Happy 20th birthday Junos!
return traffic
Hi all,
There is a web page that users cannot access internally. When trying to access this web page externally, it works. I determined the IP address of that server using nslookup on Win10. I am trying to investigate whether or not the SRX firewall is blocking this traffic.
On my Win10 PC, while telnetting to port 443 on the destination server where the web page sits (telnet 168.1.79.79 443), I concurrently ran the following command in another cmd window.
H:\>netstat -an 1 | find "168.1.79.79" | find "443"
TCP 10.112.138.238:17153 168.1.79.79:443 ESTABLISHED
TCP 10.112.138.238:17153 168.1.79.79:443 ESTABLISHED
As you can see here, the connection is established over the SRX. Between client and server there is an SRX firewall. When the connection is established, the security flow session shows the following:
Session ID: 12474714, Policy name: 111111/1180, State: Active, Timeout: 1334, Valid
In: X.X.X.X/17294 --> 168.1.79.79/443;tcp, Conn Tag: 0x0, If: reth1.1155, Pkts: 3, Bytes: 144, CP Session ID: 12607317
Out: 168.1.79.79/443 --> X.X.X.X/17294;tcp, Conn Tag: 0x0, If: reth1.82, Pkts: 2, Bytes: 104, CP Session ID: 12607317
But when I try to access that web page over HTTPS in Chrome on my Win10 PC, the web page is not accessible: it gives an error and the page does not load. Even worse, the security flow session on the SRX shows nothing for it as the web page returns an error. The SRX must be showing this traffic in the security flow session.
In this case, what should be done further to see whether the reverse traffic over HTTPS reaches the SRX or not? If the SRX is blocking this session and sending an RST flag to both sides, why is no RST flag arriving at my Win10 PC, where I am capturing the .pcap with Wireshark?
Any help please?
Thanks. Erimax
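The telnet-versus-Chrome difference in the post is the difference between a TCP handshake (which the kernel on the far side answers) and a TLS handshake (which needs the application and the return path to work). The following is an added example, not code from the post or from Juniper: a client-side probe that reports which of the two stages failed, plus a simulate() helper that reproduces the three outcomes on 127.0.0.1 so it runs without a real server. Host names, ports and the scenario names are this example's own.

```python
"""Added example (not from the post or from Juniper): separate "TCP handshake
failed" from "TCP connected, TLS handshake failed".  Standard library only;
simulate() reproduces the outcomes locally so the code runs offline."""
import socket
import ssl
import threading


def probe_https(host, port, timeout=5.0, server_hostname=None):
    """Return (stage, detail).

    stage "tcp": the three-way handshake itself failed (refused, timeout).
    stage "tls": TCP connected but no TLS session came up (timeout, eof,
                 reset, or an OpenSSL reason string).
    stage "ok":  TLS negotiated; detail is the protocol version.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("tcp", "refused")            # RST answered our SYN
    except socket.timeout:
        return ("tcp", "timeout")            # SYN or SYN/ACK silently dropped
    except OSError as exc:
        return ("tcp", exc.strerror or type(exc).__name__)

    ctx = ssl.create_default_context()
    ctx.check_hostname = False               # reachability check, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return ("ok", tls.version())
    except socket.timeout:
        return ("tls", "timeout")            # ClientHello sent, nothing came back
    except ssl.SSLEOFError:
        return ("tls", "eof")                # peer closed during the handshake
    except ssl.SSLError as exc:
        return ("tls", exc.reason or type(exc).__name__)
    except ConnectionResetError:
        return ("tls", "reset")              # RST after TCP was established
    except OSError as exc:
        return ("tls", exc.strerror or type(exc).__name__)
    finally:
        raw.close()                          # no-op if wrap_socket took the fd


def simulate(scenario, timeout=1.0):
    """Reproduce three failure pictures on 127.0.0.1 (constructed, no real server):
    "closed": nothing listens on the port, so the SYN gets an RST.
    "silent": a listener that never accept()s; the kernel completes TCP, so
              netstat shows ESTABLISHED, but the ClientHello is never read and
              the handshake times out, which is the picture in the post.
    "hangup": the server accepts and closes at once (EOF or RST mid-handshake).
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    port = lst.getsockname()[1]
    if scenario == "closed":
        lst.close()
        return probe_https("127.0.0.1", port, timeout)
    lst.listen(1)
    if scenario == "hangup":
        def accept_and_close():
            conn, _ = lst.accept()
            conn.close()
        threading.Thread(target=accept_and_close, daemon=True).start()
    try:
        return probe_https("127.0.0.1", port, timeout)
    finally:
        lst.close()


if __name__ == "__main__":
    for name in ("closed", "silent", "hangup"):
        print(name, simulate(name))
```

Against the real server you would call probe_https("168.1.79.79", 443) from the same Win10 PC: a ("tls", "timeout") result while netstat shows ESTABLISHED means the SYN/SYN-ACK passed but the first encrypted record or its reply did not, which is the point at which to compare the SRX session counters (Pkts/Bytes in both directions) with the client-side capture.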
hit-policies and shadowed policies
Hi,
After investigating, there is a high number of policies being shadowed by other policies on the high-end SRX, where there are currently more than 5K policies at the ISP level. This comes from both the original migration from NetScreen to SRX and adding new policies to the SRX from time to time over 4 years.
Has anyone come across the same situation before? If yes, how was it fixed? Or can anyone give any ideas about how to fix the high number of shadowed policies?
Thx.
Erixim
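As an added example (not from the post or from Juniper), the following script finds shadowed policies offline from `show configuration security policies | display set` output, which is a practical first pass on a 5K-policy rulebase before deciding what to delete or reorder. It uses a simplified model: matches are prefixes, "any" and application names; address-book names would have to be resolved to prefixes first, and user, dynamic-application and schedule matches are not modelled. The sample lines, zone names and policy names are constructed for this example.

```python
"""Added example (not from the post or from Juniper): find shadowed policies
from `show configuration security policies | display set` output.  Simplified
model: prefixes, "any" and application names only; address-book names must be
resolved to prefixes first.  Sample lines are constructed."""
import ipaddress
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class Policy:
    name: str
    src: list = field(default_factory=list)   # prefixes or ["any"]
    dst: list = field(default_factory=list)
    apps: list = field(default_factory=list)  # application names or ["any"]
    action: str = "permit"


def parse_set_lines(lines):
    """Group 'set security policies from-zone A to-zone B policy N ...' lines
    into {(A, B): [Policy, ...]} in file order, which is evaluation order."""
    zone_pairs = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 11 or tok[:3] != ["set", "security", "policies"] or tok[7] != "policy":
            continue
        pols = zone_pairs.setdefault((tok[4], tok[6]), [])
        if not pols or pols[-1].name != tok[8]:
            pols.append(Policy(tok[8]))
        p = pols[-1]
        if tok[9] == "match" and len(tok) >= 12:
            target = {"source-address": p.src, "destination-address": p.dst,
                      "application": p.apps}.get(tok[10])
            if target is not None:
                target.append(tok[11])
        elif tok[9] == "then" and tok[10] in ("permit", "deny", "reject"):
            p.action = tok[10]
    return zone_pairs


def _prefixes(items):
    """None stands for "any"; otherwise a list of ip_network objects."""
    return None if ANY in items else [ipaddress.ip_network(i, strict=False) for i in items]


def _addr_covered(outer, inner):
    """Every prefix of inner lies inside some prefix of outer."""
    if outer is None:
        return True
    if not inner:                      # "any", or nothing parsed: not covered
        return False
    return all(any(i.version == o.version and i.subnet_of(o) for o in outer) for i in inner)


def _apps_covered(outer, inner):
    return ANY in outer or (bool(inner) and ANY not in inner and set(inner) <= set(outer))


def shadowed_policies(policies):
    """Return [(shadowed, shadowing), ...] for one zone pair.  A policy is
    shadowed when an earlier policy covers all of its sources, destinations
    and applications; the earlier action does not matter, the later rule is
    unreachable whether it permits or denies."""
    found, seen = [], []
    for p in policies:
        ps, pd = _prefixes(p.src), _prefixes(p.dst)
        for q, qs, qd in seen:
            if _addr_covered(qs, ps) and _addr_covered(qd, pd) and _apps_covered(q.apps, p.apps):
                found.append((p.name, q.name))
                break
        seen.append((p, ps, pd))
    return found


# Constructed sample: a "permit any" that survived a NetScreen migration sits
# above newer, more specific rules, so those can never be hit.
SAMPLE_SET = """\
set security policies from-zone trust to-zone untrust policy dns-out match source-address 10.1.0.0/16
set security policies from-zone trust to-zone untrust policy dns-out match destination-address 10.9.9.9/32
set security policies from-zone trust to-zone untrust policy dns-out match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy dns-out then permit
set security policies from-zone trust to-zone untrust policy legacy-permit-all match source-address any
set security policies from-zone trust to-zone untrust policy legacy-permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy legacy-permit-all match application any
set security policies from-zone trust to-zone untrust policy legacy-permit-all then permit
set security policies from-zone trust to-zone untrust policy smtp-relay match source-address 10.1.5.0/24
set security policies from-zone trust to-zone untrust policy smtp-relay match destination-address 10.9.9.25/32
set security policies from-zone trust to-zone untrust policy smtp-relay match application junos-smtp
set security policies from-zone trust to-zone untrust policy smtp-relay then deny
set security policies from-zone trust to-zone untrust policy dns-host match source-address 10.1.2.3/32
set security policies from-zone trust to-zone untrust policy dns-host match destination-address 10.9.9.9/32
set security policies from-zone trust to-zone untrust policy dns-host match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy dns-host then permit
""".splitlines()


def demo():
    return shadowed_policies(parse_set_lines(SAMPLE_SET)[("trust", "untrust")])


if __name__ == "__main__":
    for shadowed, by in demo():
        print(f"{shadowed} is shadowed by {by}")
```

Note that a deny shadowed by an earlier permit (smtp-relay above) is the security-relevant case: the rulebase reads as if the relay is blocked, but the traffic is permitted. Reordering such rules changes behaviour, so the output is a worklist for review, not a list of safe deletions.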
LACP Ethernet channel
I want to configure an Ethernet channel between an SRX1400 and a Cisco 4500 switch. I did the following configuration, but the Ethernet channel still does not work properly:
SRX1400:
chassis {
    aggregated-devices {
        ethernet {
            device-count 5;
        }
    }
}
security {
    policies {
        from-zone untrust to-zone trust10 {
            policy untrust-to-trust10 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust10 to-zone untrust {
            policy trust10-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust10 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/6.2;
                ge-0/0/6.10;
                ge-0/0/6.8;
            }
        }
        security-zone untrust {
            interfaces {
                ae0.2 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                ae0.8 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                ae0.10 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/3 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/5 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/6 {
        vlan-tagging;
        unit 2 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 2;
            }
        }
        unit 8 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 8;
            }
        }
        unit 10 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 10;
            }
        }
    }
    ae0 {
        vlan-tagging;
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 2 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 2;
            }
        }
        unit 8 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 8;
            }
        }
        unit 10 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 10;
            }
        }
    }
    irb {
        unit 2 {
            family inet {
                address 10.2.0.222/16;
            }
        }
        unit 8 {
            family inet {
                address 10.8.0.10/16;
            }
        }
        unit 10 {
            family inet {
                address 10.10.10.10/16;
            }
        }
    }
}
bridge-domains {
    vlan10 {
        domain-type bridge;
        vlan-id 10;
        routing-interface irb.10;
    }
    vlan2 {
        domain-type bridge;
        vlan-id 2;
        routing-interface irb.2;
    }
    vlan8 {
        domain-type bridge;
        vlan-id 8;
        routing-interface irb.8;
    }
    vlan9 {
        domain-type bridge;
        vlan-id 9;
        routing-interface irb.0;
    }
}
Cisco 4500:
interface Port-channel1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet3/15
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet3/16
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
channel-protocol lacp
channel-group 1 mode active
admin@CIG-HQ# run show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/2       Actor    No   Yes    No   No   No   Yes     Fast    Active
      ge-0/0/2     Partner    No   Yes    No   No   No   Yes     Fast   Passive
      ge-0/0/3       Actor    No   Yes    No   No   No   Yes     Fast    Active
      ge-0/0/3     Partner    No   Yes    No   No   No   Yes     Fast   Passive
      ge-0/0/4       Actor    No   Yes    No   No   No   Yes     Fast    Active
      ge-0/0/4     Partner    No   Yes    No   No   No   Yes     Fast   Passive
      ge-0/0/5       Actor    No   Yes    No   No   No   Yes     Fast    Active
      ge-0/0/5     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/2                Defaulted   Fast periodic           Detached
      ge-0/0/3                Defaulted   Fast periodic           Detached
      ge-0/0/4            Port disabled     No periodic           Detached
      ge-0/0/5            Port disabled     No periodic           Detached
admin@CIG-HQ# run show lacp statistics interfaces ae0
Aggregated interface: ae0
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      ge-0/0/2                   0        5789            0            0
      ge-0/0/3                   0        3611            0            0
      ge-0/0/4                   0           0            0            0
      ge-0/0/5                   0           0            0            0
How to check thresholds for each component in SRX5800?
Hi all,
I would appreciate it if someone could give me the command to see the threshold for each component on the SRX5800, such as RE CPU and memory, FPC, SPC, etc.
Thanks
Second IPsec tunnel not working
hi,
I have been fighting with a second IPsec VPN tunnel since winter. We got a bigger internet line in the office; I configured a port for this on the office SRX100, and all our internet traffic is using this now. We have a VPN to our data center, where there is a cluster of two SRX100/100H2 as the VPN endpoint. Now I wanted to make a second tunnel to the data center over the new line, transfer all routes and then switch off the old tunnel. I did this before with pfSenses, but on Juniper I just cannot understand how this should be done.
I copied the secrets from the config of the first to the second firewall, so this should be OK. What I don't understand is why the tunnel 1 endpoint on firewall 1 has a completely different secret than the tunnel 1 endpoint on firewall 2 and it still works. ???
My (cleaned) config at the moment; there were so many tries and changes over the last half year that I cannot recall everything I did until now, and I did not push every time:
Firewall office:
interfaces {
    fe-0/0/0 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    fe-0/0/7 {
        description Telekom;
        speed 100m;
        mtu 1492;
        link-mode full-duplex;
        fastether-options {
            no-auto-negotiation;
        }
        unit 0 {
            description "Feste IP";
            family inet {
                address 172.10.10.10/29;
            }
        }
    }
    pp0 {
        traceoptions;
        unit 0 {
            apply-macro "telekom dsl";
            ppp-options {
                chap {
                    default-chap-secret "$9$/somesecretchap";
                    local-name "fixed-ip-telekom";
                    no-rfc2486;
                    passive;
                }
                pap {
                    local-name "fixed-ip-telekom";
                    no-rfc2486;
                    local-password "$9$/somesecretchap";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 10;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 192.168.210.20/24;
            }
        }
        unit 1 {
            description MunichII;
            family inet {
                address 192.168.210.21/24;
            }
        }
    }
}
ike {
    traceoptions {
        flag all;
        level 0;
    }
    policy ike_pol_wizard_dyn_vpn {
        mode aggressive;
        proposal-set compatible;
        pre-shared-key ascii-text "$9$xxxxxverylongpassword1";
    }
    policy ike-policy-cfgr {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$notsolongpassword1";
    }
    policy ike-policy-sdsl {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$notsolongpassword1";
    }
    gateway gw_wizard_dyn_vpn {
        ike-policy ike_pol_wizard_dyn_vpn;
        dynamic {
            hostname rt1;
            connections-limit 50;
            ike-user-type group-ike-id;
        }
        external-interface pp0.0;
        xauth access-profile remote_access_profile;
    }
    gateway ike-gate-cfgr {
        ike-policy ike-policy-cfgr;
        address 172.10.11.146;
        external-interface pp0.0;
    }
    gateway ike-gate-sdsl {
        ike-policy ike-policy-sdsl;
        address 172.10.11.146;
        external-interface fe-0/0/7.0;
    }
}
ipsec {
    policy ipsec_pol_wizard_dyn_vpn {
        proposal-set compatible;
    }
    policy ipsec-policy-cfgr {
        proposal-set standard;
    }
    policy ipsec-policy-sdsl {
        proposal-set standard;
    }
    vpn wizard_dyn_vpn {
        ike {
            gateway gw_wizard_dyn_vpn;
            ipsec-policy ipsec_pol_wizard_dyn_vpn;
        }
    }
    vpn ipsec-vpn-cfgr {
        bind-interface st0.0;
        ike {
            gateway ike-gate-cfgr;
            ipsec-policy ipsec-policy-cfgr;
        }
        establish-tunnels immediately;
    }
    vpn ipsec-vpn-sdsl {
        bind-interface st0.1;
        ike {
            gateway ike-gate-sdsl;
            ipsec-policy ipsec-policy-sdsl;
        }
        establish-tunnels immediately;
    }
}
Firewall data center:
interfaces {
    reth2 {
        description "UPLINK IPX";
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 172.10.11.146/29;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 192.168.210.10/24;
            }
        }
        unit 1 {
            family inet {
                address 192.168.210.11/24;
            }
            family inet6;
        }
    }
}
ike {
    policy ike-policy-cfgr {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$somecompletelydifferentpasswordthentheothers";
    }
    policy ike_pol_sdsl {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$thesecreticopiedfromotherfirewall";
    }
    gateway ike-gate-cfgr {
        ike-policy ike-policy-cfgr;
        address 172.old.ppoe.address;
        external-interface reth2.0;
    }
    gateway gw_sdsl {
        ike-policy ike_pol_sdsl;
        address 172.10.10.62;
        external-interface reth2.0;
    }
}
ipsec {
    policy ipsec-policy-cfgr {
        proposal-set standard;
    }
    policy ipsec_pol_sdsl {
        proposal-set standard;
    }
    vpn ipsec-vpn-cfgr {
        bind-interface st0.0;
        ike {
            gateway ike-gate-cfgr;
            ipsec-policy ipsec-policy-cfgr;
        }
        establish-tunnels immediately;
    }
    vpn sdsl {
        bind-interface st0.1;
        ike {
            gateway gw_sdsl;
            ipsec-policy ipsec_pol_sdsl;
        }
        establish-tunnels immediately;
    }
}
I always change the config in the web interface CLI editor.
I enabled kmd logs on both firewalls.
The logs say the tunnel from RZ to the old gateway is established perfectly; for the new gateway to RZ, the office log says:
Jul 9 16:40:14 rt1 kmd[65052]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: ipsec-vpn-sdsl Gateway: ike-gate-sdsl, Local: 172.10.10.62/500, Remote: 172.10.11.146/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jul 9 16:41:09 rt1 kmd[65052]: Config download: Processed 4 - 5 messages
Jul 9 16:41:09 rt1 kmd[65052]: Config download time: 0 seconds
I really tried everything now: using the same policy and gateway on RZ (it's the same gateway anyway), making an st0.1 with the same IP and a different gateway name, using the same policy on the office firewall, making a new one...
I am out of options. I tried the
https://www.juniper.net/support/tools/vpnconfig/#remoteSite
configurator and copied the relevant portions into the config, committed, and it did not work. I even went as far as making a backdoor around the firewall in the data center so as not to lose connectivity and tried the CLI set approach, to no avail, except that the tunnel really went down then. Luckily the commit confirmed brought it back after 10 minutes.
So what to do?
JunOS VPN (remote access) options for 15.1X49-D80 and later
Dear experts,
What are the JunOS VPN (remote access) options for 15.1X49-D80 and later? We have a mixed bag of Windows 10, Android (8/8.1), iOS and macOS devices (recent versions).
I'm currently preparing a PoC with Juniper devices; any help will be appreciated.
As far as I have read, L2TP/IPsec is not supported, the Pulse VPN client was discontinued (as of D80) and only the NCP Exclusive client is supported?
I was wondering whether there are some plans on the horizon to improve the situation (if my understanding of the information is correct)...
We need IPsec and SSL VPNs for remote access (this is vital functionality nowadays). Actually we have a couple of Mikrotik boxes that can handle remote access, but the idea is to move a step up and consolidate all the network equipment and the management platform (probably with Juniper).
LX10 versus LH in SRX550
I have two SRX550s hosting several 1G optics. It's a really basic setup, uplink to my service provider and downlink to distribution switches, and in fact the two SRX550s are connected to make a stacked setup.
All my available optics read as LX10, but the two links to my service provider behave weirdly: they need a switch inserted in the connection to get link. It doesn't matter if I use a Juniper EX4550 or a Cisco ME3400, but without the switch I get no link to the provider.
All other connections work fine using the LX10!
When asking Juniper, they say: the SRX550 doesn't support LX10, you need an LH.
Does anybody know what the difference is? And does anyone have a clue why I need the switch in place to connect to the provider when using LX10?
Jan Ferré
GTP questions regarding high-end SRXs
Hi Experts,
I have a question regarding RAT (Radio Access Technology) Types.
Do the high-end SRX firewalls support the RAT 6 Type, and RAT 8 Type?
RAT 6 Type is EUTRAN.
RAT 8 Type is EUTRAN-NB-IoT.
Thanks in advance!
Best Regards,
Attila
New Node (SRX300) In Cluster Not Forwarding Traffic
I've got a problem that I can't wrap my head around and I could use any help I can get.
At a remote customer site we have 2 SRX300s set up in an active/passive cluster. Recently one of the SRX300 devices died (node0) and had to be replaced. I followed the steps in the Juniper KB article to install the new firewall as node0 (https://kb.juniper.net/InfoCenter/index?page=content&id=KB21134&actp=METADATA). First I downgraded the OS on the new node0 to match what was installed on node1. node1 is the primary since node0 failed. ge-0/0/2 and ge-1/0/2 are set up as reth1 (5.6.7.8), connected to the customer switch (1.2.3.4). We connect to the customer site via VPN. We have our "internal" network on reth2, ge-0/0/3 and ge-1/0/3.
Everything seems fine. "show chassis cluster information" reports everything is good. "show system alarms" reports no problems. I've done a side by side comparison of the configs on node0 and node1 to verify that they are identical, and they are.
I wanted to be 100% sure that the new node0 worked properly so I rebooted node1 so that node0 would become the primary, and I lost all remote connectivity. I had the customer power cycle node0 so that node1 would become the primary again and I got connectivity back. So last night I scheduled a reboot (outside of production hours) of node1 and another reboot of node0 30 minutes later. On node0 I set up a packet capture and also a cron entry that would ping (ping -c 2 1.2.3.4) the customer default gateway every 5 minutes and also dump the arp table, both into a text file in /var/tmp/. I also set up on-going pings from the internal network to the customer default gateway, as well as on-going pings from my computer through the VPN to the customer router at 1.2.3.4 and node0 at 5.6.7.8. I can't figure out what was going on for the 30 minutes that node0 was the primary.
In those 30 minutes node0 received back 1 ping reply (from the cron entry) from the customer default gateway immediately after node1 started rebooting, and the rest failed for the remainder of the 30 minutes. Why would/could that happen? The ARP table never changed, other than the fxp entry for node1 disappearing when it rebooted. The packet captures and pings are stranger to me. Pings from my computer over the VPN to the customer router at 1.2.3.4 were good; I never stopped receiving replies from 1.2.3.4 in those 30 minutes. But I received no replies from node0 at 5.6.7.8 in those 30 minutes. However, the packet captures on node0 show that it was receiving those ICMP requests, but the packet captures do not show that node0 replied. Same thing with the pings from "internal"/reth2 to the customer gateway at 1.2.3.4: there were no replies in those 30 minutes. The packet captures show that node0 received that ICMP request from the internal computer, but did not forward it on to 1.2.3.4. Why would this be happening? After node0 rebooted 30 minutes later, node1 became the primary again and everything was fine.
I'm not sure if the problem is with the new SRX300 node0 or something on the customer network. I verified with the customer that the cables are in the correct ports, and I verified with the packet captures from node0 that I am seeing the correct IP addresses going in/out on the correct interfaces of node0 in those 30 minutes. I thought that maybe the customer's switch/router (1.2.3.4) that is our default gateway was set up to filter MAC addresses, and since the new node0 obviously has a different MAC address it wasn't permitted, but the customer assures me that no MAC filtering is in place. Then I thought somehow it was a Juniper licensing problem, but that can't be it either, right?
At this point I'm at a loss, any guidance is very appreciated. Thanks!
New Destination NAT Rules stay inactive
Hi Guys ,
I just joined this company with multiple sites; the 2 offices have Juniper SRX110s and the rest have Netcomm routers. Coming from a Cisco background, I'm just learning Junos on a per-request basis on our network. We recently had an issue with our phone system (between the main office (JuniperSRX110-1) and a remote branch (NetcommNVF4-1)), and as our VoIP provider requested, I've added ports to be opened in the NAT destination rules. The problem is, all the NAT rules I've created stay inactive after committing them. I replicated the config from the other office (SRX110-2), which has no issue with another site (NVF4-2), but still no luck with this. Please share your expertise on this issue. Configs below.
####################################################
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool pbx {
address 10.190.1.20/32;
}
pool voip_http {
address 10.190.1.22/32 port 80;
}
pool voip {
routing-instance {
default;
}
address 10.190.1.22/32;
}
pool pbx-http {
address 10.190.1.20/32 port 80;
}
rule-set dst-nat {
from zone untrust;
rule voip-http {
match {
destination-address 0.0.0.0/0;
destination-port {
13024;
}
protocol tcp;
}
then {
destination-nat {
pool {
voip_http;
}
}
}
}
rule pbx-1720 {
match {
destination-address 0.0.0.0/0;
destination-port {
1720;
}
}
then {
destination-nat {
pool {
pbx;
}
}
}
}
rule pbx-5060 {
match {
destination-address 0.0.0.0/0;
destination-port {
5060;
}
}
then {
destination-nat {
pool {
pbx;
}
}
}
}
rule pbx-5588 {
match {
destination-address 0.0.0.0/0;
destination-port {
5588;
}
}
then {
destination-nat {
pool {
pbx;
}
}
}
}
inactive: rule pbx-6254 {
match {
destination-address 0.0.0.0/0;
destination-port {
6254;
}
}
then {
destination-nat {
pool {
pbx;
}
}
}
}
inactive: rule pbx-7000 {
match {
destination-address 0.0.0.0/0;
destination-port {
7000 to 7015;
}
}
then {
destination-nat {
pool {
pbx;
}
}
}
}
inactive: rule pbx-7100 {
match {
destination-address 0.0.0.0/0;
destination-port {
7100 to 7115;
}
}
then {
destination-nat {
pool {
pbx;
}
}
}
}
inactive: rule pbx-7300 {
match {
destination-address 0.0.0.0/0;
destination-port {
7300 to 7315;
}
}
then {
destination-nat {
pool {
pbx;
}
}
}
}
inactive: rule voip-9000 {
match {
destination-address 0.0.0.0/0;
destination-port {
9000 to 9015;
}
}
then {
destination-nat {
pool {
voip;
}
}
}
}
inactive: rule voip-9100 {
match {
destination-address 0.0.0.0/0;
destination-port {
9100 to 9115;
}
}
then {
destination-nat {
pool {
voip;
}
}
}
}
inactive: rule voip-9300 {
match {
destination-address 0.0.0.0/0;
destination-port {
9300 to 9315;
}
}
then {
destination-nat {
pool {
voip;
}
}
}
}
rule pbx-http {
match {
destination-address 0.0.0.0/0;
destination-port {
13023;
}
}
then {
destination-nat {
pool {
pbx-http;
}
}
}
}
rule pbx-all {
match {
destination-address 0.0.0.0/0;
destination-port {
6000 to 9315;
}
protocol udp;
}
then {
destination-nat {
pool {
voip;
}
}
}
}
rule pbx-7000-all {
match {
destination-address 0.0.0.0/0;
destination-port {
7000 to 7315;
}
}
then {
destination-nat {
pool {
pbx;
}
}
}
}
}
}
}
###########################################################################################
root@> show security nat destination summary
Total pools: 4
Pool name        Address Range                Routing Instance   Port   Total Address
pbx              10.190.1.20 - 10.190.1.20                          0   1
voip_http        10.190.1.22 - 10.190.1.22                         80   1
voip             10.190.1.22 - 10.190.1.22    default                0   1
pbx-http         10.190.1.20 - 10.190.1.20                         80   1
Total rules: 7
Rule name Rule set From Action
voip-http dst-nat untrust voip_http
pbx-1720 dst-nat untrust pbx
pbx-5060 dst-nat untrust pbx
pbx-5588 dst-nat untrust pbx
pbx-http dst-nat untrust pbx-http
pbx-all dst-nat untrust voip
pbx-7000-all dst-nat untrust pbx
##########################################################
These rules are not showing in the NAT destination table:
voip-9300
voip-9100
pbx-7300
pbx-7100
pbx-7000
pbx-6254
Thanks in advance.
MudK
SRX Branch Series in Cluster with IPSec NHTB failed after periods of time
Hi, currently I'm working with an SRX 340 running 15.1X49-D100.6 in cluster mode, using routing instances and IPsec NHTB as well.
At the initial setup, all 19 sites are connected and able to reach the remote LAN.
But after a while, the NHTB entry goes missing while the IPsec session is still active.
And I found the syslog message below:
kmd[32609]: ../../../../../../src/usp/usr.sbin/iked/core/iked_nhtb.c:147: insist 'patricia_add(&iked_nhtb_root_by_name, &nhtb_pat_node->nhtb_node_by_name)' failed.
I managed to re-establish the connection by deleting and re-entering the config.
Anyone has idea about this?
How to configure failover on the SRX branch side, connected dynamically in aggressive mode
Hi,
I have SRX 340 series gateways in cluster mode at the head office and 300 series gateways at the branch side. All branches are connected through aggressive mode and are working perfectly. We now plan to purchase a backup line in the branches in case the primary goes down. I want to configure the backup line as failover on the branch side. Can anyone help me configure the second line as failover in aggressive mode?
How to configure QoS for Windows 10 updates
Hey, I have a Juniper SRX 210.
I want to set a specific bandwidth limit for Windows 10 updates, because when it updates automatically it now takes all my bandwidth.
Please help.
Thanks!! Waiting for a reply.
VPN Tunnel failover on redundant circuits.
Hello everyone,
I have an interesting problem. We recently had an issue with our primary ISP connection and I had to manually switch over to our backup ISP while they fixed the primary connection (physical fiber damage). This caused some serious downtime and people had to be sent home while I worked on this. I had my VPN tunnels set for next hop and qualified next hop with different preferences, and my thinking was that when the next hop was unavailable the traffic would get switched to the qualified next hop route, which runs over the backup link. This didn't happen, as I think I didn't understand how qualified next hop works and it's not for redundancy. So this brought me to RPM and IP monitoring. I can set up the probe and the IP monitoring piece, but what I am struggling with is how this will work with VPN tunnels.
My network layout:
SRX 340 Cluster with redundant ISPs
SRX 550 Cluster with Redundant ISPs
SRX 240 Cluster with a single ISP
Each cluster resides in a different physical location throughout the US; each node in the cluster has both ISP connections, except the single 240 cluster, which has just the one ISP for each node. Each cluster has a VPN tunnel going to the other SRX cluster on each ISP connection. So there is a total of six VPN tunnels on the 340 and 550 SRX clusters and four VPN tunnels on the 240 SRX cluster. The VPN tunnels are set up (so I thought) in a primary/backup fashion with a next hop going over one tunnel and a qualified next hop over the other tunnel. The route preference is set to 2 for the next hop and 5 for the qualified next hop. So when the primary link failed on the SRX340 cluster all traffic stopped. The failure occurred further upstream, so all links stayed up but the gateway was not available. I had to manually switch all static routes to the other VPN tunnels in order to restore traffic. This is all on static routes. There is no dynamic routing of any kind. Also no BGP. So my question is this. If I implement IP monitoring and have it ping 8.8.8.8, for example, on the primary link and have it set to immediately switch all routes to use the other VPN tunnel, how do I make the other firewalls use the backup tunnels too? What I see with IP monitoring and RPM probes is that I can switch the routes over if the link fails, but I don't see how I can get the other SRXes to start sending traffic on the backup tunnel. The only thing that would work would be the default route. None of the other routes will work since the other SRXes are not aware of the link failing and will still route traffic based on their routing tables. Should I use equal-cost multipathing for the VPN tunnels? Wouldn't this just alternate traffic between the primary VPN tunnel and the secondary VPN tunnel, so some of the traffic would get there and other traffic wouldn't? Do I set up a complex network of IP monitoring rules on each SRX to monitor all ISPs? (This would be crazy.)
The preferred way for me to set this up would be to ditch the primary/backup labels and use all links to route traffic, but I just don't see a way to mitigate failed links, and especially VPN tunnels going over those failed links. Any help would be appreciated.
Best practice for replacing a high-end SRX device
hi All,
Can I ask what the best practice is when replacing a high-end SRX device in terms of loading a huge configuration (more than 15K lines)?
Thanks,
Arixnm
SRX1500 memory and 64-bit rpd?
hi,
I'm playing around a little with an SRX1500. I need a router and have an SRX1500 lying around.
So I configured the box into packet mode and started pushing routes into the box. All looks fine;
convergence time is much faster than on an MX80.
But I saw that the Junos VM has only 2GB of memory. From the specs the box should be equipped with 16GB of RAM.
Is it possible to give the Junos VM more than 2GB of RAM and use a 64-bit rpd?
Collect data (Health status of the unit, CPU load, RAM usage) and send it to influxdb
Hi,
I would like to collect stats from an SRX320 (health status, CPU load, RAM usage, free space...) and send that data to InfluxDB (so that afterwards it can be visualized in Grafana). Does anyone have an idea how it can be done?
Thank you in advance!
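As an added example (not from the post, Juniper or InfluxData), the script below takes the text of `show chassis routing-engine`, which carries temperature, memory and CPU utilisation for a branch SRX, parses the figures out, and formats them as InfluxDB line protocol, including the escaping rules that bite when a tag value contains a space or comma. The sample output is constructed in the shape of an SRX branch device; the measurement name, the host tag, and the URL/org/bucket/token placeholders in write_points() are this example's own. Collecting the text over SSH is left to whatever the reader already uses.

```python
"""Added example (not from the post, Juniper or InfluxData): parse
`show chassis routing-engine` text and emit InfluxDB line protocol.
RE_SAMPLE is constructed; write_points() targets the InfluxDB 2.x HTTP API
and is not called by demo()."""
import re
import urllib.parse
import urllib.request

# Constructed in the shape of an SRX branch device's output.
RE_SAMPLE = """\
Routing Engine status:
    Temperature                 43 degrees C / 109 degrees F
    CPU temperature             47 degrees C / 116 degrees F
    Total memory              4096 MB Max  1504 MB used ( 37 percent)
      Control plane memory    2624 MB Max  1160 MB used ( 44 percent)
      Data plane memory       1472 MB Max   344 MB used ( 23 percent)
    5 sec CPU utilization:
      User                       2 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  0 percent
      Idle                      94 percent
    Model                          RE-SRX320
    Load averages:                 1 minute   5 minute  15 minute
                                       0.14       0.12       0.09
"""

# field name -> (regex anchored at line start, converter); first match wins
FIELD_PATTERNS = {
    "temperature_c":     (r"^\s*Temperature\s+(\d+) degrees C", int),
    "cpu_temperature_c": (r"^\s*CPU temperature\s+(\d+) degrees C", int),
    "mem_total_mb":      (r"^\s*Total memory\s+(\d+) MB Max", int),
    "mem_used_pct":      (r"^\s*Total memory.*\(\s*(\d+) percent\)", int),
    "cpu_user_pct":      (r"^\s*User\s+(\d+) percent", int),
    "cpu_kernel_pct":    (r"^\s*Kernel\s+(\d+) percent", int),
    "cpu_idle_pct":      (r"^\s*Idle\s+(\d+) percent", int),
}


def parse_routing_engine(text):
    """Return (tags, fields) from the CLI text; missing lines are simply absent."""
    tags, fields = {}, {}
    for line in text.splitlines():
        for name, (pat, conv) in FIELD_PATTERNS.items():
            m = re.match(pat, line)
            if m and name not in fields:
                fields[name] = conv(m.group(1))
        m = re.match(r"^\s*Model\s+(\S+)", line)
        if m:
            tags["model"] = m.group(1)
    m = re.search(r"Load averages:.*\n\s*([\d.]+)\s+([\d.]+)\s+([\d.]+)", text)
    if m:
        fields["load1"], fields["load5"], fields["load15"] = map(float, m.groups())
    return tags, fields


def _esc_tag(s):            # tag keys/values and field keys: escape , = space
    return re.sub(r"([,= ])", r"\\\1", str(s))


def _esc_measurement(s):    # measurement: escape , and space only
    return re.sub(r"([, ])", r"\\\1", s)


def to_line_protocol(measurement, tags, fields, ts_ns):
    """One line-protocol point.  ints get the 'i' suffix, floats stay bare,
    strings are double-quoted with \\ and \" escaped."""
    if not fields:
        raise ValueError("a point needs at least one field")
    tag_str = "".join(f",{_esc_tag(k)}={_esc_tag(v)}" for k, v in sorted(tags.items()))
    parts = []
    for k, v in sorted(fields.items()):
        if isinstance(v, bool):
            val = "true" if v else "false"
        elif isinstance(v, int):
            val = f"{v}i"
        elif isinstance(v, float):
            val = repr(v)
        else:
            val = '"' + str(v).replace("\\", "\\\\").replace('"', '\\"') + '"'
        parts.append(f"{_esc_tag(k)}={val}")
    return f"{_esc_measurement(measurement)}{tag_str} {','.join(parts)} {ts_ns}"


def write_points(lines, url, org, bucket, token):
    """POST points to InfluxDB 2.x; returns the HTTP status (204 on success).
    url/org/bucket/token are placeholders for the reader's own instance."""
    query = urllib.parse.urlencode({"org": org, "bucket": bucket, "precision": "ns"})
    req = urllib.request.Request(
        f"{url}/api/v2/write?{query}", data="\n".join(lines).encode(), method="POST",
        headers={"Authorization": f"Token {token}", "Content-Type": "text/plain; charset=utf-8"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def demo(host="fw1", ts_ns=1700000000000000000):
    tags, fields = parse_routing_engine(RE_SAMPLE)
    tags["host"] = host
    return to_line_protocol("junos_re", tags, fields, ts_ns)


if __name__ == "__main__":
    print(demo())
```

Free disk space is not in this output; `show system storage` would need its own small parser, and the same to_line_protocol() call then serialises it. Keep the write token in a file with restrictive permissions or an environment variable rather than in the script.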
NAT Configuration : ASA to SRX
Hello Experts,
I need to convert some Cisco NAT configurations to SRX. Can you please verify whether my configurations are correct?
Cisco:
object network obj-10.10.8.70
 nat (inside,outside) static 10.10.80.70

Juniper:
set security nat static rule-set RS1 from zone outside
set security nat static rule-set RS1 rule 1 match destination-address 10.10.80.70/32
set security nat static rule-set RS1 rule 1 then static-nat prefix 10.10.8.70/32
Any help would be appreciated!
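The translation in the post above (ASA object NAT static entry to a Junos static NAT rule whose rule-set hangs off the mapped-side zone and matches the mapped address as destination) is mechanical, so here it is as an added example script, not code from Cisco, Juniper or the post. It assumes ASA interface names map 1:1 to SRX zone names, that each object carries a host or subnet line, and that the mapped side is given as an address rather than another object; the sample ASA lines are constructed, and the rule names it derives from the object names are its own convention.

```python
"""Added example (not from the post, Cisco or Juniper): convert ASA object
NAT ("auto NAT") static entries into Junos static NAT set commands.
Dynamic objects are skipped, they belong in source NAT, not static NAT."""
import ipaddress
import re

# Constructed ASA fragment: one host, one subnet, one dynamic object to skip.
SAMPLE_ASA = """\
object network obj-10.10.8.70
 host 10.10.8.70
 nat (inside,outside) static 10.10.80.70
object network obj-lan-8
 subnet 10.10.8.0 255.255.255.0
 nat (inside,outside) static 10.10.80.0
object network obj-pat
 subnet 10.20.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
""".splitlines()


def parse_asa_object_nat(lines):
    """Return [{name, real, mapped, inside, outside}] for objects that carry a
    static auto-NAT line; real is an ip_network, mapped is the ASA string."""
    objects, cur = [], None
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            cur = {"name": tok[2], "real": None, "mapped": None}
            objects.append(cur)
        elif cur is None:
            continue
        elif tok[0] == "host":
            cur["real"] = ipaddress.ip_network(tok[1] + "/32")
        elif tok[0] == "subnet":                       # "subnet NET MASK"
            cur["real"] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "nat" and "static" in tok:     # "nat (in,out) static X"
            m = re.match(r"\((\S+?),(\S+?)\)", tok[1])
            cur["inside"], cur["outside"] = m.group(1), m.group(2)
            cur["mapped"] = tok[tok.index("static") + 1]
    return [o for o in objects if o["real"] is not None and o["mapped"]]


def to_junos_static_nat(objects, rule_set="RS1"):
    """Emit set commands.  Static NAT is bidirectional on both platforms, so
    one rule per object suffices: the rule-set is attached to the mapped-side
    (outside) zone and matches the mapped address as destination."""
    zones = sorted({o["outside"] for o in objects})
    cmds = []
    for zone in zones:
        rs = rule_set if len(zones) == 1 else f"{rule_set}-{zone}"
        cmds.append(f"set security nat static rule-set {rs} from zone {zone}")
        for o in objects:
            if o["outside"] != zone:
                continue
            mapped = ipaddress.ip_network(f"{o['mapped']}/{o['real'].prefixlen}", strict=False)
            rule = re.sub(r"[^A-Za-z0-9_-]", "-", o["name"])[:31]   # Junos-safe name
            cmds.append(f"set security nat static rule-set {rs} rule {rule} match destination-address {mapped}")
            cmds.append(f"set security nat static rule-set {rs} rule {rule} then static-nat prefix {o['real']}")
    return cmds


if __name__ == "__main__":
    print("\n".join(to_junos_static_nat(parse_asa_object_nat(SAMPLE_ASA))))
```

Two things the converter deliberately does not emit, because it cannot know them from the ASA lines: the security policy that permits traffic to the real address (static NAT is evaluated before policy, so the policy must reference 10.10.8.70, not the mapped address), and `set security nat proxy-arp interface <outside-ifl> address <mapped>/32` for any mapped address that lies inside the outside interface's subnet.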
SRX240 H2 POE - Chassis control not running
Hi All, I'm running 12.3X48-D70 on this chassis. There are no red alarms, but there's an orange one. It was part of a cluster but I removed the cluster configuration with 'set chassis cluster disable reboot'.
There's no configuration on the unit. The prompt is just root>.
I can't show the chassis environment or hardware because the daemon isn't running. A restart doesn't fix the issue; I get the same problem.
Any thoughts?
Thanks