone Zone1 to-zone Zone2 {
    policy Anchor_Controler {
        match {
            source-address Controller1;
            destination-address [ Controller2 Controller3 ];
            application ip97;
        }
        then {
            permit;
        }
    }
}

However the customer reports that this is not working.

Since I have never had to allow a protocol by number before, and before I search myself crazy on the SRX: is this correct and the error is elsewhere, or do I need more parameters?

Regards

Chris
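
Added example, not the customer's configuration. IP protocol 97 is EtherIP (RFC 3378), a tunnelling protocol with no ports, so the application definition in the post is complete as written. What is easy to miss on a stateful firewall is direction: each tunnel endpoint originates its own traffic, so a session opened from Controller1 does not let Controller2 start one, and the reverse zone pair needs its own policy. The block repeats the post's application and policy in set form, adds the return policy, and lists the commands that show whether protocol-97 sessions are being built at all. Names are the post's; the inactivity timeout is an assumption; `#` lines are commentary, not Junos syntax.

```junos
# Custom application: protocol number only, since EtherIP has no ports.
# Idle tunnels are torn down after this many seconds (assumed value; tune to the controllers' keepalives).
set applications application ip97 protocol 97
set applications application ip97 inactivity-timeout 1800

# Direction 1: Controller1 initiates (the policy from the post, in set form, plus logging)
set security policies from-zone Zone1 to-zone Zone2 policy Anchor_Controler match source-address Controller1
set security policies from-zone Zone1 to-zone Zone2 policy Anchor_Controler match destination-address [ Controller2 Controller3 ]
set security policies from-zone Zone1 to-zone Zone2 policy Anchor_Controler match application ip97
set security policies from-zone Zone1 to-zone Zone2 policy Anchor_Controler then permit
set security policies from-zone Zone1 to-zone Zone2 policy Anchor_Controler then log session-init

# Direction 2: Controller2 or Controller3 initiates. Without this their first packet hits the
# default deny, even though the "same" tunnel works whenever Controller1 speaks first.
set security policies from-zone Zone2 to-zone Zone1 policy Anchor_Controler-return match source-address [ Controller2 Controller3 ]
set security policies from-zone Zone2 to-zone Zone1 policy Anchor_Controler-return match destination-address Controller1
set security policies from-zone Zone2 to-zone Zone1 policy Anchor_Controler-return match application ip97
set security policies from-zone Zone2 to-zone Zone1 policy Anchor_Controler-return then permit
set security policies from-zone Zone2 to-zone Zone1 policy Anchor_Controler-return then log session-init

# Verification: are protocol-97 sessions created, and which policy did they match?
# run show security flow session protocol 97
# run show security policies policy-name Anchor_Controler detail
# run show security policies policy-name Anchor_Controler-return detail
```

If the flow session table never shows a protocol-97 entry while the controllers report failure, the packets are not reaching the policy at all (routing, zone membership or an upstream device); if sessions appear only in one direction, the missing return policy above is the cause. A RT_FLOW_SESSION_DENY line naming Zone2 as the source zone is the signature of that second case.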

How to find out where an object is used?

Hi everyone,

Is there a way to find out where an object is being used? For example, search all the rules containing the object "server-1" or "192.168.5.2"?

Thanks !
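
Added example, not from the post: the Junos CLI has no "where used" report for address objects, but `display set` flattens the configuration to one statement per line, so a regex match over it answers the question, provided the lookup goes IP, then name, then any address-set containing the name, since a policy may reference the set rather than the object. The object and address are the post's; the set name is an assumption; `#` lines are commentary, not Junos syntax.

```junos
# 1. Which address-book name(s) carry the IP? One IP can sit behind several names.
show configuration security address-book | display set | match 192.168.5.2

# 2. Which address-sets include the name? Policies and NAT rules often reference the set.
show configuration security address-book | display set | match "address-set .* address server-1$"

# 3. Every statement (policies, NAT rules, other sets) that references the name or the set.
#    The alternation lets one command cover both; add further set names as found in step 2.
show configuration | display set | match "server-1|dmz-servers"

# 4. Hit counts and the resolved addresses for the policies found in step 3.
show security policies policy-name <policy-name> detail
```

The literal match misses one case: a policy whose address object is a wider prefix (say a /24 that contains 192.168.5.2) also applies to that host, but the string "192.168.5.2" never appears in its configuration. For that, check the candidate prefixes from step 1 with `show security policies` output rather than relying on the text search alone.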

 

 

Google Drive

I have an SRX240 installed. I have default denies on both inbound and outbound. I run a Sophos WS500 internal to the SRX as the proxy, and all users have to use the WS500 as their proxy. This means that I have rules in place that deny access to 80 and 443 unless they come from the proxy server. To locate the proxy I use WPAD. This works for all web browsing on all OS platforms for all browsers.

Google Drive, for some reason that no one has been able to explain, is not picking up the WPAD and is therefore trying to bypass the proxy and access Google directly, being blocked by the rules. Google say to put a list of exceptions in the firewall (https://support.google.com/drive/answer/2589954?hl=en), only many of them are either domain based or wildcard based, neither of which the SRX will allow in the configuration. This list also misses the akamaitechnologies.com and 1e100.net addresses that the software is referencing. The number of IP addresses and/or FQDNs is never ending. Every time I think I have it, another server is leveraged by the software.

So the question is, any ideas on how I get around this? Any suggestions would be helpful because at the moment it looks like junking the SRX for something else.
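
Added example, not from the post. The SRX address book does accept host names (`dns-name`), resolved by the SRX's own resolver and refreshed per DNS TTL, which covers the FQDN entries in Google's list; wildcard domains such as *.1e100.net cannot be expressed, so the exception stays limited to the named hosts. The block shows the least-privilege shape: the proxy may reach anything on 80/443, clients may reach only the named Google hosts directly, and everything else is still denied and logged. The two host names are taken as an assumption from the article the post cites, the address names and zone names are assumptions, and availability of `dns-name` depends on the Junos release in use. `#` lines are commentary, not Junos syntax.

```junos
# The SRX needs a resolver for dns-name entries to work at all.
set system name-server 208.67.222.222

# Host-name address objects. Which hosts Drive actually contacts is not verified here;
# add entries from the support article as the deny log below reveals them.
set security address-book global address gdrive-api dns-name www.googleapis.com
set security address-book global address gdrive-accounts dns-name accounts.google.com
set security address-book global address-set gdrive-direct address gdrive-api
set security address-book global address-set gdrive-direct address gdrive-accounts
set security address-book global address ws500-proxy 192.168.10.5/32
set security address-book global address client-lan 192.168.20.0/24

# Only the proxy may talk to arbitrary web hosts.
set security policies from-zone trust to-zone untrust policy proxy-out match source-address ws500-proxy
set security policies from-zone trust to-zone untrust policy proxy-out match destination-address any
set security policies from-zone trust to-zone untrust policy proxy-out match application [ junos-http junos-https ]
set security policies from-zone trust to-zone untrust policy proxy-out then permit

# Clients may reach the named Google hosts directly, HTTPS only, and every such session is logged
# so the set can be grown deliberately instead of by guesswork.
set security policies from-zone trust to-zone untrust policy gdrive-bypass match source-address client-lan
set security policies from-zone trust to-zone untrust policy gdrive-bypass match destination-address gdrive-direct
set security policies from-zone trust to-zone untrust policy gdrive-bypass match application junos-https
set security policies from-zone trust to-zone untrust policy gdrive-bypass then permit
set security policies from-zone trust to-zone untrust policy gdrive-bypass then log session-init

# Everything else from the LAN is dropped and logged; the log is where the missing hosts show up.
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

# Policies are evaluated top-down; make sure the bypass sits above the deny.
insert security policies from-zone trust to-zone untrust policy gdrive-bypass before policy deny-rest
```

One caveat a practitioner should expect: the SRX resolves the name from its own vantage point, and a CDN may hand the client a different address than it hands the firewall, so a `dns-name` object is a best-effort allow-list, not an exact one. Pointing the clients and the SRX at the same internal resolver keeps the two views aligned.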

SRX cluster with routing instances

Hello all,

I have a case where I have dual ISPs going into a clustered SRX pair. What I really want to do is set up some traffic (VoIP) to go out ISP1 during normal operation, and all other traffic to go out ISP2. If either fails I'd like the specific traffic to go out the remaining ISP until service is restored (for example, if ISP1 fails, all traffic will use ISP2 until ISP1 is restored, then VoIP goes out ISP1 again; the inverse being true as well). I have set up the ISPs in separate zones, and set up separate routing instances for the outbound traffic, but I get an error when I run commit check.

[edit routing-instances isp-1]
'interface'
RT Instance: interfaces disallowed under forwarding instances
error: configuration check-out failed

In my routing instance I have:

isp-1 {
    instance-type forwarding;
    interface reth1.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.1;
        }
    }
}

Without even having RPM set up, I can't even set up multiple routing instances on a RETH interface? Is this right?

These are SRX220H2s, clustered. Everything seems to be working, NAT is happening if I specify a default or static route, and the failover between units (for complete failure) is working. Since I don't know exactly the IPs that are used with the VoIP service (and it could change), I want all my VoIP traffic en masse to just go out ISP1. I have the internal as a separate subnet and VLAN, and the traffic does appear correctly at the SRX.

Thanks!

Sean Garland

Garland TECH
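
The commit error is literal: a `forwarding` instance may not own interfaces (an instance that should own the ISP interface would be `instance-type virtual-router`). For "this class of traffic leaves via ISP1, everything else via ISP2" the usual SRX pattern is filter-based forwarding: the forwarding instance holds only a default route, a rib-group copies the directly connected routes into it so the next-hop resolves, and a firewall filter on the inside interface steers the VoIP VLAN into that instance. The block below is an added example of that pattern, not the poster's configuration. The gateways 1.1.1.1 and 2.2.2.2 and the instance name are from the post; the inside interface reth0.0, the VoIP subnet and the second instance name are assumptions; `#` lines are commentary, not Junos syntax.

```junos
# Forwarding instances hold routes only; the 'interface reth1.0' statement is what failed the commit.
set routing-instances isp-1 instance-type forwarding
set routing-instances isp-1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-instances isp-2 instance-type forwarding
set routing-instances isp-2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.2

# Copy the direct (interface) routes from inet.0 into both instances so that 1.1.1.1 / 2.2.2.2
# resolve and the instances can reach the inside subnets for return traffic.
set routing-options interface-routes rib-group inet share-direct
set routing-options rib-groups share-direct import-rib [ inet.0 isp-1.inet.0 isp-2.inet.0 ]

# Master table: everything not steered by the filter leaves via ISP2, with ISP1 as a backup
# candidate (qualified-next-hop lets one static route carry two next-hops at different preferences).
set routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.2 preference 5
set routing-options static route 0.0.0.0/0 qualified-next-hop 1.1.1.1 preference 10

# Classification on the inside interface: the VoIP VLAN's subnet (assumed 10.0.50.0/24) is looked up
# in isp-1.inet.0; all other traffic falls through to the normal lookup in inet.0.
set firewall family inet filter fbf-voip term voip from source-address 10.0.50.0/24
set firewall family inet filter fbf-voip term voip then routing-instance isp-1
set firewall family inet filter fbf-voip term rest then accept
set interfaces reth0 unit 0 family inet filter input fbf-voip

# Verification
# run show route table isp-1.inet.0
# run show route 8.8.8.8 table isp-1.inet.0
# run show security flow session source-prefix 10.0.50.0/24
```

Two things follow from this design. First, source NAT is unchanged: the existing rule-sets keyed on the ISP zones still apply, because the zone is decided by the egress interface, not by which table did the lookup. Second, the static default inside `isp-1` does not fail over by itself; for the "until ISP1 is restored" requirement an RPM probe through 1.1.1.1 plus an `ip-monitoring` policy with `preferred-route routing-instances isp-1 route 0.0.0.0/0 next-hop 2.2.2.2` temporarily overrides that table's default while the probe is failing.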


SRX210 as a Cisco Router

Hi,

I need to configure an SRX210 as a Cisco router. In Cisco it's easy, but in Junos I can't.

I mean use the SRX like a Cisco 1801 series or a TP-Link router, a neutral router, OpenWRT...

In the Cisco router I have this configuration:

!
ip dhcp pool LAN
 network 10.120.100.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4 87.216.1.65 87.216.1.66
 default-router 10.120.100.1
!
interface FastEthernet0
 description Interface WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1
 switchport access vlan 10
 speed 100
!
interface Vlan10
 description LAN
 ip address 10.120.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip nat inside source list 10 interface FastEthernet0 overload
access-list 10 permit 10.120.100.0 0.0.0.255

Works fine.

My current config on the SRX is this:

set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.128
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 maximum-lease-time 86400
set system services dhcp pool 192.168.2.0/24 default-lease-time 86400
set system services dhcp pool 192.168.2.0/24 domain-name lan
set system services dhcp pool 192.168.2.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.2.0/24 name-server 8.8.4.4
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1

set interfaces ge-0/0/0 description WAN TRUNK
set interfaces ge-0/0/0 gigether-options auto-negotiation
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members WAN
set interfaces ge-0/0/0 unit 0 family ethernet-switching native-vlan-id 1

set interfaces fe-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/3 unit 0 family ethernet-switching
set interfaces fe-0/0/4 unit 0 family ethernet-switching
set interfaces fe-0/0/5 unit 0 family ethernet-switching
set interfaces fe-0/0/6 unit 0 family ethernet-switching

set interfaces vlan unit 1 family inet address 192.168.100.2/24
set interfaces vlan unit 10 family inet address 192.168.2.1/24
set interfaces vlan unit 1074 family inet dhcp

set security forwarding-options family mpls mode packet-based
set vlans LAN description "LAN"
set vlans LAN vlan-id 10
set vlans LAN interface fe-0/0/2.0
set vlans LAN interface fe-0/0/3.0
set vlans LAN interface fe-0/0/4.0
set vlans LAN interface fe-0/0/5.0
set vlans LAN interface fe-0/0/6.0
set vlans LAN interface ge-0/0/1.0
set vlans LAN interface fe-0/0/1.0
set vlans LAN l3-interface vlan.10

set vlans WAN description "IP ISP"
set vlans WAN vlan-id 1074
set vlans WAN l3-interface vlan.1074

set vlans default description "ONT Management"
set vlans default vlan-id 1
set vlans default l3-interface vlan.1

I need to use this option:

set security forwarding-options family mpls mode packet-based

I want to use ROUTER mode, not FIREWALL mode.

Ping from the LAN VLAN gets no response.

admin@SRX210> ping 8.8.8.8 source 192.168.2.1
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

Ping from the WAN VLAN is OK.

admin@SRX210> ping 8.8.8.8 source 192.168.137.214
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=10.252 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=5.227 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=17.560 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss

My WAN IP from the ISP is received via DHCP.

Any help?

Thanks!!!
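
The Cisco configuration in the post is three things: a DHCP client on the WAN, a DHCP server on the LAN, and overload NAT from the LAN subnet to the WAN interface. The SRX already has the first two; what the `family mpls mode packet-based` statement does not give is the third, because that knob affects MPLS only, and packet mode has no NAT anyway. The Junos equivalent of "router with overload NAT" is flow mode with two zones, one permit policy and an interface-based source NAT rule, which is the added example below (not the poster's configuration). The interfaces, VLAN units and the LAN subnet are the post's; zone names are assumptions; `#` lines are commentary, not Junos syntax. The posted configuration shows no zone statements at all; in flow mode an interface outside every zone passes nothing, not even the SRX's own ping, which is enough on its own to explain a ping sourced from vlan.10 failing while the DHCP-addressed WAN interface works.

```junos
# Not needed for IPv4 routing or NAT; it only switches MPLS to packet mode.
delete security forwarding-options family mpls mode packet-based

# Zones: 'ip nat inside' / 'ip nat outside' becomes zone membership plus a NAT rule.
# The WAN zone accepts only what the DHCP client and basic reachability need.
set security zones security-zone lan interfaces vlan.10 host-inbound-traffic system-services all
set security zones security-zone lan interfaces vlan.10 host-inbound-traffic protocols all
set security zones security-zone wan interfaces vlan.1074 host-inbound-traffic system-services dhcp
set security zones security-zone wan interfaces vlan.1074 host-inbound-traffic system-services ping

# 'ip nat inside source list 10 interface FastEthernet0 overload' == source NAT to the egress
# interface address, whatever DHCP assigned to vlan.1074.
set security nat source rule-set lan-to-wan from zone lan
set security nat source rule-set lan-to-wan to zone wan
set security nat source rule-set lan-to-wan rule overload match source-address 192.168.2.0/24
set security nat source rule-set lan-to-wan rule overload then source-nat interface

# A router permits everything outbound; say so explicitly. Nothing is written for wan->lan,
# so unsolicited inbound traffic stays dropped, exactly as behind the Cisco's NAT.
set security policies from-zone lan to-zone wan policy lan-out match source-address any
set security policies from-zone lan to-zone wan policy lan-out match destination-address any
set security policies from-zone lan to-zone wan policy lan-out match application any
set security policies from-zone lan to-zone wan policy lan-out then permit

# 'ip tcp adjust-mss 1452'
set security flow tcp-mss all-tcp mss 1452

# Verification after commit
# run show system services dhcp client          (lease and default route learned on vlan.1074)
# run show route 0.0.0.0/0
# run show security zones
# run show security flow session source-prefix 192.168.2.0/24
# run ping 8.8.8.8 source 192.168.2.1 count 3
```

The DHCP client on vlan.1074 installs the default route it learns from the ISP; if `show route 0.0.0.0/0` is empty after the lease is up, check that the WAN zone's `host-inbound-traffic` includes `dhcp`, because without it the offer is dropped at the zone before the client ever sees it.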

SRX won't allow users to select IKEv2 PRF

Hi, all,

I struggled for hours to bring up IKEv2 between an SRX and a Cisco ASA which we have no control of. The SRX is the initiator; the ASA side immediately returns "no proposal chosen" when IKEv2 is initiated from the SRX side. Finally I gave up and asked the ASA side admin to send me their side's configuration. I was surprised to find that the ASA's IKEv2 policy has a separate entry for PRF. PRF has the same algorithm as authentication in IKEv1, but Cisco ASA obviously gives the user the option to choose a different algorithm for PRF than the authentication algorithm in IKEv2. After asking the ASA side admin to match the PRF algorithm with the authentication algorithm, both P1 and P2 came up right away (why the discrepancy between the actual configuration and the proposals exchanged over email is a totally different story).

My question: the SRX does not allow the user to choose the PRF in an IKEv2 proposal at all; is this the right implementation?
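
Added example, not from the post. IKEv2 negotiates four transform types in the IKE SA proposal (encryption, PRF, integrity, Diffie-Hellman group); the SRX exposes only `authentication-algorithm` and advertises the same hash as both integrity and PRF, so the peer's policy has to agree on both. The block shows an SRX IKEv2 proposal and, in the comments, the four ASA `crypto ikev2 policy` values it maps to; a mismatch in `prf` alone is enough for the ASA to answer NO_PROPOSAL_CHOSEN, which is what the post describes. Peer address, interface, names and the pre-shared key placeholder are assumptions; `#` lines are commentary, not Junos syntax.

```junos
# IKE SA proposal. authentication-algorithm doubles as the IKEv2 PRF on the SRX.
set security ike proposal ikev2-p1 authentication-method pre-shared-keys
set security ike proposal ikev2-p1 dh-group group14
set security ike proposal ikev2-p1 authentication-algorithm sha-256
set security ike proposal ikev2-p1 encryption-algorithm aes-256-cbc
set security ike proposal ikev2-p1 lifetime-seconds 28800

set security ike policy ikev2-pol proposals ikev2-p1
set security ike policy ikev2-pol pre-shared-key ascii-text "REPLACE-WITH-REAL-KEY"

set security ike gateway asa-gw ike-policy ikev2-pol
set security ike gateway asa-gw address 203.0.113.1
set security ike gateway asa-gw external-interface ge-0/0/0.0
set security ike gateway asa-gw version v2-only

# What the ASA side (not configured here) must carry in the matching 'crypto ikev2 policy':
#   encryption aes-256
#   integrity  sha256      <- SRX authentication-algorithm sha-256
#   prf        sha256      <- same value; the SRX cannot offer anything else
#   group      14
# Changing only 'prf' on the ASA to sha or sha512 reproduces "no proposal chosen".

# What actually went on the wire, when the peer's admin disputes the proposal
# run show security ike security-associations detail
# set security ike traceoptions file ike-debug
# set security ike traceoptions flag ike
```

When the peer is administered by someone else, ask for the `crypto ikev2 policy` block itself rather than a list of "algorithms"; PRF is the field that is routinely left out of such lists, precisely because IKEv1 never had it as a separate setting.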

Not able to learn MAC of RETH interface

Hi Guys,

I have two nodes in cluster mode connected to a Cisco switch. I am able to see the ARP entry of the switch IP on my SRX, but the Cisco switch shows the ARP entry as Incomplete for the SRX reth interface IP. Wondering if anyone has faced this or has any pointers to the root cause.

Topology: [Switch1] ------- [SRX1] ------- [SRX2] ------- [Switch2]
The switches have a trunk between them and the SRXs are in a cluster connected to switch ports in access mode.

SW01#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.205.141.9 0 Incomplete ARPA

SRX01> show arp
MAC Address Address Name Interface Flags
b8:38:61:3b:c4:c1 10.205.141.10 10.205.141.10 reth3.0 none

TIA.

Configure srx240 to ISP

Dear All,

I tried to configure an srx240 to a DIA circuit ISP with static IPs but failed. The srx is configured with the below configuration:

set version 12.1X44-D35.5
set system host-name SRX240STV
set system time-zone MET
set system root-authentication encrypted-password "$1$WZ9iX6Mv$/PPfq6cuHFigpqD2dfK6.."
set system name-server 10.1.1.90
set system name-server 10.1.1.94
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-resolution no-resolve-on-input
set system services ssh protocol-version v2
set system services telnet
set system services netconf ssh
set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management session idle-timeout 60
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server us.ntp.pool.org
set interfaces ge-0/0/1 unit 0 family inet address 192.168.34.100/24
set interfaces ge-0/0/2 unit 0 family inet address 10.110.4.3/22
set interfaces ge-0/0/3 unit 0 family inet address 192.168.1.10/24
set routing-options static route 192.168.150.0/24 next-hop 192.168.34.1
set routing-options static route 0.0.0.0/0 next-hop 10.110.4.1
set protocols stp
set security address-book global address inews-a 192.168.34.61/32
set security address-book global address server1 192.168.3.155/32
set security nat source rule-set nsw_srcnat from zone STV1
set security nat source rule-set nsw_srcnat to zone Internet
set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
set security nat source rule-set nsw_srcnat1 from zone Internet
set security nat source rule-set nsw_srcnat1 to zone STV1
set security nat source rule-set nsw_srcnat1 rule nsw_srcnat1 match source-address-name inews-a
set security nat source rule-set nsw_srcnat1 rule nsw_srcnat1 then source-nat off
set security nat destination pool 192_168_34_100_ address 192.168.34.100/32
set security nat destination rule-set nsw_destnat from zone Internet
set security nat destination rule-set nsw_destnat rule 0_Default--Internal_ match source-address 0.0.0.0/0
set security nat destination rule-set nsw_destnat rule 0_Default--Internal_ match destination-address 10.110.4.3/32
set security nat destination rule-set nsw_destnat rule 0_Default--Internal_ then destination-nat pool 192_168_34_100_
set security nat destination rule-set nsw_dest from zone STV1
set security nat destination rule-set nsw_dest rule int match destination-address 192.168.34.61/32
set security nat destination rule-set nsw_dest rule int then destination-nat off
set security nat static rule-set inews from zone Internet
set security nat static rule-set inews rule r1 match destination-address 10.110.4.5/32
set security nat static rule-set inews rule r1 then static-nat prefix 192.168.34.61/32
set security nat static rule-set inews rule r2 match destination-address 10.110.4.6/32
set security nat static rule-set inews rule r2 then static-nat prefix 192.168.34.62/32
set security policies from-zone STV1 to-zone Internet policy All_Internet_STV1 match source-address any
set security policies from-zone STV1 to-zone Internet policy All_Internet_STV1 match destination-address any
set security policies from-zone STV1 to-zone Internet policy All_Internet_STV1 match application any
set security policies from-zone STV1 to-zone Internet policy All_Internet_STV1 then permit
set security policies from-zone STV1 to-zone Internet policy permit-all match source-address inews-a
set security policies from-zone STV1 to-zone Internet policy permit-all match destination-address any
set security policies from-zone STV1 to-zone Internet policy permit-all match application any
set security policies from-zone STV1 to-zone Internet policy permit-all then permit
set security policies from-zone Internet to-zone STV1 policy All_Internet_STV1 match source-address any
set security policies from-zone Internet to-zone STV1 policy All_Internet_STV1 match destination-address any
set security policies from-zone Internet to-zone STV1 policy All_Internet_STV1 match application any
set security policies from-zone Internet to-zone STV1 policy All_Internet_STV1 then permit
set security policies from-zone Internet to-zone STV1 policy server-access match source-address any
set security policies from-zone Internet to-zone STV1 policy server-access match destination-address inews-a
set security policies from-zone Internet to-zone STV1 policy server-access match application any
set security policies from-zone Internet to-zone STV1 policy server-access then permit
set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone Internet interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

I want to connect the new internet circuit to srx240 ge-0/0/0 and then connect ge-0/0/3 to my switch to distribute the internet.

First of all, I configured the following to check the internet on the srx, but the gateway 10.0.0.5 is not pingable.

root@SRX240STV# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.6/30
root@SRX240STV# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.5
root@SRX240STV# set system name-server 84.235.6.55

Your support and suggestions are highly appreciated
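
Two things stand out in the posted configuration when a new circuit is added on ge-0/0/0. The zone statements list only ge-0/0/1.0 (STV1) and ge-0/0/2.0 (Internet); ge-0/0/0.0 is in no zone, and in flow mode an interface outside every zone forwards nothing, including the SRX's own ping to its gateway. And a default route via 10.110.4.1 already exists, so the added `next-hop 10.0.0.5` turns it into one static route with two next-hops and no control over which is used. The block below is an added example of the checks to run and the two changes that address both, not the poster's configuration; names and addresses are the post's own; `#` lines are commentary, not Junos syntax.

```junos
# 1. Link and connected route: the ping to 10.0.0.5 uses the /30, not the default route.
# run show interfaces ge-0/0/0 terse
# run show route 10.0.0.5

# 2. Zone membership. 'Security: Zone: Null' in the output means the interface drops everything.
# run show interfaces ge-0/0/0.0 | match "Zone"
# run show security zones

# Put the new circuit in the Internet zone next to ge-0/0/2.0; the existing source NAT rule-set
# nsw_srcnat is written 'to zone Internet' with 'source-nat interface', so it follows automatically.
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

# 3. One default route with an explicit preference order: the new circuit primary, the old one backup.
delete routing-options static route 0.0.0.0/0
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.0.0.5 preference 5
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.110.4.1 preference 10

# 4. After commit: gateway reachability from the SRX itself, then a session through it.
# run ping 10.0.0.5 source 10.0.0.6 count 3
# run show route 8.8.8.8
# run show security flow session destination-prefix 8.8.8.8
```

Once the gateway answers, the remaining work is on the LAN side: ge-0/0/3.0 (192.168.1.10/24) is likewise in no zone in the posted configuration and needs to join STV1 (or its own zone with a policy to Internet) before hosts behind the switch can use the circuit.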

 

SRX decrypts packets not matching IPsec SA

Hi, I encountered a situation that may totally change my understanding of how IPsec works... I need you guys' help to clear my doubts. Refer to the following topology:

HostA(70.36.241.106) ----- SRX ----- Internet ----- ASA ---- Customer internal network --- HostB(66.95.19.46)

Host A on my side needs to talk to host B on the customer side securely over the Internet, so we set up an IPsec tunnel between my VPN GW (SRX) and the customer's VPN gateway (ASA). On my side I have proxy-id local 70.36.241.106/32 and remote 66.95.19.46/32 in the IPsec config; I know that on the ASA side the crypto ACL is "permit ip host 66.95.19.46 host 70.36.241.106". Everything is fine, IPsec P1/P2 came up, we can ping each other, everything; the IPsec security association on my side clearly shows that only traffic between the two /32 hosts is being encrypted.

But when I traceroute from my side HostA to the customer side HostB, I see RFC1918 hops behind the customer VPN GW in the traceroute output. I am baffled. I can understand that the customer will use RFC1918 addresses in their internal network, but how could those TTL-expiration ICMP packets get passed beyond their side's ASA? The traffic obviously does not match the crypto ACL, and more importantly, why would the SRX decrypt IP traffic not matching the IPsec SA? I expect to see *s until the last hop in my traceroute output.

Please help...

NAT64 on SRX 240H2 in Cluster

I am facing the following issue when I was setting up IPv6 NAT64: VPN does not work when the below rule is enabled. I removed the below static NAT statement and VPN started working again; here is the command I removed from the SRX:

set security nat static rule-set nat64-static from zone TRUST
set security nat static rule-set nat64-static rule ipv6-clients match destination-address 64:ff9b::/96
set security nat static rule-set nat64-static rule ipv6-clients then static-nat inet

Now the question is: why did the VPN stop when I issued the above command? Secondly, I am not able to configure source-address in the static NAT. I see that this is possible on vSRX and on SRX240H; we have two SRX240H2 in a cluster, the version is as below. Referring to the URL below, a source-address is required for smooth working.

So my questions are:

1) Why did the above static NAT configuration stop VPN?

2) Why is the SRX static NAT not allowing a source address? I believe if a source address is added it should solve the issue.

https://forum.ivorde.com/juniper-srx-nat64-static-nat-inet-impacts-non-nat-ipv4-traffic-t19837.html

root@SRX-HA1# set security nat static rule-set nat64 rule NAT64Static match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address
> destination-address-name  Address from address book
> destination-port     Destination port
{primary:node0}[edit]

root@SRX-HA1> show version
node0:
--------------------------------------------------------------------------
Hostname: SRX-HA1
Model: srx240h2
JUNOS Software Release [12.1X44-D35.5]

node1:
--------------------------------------------------------------------------
Hostname: SRX-HA2
Model: srx240h2
JUNOS Software Release [12.1X44-D35.5]

{primary:node0}

I have the below static NAT for VPN:

set security nat static rule-set one-to-one-nat from zone UNTRUST
set security nat static rule-set one-to-one-nat rule SSLVPN match destination-address x.x.x.x/32
set security nat static rule-set one-to-one-nat rule SSLVPN then static-nat prefix 10.10.10.10/32
set security nat proxy-arp interface reth1.0 address x.x.x.x/32

Question about routings!!

Hey guys, I need help! I need to do some routing, but I don't understand how to do it on a Juniper SRX240...

I have this scenario:

ge-0/0/0 = ISP1 (5 WAN IPs, one gateway)
ge-0/0/1 = ISP2 (4 WAN IPs, one gateway)
ge-0/0/2 = DMZ

I need to route the webserver on the DMZ to the first IP on ISP2, the mailserver to the second IP on ISP2, and the proxy server to the second IP on ISP1, but I don't know if I should create virtual interfaces, or VLANs, and how to route one DMZ IP to another WAN IP...

Could someone guide me a little?

Thank you!!

MarC
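
Added example, not from the post. Mapping one DMZ server to one public address on an SRX is static NAT: no extra interfaces or VLANs are needed, the additional public addresses are never configured on any interface, and the SRX answers ARP for them with `proxy-arp`. Static NAT is bidirectional, so the same rule translates inbound traffic to the server and the server's own outbound traffic back to its public address. The public prefixes below are RFC 5737 documentation placeholders (the post gives no real addresses), the DMZ subnet, server addresses and zone names are assumptions, and only the ISP2 side is written out; ISP1's proxy server follows the same pattern on ge-0/0/0. `#` lines are commentary, not Junos syntax.

```junos
# Interfaces and zones. Only the ISP's own gateway subnet address goes on ge-0/0/1;
# the extra public IPs (.3, .4) exist solely in NAT.
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.2/29
set interfaces ge-0/0/2 unit 0 family inet address 10.20.0.1/24
set security zones security-zone isp2 interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

# 1:1 static NAT per server. Inbound: 198.51.100.3 -> web; outbound from web: source becomes 198.51.100.3.
set security nat static rule-set isp2-public from zone isp2
set security nat static rule-set isp2-public rule web match destination-address 198.51.100.3/32
set security nat static rule-set isp2-public rule web then static-nat prefix 10.20.0.10/32
set security nat static rule-set isp2-public rule mail match destination-address 198.51.100.4/32
set security nat static rule-set isp2-public rule mail then static-nat prefix 10.20.0.11/32

# The SRX must answer ARP on the ISP2 segment for addresses it does not own as interface addresses.
set security nat proxy-arp interface ge-0/0/1.0 address 198.51.100.3/32 to 198.51.100.4/32

# Static NAT is applied before the policy lookup, so policies use the real (DMZ) addresses,
# and permit only the service each server is there for.
set security address-book global address web-srv 10.20.0.10/32
set security address-book global address mail-srv 10.20.0.11/32
set security policies from-zone isp2 to-zone dmz policy inbound-web match source-address any
set security policies from-zone isp2 to-zone dmz policy inbound-web match destination-address web-srv
set security policies from-zone isp2 to-zone dmz policy inbound-web match application [ junos-http junos-https ]
set security policies from-zone isp2 to-zone dmz policy inbound-web then permit
set security policies from-zone isp2 to-zone dmz policy inbound-mail match source-address any
set security policies from-zone isp2 to-zone dmz policy inbound-mail match destination-address mail-srv
set security policies from-zone isp2 to-zone dmz policy inbound-mail match application junos-smtp
set security policies from-zone isp2 to-zone dmz policy inbound-mail then permit
set security policies from-zone dmz to-zone isp2 policy dmz-out match source-address [ web-srv mail-srv ]
set security policies from-zone dmz to-zone isp2 policy dmz-out match destination-address any
set security policies from-zone dmz to-zone isp2 policy dmz-out match application any
set security policies from-zone dmz to-zone isp2 policy dmz-out then permit

# Verification
# run show security nat static rule all
# run show security flow session destination-prefix 10.20.0.10
```

One routing detail matters with two ISPs: replies to inbound sessions always go back the way they came, but connections the servers themselves open follow the default route. If that route points at ISP1, the web and mail servers would leave via ge-0/0/0 and the ISP2 static NAT would not apply to them; to pin them to ISP2, add a firewall filter on ge-0/0/2.0 that sends those two sources to a forwarding instance whose default route is ISP2's gateway.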


SRX220H2 upgrading fails

Hi Experts,

I was trying to upgrade the SRX220H2 but I am getting the following error:

root> request system software add /tmp/usb/junos-srxsme-12.3X48-D25.3-domestic.tgz no-validate no-copy
WARNING: Package 12.3X48-D25.3 is not compatible with this hardware.
WARNING: Please install an SRX image supported for 2G

root> show version
Model: srx220h2
JUNOS Software Release [12.1X44-D35.5]

I downloaded the software for the SRX220 as I didn't find the SRX220H2 in the download section.

Thanks,

 

 

Site-to-Site IPSec VPN Dropping at Soft Lifetime

Hey party people.

We have a site-to-site IPSec tunnel running from an SRX-240 to a NetScreen. Recently (cause or change unknown), the VPN between the two systems has been dropping (and re-connecting) just about exactly every 50 minutes.

We looked into this and here's what we found out - the configuration is set up correctly on both sides:

SRX IKE (Phase 1):

proposal $OUR_PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
}

NetScreen IKE:

set ike p1-proposal $OUR_PROPOSAL preshare group2 esp 3des sha-1 second 86400

SRX IPSEC (Phase 2):

proposal P2Proposal {
    description P2_Proposal;
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}

NetScreen IPSEC:

set ike p2-proposal P2Proposal no-pfs esp aes256 md5 second 3600

What we found after doing some troubleshooting is that the tunnel is dropping and being re-keyed at almost *exactly* 50 minutes, which corresponds *exactly* to the IPSec soft lifetime on the SRX.

Apr 4 10:53:48 Deleted (...) entry from the peer hash table. Reason: lifetime expire
Apr 4 11:43:14 Deleted (...) entry from the peer hash table. Reason: lifetime expire
Apr 4 12:32:44 Deleted (...) entry from the peer hash table. Reason: lifetime expire

I opened a support ticket on this, and the suggestion was to try rebooting the SRX, but I think there's more to it than that here. Anyone got any bright ideas? As it stands, the tunnel re-negotiates automatically after it drops, for another 50 minutes.

 

Track-IP on SRX? Gone, replaced, or outdated?

I apologize for asking this, but everything I can find talks about chassis clustering (which is a nice feature but not what I am looking for). With ScreenOS, there was an ability to track IP addresses off an interface and, if it times out to the chosen IP, it forces the default route to use another interface depending on the preference score.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB7432&smlogin=true&actp=search

Does this ability exist on the SRX? The S2J conversion tool has again failed me in this. I can see the feature in ScreenOS, but not anywhere on the SRX. Does it still exist? Or perhaps there is another method now? Thanks for any information.

Adding SRX cluster into Security Director

Hello

I am having a hard time adding an SRX cluster into Security Director. I am using SNMPv3. I can add only the master SRX. For the backup SRX, it gives the error:

Junos Space is unable to query the device information through SNMP. Check the SNMP settings on the device to verify SNMP is not blocked and the SNMP settings specified in Junos Space match the device SNMP settings.

My questions are:

1- The backup SRX does not support SNMP, because even an SNMP walk is not working with the backup SRX.

2- Should I use the master IP of the cluster to add it in Space?

load sharing default routes vs rpm probe and ip monitor

I was kind of baffled by an S2J translation of two separate default routes that combined into one. Having two with separate preferences was intended to work with track-ip, but now I'm not sure what it will do.

ScreenOS
-------------
set route 0.0.0.0/0 interface ethernet2/6 gateway 2.2.2.2 preference 25
set route 0.0.0.0/0 interface ethernet1/4 gateway 1.1.1.1 preference 15

JUNOS translation (doesn't care about interfaces now, that I get)
-----------
route 0.0.0.0/0 {
    next-hop [ 1.1.1.1 2.2.2.2 ];
    preference 15;
}

From what I read this is per-prefix IP round-robin load sharing, but... what does that mean exactly? http://forums.juniper.net/t5/SRX-Services-Gateway/default-route-with-two-next-hop/td-p/28214

I only want to use next-hop 1.1.1.1 unless it's completely down, which I learned I can do with an RPM probe and IP monitor: https://kb.juniper.net/InfoCenter/index?page=content&id=KB22052&actp=search

... but doesn't it need the default routes to be there as well? Am I thinking too hard about this, or am I completely off the mark here? Thanks for any help!

(addition)

Is it perhaps this?

route 0.0.0.0/0 {
    qualified-next-hop 1.1.1.1 {
        preference 15;
    }
    qualified-next-hop 2.2.2.2 {
        preference 25;
    }
}
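
This serves both the Track-IP question above and this thread, as an added example that is not part of either post. The S2J output (one static route with two next-hops) is a single route whose forwarding next-hop is one of the two unless a per-packet load-balance policy is exported to the forwarding table, and it has no health check at all: a static route stays active as long as the interface towards its gateway is up, even when the ISP is dead upstream. The ScreenOS track-ip behaviour on the SRX is the qualified-next-hop form from the addition plus an RPM probe and an ip-monitoring policy, which is what KB22052 describes: the probe is forced through the primary gateway, and while it fails the policy installs a more-preferred default route via the backup. Gateways are the post's; the probe target, intervals and thresholds are assumptions; `#` lines are commentary, not Junos syntax.

```junos
# Primary and backup default routes. Only the preference-15 path is used;
# the preference-25 one is a candidate that takes over if the first is withdrawn.
set routing-options static route 0.0.0.0/0 qualified-next-hop 1.1.1.1 preference 15
set routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.2 preference 25

# Probe a host beyond ISP1's gateway (8.8.8.8 is an assumed target) and force the probe through
# 1.1.1.1, so that after a failover the probe cannot succeed via ISP2 and mask the outage.
# Probing only the gateway itself would miss an upstream failure.
set services rpm probe isp1 test reach probe-type icmp-ping
set services rpm probe isp1 test reach target address 8.8.8.8
set services rpm probe isp1 test reach probe-count 3
set services rpm probe isp1 test reach probe-interval 5
set services rpm probe isp1 test reach test-interval 10
set services rpm probe isp1 test reach thresholds successive-loss 3
set services rpm probe isp1 test reach thresholds total-loss 3
set services rpm probe isp1 test reach next-hop 1.1.1.1

# While the probe is in the failed state, install 0/0 via 2.2.2.2 with a preference better than
# the statics above so it wins; when the probe recovers the route is withdrawn and 1.1.1.1 is used again.
set services ip-monitoring policy isp1-failover match rpm-probe isp1
set services ip-monitoring policy isp1-failover then preferred-route route 0.0.0.0/0 next-hop 2.2.2.2

# Verification
# run show services rpm probe-results
# run show services ip-monitoring status
# run show route 0.0.0.0/0 exact
```

Two operational notes: with the probe forced via `next-hop 1.1.1.1`, a failure of the ISP1 link itself also fails the probe, so the policy covers both the link-down and the upstream-dead case; and the thresholds decide how long an outage lasts before failover (here three lost probes at five-second spacing), so they should be tuned against the flapping behaviour of the specific circuit rather than left at guessed values.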

 
