Channel: SRX Services Gateway topics

Policy-based VPN Problem


Hello, I tried to set up a policy-based VPN following the Juniper official document below, but there is a problem between the headquarters and the remote site. It seems that the VPN tunnel cannot be formed.

https://www.juniper.net/documentation/en_US/junos12.1x44/topics/example/ipsec-policy-based-vpn-configuring.html

 

Here is the result of 'show security ipsec sa detail':

 

Local Gateway: 192.168.2.1, Remote Gateway: 172.16.0.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear , Policy-name: VPN_to_RemoteSite
Port: 500, Nego#: 132, Fail#: 0, Def-Del#: 0 Flag: 0x600829 
Tunnel events: 
Thu Jun 15 2018 10:32:08
: IPSec SA negotiation successfully completed (37 times)
Thu Jun 15 2018 08:00:32
: IKE SA negotiation successfully completed (133 times)
Wed Jun 13 2018 15:12:00
: Negotiation failed with error code NO_PROPOSAL_CHOSEN received from peer (60 times)
Wed Jun 13 2018 14:35:33
: IPSec SA negotiation successfully completed (1 times)
Wed Jun 13 2018 14:35:32
: Negotiation failed with error code NO_PROPOSAL_CHOSEN received from peer (6 times)
Wed Jun 13 2018 13:45:05
: IPSec SA negotiation successfully completed (26 times) 
Wed Jun 13 2018 10:33:00
: Negotiation failed with error code NO_PROPOSAL_CHOSEN received from peer (63 times)
Wed Jun 13 2018 09:33:38
: IPSec SA negotiation successfully completed (2 times)
Wed Jun 13 2018 08:45:11
: Negotiation failed with error code NO_PROPOSAL_CHOSEN received from peer (1 times)

 

Kind regards,

R


Backup Config


Hello,

I have SRX gateways & switches.

I have a management & monitoring system that executes scripts on the devices. I want to create a script that does the following:

save xxx
exit
start shell
tftp 10.240.60.100
put xxx

I have to assign the file name instead of xxx. My question: which keyword or server syntax can the device use so that the filename contains its hostname and the current date and time?

Thanks

How to get Ipsec Dead Peer Detection working?


Hello.

I'm trying to achieve IPsec STS failover using DPD.

There are three vSRX (12.1X47-D20.7) in my test lab.

1. top router (routing between two routers)

Interfaces

set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.254/24

2. First IPsec router with RPM probe and ip-monitoring

set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 preferred
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.254.1.1/24
set interfaces st0 unit 1 description "IPsec to SRX2"
set interfaces st0 unit 1 family inet address 10.10.0.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254
set routing-options static route 10.254.2.0/24 next-hop st0.1
set security ike policy ike_pol_STS_to_SRX2 mode aggressive
set security ike policy ike_pol_STS_to_SRX2 proposal-set compatible
set security ike policy ike_pol_STS_to_SRX2 pre-shared-key ascii-text ""
set security ike gateway gw_STS_to_SRX2 ike-policy ike_pol_STS_to_SRX2
set security ike gateway gw_STS_to_SRX2 address 192.168.10.1
set security ike gateway gw_STS_to_SRX2 external-interface ge-0/0/1.0
set security ipsec policy ipsec_pol_STS_to_SRX2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_STS_to_SRX2 proposal-set compatible
set security ipsec vpn STS_to_SRX2 bind-interface st0.1
set security ipsec vpn STS_to_SRX2 ike gateway gw_STS_to_SRX2
set security ipsec vpn STS_to_SRX2 ike ipsec-policy ipsec_pol_STS_to_SRX2
set security ipsec vpn STS_to_SRX2 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match source-address addr_10_254_1_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match destination-address addr_10_254_2_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match application any
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 then permit
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match source-address addr_10_254_2_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match destination-address addr_10_254_1_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match application any
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address addr_10_254_1_0_24 10.254.1.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone STS_Zone address-book address addr_10_254_2_0_24 10.254.2.0/24
set security zones security-zone STS_Zone interfaces st0.1
set services rpm probe DG_1_254 test PING_1_DG target address 192.168.1.254
set services rpm probe DG_1_254 test PING_1_DG probe-count 10
set services rpm probe DG_1_254 test PING_1_DG probe-interval 5
set services rpm probe DG_1_254 test PING_1_DG test-interval 5
set services rpm probe DG_1_254 test PING_1_DG thresholds successive-loss 5
set services ip-monitoring policy GW_failover match rpm-probe DG_1_254
set services ip-monitoring policy GW_failover then preferred-route route 0.0.0.0/0 next-hop 192.168.2.254

3. Second IPsec router with DPD

set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.254.2.1/24
set interfaces st0 unit 1 description "IPsec to SRX1"
set interfaces st0 unit 1 family inet address 10.10.0.2/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.254
set routing-options static route 10.254.1.0/24 next-hop st0.1
set security ike policy ike_pol_STS_to_SRX1 mode aggressive
set security ike policy ike_pol_STS_to_SRX1 proposal-set compatible
set security ike policy ike_pol_STS_to_SRX1 pre-shared-key ascii-text ""
set security ike gateway gw_STS_to_SRX1 ike-policy ike_pol_STS_to_SRX1
set security ike gateway gw_STS_to_SRX1 address 192.168.1.1
set security ike gateway gw_STS_to_SRX1 address 192.168.2.1
set security ike gateway gw_STS_to_SRX1 dead-peer-detection always-send
set security ike gateway gw_STS_to_SRX1 dead-peer-detection interval 10
set security ike gateway gw_STS_to_SRX1 external-interface ge-0/0/1.0
set security ipsec policy ipsec_pol_STS_to_SRX1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_STS_to_SRX1 proposal-set compatible
set security ipsec vpn STS_to_SRX1 bind-interface st0.1
set security ipsec vpn STS_to_SRX1 ike gateway gw_STS_to_SRX1
set security ipsec vpn STS_to_SRX1 ike ipsec-policy ipsec_pol_STS_to_SRX1
set security ipsec vpn STS_to_SRX1 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match source-address addr_10_254_2_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match destination-address addr_10_254_1_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match application any
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 then permit
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match source-address addr_10_254_1_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match destination-address addr_10_254_2_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match application any
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address addr_10_254_2_0_24 10.254.2.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone STS_Zone address-book address addr_10_254_1_0_24 10.254.1.0/24
set security zones security-zone STS_Zone interfaces st0.1

While 192.168.1.254 (top router) is available, IPsec works fine.

But when I emulate failover by deleting the 192.168.1.254 IP address:

delete interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24

the IPsec tunnel goes down and never comes up.

ip-monitoring and the route change are working on the first SRX.

root@SRX1> show services ip-monitoring status

Policy - GW_failover (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    DG_1_254               PING_1_DG       192.168.1.254    FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         192.168.2.254    APPLIED

It can ping 192.168.10.1 (the second SRX) and the second SRX can ping 192.168.2.1 (the first SRX), but the tunnel is down.

 

root@SRX2> show security ipsec security-associations
  Total active tunnels: 0

root@SRX2> show security ike security-associations

root@SRX2> show security ipsec inactive-tunnels
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 1
  ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
  131073 500   2      0      600a29    192.168.2.1      DPD failover

root@SRX2>

After re-enabling 192.168.1.254 on the top router, SRX1 ip-monitoring switches the route back:

root@SRX1> show services ip-monitoring status

Policy - GW_failover (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    DG_1_254               PING_1_DG       192.168.1.254    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         192.168.2.254    NOT-APPLIED

but the IPsec tunnel is still down.

What is wrong with this config?

How do I get IPsec dead peer detection working?

SRX Cluster Fab Link Speeds and Reth Failover Times


Hello there

 

We have an SRX1500 chassis cluster. It will be set up in an Active/Passive configuration eventually. Currently it is Active/Active but it will revert. I have 2 questions, if that's OK?

1. With regard to the fab links, I know that these can be 1G or 10G links. As we are going to move forward with an Active/Passive setup, would I be right in saying that there would be no need for a 10G fab link, as there will be no transit traffic using it, or could the non-transit traffic possibly generate that sort of throughput?

As a side note, I have not configured anything for the heartbeat intervals and timers. I understand that there is a default, but it does not show when running the 'show chassis cluster heartbeat-interval/threshold' command.

2. The initial reth interface failover times in the cluster when testing are almost seamless when failing over from the primary node to the secondary node when I take a physical link down on the primary node's child interface. When I bring the physical link back up on the primary node there is a 12 second loss of connectivity before traffic starts responding again. I suspect (I may be wrong) that this may be to do with MAC address aging on the LAN between the chassis pair. Do I need to consider some type of gratuitous ARP setting on the cluster to update the MAC tables on the LAN? If you need any specific configuration supplied please let me know.

 

Really appreciate any input.

 

Thanks

 

IPSEC tunnel flapping


Hi,

Suddenly my IPsec tunnel st interface is flapping. I have also tried disabling vpn-monitor from the remote end, but the issue is still not resolved. I also tried activating/deactivating the tunnel interfaces.

Logs are attached:

 

IPv6 multihop BFD for BGP on SRX


Does anyone know if multihop BFD for IPv6 BGP on the SRX is supported? I am trying to set up BFD between a few IBGP neighbors on IPv6 and it doesn't seem to want to come up. I have v4 BFD working and IPv6 single-hop BFD working. Platform is SRX240H, 12.1X46-D55.3. I have BFD configured in all the appropriate security zones and I'm allowing it in my lo0 access filter. When I do a 'monitor traffic interface', I see BFD packets going out, but nothing coming in. The behavior is the same on all three IBGP neighbors involved. I am aware of this command:

 

set routing-options ppm no-delegate-processing

but I don't think that command is relevant on the SRX240. Here's my capture output:

 

06:20:01.213816 Out IP 192.168.55.4.49152 > 192.168.55.3.4784: BFDv1, Multi-hop Control, State Up, Flags: [none], length: 24
06:20:01.232723  In IP 192.168.55.3.49152 > 192.168.55.4.4784: BFDv1, Multi-hop Control, State Up, Flags: [none], length: 24
06:20:01.413839 Out IP6 2001:db8::1234:aaaa:d004.49152 > 2001:db8::1234:aaaa:d003.4784: BFDv1, Multi-hop Control, State Down, Flags: [none], length: 24
06:20:01.680291  In IP 192.168.55.2.49152 > 192.168.55.4.4784: BFDv1, Multi-hop Control, State Up, Flags: [none], length: 24
06:20:01.722870 Out IP6 2001:db8::1234:aaaa:d004.49152 > 2001:db8::1234:aaaa:d002.4784: BFDv1, Multi-hop Control, State Down, Flags: [none], length: 24
06:20:02.200832 Out IP 192.168.55.4.49152 > 192.168.55.2.4784: BFDv1, Multi-hop Control, State Up, Flags: [none], length: 24
06:20:02.448342  In IP 192.168.55.3.49152 > 192.168.55.4.4784: BFDv1, Multi-hop Control, State Up, Flags: [none], length: 24
06:20:02.507276 Out IP 192.168.55.4.49152 > 192.168.55.3.4784: BFDv1, Multi-hop Control, State Up, Flags: [none], length: 24
06:20:02.846442  In IP 192.168.55.2.49152 > 192.168.55.4.4784: BFDv1, Multi-hop Control, State Up, Flags: [none], length: 24
06:20:02.898902 Out IP6 2001:db8::1234:aaaa:d004.49152 > 2001:db8::1234:aaaa:d003.4784: BFDv1, Multi-hop Control, State Down, Flags: [none], length: 24
06:20:03.211893 Out IP6 2001:db8::1234:aaaa:d004.49152 > 2001:db8::1234:aaaa:d002.4784: BFDv1, Multi-hop Control, State Down, Flags: [none], length: 24

What am I missing here?

 

EDIT: I did find PR1239016, which is for multihop IPv6 BFD, but the PR is for the SRX5000 series. 

Ipv4 vs Ipv6 persistency

I am assuming that it is almost always wisest to keep IPv4 connections as persistent connections. I know IPv6 connections are not persistent. If I try to turn off persistency for IPv4, will the IPv6 continuous connection add to IPv4's ability to be non-persistent? I do not use any policy that is 6-4. It is IPv4 to IPv4 and IPv6 to IPv6. Timing is the governing factor, I bet. I have an SRX240B2 with 11.47xxx software.

List of syslog based on severity?


Hi all,

 

May I know where I can get a list of syslog messages by severity level on Junos? For example, if the severity is "warning", which syslog messages appear at this severity?

 

Thanks and appreciate any help.
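Junos does not print a severity in its default log line format; the severity assigned to a message tag is shown on the device by `help syslog <TAG>`, and with `set system syslog file <name> explicit-priority` each logged line carries a `%FACILITY-N-TAG:` prefix where N is the standard syslog severity (0 = emergency up to 7 = debug). The script below is an added example, not code from the post or from Juniper: it filters such a log by severity and lists which tags were seen at each level. The sample lines are constructed for the demonstration (modelled on the KMD line quoted later on this page), and the severity numbers in them are illustrative, not copied from a device.

```python
"""Filter Junos syslog lines by severity using the explicit-priority prefix.

Added example, not from the forum post. Assumes lines formatted as Junos writes
them when `explicit-priority` is set on the syslog file:
  <timestamp> <host> <process>[<pid>]: %<FACILITY>-<severity>-<TAG>: <text>
Severity numbers are the standard syslog levels (0 = emergency .. 7 = debug).
"""
import re
from typing import Dict, List, Optional

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# e.g.  ... kmd[2550]: %DAEMON-3-KMD_VPN_PV_PHASE1: IKE Phase-1 Failure ...
_PRIO = re.compile(r"%(?P<facility>[A-Z0-9]+)-(?P<sev>[0-7])-(?P<tag>[A-Z0-9_]+):")

# Constructed sample log; severities here are illustrative, not from a device.
SAMPLE_LOG = """\
Jul  1 12:22:47  fwba01 kmd[2550]: %DAEMON-3-KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen
Jul  1 12:22:49  fwba01 sshd[3011]: %AUTH-3-SSHD_LOGIN_FAILED: Login failed for user 'root' from host '203.0.113.9'
Jul  1 12:22:51  fwba01 mgd[1201]: %INTERACT-5-UI_COMMIT: User 'admin' requested 'commit' operation
Jul  1 12:22:55  fwba01 mgd[1201]: %INTERACT-6-UI_CMDLINE_READ_LINE: User 'admin', command 'show security ike security-associations '
Jul  1 12:23:02  fwba01 kmd[2550]: %DAEMON-4-KMD_VPN_DOWN_ALARM_USER: VPN STS_to_SRX2 from 192.168.2.1 is down
Jul  1 12:23:10  fwba01 chassisd[1100]: %DAEMON-2-CHASSISD_FRU_OFFLINE_NOTICE: Taking PEM 0 offline
Jul  1 12:23:12  fwba01 sshd[3011]: line logged without the explicit-priority prefix
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return facility, numeric severity, severity name, tag and message text,
    or None when the line has no priority prefix and so cannot be classified."""
    m = _PRIO.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITIES[sev],
        "tag": m.group("tag"),
        "text": line[m.end():].strip(),
    }


def filter_by_severity(log: str, threshold: str) -> List[Dict[str, object]]:
    """Keep messages at `threshold` or more severe (lower number), the same
    cut-off a `file <name> any <threshold>` selector applies on the device.
    Lines without a prefix are skipped rather than silently treated as info."""
    limit = SEVERITIES.index(threshold)
    kept = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["severity"] <= limit:
            kept.append(rec)
    return kept


def tags_by_severity(log: str) -> Dict[str, List[str]]:
    """Group the distinct message tags in `log` by severity name: the list the
    post asks for, built from what this device actually logged."""
    grouped: Dict[str, set] = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is not None:
            grouped.setdefault(rec["severity_name"], set()).add(rec["tag"])
    return {name: sorted(tags) for name, tags in grouped.items()}


if __name__ == "__main__":
    for rec in filter_by_severity(SAMPLE_LOG, "warning"):
        print(rec["severity_name"], rec["tag"], rec["text"])
    print(tags_by_severity(SAMPLE_LOG))
```

Run it against a file written by a syslog stanza that has `explicit-priority` set; the last sample line shows why that option matters, since without the prefix a line has no severity to filter on.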

what are the security policy defaults on SRX240


Hi all,

 

I couldn't find a definitive answer on this by googling so am hoping someone here can help.

 

I am running a couple of SRX240 and want to know what the default security policy is, or if a default is configured. In other words, say traffic comes from the untrust zone to the trust zone and I have a list of policies in place but none of them match. In this case does the SRX drop the packets with a default deny when it reaches the bottom of the list of policies or would I have to explicitly set a default deny?

 

The context for this question is that I wish to enable directed broadcast on our internal network for Wake on LAN and want to make sure security is in place to protect against DDoS/Smurf attacks from the Internet.

 

inet.0 routing table and Zones


Hi,

In a Juniper SRX, without applying any policy on the zones, all interfaces in different zones can ping each other. Why?

Here are parts of settings applied to the device:

set security zones security-zone DMZ description DMZ
set security zones security-zone DMZ interfaces vlan.4
set security zones security-zone Outside description Outside
set security zones security-zone Outside interfaces vlan.5

 

I can ping the interface in the Outside zone from the DMZ zone without applying any policy on the zones.

 

I expect that interfaces do not have access to each other when they are assigned to different zones. But this goal cannot be achieved due to the behavior of inet.0 (the routing table).

Please help me to solve this problem.

Thank you in advance for your help.

Dynamic VPN SRX240: IKE negotiation failed with error: No proposal chosen.


Hi

I am configuring dynamic VPN on an SRX240 chassis cluster (12.1X46-D76) with Pulse client 5.1.5, and when I try to connect I get this error.

 

Jul  1 12:22:47  fwba01 kmd[2550]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=80.94.48.251, dst_ip=81.161.60.203]
Jul  1 12:22:47  fwba01 kmd[2550]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 80.94.48.251/500, Remote: 81.161.60.203/56609, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

I followed the Juniper documentation and I am not able to get it working. Could you please check the config and let me know if I am missing something? Thanks

Here's my dynamic VPN config:

profile RA-VPN {
    client administrator {
        firewall-user {
            password "aaa"; ## SECRET-DATA
        }
    }
    client manager {
        firewall-user {
            password "aaa"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool RA-VPN-POOL;
    }
}
address-assignment {
    pool RA-VPN-POOL {
        family inet {
            network 192.168.252.0/24;
            xauth-attributes {
                primary-dns 192.168.200.65/32;
                secondary-dns 192.168.200.66/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile RA-VPN;
    }
}

# run show configuration security ike
policy ike-policy-ra {
    mode aggressive;
    description "BACKUP RA VPN";
    proposal-set standard;
    pre-shared-key ascii-text "aaa"; ## SECRET-DATA
}
gateway ike-gw-ra {
    ike-policy ike-policy-ra;
    dynamic {
        hostname dynvpn;
        connections-limit 2;
        ike-user-type shared-ike-id;
    }
    external-interface reth1;
    xauth access-profile RA-VPN;
}

# run show configuration security ipsec
policy ipsec-policy-ra {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}
vpn ipsec-vpn-ra {
    ike {
        gateway ike-gw-ra;
        idle-time 300;
        ipsec-policy ipsec-policy-ra;
    }
    establish-tunnels immediately;
}

# run show configuration security dynamic-vpn
force-upgrade;
access-profile RA-VPN;
clients {
    service {
        remote-protected-resources {
            10.1.0.0/16;
            192.168.0.0/23;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn ipsec-vpn-ra;
        user {
            manager;
        }
    }
}

# run show configuration security policies from-zone internet to-zone LAN
policy allow-tunnel {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-ra;
            }
        }
    }
}

# run show configuration security zones security-zone internet
screen untrust-screen;
interfaces {
    reth1.0 {
        host-inbound-traffic {
            system-services {
                ping;
                ike;
                ssh;
                https;
            }
            protocols {
                all;
            }
        }
    }
}
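The `NO_PROPOSAL_CHOSEN` in the tunnel events of the first post on this page (Policy-based VPN Problem) and the `No proposal chosen` in the KMD log above are the same IKE notification: the responder found nothing in the initiator's proposal list that it is configured to accept. The simulator below is an added example, not code from either post or from Juniper, that reproduces that selection for phase 1 and phase 2 so the mismatch can be reasoned about offline. Its assumptions: IKEv1 selection is modelled as the responder taking the first offered proposal it also has, exactly; the listed contents of the Junos predefined proposal-sets `basic`, `compatible` and `standard` are what the author recalls from the Junos documentation and must be checked against the release in use; and the phase-2 PFS group is treated as part of the proposal, since a PFS mismatch alone produces the same notification. It cannot tell you what a Pulse client or a third-party peer actually offers; for that, `set security ike traceoptions flag all` on the SRX shows the peer's real proposal list.

```python
"""Simulate IKEv1 proposal selection to show where NO_PROPOSAL_CHOSEN comes from.

Added example (not code from either forum post). Assumptions: the responder
answers with the first initiator proposal it is also configured with, or with
NO_PROPOSAL_CHOSEN if none matches exactly; the contents of the Junos
predefined proposal-sets below are recalled from the documentation and should
be verified against the release in use.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class IkeProposal:            # phase 1 (IKE SA)
    auth: str                 # authentication-method
    dh_group: str             # dh-group
    hash_alg: str             # authentication-algorithm
    enc: str                  # encryption-algorithm


@dataclass(frozen=True)
class IpsecProposal:          # phase 2 (IPsec SA)
    protocol: str             # esp or ah
    enc: str
    hash_alg: str
    pfs_group: Optional[str]  # perfect-forward-secrecy keys group, None = no PFS


PSK = "pre-shared-keys"

IKE_SETS = {  # assumed contents of the Junos predefined IKE proposal-sets
    "basic": (IkeProposal(PSK, "group1", "sha1", "des-cbc"),
              IkeProposal(PSK, "group1", "md5", "des-cbc")),
    "compatible": (IkeProposal(PSK, "group2", "sha1", "3des-cbc"),
                   IkeProposal(PSK, "group2", "md5", "3des-cbc"),
                   IkeProposal(PSK, "group2", "sha1", "des-cbc"),
                   IkeProposal(PSK, "group2", "md5", "des-cbc")),
    "standard": (IkeProposal(PSK, "group2", "sha1", "3des-cbc"),
                 IkeProposal(PSK, "group2", "sha1", "aes-128-cbc")),
}

_IPSEC_SETS = {  # assumed contents of the Junos predefined IPsec proposal-sets
    "basic": (("esp", "des-cbc", "sha1"), ("esp", "des-cbc", "md5")),
    "compatible": (("esp", "3des-cbc", "sha1"), ("esp", "3des-cbc", "md5"),
                   ("esp", "des-cbc", "sha1"), ("esp", "des-cbc", "md5")),
    "standard": (("esp", "3des-cbc", "sha1"), ("esp", "aes-128-cbc", "sha1")),
}


def ipsec_set(name: str, pfs_group: Optional[str]) -> Tuple[IpsecProposal, ...]:
    """Phase-2 list = proposal-set plus the ipsec policy's PFS setting."""
    return tuple(IpsecProposal(p, e, h, pfs_group) for p, e, h in _IPSEC_SETS[name])


def custom_ike(dh_group: str, hash_alg: str, enc: str) -> Tuple[IkeProposal, ...]:
    """A single hand-written `security ike proposal`, PSK authenticated."""
    return (IkeProposal(PSK, dh_group, hash_alg, enc),)


def negotiate(initiator: Sequence, responder: Sequence):
    """Return the proposal the responder picks, or None for NO_PROPOSAL_CHOSEN.
    The initiator's order decides which of several acceptable proposals wins."""
    accepted = set(responder)
    for offered in initiator:
        if offered in accepted:
            return offered
    return None


def closest_mismatch(initiator: Sequence, responder: Sequence) -> Tuple[str, ...]:
    """Attributes that differ in the closest initiator/responder pair: the
    fields to compare against the peer's config after a NO_PROPOSAL_CHOSEN."""
    best = None
    for a in initiator:
        for b in responder:
            diff = tuple(f for f in a.__dataclass_fields__ if getattr(a, f) != getattr(b, f))
            if best is None or len(diff) < len(best):
                best = diff
    return best or ()


def explain(initiator: Sequence, responder: Sequence) -> str:
    chosen = negotiate(initiator, responder)
    if chosen is not None:
        return f"accepted {chosen}"
    return "NO_PROPOSAL_CHOSEN; closest pair differs in: " + ", ".join(closest_mismatch(initiator, responder))


if __name__ == "__main__":
    print(explain(IKE_SETS["standard"], IKE_SETS["compatible"]))   # overlap on 3des/sha1/group2
    print(explain(IKE_SETS["standard"], IKE_SETS["basic"]))        # no overlap at all
    print(explain(ipsec_set("standard", "group2"), ipsec_set("standard", None)))  # PFS only
```

Two things worth taking from the output: `standard` and `compatible` still share one proposal, so two SRX sites with different sets can come up and then fail later only on a phase-2 or PFS difference, which matches a tunnel-events history that alternates between success and `NO_PROPOSAL_CHOSEN`; and a peer that offers nothing but modern algorithms (AES-256, SHA-256, group14) gets `NO_PROPOSAL_CHOSEN` from `proposal-set standard`, so for such peers configure explicit `security ike proposal` and `security ipsec proposal` entries on the SRX rather than a predefined set.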

 

Total number of Security policies


Hi all,

Is there a Junos command to get the number of security policies on the high-end SRX devices? Or how can it be determined how many security policies there are on the SRX?

 

Thanks

Erix

SRX320 VLAN routing


Hi All,

 

I'm quite new to Juniper firewalls, and I'm currently testing with a firewall and some L2 switches. The config on my firewall is quite simple:

ge-0/0/0.0 = untrust

ge-0/0/1.0 = trust 

config = attached

Basic config, allow http/https and that's it. Now I'm working on my L2 switches, and I have these configured in a different VLAN (VLAN 10), my clients in VLAN 20 and servers in VLAN 30. Because my HP switches are L2, I need to set up VLAN routing via the SRX320. Is that possible? And if yes, how? I found some threads, but no luck yet.

 

How to Load Balance 1 Static IP to 3 Local IP Server


Somebody please help me on this.
I'm using an SRX300 with one WAN connection.

 

I want to load balance incoming requests for one particular static IP across 3 servers.

 

Example: I'm receiving incoming requests for static IP 123.123.123.123 on port 8080 and I want to load balance the requests across 3 local servers (192.168.1.100, 192.168.1.101 and 192.168.1.102) by round robin, with weight parameters, to port 8080.


RADIUS Not Authenticating


Hi,

 

I am trying to get RADIUS centralised administration working on the SRX1500s we have and it just will not work.

 

Set up:

RADIUS (radius VR) --- SRX --- Customer VR ---- Core router

 

So, the Core router authenticates fine with no issues.

It uses the same route to get to the RADIUS server that the SRX uses. I am using the Customer-VR interface as the source address and the correct shared password. All the routing is fine or the Core would not work.

 

Here is my configuration on the SRX:

set system authentication-order radius
set system authentication-order password

set system radius-server 192.168.100.1 secret "$9$-Gd2aji.5z6qm6Au1yrLxNdYgaZUH.P"
set system radius-server 192.168.100.1 retry 3
set system radius-server 192.168.100.1 source-address 192.168.200.1

set system login user remote full-name "RADIUS Authenticated"
set system login user remote uid 9999
set system login user remote class read-only

set system login user RO uid 2008
set system login user RO class read-only
set system login user SU uid 2009
set system login user SU class super-user

set system login user OP uid 2007
set system login user OP class operator

 

The RADIUS has been configured correctly too or I would not be able to logon to other systems using it.

 

When I run traceoptions the file is empty, so it is almost like the SRX is not even attempting to contact the RADIUS server.

 

There must be something on the SRX that needs enabling for this to work. Could someone help, please?

 

Thanks

Permit / Deny issue


Hi,

 

I have just come across a very big problem on the SRX. I have configured zones with Logical Tunnels between the Zones (lt interfaces).

 

I really locked down the SRX and was informed that the DNS resolutions on the anycast no longer function. Here is the route taken:

 

Customer-VR - lt-0/0/1 - lt-0/0/2 - test-dns:

 

So, normally I would expect 4 policies to be in place for this as follows:

Customer-VR to Customer-VR (ae1 interface to lt-0/0/1)

Customer-VR to test-dns VR (lt-0/0/1 to lt-0/0/2)

test-dns VR to test-dns VR (lt-0/0/2 - ge-0/0/6)

test-dns VR to Customer-VR (lt-0/0/2 to lt-0/0/1)

 

The only one of these policies that seems to do anything is: test-dns VR to test-dns VR.

 

But that is not the main issue. I can deal with that. I supplied this information to give you an overview:

 

I am testing anycast where 2 addresses are for subscribers from the LNS and the other 2 for everyone, including the outside.

 

So, I removed all the configuration for test-dns to test-dns and replaced it with an "any any any permit", and the whole anycast started working again. To complete the test I then changed the application to "junos-dns-udp" and it still worked. Then I placed an implicit deny as follows: "any any any deny". So the rule base would look like this for the policy:

 

from test-dns to test-dns match source any

from test-dns to test-dns match destination any

from test-dns to test-dns match application any

from test-dns to test-dns then permit

from test-dns to test-dns1 match source any

from test-dns to test-dns1 match destination any

from test-dns to test-dns1 match application any

from test-dns to test-dns1 then deny

 

And everything stopped working again. This does not seem right to me. Surely the packets hit the first rule and should be accepted without even touching the second rule? This will be a really big issue if the packets are not going through the rules in the correct order.

 

Has anyone seen this behaviour before?
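Both the SRX240 default-policy question earlier on this page and the permit/deny post above come down to the same two rules of SRX policy evaluation: policies are scoped to a (from-zone, to-zone) pair and checked in configured order, the first policy whose source, destination and application all match decides the session, and a session that matches nothing in its zone pair falls to the default policy, which is deny-all unless `set security policies default-policy permit-all` is configured. The model below is an added example, not code from either post or from Juniper, that implements that evaluation so the effect of ordering and of the default can be checked without a box. It simplifies address books to CIDR prefixes and applications to (protocol, destination-port) pairs; the `anycast-dns` address-book entry and the policy names are made up for the demonstration.

```python
"""First-match evaluation of SRX security policies, including the default policy.

Added example, not from either forum post. Models the Junos behaviour as the
author understands it: per zone pair, in configured order, first match wins,
otherwise the default policy (deny-all on a factory SRX) decides. Addresses
are CIDRs or address-book names; applications are (protocol, dport) pairs,
with ("any", 0) standing for `application any`.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

ANY = ("any",)
APP_ANY = (("any", 0),)
JUNOS_DNS_UDP = (("udp", 53),)       # the predefined junos-dns-udp application


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    action: str                                  # "permit" or "deny"
    src: Tuple[str, ...] = ANY
    dst: Tuple[str, ...] = ANY
    apps: Tuple[Tuple[str, int], ...] = APP_ANY


@dataclass
class PolicyEngine:
    policies: List[Policy]                       # in configured order
    address_book: Dict[str, str] = field(default_factory=dict)
    default_policy: str = "deny"                 # Junos factory default: deny-all

    def _addr_match(self, entries: Tuple[str, ...], ip: str) -> bool:
        for entry in entries:
            if entry == "any":
                return True
            prefix = self.address_book.get(entry, entry)  # name -> CIDR, else literal
            if ip_address(ip) in ip_network(prefix, strict=False):
                return True
        return False

    def evaluate(self, from_zone, to_zone, src_ip, dst_ip, proto, dport):
        """Return (action, policy_name); policy_name is None when no policy in
        the zone pair matched and the default policy decided."""
        for p in self.policies:
            if (p.from_zone, p.to_zone) != (from_zone, to_zone):
                continue                           # other zone pairs are never consulted
            if (self._addr_match(p.src, src_ip) and self._addr_match(p.dst, dst_ip)
                    and any(a in (("any", 0), (proto, dport)) for a in p.apps)):
                return p.action, p.name            # first match wins, stop here
        return self.default_policy, None


def build_engine(deny_first: bool = False) -> PolicyEngine:
    """Rule base modelled on the anycast DNS post: a junos-dns-udp permit and an
    any/any/any deny in the same zone pair, plus a deny in a different zone pair.
    `deny_first` swaps the two same-zone-pair rules to show that order decides."""
    permit = Policy("dns-permit", "test-dns", "test-dns", "permit",
                    dst=("anycast-dns",), apps=JUNOS_DNS_UDP)
    deny = Policy("dns-deny", "test-dns", "test-dns", "deny")
    other = Policy("to-dns1-deny", "test-dns", "test-dns1", "deny")
    ordered = [deny, permit, other] if deny_first else [permit, deny, other]
    return PolicyEngine(ordered, address_book={"anycast-dns": "10.53.0.0/24"})


if __name__ == "__main__":
    eng = build_engine()
    print(eng.evaluate("test-dns", "test-dns", "10.0.0.5", "10.53.0.1", "udp", 53))
    print(build_engine(deny_first=True).evaluate("test-dns", "test-dns", "10.0.0.5", "10.53.0.1", "udp", 53))
    # untrust -> trust with no policy configured at all: factory default denies
    print(eng.evaluate("untrust", "trust", "203.0.113.7", "192.168.10.255", "udp", 9))
```

On a real SRX the equivalent checks are `show security policies from-zone X to-zone Y` (order as the device will evaluate it, and the "Default policy:" line at the top of `show security policies`), `show security match-policies` with the five-tuple in question, and `insert security policies ... policy A before policy B` to reorder. If a permit that precedes a deny in the same zone pair still appears not to take effect, the traffic is usually hitting a different zone pair than assumed; `show security flow session` shows the zones the session was actually classified into.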

Connecting an SRX 320 to an EX 2200 via DAC SFP


Hello,

 

I'm wondering if I can connect an SRX 320 to an EX 2200 via a Juniper SFP+ DAC cable. I understand that EX 2200 only supports standard SFP speed but I was hoping a Juniper SFP+ cable could still connect the two.

SRX220 not recovering connection after link goes down


Hi All

 

We have a client using a SRX220H with JUNOS 12.1X46-D65.4. Their external data link comes onto their premises through a OneAccess 1424 (internet provider supplied) that then is ethernet patched to the SRX220H through Port 0.

 

When their link goes down (i.e. issues with the provider, etc.) and then is restored, the SRX and the OneAccess don't start talking again until one of them is rebooted. Is there a setting or something that I can do to make the SRX realise that the link is active again without needing to reboot?

 

Thanks

Steve

Ping sent from device don't reach across IPSec VPN


Hello all,

This has me scratching my head: 

I have an IPsec VPN between the local LAN (192.168.10.0/24) and a remote site (192.168.171.0/24).

Traffic is moving smoothly between the sites, but I recently decided to implement configuration auto-archival to an FTP server on the remote site.

Sadly, the SRX is unable to talk to the remote site.

After configuring a flow filter, I found out that the SRX is sending the pings out of the Untrust ge-0/0/0 interface using the SRX's public IP, and therefore they don't go up the VPN tunnel.

Sure enough, if I force a ping to go out with the SRX's local LAN IP, I get replies:

>ping 192.168.171.14 source 192.168.10.1

Does anyone have an idea why this is happening and how to remedy it?

 

Thanks.

 

Here is my config:

 

## Last changed: 2018-07-06 10:00:01 EDT
version 17.3R2.10;
system {
    host-name location_1-srx;
    time-zone America/New_York;
    root-authentication {
        encrypted-password "...";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        message "\n\n === Location_1 Office SRX === \n\n";
        user bart {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "...";
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                port 2346;
                interface [ ge-0/0/0.0 ge-0/0/2.0 st0.0 ];
            }
            https {
                port 2345;
                system-generated-certificate;
                interface [ ge-0/0/0.0 ge-0/0/2.0 st0.0 ];
            }
        }
        dhcp {
            pool 192.168.10.0/24 {
                address-range low 192.168.10.100 high 192.168.10.199;
                maximum-lease-time 2419200;
                default-lease-time 1209600;
                name-server {
                    192.168.171.14;
                    10.11.17.140;
                    208.67.222.222;
                }
                domain-search {
                    acme.local;
                }
                router {
                    192.168.10.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 6.6.10.0/24 {
                address-range low 6.6.10.100 high 6.6.10.150;
                maximum-lease-time 2419200;
                default-lease-time 1209600;
                name-server {
                    208.67.222.222;
                    208.67.220.220;
                }
                router {
                    6.6.10.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.100.0/24 {
                address-range low 192.168.100.50 high 192.168.100.200;
                maximum-lease-time 172800;
                default-lease-time 86400;
                name-server {
                    192.168.171.14;
                    10.11.17.140;
                }
                router {
                    192.168.100.1;
                }
            }
        }
    }
    syslog {
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    archival {
        configuration {
            transfer-on-commit;
            archive-sites {
                ftp://192.168.171.14/SRX;
            }
        }
    }
    ntp {
        server 104.232.3.3;
        server 64.99.80.121;
    }
}
security {
    ike {
        policy ike-location_1-SSG {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "...";
        }
        policy ike-policy-location_1-SSG-location_2 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "...";
        }
        gateway ike-gw-location_1-comcast-SSG {
            ike-policy ike-location_1-SSG;
            address my.remote.ip;
            external-interface ge-0/0/0.0;
        }
        gateway ike-gw-location_2 {
            ike-policy ike-policy-location_1-SSG-location_2;
            address my.other.remote.ip;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy vpn-policy-std {
            proposal-set standard;
        }
        policy vpn-policy-std-location_2 {
            proposal-set standard;
        }
        vpn ike-vpn-location_1-comcast {
            bind-interface st0.0;
            ike {
                gateway ike-gw-location_1-comcast-SSG;
                proxy-identity {
                    local 192.168.10.0/24;
                    remote 192.168.171.0/24;
                }
                ipsec-policy vpn-policy-std;
            }
        }
        vpn ike-vpn-location_2 {
            bind-interface st0.1;
            ike {
                gateway ike-gw-location_2;
                proxy-identity {
                    local 192.168.10.0/24;
                    remote 10.11.17.0/24;
                }
                ipsec-policy vpn-policy-std-location_2;
            }
        }
    }
    address-book {
        global {
            address location_1-lan2 192.168.16.0/24;
            address location_1-lan 192.168.10.0/24;
            address apc-ups 192.168.10.251/32;
            address location_1-wlan 192.168.100.0/24;
            address PACS_192_168_10_15 192.168.10.15/32;
            address location_1-lan 192.168.171.0/24;
            address location_2-lan 10.11.17.0/24;
            address SRX-routing-addr 10.255.255.16/28;
            address loopback 127.0.0.1/32;
        }
    }
    flow {
        traceoptions {
            file debug.log;
            flag basic-datapath;
            packet-filter FILTER1 {
                protocol icmp;
                source-prefix 0.0.0.0/0;
                destination-prefix 192.168.171.14/32;
            }
        }
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    nat {
        source {
            rule-set nat-out {
                from zone trust;
                to zone untrust;
                rule interface-nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dnat-192_168_10_251m32 {
                address 192.168.10.251/32 port 161;
            }
            rule-set dest-nat {
                from zone untrust;
                rule rule-snmp-16100 {
                    match {
                        destination-address my.public.ip/32;
                        destination-port {
                            16100;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-192_168_10_251m32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    my.public.ip.2/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy all-outbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy vpn-to-location_1 {
                match {
                    source-address location_1-lan;
                    destination-address location_1-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy vpn-to-location_2 {
                match {
                    source-address location_1-lan;
                    destination-address location_2-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-from-location_1 {
                match {
                    source-address location_1-lan;
                    destination-address location_1-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy vpn-from-location_2 {
                match {
                    source-address location_2-lan;
                    destination-address location_1-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy unt-to-trust-snmp-16100 {
                match {
                    source-address any;
                    destination-address apc-ups;
                    application snmp-16100;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            snmp;
                            ping;
                            ssh;
                            https;
                        }
                    }
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/5.0;
                lo0.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address my.public.ip/29;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.16.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 6.6.10.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.100.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input allow-mgmt-ip-only;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
snmp {
    description "Location_1 SRX";
    location "Somewhere";
    contact "Bart";
    community my.community.string {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop my.public.gateway.ip;
        route 192.168.171.0/24 next-hop st0.0;
        route 10.11.17.0/24 next-hop st0.1;
        route 10.255.255.16/28 next-hop st0.0;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
}
policy-options {
    prefix-list mgmt-ip {
        10.11.17.0/24;
        192.168.171.0/24;
    }
}
firewall {
    filter allow-mgmt-ip-only {
        term block-except-mgmt {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    mgmt-ip except;
                }
                protocol [ tcp udp ];
                destination-port [ ssh http https snmp 16100 2345 2346 ];
            }
            then {
                inactive: log;
                discard;
            }
        }
        term block-ping {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    mgmt-ip except;
                }
                protocol icmp;
                icmp-type echo-request;
            }
            then {
                discard;
            }
        }
        term allow-everything-else {
            then accept;
        }
    }
}
applications {
    application snmp-16100 {
        protocol udp;
        destination-port 161;
    }
}
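The posted configuration negotiates the st0.0 tunnel with proxy-identity local 192.168.10.0/24, remote 192.168.171.0/24 (the Local/Remote Identity shown by `show security ipsec security-associations detail`), so the IPsec SA only carries traffic sourced from inside 192.168.10.0/24; a packet sourced from the ge-0/0/0 public address does not fit it, and the archival FTP transfer is self-originated traffic just like the ping. The checker below is an added example for this thread, not code from the original post or from Juniper. It parses a Junos-style configuration fragment (constructed from the posted config; 203.0.113.0/29 is an assumed stand-in for the redacted public block), does a longest-prefix lookup over the static routes, and tests a source/destination pair against the proxy-identity of the VPN bound to the selected st0 unit. It models only the traffic-selector check, not Junos' own source-address selection for locally generated packets.

```python
# Added example (not from the original post or from Juniper): does a flow fit
# the proxy-identity of the route-based VPN its destination is routed over?
# CONFIG is constructed from the posted configuration; 203.0.113.0/29 stands in
# for the redacted public block (assumption). Only the IPsec traffic-selector
# check is modelled, not Junos' source-address selection for local traffic.
import ipaddress
import re

CONFIG = """
security {
    ipsec {
        vpn ike-vpn-location_1-comcast {
            bind-interface st0.0;
            ike {
                proxy-identity {
                    local 192.168.10.0/24;
                    remote 192.168.171.0/24;
                }
            }
        }
        vpn ike-vpn-location_2 {
            bind-interface st0.1;
            ike {
                proxy-identity {
                    local 192.168.10.0/24;
                    remote 10.11.17.0/24;
                }
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.1;
        route 192.168.171.0/24 next-hop st0.0;
        route 10.11.17.0/24 next-hop st0.1;
        route 10.255.255.16/28 next-hop st0.0;
    }
}
"""


def parse_junos(text):
    """Minimal curly-brace parser: containers -> dicts keyed by header line, leaf statements -> '_stmts'."""
    root = {"_stmts": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            node = {"_stmts": []}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1]["_stmts"].append(line[:-1].strip())
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def static_routes(cfg):
    """[(network, next-hop)] from routing-options static."""
    routes = []
    for stmt in cfg["routing-options"]["static"]["_stmts"]:
        m = re.fullmatch(r"route (\S+) next-hop (\S+)", stmt)
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes


def vpns_by_interface(cfg):
    """Map bound st0 unit -> (vpn name, local proxy-id network, remote proxy-id network)."""
    out = {}
    for header, node in cfg["security"]["ipsec"].items():
        if header.startswith("vpn "):
            bind = next(s.split()[1] for s in node["_stmts"] if s.startswith("bind-interface "))
            pid = dict(s.split() for s in node["ike"]["proxy-identity"]["_stmts"])
            out[bind] = (header[4:], ipaddress.ip_network(pid["local"]), ipaddress.ip_network(pid["remote"]))
    return out


def check_flow(cfg, src, dst):
    """Route dst (longest prefix wins); if it leaves via st0.N, require src/dst
    to sit inside that VPN's local/remote proxy-identity. Returns (bool, reason)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in static_routes(cfg) if dst_ip in net]
    if not matches:
        return False, f"no route to {dst}"
    net, nh = max(matches, key=lambda r: r[0].prefixlen)
    if not nh.startswith("st0."):
        return False, f"{dst} leaves via {nh} ({net}), not a VPN interface"
    name, local, remote = vpns_by_interface(cfg)[nh]
    if dst_ip not in remote:
        return False, f"{dst} is outside remote proxy-id {remote} of {name}"
    if src_ip not in local:
        return False, f"source {src} is outside local proxy-id {local} of {name}"
    return True, f"{src} -> {dst} fits {local} -> {remote} of {name} via {nh}"


if __name__ == "__main__":
    print(check_flow(parse_junos(CONFIG), "203.0.113.2", "192.168.171.14"))
```

With the constructed config, a flow from 203.0.113.2 (the assumed public address) to 192.168.171.14 is rejected as outside the local proxy-id, while 192.168.10.1 to the same host fits, which matches the difference between the two pings in the post. The same check also flags 10.255.255.16/28: it is routed to st0.0 but lies outside that tunnel's remote proxy-id, so nothing the SRX sends there would be carried by the negotiated SA either.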