Channel: SRX Services Gateway topics

SRX345 Cluster -> Switch uplinks


Hi all,

I have two SRX345 running in cluster mode connected to a pair of EX2300 switches (not clustered).

Sometimes the switches send their packets to the standby SRX node, which of course results in half the network not working. How can I tell the SRX or the EX switches not to send data to the standby node?

 

Thank you!
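For reference (an added example, not configuration from the post or a reply to it): the usual way a chassis cluster presents one uplink to a pair of non-clustered switches is a redundant Ethernet (reth) interface with one member link per node. Only the node where the redundancy group is primary sources frames from the reth's virtual MAC, so each switch's MAC table points at the active node's port, and interface-monitor moves the group when that uplink fails. Port numbers, the node-1 slot offset, the zone and the address below are assumptions.

```junos
## Added example (not from the post): one reth uplink, each node contributing one member link.
## Port numbers, the node-1 slot offset, VLAN/zone and address are assumptions.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

## Fail RG1 over when the active node's uplink drops (weight 255 = full weight, one link is enough).
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/1 weight 255

## Member links: node 0 -> switch A, node 1 -> switch B (ge-5/0/x is node 1 on an SRX345 cluster; assumed).
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-5/0/1 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.0.0.1/24
set security zones security-zone trust interfaces reth0.0
```

On failover the new primary sends gratuitous ARPs (count tunable with `set chassis cluster redundancy-group 1 gratuitous-arp-count`) so the switches relearn the path; `show chassis cluster status` shows which node holds RG1 and `show chassis cluster interfaces` whether every monitored link is up. A switch that still forwards toward the standby node after this usually has a stale MAC entry or a second, non-reth path to that node worth checking.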


block downloading .exe file


Hi Experts,

Is there a way in SRX to block downloading a file like .exe? I configured content filtering, but what it does is block the website itself. We just want to stop the download when a user attempts to download, not block the website. Please help, thanks.
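As an added example (not the poster's configuration), this is the shape of a UTM content-filtering profile that blocks only by file extension, so the web pages themselves still load and only the matching download is refused. Profile, list and policy names are assumptions, and the policy name trust-to-untrust is assumed to be the existing permit rule.

```junos
## Added example (not the poster's config): refuse downloads by extension, leave the site reachable.
## Names cf-block-exe, exe-list and utm-exe are assumptions.
set security utm custom-objects filename-extension exe-list value exe
set security utm custom-objects filename-extension exe-list value msi
set security utm feature-profile content-filtering profile cf-block-exe block-extension exe-list
set security utm feature-profile content-filtering profile cf-block-exe notification-options type message
set security utm feature-profile content-filtering profile cf-block-exe notification-options custom-message "Executable downloads are blocked by policy"

## Apply the profile to HTTP and FTP downloads only; nothing here touches the HTML pages.
set security utm utm-policy utm-exe content-filtering http-profile cf-block-exe
set security utm utm-policy utm-exe content-filtering ftp download-profile cf-block-exe

## Attach the UTM policy to the existing permit rule (rule name assumed).
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy utm-exe
```

Two caveats a practitioner would check: extension matching sees only the filename in the HTTP request or Content-Disposition header, so it stops policy-compliant users rather than an attacker who renames the file, and it sees nothing inside HTTPS unless the same policy also applies an SSL forward proxy profile (`then permit application-services ssl-proxy profile-name <profile>`). If an earlier attempt blocked whole sites, look in that profile for block-mime or block-content-type entries that match the HTML pages themselves rather than the downloads.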

troubles with second ipip interface/tunnel


Hello,

I have a problem with a second IP-IP tunnel (config maybe?).

The first tunnel is working, but the second interface does not come up at all.

Any ideas or hints?

 

nikolay@r1> show configuration | display set | match ip-   
set interfaces ip-0/0/0 description Erkan
set interfaces ip-0/0/0 unit 0 tunnel source 87.120.xxx.x
set interfaces ip-0/0/0 unit 0 tunnel destination 109.120.xxx.x
set interfaces ip-0/0/0 unit 0 family inet address 1.1.2.1/30
set interfaces ip-0/0/1 description Stelena
set interfaces ip-0/0/1 unit 0 tunnel source 87.120.yyy.y
set interfaces ip-0/0/1 unit 0 tunnel destination 93.183.yyy.y
set interfaces ip-0/0/1 unit 0 family inet address 1.1.1.1/30
set routing-options static route 192.168.88.0/24 next-hop ip-0/0/1.0
set routing-options static route 172.17.100.0/24 next-hop ip-0/0/0.0
set security zones security-zone untrust interfaces ip-0/0/0.0
set security zones security-zone untrust interfaces ip-0/0/1.0
nikolay@r1> show interfaces ip-0/0/0 brief 
Physical interface: ip-0/0/0, Enabled, Physical link is Up
  Description: Erkan
  Type: IPIP, Link-level type: IP-over-IP, MTU: Unlimited, Speed: 800mbps
  Link flags     : Scheduler Keepalives DTE
  Device flags   : Present Running

  Logical interface ip-0/0/0.0 
    Flags: Point-To-Point SNMP-Traps 0x0 IP-Header 109.120.xxx.x:87.120.yyy.y:4:df:64:00000000 Encapsulation: IPIP-NULL
    Security: Zone: untrust
    inet  1.1.2.1/30      

nikolay@r1> show interfaces ip-0/0/1 brief    
error: device ip-0/0/1 not found
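On a branch SRX the ip- tunnel interface is one pseudo-device, ip-0/0/0, and additional IP-IP tunnels are additional logical units on it rather than a new device; there is no ip-0/0/1 to bring up, which is what the "device ip-0/0/1 not found" result above is saying. The following is an added example of that layout using the (masked) addresses from the post, not something the poster has tried; the only change from the original is that the second tunnel becomes ip-0/0/0 unit 1.

```junos
## Added example (not from the post): both tunnels as logical units of ip-0/0/0.
## Addresses are the poster's (masked); only the unit layout differs from the original.
delete interfaces ip-0/0/1
delete routing-options static route 192.168.88.0/24 next-hop ip-0/0/1.0
delete security zones security-zone untrust interfaces ip-0/0/1.0

set interfaces ip-0/0/0 unit 0 description Erkan
set interfaces ip-0/0/0 unit 0 tunnel source 87.120.xxx.x
set interfaces ip-0/0/0 unit 0 tunnel destination 109.120.xxx.x
set interfaces ip-0/0/0 unit 0 family inet address 1.1.2.1/30

set interfaces ip-0/0/0 unit 1 description Stelena
set interfaces ip-0/0/0 unit 1 tunnel source 87.120.yyy.y
set interfaces ip-0/0/0 unit 1 tunnel destination 93.183.yyy.y
set interfaces ip-0/0/0 unit 1 family inet address 1.1.1.1/30

set routing-options static route 172.17.100.0/24 next-hop ip-0/0/0.0
set routing-options static route 192.168.88.0/24 next-hop ip-0/0/0.1
set security zones security-zone untrust interfaces ip-0/0/0.0
set security zones security-zone untrust interfaces ip-0/0/0.1
```

Each unit's tunnel source must be an address the SRX itself owns on the outgoing interface; the two sources in the post differ (87.120.xxx.x and 87.120.yyy.y), so `show interfaces terse` against both is the first check. Also note what IP-IP does not give you: no authentication and no encryption, so anything that can reach the outer interface and spoof the peer's source can inject packets into 192.168.88.0/24 or 172.17.100.0/24. If those networks matter, filter the outer source on the untrust interface or carry the tunnel inside IPsec.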

 

Routing engine on the SRX


Hi All,

Can I ask about the load averages: 0.09 in the last one minute. Is this value (0.09) 90% or 9%?

node0:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 29 degrees C / 84 degrees F
    CPU temperature             27 degrees C / 80 degrees F
    DRAM                      3313 MB (16384 MB installed)
    Memory utilization          23 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     2 percent
      Interrupt                  0 percent
      Idle                      98 percent
    Load averages:                 1 minute   5 minute  15 minute
                                       0.09       0.05       0.03

node1:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 31 degrees C / 87 degrees F
    CPU temperature             28 degrees C / 82 degrees F
    DRAM                      3313 MB (16384 MB installed)
    Memory utilization          15 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     1 percent
      Interrupt                  0 percent
      Idle                      99 percent
    Load averages:                 1 minute   5 minute  15 minute
                                       0.02       0.01       0.00

VLAN on SRX300


I have an SRX300 that will be used as the customer end of an Ethernet link.

So I need to be able to configure the WAN port to accept 2 VLANs: one VLAN for the customer and one VLAN for management of the device.

I have tried configuring the irb for the VLAN-ID and it commits successfully. Where I am slightly stuck is how to get two VLANs on the interface, and is there anything that needs configuring globally to enable this?

 

Config so far:

set vlans v10 vlan-id 10
set vlans v10 l3-interface irb.10
set vlans management vlan-id 999
set vlans management l3-interface irb.999

set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members management

 

Now, where does the irb fit into all of this, and is there, as I believe, some form of global config required?

 

Thanks

Enroll device on SkyATP


Hello

I am trying to test the SDSN solution with SkyATP. My situation is that when a user downloads a malware file, it is detected by SkyATP, but the client isn't blocked by the SRX firewall and can still access the internet and the internal network.

Moreover, I've checked the host detail. It seems that PE can't retrieve MAC address information.

(attached screenshot: Capture.PNG)

Do I need to enroll both the SRX device and the Policy Enforcer?

Now, my enroll page shows only the SRX enrolled. Is this correct?

Thank you

 

Ethernet-switch removal on SRX300


I am having a problem trying to remove a single port on an SRX300 from the default "ethernet-switching" mode.

Is this possible, or is it a global configuration that cannot be changed per single interface?

Basically, we have an end CPE device that cannot be placed into a VLAN.

From the core I can create a VLAN to an ethernet-switched port on the SRX300 and can connect to it. No problem. But on the other side we have a CPE that cannot be assigned a VLAN, so the port it connects to needs to have an IP address assigned directly to unit 0 on the interface.

I am not sure if this is possible.
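Both SRX300 questions above ("VLAN on SRX300" and this one) come down to the same model: on the SRX300 series each port is either a Layer 2 switching port, in which case its IP lives on an irb unit tied to the VLAN, or a routed port with family inet directly on its unit, and the choice is per interface, not global. The following is an added example that is not from either post; it reuses the VLAN numbers from the earlier question, and the port numbers, addresses and zone names are assumptions.

```junos
## Added example (not from either post): a two-VLAN trunk with L3 on irb units, plus one port
## taken out of ethernet-switching and addressed directly for an untagged CPE.
## Port numbers, addresses and zone names are assumptions.

## Trunk facing the provider: VLAN 10 (customer) and VLAN 999 (management).
set vlans v10 vlan-id 10
set vlans v10 l3-interface irb.10
set vlans management vlan-id 999
set vlans management l3-interface irb.999
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members [ v10 management ]

## The irb units carry the IP addresses; the VLANs themselves have none.
set interfaces irb unit 10 family inet address 192.0.2.2/30
set interfaces irb unit 999 family inet address 198.51.100.2/30

## Routed port for the CPE: remove the switching family first (the two families cannot coexist
## on one unit), then address unit 0 directly.
delete interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/3 unit 0 family inet address 203.0.113.1/30

## Every L3 interface must sit in a zone or the flow engine drops its traffic.
## Management services (SSH here) are allowed only on the management irb, not on the customer side.
set security zones security-zone customer interfaces irb.10
set security zones security-zone customer interfaces ge-0/0/3.0
set security zones security-zone mgmt interfaces irb.999 host-inbound-traffic system-services ssh
```

`show vlans` should list ge-0/0/5.0 under both v10 and management, and `show interfaces terse` shows irb.10, irb.999 and ge-0/0/3.0 with their addresses. Restricting host-inbound services to irb.999 rather than to the customer-facing zone is what makes the separate management VLAN worth having.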

 

Route based VPN to a single host (Same VPN gw as destination)


I guess there's a simple answer to this problem, but I don't seem to find it. How do you configure a route-based VPN tunnel when the traffic endpoint (and remote proxy-id) is the same as the remote gateway? I guess the remote gateway is a single Linux box; I don't have access to it so cannot say for sure.

So basically I have clients in internal subnets needing to access things on the 123.123.123.123/32 host via the VPN tunnel. The remote VPN gateway address is the same 123.123.123.123/32 address. I now have a basic route-based VPN in place, but that of course fails immediately and phase 1 times out when the phase 2 tunnel comes up and the route to 123.123.123.123/32 via st0.x becomes active.

I guess what I would need is the easiest way to route traffic from the SRX itself to 123.123.123.123/32 via the default gateway and everything else via the st0.x tunnel. Of course this could be implemented easily with virtual routers, but it would require major modifications to the entire firewall configuration and I would like to avoid that. Currently there is only the default routing instance in place.

Any easier options? Source-based routing somehow? In other words, how to configure "route all to 123.123.123.123/32 via st0.0 EXCEPT traffic from junos-host/self"?
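One approach that avoids the route-versus-peer conflict without virtual routers is a policy-based VPN: with no bind-interface and no route pointing at st0, the SRX's own IKE and ESP packets to 123.123.123.123 follow the default route, while a security policy with `then permit tunnel` decides which transit flows are encrypted, and the proxy-IDs are derived from the policy's addresses. This is an added example, not configuration from the post or a reply to it; the proposal choices, the trust subnet, the external interface and all object names are assumptions.

```junos
## Added example (not from the post): policy-based VPN to a host that is also the IKE peer.
## No bind-interface and no st0 route, so self-originated IKE/ESP follows the default route
## and only policy-matched transit traffic is encrypted. Names, subnet, interface are assumptions.
set security ike proposal ike-aes256-sha256 authentication-method pre-shared-keys
set security ike proposal ike-aes256-sha256 dh-group group14
set security ike proposal ike-aes256-sha256 authentication-algorithm sha-256
set security ike proposal ike-aes256-sha256 encryption-algorithm aes-256-cbc
set security ike policy ike-pol-host mode main
set security ike policy ike-pol-host proposals ike-aes256-sha256
set security ike policy ike-pol-host pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET"
set security ike gateway gw-host ike-policy ike-pol-host
set security ike gateway gw-host address 123.123.123.123
set security ike gateway gw-host external-interface ge-0/0/0.0
set security ike gateway gw-host version v2-only

set security ipsec proposal esp-aes256-sha256 protocol esp
set security ipsec proposal esp-aes256-sha256 encryption-algorithm aes-256-cbc
set security ipsec proposal esp-aes256-sha256 authentication-algorithm hmac-sha-256-128
set security ipsec policy ipsec-pol-host perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-host proposals esp-aes256-sha256
## No bind-interface here: that is what makes the VPN policy-based.
set security ipsec vpn vpn-host ike gateway gw-host
set security ipsec vpn vpn-host ike ipsec-policy ipsec-pol-host

set security address-book global address remote-host 123.123.123.123/32
set security address-book global address lan-users 10.10.0.0/16

## Proxy-IDs come from these addresses: lan-users <-> remote-host/32. The pair-policy links
## the two directions to the same SA.
set security policies from-zone trust to-zone untrust policy to-host match source-address lan-users
set security policies from-zone trust to-zone untrust policy to-host match destination-address remote-host
set security policies from-zone trust to-zone untrust policy to-host match application any
set security policies from-zone trust to-zone untrust policy to-host then permit tunnel ipsec-vpn vpn-host
set security policies from-zone trust to-zone untrust policy to-host then permit tunnel pair-policy from-host
set security policies from-zone untrust to-zone trust policy from-host match source-address remote-host
set security policies from-zone untrust to-zone trust policy from-host match destination-address lan-users
set security policies from-zone untrust to-zone trust policy from-host match application any
set security policies from-zone untrust to-zone trust policy from-host then permit tunnel ipsec-vpn vpn-host
set security policies from-zone untrust to-zone trust policy from-host then permit tunnel pair-policy to-host
```

Policy order matters: `insert security policies from-zone trust to-zone untrust policy to-host before policy <existing-any-permit>` so the tunnel policy is evaluated before a general permit. The trade-offs of policy-based VPNs apply: no dynamic routing over the tunnel, and the peer must present exactly matching traffic selectors (here lan-users to 123.123.123.123/32), so the IKEv2 and AES-256/SHA-256 choices need to be confirmed against what the Linux peer accepts before commit. The remote proxy-id being the peer's own address is exactly the case this model handles, since the SRX never needs a route for it.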

 


SRX 550 default config on new has errors..


@jtacassist; @bobdunn

 

GOAL STATEMENT: Disable UTM without creating AV profiles. The SRX won't accept a commit from the factory default because an AV profile does not exist. Don't need AV services.

 

srx550
Junos: 18.2R1.9
JUNOS Software Release [18.2R1.9]

 

Hello:

As part of an upgrade and evaluation program where we are considering the wider deployment of SRX550HM/vSRX, I am evaluating Junos 18.2. Our organization is heavily invested in DevOps and cloud-based routing. Having strong API access to the SRX is an attractive feature for this program, hence the exploration of Junos version 18.

Also, I am being asked to evaluate Juniper as a possible contender for a larger project as well. So far, my experience has not been the best. Due to previous poor experiences with JTAC and newer software releases (an ungodly waste of my time on the phone and email), I am hoping the forums might be more helpful.

We are looking to deploy the SRX as an intranet-to-cloud "access router" with light firewall features; we don't need full UTM or AV protection, but we do need the 550 to offer fast convergence if a particular route fails. The SRX's "route to anywhere using any routing protocol" ability is something that made me consider the SRX platform for this project. I am trying to drive the configuration from the CLI. I would prefer not to use J-Web.

 

PROBLEM STATEMENTS:

1) The default configuration on a Juniper SRX550HM seems to be buggy and won't accept a commit, asking for UTM antivirus profiles even when I am trying to turn AV and UTM protection off. I would prefer to disable the entire UTM suite and focus on getting routing up and running. All of the KBs I have seen so far assume that I can issue a commit. I can't issue a commit on the default config, as the SRX is looking for a default AV profile that does not exist. It appears that I can't define an AV profile as I don't have a license. Since I don't want the AV feature and don't want to have to turn it on only to define it and then shut it off, I could use some help. It appears that I am missing something, or Junos has made some serious missteps in the QA process.

 

Errors:

[edit security utm utm-policy junos-av-policy anti-virus http-profile]
'http-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus ftp upload-profile]
'upload-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus ftp download-profile]
'download-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus smtp-profile]
'smtp-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus pop3-profile]
'pop3-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus imap-profile]
'imap-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus http-profile]
'http-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus ftp upload-profile]
'upload-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus ftp download-profile]
'download-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus smtp-profile]
'smtp-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus pop3-profile]
'pop3-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus imap-profile]
'imap-profile junos-av-defaults'
An anti-virus profile must be defined
error: commit failed: (statements constraint check failed)

 

SRX Configuration:

 

For a fair evaluation, we took an SRX, formatted the WinTec flash card and started from scratch, installing Junos 18 from a TFTP server. I am now stuck in this almost comical cycle where I cannot disable the UTM features or sub-features because of this race condition.

 

root# deactivate security utm

[edit]
root# commit
[edit security utm utm-policy junos-av-policy anti-virus http-profile]
'http-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus ftp upload-profile]
'upload-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus ftp download-profile]
'download-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus smtp-profile]
'smtp-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus pop3-profile]
'pop3-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-policy anti-virus imap-profile]
'imap-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus http-profile]
'http-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus ftp upload-profile]
'upload-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus ftp download-profile]
'download-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus smtp-profile]
'smtp-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus pop3-profile]
'pop3-profile junos-av-defaults'
An anti-virus profile must be defined
[edit security utm utm-policy junos-av-wf-policy anti-virus imap-profile]
'imap-profile junos-av-defaults'
An anti-virus profile must be defined
error: commit failed: (statements constraint check failed)

 

It also appears that I cannot define an antivirus profile because I need a license for that??? Why would I need to get a temporary license for something I don't need?

Our evaluation process is pretty stringent. Vendors have been eliminated for this type of stupidity in the past. I am trying to be generous to Juniper and hopefully get some help, also making the hopeful assumption that I have missed something. A few things I am unwilling/unable to do:

1. I can't call JTAC. Juniper has wasted my time for hours on end with JTAC in the past. More than once, Juniper customers have provided more accurate answers (some on this forum) than the information I received from JTAC. If I create a ticket with JTAC for a default install, it is probably game over for this; our vendor tickets are monitored closely, partially due to previous issues with JTAC and Cisco. I truly like the SRX as a platform and the vSRX looks like a pretty good fit. One of the things that keeps me "attached" to Juniper is the passionate customer base. Juniper should do more to recognize the fact that their customers are part of the solution and their strongest advocates, especially in the federal/government space where Cisco is the 2-ton gorilla.

2. Down-rev to version 15. There are features we need in version 18 (API and improved NETCONF). Also I am not allowed to bring firmware/code into my environment that has object libraries released from Kaspersky. Our goal is to have field-deployable branch routing/security devices that can be hardened and meet known standards while offering heavy DevOps/API integration for remote maintenance in a standardized manner.

Stuff I have done/tried:

1. I have read the release notes and the Day One guides; they make no mention of this issue.

2. Disabling UTM entirely in the configuration. Unlike previous versions, it looks like the AV profiles need to be defined prior to disabling UTM. This seems kind of silly.

3. https://kb.juniper.net/InfoCenter/index?page=content&id=KB16441&actp=METADATA   This doesn't work, even when substituting Sophos.

 

===================  Default Config Attached =========================


 

version 18.2R1.9;
system {
    autoinstallation {
        delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
        traceoptions {
            level verbose;
            flag {
                all;
            }
        }
        interfaces {
            ge-0/0/0 {
                bootp;
            }
        }
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        file messages {
            any critical;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ## Warning: missing mandatory statement(s): 'root-authentication'
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
    }
}
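The factory default above exposes more management surface than an access router needs: telnet and xnm-clear-text (unencrypted NETCONF over TCP) are on, plain HTTP J-Web is on, the trust zone allows every system service and protocol inbound, and root-authentication is missing, which is itself a commit blocker. As an added example that is not part of the post, this is the management-plane trim a CLI/API-driven evaluation would reasonably start from; the SSH limit values and the services kept are assumptions, and it does not address the UTM constraint error.

```junos
## Added example (not the poster's config): management plane reduced to SSH and NETCONF-over-SSH.
## Connection/rate limit values and the list of kept services are assumptions.
delete system services telnet
delete system services xnm-clear-text
delete system services web-management http
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set system services netconf ssh

## Replace "all" on the trust zone with the services an API-managed router actually needs.
## These service names appear in the host-inbound list Junos prints for a zone.
delete security zones security-zone trust host-inbound-traffic system-services all
delete security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services netconf
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services dhcp

## The default has no root password; this statement prompts for one interactively.
## For scripted provisioning use "encrypted-password <hash>" instead.
set system root-authentication plain-text-password
```

HTTPS J-Web is left in place for the GUI part of the evaluation; `delete system services web-management` removes it entirely if the CLI/NETCONF path is all that is wanted. The constraint errors quoted above name junos-av-policy and junos-av-wf-policy, which appear nowhere in the attached configuration, so this example deliberately leaves `security utm` alone rather than guess at that interaction.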

 

 

SRX 240 for home and for study


Hello,

My first words in the Juniper forum. I have wide experience with Cisco devices, but now I want to buy a used SRX 240 for my home network and for a first experience with JunOS. In my network I have a Cisco ASA for VPN, a few Cisco 3560 switches and one ESXi host. I am interested in BGP, OSPF, MPLS, site-to-site VPN, remote-access VPN, VLANs, trunks, EtherChannel, QinQ... Do I need to find used devices with some extra licences, or does any SRX240 support these features? I worked in an ISP environment and I want to learn the same things, but in JunOS.

I will be happy with any advice.

SRX300 with Draytek 130 PPPoE SessionDown


Hi All,

Need some help getting an external modem (Draytek Vigor 130) to work via PPPoE on an ADSL connection. I can get this to work with zero issues on a Cisco 881. Any ideas?

 

Config used is below:

 

root@Data_Test# show interfaces ge-0/0/5
unit 0 {
    encapsulation ppp-over-ether;
}

root@Data_Test# show interfaces pp0
unit 0 {
    ppp-options {
        chap {
            default-chap-secret "$9$INvRyevMLNVsfTyeWxVb.mf5Q3"; ## SECRET-DATA
            local-name "RADIUS-USERNAME-REDACTED";
            passive;
        }
    }
    pppoe-options {
        underlying-interface ge-0/0/5.0;
        idle-timeout 0;
        auto-reconnect 1;
        client;
    }
    family inet {
        mtu 1492;
        negotiate-address;
    }
}

root@Data_Test# show security zones
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
        pp0.0;
        ge-0/0/5.0;
    }
}

root@Data_Test> show ppp summary
Interface   Session type   Session phase   Session flags
pp0.0       PPP            Disabled

root@Data_Test> show pppoe statistics
Active PPPoE sessions: 0
  PacketType             Sent    Received
  PADI                  16999           0
  PADO                      0           0
  PADR                      0           0
  PADS                      0           0
  PADT                      0           0
  Service name error        0           0
  AC system error           0           0
  Generic error             0           0
  Malformed packets         0           0
  Unknown packets           0           0
  Timeout
  PADI                   2819
  PADO                      0
  PADR                      0
  Receive Error Counters
  PADI                      0
  PADO                      0
  PADR                      0
  PADS                      0

root@Data_Test> show pppoe interfaces
pp0.0  Index 76
  State: PADI sent, Session ID: None,
  Service name: None,
  Session AC name: None, Configured AC name: None,
  Remote MAC address: 00:00:00:00:00:00,
  Auto-reconnect timeout: 1 seconds, Idle timeout: Never,
  Underlying interface: ge-0/0/5.0 Index 74
  Ignore End-of-List tag: Disable
  PPP-Max-Payload tag: 1492

root@Data_Test> show interfaces pp0
Physical interface: pp0, Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 501
  Type: PPPoE, Link-level type: PPPoE, MTU: 1532
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps
  Link type      : Full-Duplex
  Link flags     : None
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

  Logical interface pp0.0 (Index 76) (SNMP ifIndex 544)
    Flags: Hardware-Down Up Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
    PPPoE:
      State: SessionDown, Session ID: None,
      Configured AC name: None, Service name: None,
      Auto-reconnect timeout: 1 seconds, Idle timeout: Never,
      Underlying interface: ge-0/0/5.0 (Index 74)
      Ignore End-Of-List tag: Disable
      PPP-Max-Payload tag: 1492
    Input packets : 0
    Output packets: 0
    Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
    Keepalive: Input: 0 (never), Output: 0 (never)
    LCP state: Not-configured
    NCP state: inet: Not-configured, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Closed
    PAP state: Closed
    Security: Zone: untrust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
    ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
    ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
    rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
    ntp sip r2cp webapi-clear-text webapi-ssl tcp-encap
    Protocol inet, MTU: 1492
      Flags: Sendbcast-pkt-to-re, Protocol-Down, User-MTU, Negotiate-Address
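The counters above show that PPPoE discovery never gets past its first step: 16999 PADIs sent, 2819 of them timed out, and not a single PADO received, so the SRX is not being answered at all rather than failing authentication. An added check (not from the post) that separates "the modem never replies" from "a reply arrives but is not matched" is to capture the discovery frames on the underlying port while the client retries. The capture file name is an assumption.

```junos
## Added example (not from the post): watch PPPoE Discovery (EtherType 0x8863) on the port behind the modem.
## A healthy bring-up shows PADI out, PADO in from the modem/BRAS MAC, then PADR out and PADS in.
monitor traffic interface ge-0/0/5 no-resolve layer2-headers size 1514 matching "ether proto 0x8863"

## Same capture to a file for offline inspection with tcpdump/Wireshark (file name assumed).
monitor traffic interface ge-0/0/5 no-resolve layer2-headers size 1514 write-file /var/tmp/pppoe-disc.pcap matching "ether proto 0x8863"

## Restart the discovery state machine without a commit, then re-read the counters.
clear pppoe sessions pp0.0
show pppoe statistics
```

If the capture shows only outgoing PADIs, nothing on the far side of ge-0/0/5 is answering and the problem is in the modem or on the provider side (bridge mode not active, or the provider expecting the discovery on a tagged VLAN are two common reasons to check). If PADOs do arrive, compare the AC name and service name they carry with the "Configured AC name: None, Service name: None" shown above; a frame that arrives but is rejected would also move the "Unknown packets" or "Service name error" counters.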

JWEB not working on SRX 550 / Junos 17 JUNOS 18


Hello:

 

I am continuing an evaluation of an SRX550 for wide deployment. So far it has been a disaster for Juniper.

To bring folks up to speed:

18.2 has significant errors in the default config, so I had to downgrade. I got things stable on version 17, but J-Web (a key part of the evaluation is having a working GUI) was corrupted. The Juniper logo, for example, was halfway down the left side of the screen and the buttons were throwing JavaScript errors. I tried several different variants of Chrome and Firefox, from Chrome 41 all the way to Firefox Quantum. The page rendered incorrectly, with the menus unclickable and GUI elements stacked on top of each other.

On a guess, I upgraded to version 18.1R1-S1 to see if there was a browser compatibility issue, and now I am heading backwards at high speed. I can log in with an admin user. Instead of a corrupted "screen" I am getting a blank page with tons of JavaScript errors in the web console.

 

Some of the errors are shown below:

 

This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] legacy_login.php
This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] ext-theme-classic-all.css
unreachable code after return statement[Learn More] ext-all.js:18:709779
This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] login.php
unreachable code after return statement[Learn More] sajax.js:208:4
unreachable code after return statement[Learn More] sajax.js:280:4
This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] call
XML Parsing Error: syntax error
Location: https://XXXX.XXXX.XXXXX/call
Line Number 1, Column 1: call:1:1
unreachable code after return statement[Learn More] layout_script.js:1354:12
[Show/hide message details.] TypeError: u is null[Learn More] ext-all.js:18:162510
User admin successfully authenticated Slipstream.min.js:1796:114579
got provider:start request for scheme = rbac Slipstream.min.js:1796:38887
starting providers with scheme rbac Slipstream.min.js:1796:38173
providers with scheme rbac have been started Slipstream.min.js:1796:38477
got rbac_provider:init request Slipstream.min.js:1796:45407
[Show/hide message details.] TypeError: menuLevel3 is undefined[Learn More] rbacProvider.js:94:1
unreachable code after return statement[Learn More] ext-all.js:18:709779
unreachable code after return statement[Learn More] sajax.js:208:4
unreachable code after return statement[Learn More] sajax.js:280:4
unreachable code after return statement[Learn More] layout_script.js:1354:12

 

 

Nothing in /var/log/messages related to J-Web; it looks pretty clean. The jsd process is thrashing, but I believe jsd is related to Python extensibility and not something I need.

 

 

Things I have done:

 

1) Junos 17 and 18, different browsers: tried IE 11, Edge, Firefox (pre-Quantum), Chrome (current), Chromium, SeaMonkey etc. All produce a corrupted page under Junos 17 and a blank page on Junos 18.

2) Restart web-management.

3) Full reinstall onto the SRX 550M. Same results.

So far:

- No core files

- HTTP and HTTPS are allowed for web-management

- Single interface with static IP address; the interface is in the trusted zone.

Any ideas? FYI, the browser and the 550 don't have internet access. This is a requirement for the lab validation.

 

Thanks
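Separate from the JavaScript failures, the first console lines above are the browser flagging the SHA-1 signature on the system-generated certificate that the default `web-management https` stanza uses. As an added example (not from the post), this replaces it with a certificate generated in the SRX's own PKI store and bound to HTTPS; the certificate-id, names and address are assumptions, and nothing here claims to fix the blank page.

```junos
## Added example (not the poster's config): replace the system-generated J-Web certificate.
## certificate-id, domain name, subject, e-mail and IP address are assumptions.
request security pki generate-key-pair certificate-id jweb-cert size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id jweb-cert domain-name srx550.lab.example subject "CN=srx550.lab.example,OU=Lab,O=Example" ip-address 192.168.1.1 email admin@lab.example

## Check the "Signature algorithm" line before binding; the point is to be off SHA-1.
show security pki local-certificate certificate-id jweb-cert detail

## Bind it to J-Web and drop plain HTTP while doing so.
configure
delete system services web-management https system-generated-certificate
set system services web-management https pki-local-certificate jweb-cert
delete system services web-management http
commit and-quit
```

A self-signed certificate still has to be trusted in each browser; in a lab without internet the cleaner option is a certificate issued by the lab's own CA, loaded with `request security pki local-certificate load certificate-id jweb-cert filename /var/tmp/jweb.pem` (path assumed) and bound the same way. If the detail output still reports a SHA-1 signature after generation, that Junos release does not produce SHA-256 self-signed certificates and the CA-issued route is the only one.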

 

 

 

 

st0 interface


Hi, I am trying to figure out what this st0 is. Should I have a new st0 logical interface for every VPN connection? I currently have st0.0, st0.1 and st0.2 interfaces. Should I create a new logical interface for every new VPN, or can I use the current ones? I did not understand why we are creating new logical st0 interfaces.

Thanks

Route-based VPN with IKE in one VR and the VPN in another VR (not in inet.0)


I am trying to configure an IPv4 IPsec VPN where the IKE negotiations take place on an external interface, on a remote SRX 345, that is NOT in the global inet.0, and the route-handling behavior between the global routing instance and virtual routing instances is causing me headaches.

The external interface where the IKE negotiations take place is in VR1.inet.0. But I want the VPN to be in another, separate virtual routing instance, VR2.inet.0.

I can get the IKE and IPsec tunnel to come up just fine, but I am unable to route traffic through the st0.1 interface. There appears to be a limitation here, due to the fact that I am not using the global inet.0.

In my diagram below, I show how I am able to get a management VPN to this SRX 345, where the tunnel st0.0 resides in the global inet.0, using the virtual routing instance VR1.inet.0 for the IKE negotiations. It works just fine, and I am able to route traffic through st0.0. But if I try to set up a new VPN with endpoints in VR2.inet.0, the VPN comes up, but I cannot seem to route traffic across the VPN.

The reason why the user traffic is in a separate VR1.inet.0, apart from inet.0, is that I want to keep management traffic separate from user traffic. Likewise, in the new VR2.inet.0, I want to keep traffic separate from management (inet.0) and the other virtual router (VR1.inet.0).

Any clues on how to do this? Can the SRX 345 support such a configuration?

(attached diagram: SRX-MultipleVPN-Test.png)

Existing config snippet:

security {
    ike {
        policy DYNAMIC {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "abcdefg"; ## SECRET-DATA
        }
        gateway Interwebs-Mgmt {
            ike-policy DYNAMIC;
            address 1.1.18.5;
            dead-peer-detection {
                always-send;
                interval 30;
                threshold 5;
            }
            local-identity hostname remote.test.net;
            external-interface irb.3;
        }
        gateway Interwebs-ForNewVPN {
            ike-policy DYNAMIC;
            address 1.1.3.25;
            dead-peer-detection {
                always-send;
                interval 30;
                threshold 5;
            }
            local-identity hostname remote.test.net;
            external-interface irb.3;
        }
    }
    ipsec {
        policy IPSEC-POLICY {
            proposal-set standard;
        }
        vpn VPN-Interwebs-Mgmt {
            bind-interface st0.0;
            df-bit clear;
            ike {
                gateway Interwebs-Mgmt;
                ipsec-policy IPSEC-POLICY;
            }
            establish-tunnels immediately;
        }
        vpn VPN-Interwebs-ForNewVPN {
            bind-interface st0.1;
            df-bit clear;
            ike {
                gateway Interwebs-ForNewVPN;
                ipsec-policy IPSEC-POLICY;
            }
            establish-tunnels immediately;
        }
    }
}
interfaces {
    irb {
        unit 2 {
            description ForNewVPN;
            family inet {
                address 172.16.120.1/24;
            }
        }
        unit 3 {
            description Interwebs;
            family inet {
                dhcp-client;
            }
        }
        unit 120 {
            description Users;
            family inet {
                address 192.168.120.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.4.120.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            description Tunnel-Mgmt;
            family inet;
        }
        unit 1 {
            description Tunnel-ForNewVPN;
            family inet;
        }
    }
}

routing-options {
    static {
        route 0.0.0.0/0 next-hop st0.0;
    }
}
routing-instances {
    ForNewVPN {
        instance-type virtual-router;
        interface irb.2;
        interface st0.1;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop st0.1;
            }
        }
    }
    InternetVR {
        instance-type virtual-router;
        interface irb.3;
        interface irb.120;
    }
}

Here is the relevant CLI output that I am working with:

testrtr@SRX345# run show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2313162 UP     ea9a53a94d1f9d9d  3c45162b53d0acec  Aggressive     1.1.3.25    
2313163 UP     05d2b1363c5dbd55  02ff3ab036a4fecb  Aggressive     1.1.18.5    

[edit]
testrtr@SRX345# run show security ipsec security-associations  
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131054 ESP:3des/sha1 f43ff651 1994/ unlim   -   root 500   1.1.3.25
  >131054 ESP:3des/sha1 4e258f1f 1994/ unlim   -   root 500   1.1.3.25
  <131053 ESP:3des/sha1 f8b22305 1985/ unlim   -   root 500   1.1.18.5
  >131053 ESP:3des/sha1 462bd8f2 1985/ unlim   -   root 500   1.1.18.5

[edit]
testrtr@SRX345# run show route                                   

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 02:56:02
                    > via st0.0
10.4.120.1/32      *[Direct/0] 3d 18:23:25
                    > via lo0.0
10.255.0.0/16      *[Direct/0] 4d 22:05:25
                    > via fxp0.0
10.255.10.21/32    *[Local/0] 4d 22:05:25
                      Local via fxp0.0

VR2.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.120.0/24   *[Direct/0] 02:56:26
                    > via irb.2
172.16.120.1/32   *[Local/0] 23:46:30
                      Local via irb.2

>>>>>>>>> Default route is missing through st0.1 !!!! Where did it go???? <<<<<<<<<<<<<<<<<<


VR1.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 02:56:05
                    > to 8.8.3.1 via irb.3
8.8.3.0/24         *[Direct/0] 02:56:12
                    > via irb.3
8.8.3.46/32    *[Local/0] 02:56:12
                      Local via irb.3
192.168.120.0/24   *[Direct/0] 02:56:28
                    > via irb.120
192.168.120.1/32   *[Local/0] 4d 21:28:04
                      Local via irb.120

 

Cannot send files when using a pfSense firewall behind an SRX220


Hi,

I have an SRX220 device using PPPoE. I want to use a pfSense firewall behind the SRX220, using a LAN IP of the SRX as the WAN of the firewall. However, I have issues sending files and pictures when using some chat applications such as Viber and Messenger, but receiving is OK.

There are no problems when I use my PC directly behind the SRX220.

Anyone have some idea what's wrong? Any help would be appreciated. Thanks!

                172.16.1.2                                            172.16.1.1

PC-------------PFSense -----------------------------------SRX---------------------------------------------internet

 

interfaces {
    ge-0/0/0 {
        description "PPoE Internet";
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    local-name acnt_al1;
                    local-password "$978$ZlDqn/CuBIaBtpEyK8dVJGdDiP5"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 30;
                client;
            }
            family inet {
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
protocols {
    stp;
}
security {
    flow {
        tcp-mss {
            all-tcp {
                mss 1350;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }


Wildcard hostnames in firewall policies


We're currently using SSG devices and are looking to replace them.

 

One really annoying aspect of the SSGs was not being able to use wildcards in FQDN address entries within firewall policies. This makes whitelisting Office 365 traffic a nightmare: https://support.office.com/en-us/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

 

We do this because we otherwise send all other HTTP traffic to the Symantec Web Security service (formerly Bluecoat ThreatPulse) for filtering, and Office 365 must be excluded.

 

I've read online and have been told by resellers that even Juniper's SRX devices still don't offer this wildcard functionality. However, I've just come across KB32012, which seems to indicate that it's now supported. I'm confused.

 

Can anyone advise on this or elaborate on how they manage Office 365 traffic through their SRXs? I'd previously discounted the SRX as a replacement simply for this reason (looking instead at SonicWalls, Fortinet and WatchGuards). Truth be told, I'd like to remain a Juniper customer if possible, as they and the SSGs have given us sterling service for the past decade.

 

Thanks in advance for any help.

 

 

Auto-shifting/failover of IPSec VPN


Hello experts,

I need some help regarding the auto-shifting of IPSec VPN with redundant ISP links.

We have an SRX320 at the branch end and an SRX1500 at the datacentre.

Branch config is as follows (SRX320):

1. Triple ISP links

2. Three (3) IPSec VPNs, all configured with proxy-identity specified local/remote LANs

3. Unnumbered tunnels bound to each IPSec VPN

     st0.2 ----> first VPN, primary VPN (by default carries traffic)

     st0.3 -----> second VPN (carries traffic when the primary VPN is down)

     st0.4 ------> third VPN (carries traffic when the secondary VPN is down)

4. VPN-monitor-optimized turned on for the first two VPNs (primary & secondary VPNs)

5. Custom IPSec policy (proposal ----> lifetime defined) on the first two VPNs

6. Static routing as follows:

(i) route traffic on st0.2 with default metric/preference

(ii) route traffic on st0.3 with metric 50, preference 50

(iii) route traffic on st0.4 with metric 60, preference 60

 

Datacentre end (SRX1500) settings

 

1. Triple ISP links

2. Three IPSec VPNs:

(i) First VPN (primary VPN) configured with traffic selector

(ii) Second VPN (secondary VPN) with proxy-identity specified local/remote subnets

(iii) Third VPN with proxy-identity specified local/remote subnets

3. Tunnels as follows:

(i) st0.214 bound to primary VPN

(ii) st0.215 bound to secondary VPN

(iii) st0.273 bound to third VPN

4. Static routes for the second and third VPN as follows:

(i) route traffic on st0.214 with default metric/preference (auto-injected into the routing table because of traffic selectors)

(ii) route traffic on st0.215 with metric 50, preference 50

(iii) route traffic on st0.273 with metric 60, preference 60

 

What I am facing is as follows.

When I deactivate the primary VPN on the SRX1500 (datacentre end), the route shifts to st0.3 on the branch end (secondary VPN) and to st0.215 on the DC end as well, which is good, and operations resume on the secondary ISP link.

But when I deactivate the secondary VPN on the SRX1500 (DC end), the route shifts to st0.4 (third VPN) on the branch end (SRX320), but on the DC end (SRX1500) it doesn't shift to st0.273, the third VPN; it keeps following st0.215, which is the secondary VPN and is down.

 

Please help me with what changes I need to make to auto-shift the route to the third tunnel on the DC end (SRX1500).
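As an added illustration, not the poster's configuration or Juniper documentation, here is how the hub-side chain can be expressed so that every static route is tied to the monitored state of its tunnel: a route-based VPN's st0 unit only goes down (and its static route only leaves the table) when vpn-monitor on that VPN reports the peer unreachable, so a tunnel without monitoring keeps attracting traffic after the SA is gone. VPN names, the st0 units, the 10.20.0.0/24 branch prefix and the use of plain static routes for all three tunnels are assumptions; IKE gateways and proposals are omitted.

```junos
## Added example (assumed names and prefix); IKE gateway and proposal stanzas omitted.
security {
    ipsec {
        vpn VPN-PRIMARY {
            bind-interface st0.214;
            vpn-monitor optimized;          ## st0.214 goes down when the peer stops answering
            establish-tunnels immediately;
        }
        vpn VPN-SECONDARY {
            bind-interface st0.215;
            vpn-monitor optimized;          ## without this st0.215 stays up and its route stays active
            establish-tunnels immediately;
        }
        vpn VPN-THIRD {
            bind-interface st0.273;
            vpn-monitor optimized;          ## monitor the last tunnel as well so it can fail back
            establish-tunnels immediately;
        }
    }
}
routing-options {
    static {
        route 10.20.0.0/24 {                ## assumed branch LAN behind the SRX320
            qualified-next-hop st0.214;     ## default static preference (5) wins while primary is up
            qualified-next-hop st0.215 {
                preference 50;              ## used only when st0.214 is down
            }
            qualified-next-hop st0.273 {
                preference 60;              ## used only when st0.214 and st0.215 are both down
            }
        }
    }
}
```

`show route 10.20.0.0/24` together with `show security ipsec security-associations` is the check: each tunnel's st0 unit and its qualified next hop should appear or disappear together.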

 

 

 

 

 

kern.maxfiles limit exceeded on SRX300


Hi,

 

Just had an issue where I could only log on via the console to the SRX300. After logging on as root, I noticed the following error continuously displaying on the screen:

 

kern.maxfiles limit exceeded by uid 65534, please see tuning(7)

 

I read KB article https://kb.juniper.net/InfoCenter/index?page=content&id=KB21548 and applied the workaround, which gives you a workaround for 8 seconds, not much time to do anything. It also mentions this is a bug in older Junos versions. I am currently running version 15.1X49-D140.2 and, as far as I can see, this bug should not be present in this version of Junos.

 

Completing the command "sysctl -a | grep files" shows the following:

root@ethernet-test% sysctl -a | grep files
kern.maxfiles: 2500
kern.maxfilesperproc: 2500
kern.openfiles: 1108

 

The "kern.openfiles" is increasing all the time and I'm guessing that when it hits 2500 the error will happen again?

Is there a way to increase this 2500 please or another option to stop this occuring?

 Anyone seen this error before because of anything in particular, like turning on some IDS?

 

Thanks

Can't ping from SRX to host and from host to SRX


Hello,

 

I'm new to Juniper and looking for help. I have a basic configuration (which will change in the near future). I want to have a few VLANs over the same interface ge-0/0/4 (for now it's only 1), but I have an issue with services: I can't ping from the SRX to the host and back. I read the Juniper KB but I can't find a solution so far....

system {
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone Internal {
            policy Inter_to_Inter {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
        security-zone Internal {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/4.100 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                address 10.10.2.254/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
protocols {
    stp;
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

 

Ping from the SRX CLI to the interface gateway works.

Dynamic VPN "connect" restriction requirements


Hi Experts, I have a requirement for Dynamic VPN where users with the Pulse client connect to the SRX for dynamic VPN. So far this is a straightforward requirement; however, the client wants only specific laptops using broadband/dongles (dynamic public IP) to be able to connect. Is there any possibility of achieving this using SRX features, or of binding the connection request to a MAC address or any other unique identity so that only specific laptops can connect to the dynamic VPN using Pulse?

Note: authentication is happening locally; however, it can be done via AD if required to achieve this requirement.