Channel: SRX Services Gateway topics

DHCP over VLANS issue


Hello,

I'll briefly explain the situation: I have DC servers which provide DHCP addresses to all VLANs. The SRX works as the gateway (also as the DHCP server for the guest network, which doesn't have any issues; every device gets an IP address and so on), but devices which are in the other networks can't get a dynamic address. If I set the device address to static, it works (it can connect to the internet, servers, etc.). I checked my config and can't see any issues, but it feels like I'm missing something. (The DC server is in the Servers zone, the LAN in Internal.)

 

set security zones security-zone Servers host-inbound-traffic system-services all
set security zones security-zone Servers host-inbound-traffic protocols all
set security zones security-zone Servers interfaces ge-0/0/4.400 host-inbound-traffic system-services all
set security zones security-zone Servers interfaces ge-0/0/4.400 host-inbound-traffic protocols all

set security policies from-zone Servers to-zone Internal policy servers_to_internal match source-address any
set security policies from-zone Servers to-zone Internal policy servers_to_internal match destination-address any
set security policies from-zone Servers to-zone Internal policy servers_to_internal match application any
set security policies from-zone Servers to-zone Internal policy servers_to_internal match source-identity any
set security policies from-zone Servers to-zone Internal policy servers_to_internal then permit
set security policies from-zone Internal to-zone Servers policy internal_to_serv match source-address any
set security policies from-zone Internal to-zone Servers policy internal_to_serv match destination-address any
set security policies from-zone Internal to-zone Servers policy internal_to_serv match application any
set security policies from-zone Internal to-zone Servers policy internal_to_serv match source-identity any
set security policies from-zone Internal to-zone Servers policy internal_to_serv then permit
set security nat source rule-set nsw_srcnat from zone DMZ
set security nat source rule-set nsw_srcnat from zone IPcam
set security nat source rule-set nsw_srcnat from zone Internal
set security nat source rule-set nsw_srcnat from zone Servers
set security nat source rule-set nsw_srcnat from zone Voip
set security nat source rule-set nsw_srcnat from zone WiFi
set security nat source rule-set nsw_srcnat to zone untrust
set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface

 


Any misconfiguration for DNS policy? Symmetric or asymmetric.


I have a question regarding the permitting policy for the DNS application. The case has just passed, but I wonder what the root cause was. I already opened a simple policy for DNS using junos-dns-tcp and junos-dns-udp.

 

[Image: s2.JPG, policy configuration]

Regarding this reference.

[Image: g034201]

 

I presume that the SRX just needs to be concerned with the destination address, given that the destination address might be related to the route phase (which comes before the policy phase). From my observation, the policy just needs to see a destination address which has already been listed in the route table. So I presume that one-way routing is enough for an open policy connection (or what people call asymmetric routing).

 

Then I saw this flow session.

[Image: s1.JPG, flow session listed]

Well, I cannot give the entire proof of what the case of my problem was. The session is listed as above but without a packet replied. So some troubleshooting was done, then we added a route back on the route table to the source address (and also on the destination server, adding the route back). Then the destination server replied to the packet, which is also shown as above. So I presume it should have a symmetric route.

 

Then my question is, is the flow module able to work asymmetrically? (If it does, I prefer it, to minimize the configuration.) If it is able to work asymmetrically, why would this happen with the DNS service? I only have this case on the DNS service; the rest just work fine asymmetrically so far.

SRX110 - FTP Server with User anonymous


Hi Community,

 

I'm trying to use an SRX110 as an FTP server for ZTP. DHCP is running and the FTP service is started. But I cannot use the user anonymous. I tried to log in to the SRX from an EX3300 via FTP, but that works only with local users with a password.

Can I set up anonymous FTP usage on an SRX?

 

Thank you in advance.

Michael

SRX345 alarm LEDs - clearing


Seems like a trivial problem, but if the LED stays red it becomes useless.

This is a new install of an SRX345. During install I created an internet disconnection alarm. This caused 2 alarm entries, one chassis and one system, with the date of the occurrence (not a management disconnect issue). The internet is connected and functioning now.

I can't clear the LEDs. I don't care about the log.

I have rebooted, and I have tried the CLI entry "clear led alarm" (from SSH via the Mac terminal).

If I look for all possible uses of "clear" I don't find anything except "clear errors", which demands some further entry.

The unit is running fine otherwise. I have an IPS installed.

Is this a software bug? 

Is there some obscure incantation that I'm missing?

Thanks

Mark

Bad Next Hop question


" RT: bad next-hop ge-0/0/1.0 -- next-hop ge-0/0/1.0 is not point-to-point"

 

ge-0/0/1.0 has a dynamically assigned IP address, so I cannot enter a static IP. How do I define the default route/gateway in this scenario, or do I simply not specify one at all?

 

Many thanks!

 

 

SIP client issue, SRX220H2


Hello guys. I'm very new to the Juniper world and have an issue that I just can't resolve. I have a static NAT set up for my PBX using public SIP trunks. The NAT is public-pbx any, any port. SIP ALG is off. The security rule is Internet (SIP provider) to Internal (PBX), application 5060/UDP, ignore ALG. All working fine. We can use SIP clients on our PBX, but they need to use UDP port 5059. I can get the SIP clients to connect and make a call, but can't hear voice. Also, when you end the call, the dialled number doesn't know.
I hope this makes sense. Thanks in advance.

ISIS on SRX Not Learning IPv6 routes


I have a simple SRX cluster connected via MC-LAG to two MXes. All devices have ISIS configured for learning IPv4/IPv6 routes.

 

SRX is able to learn and advertise IPv4 routes but not IPv6.

root@Internet-FW2> show configuration security forwarding-options
family {
    inet6 {
        mode flow-based;
    }
    iso {
        mode packet-based;
    }
}
isis {
    topologies ipv6-unicast;
    level 1 wide-metrics-only;
    level 2 disable;
    interface lo0.0;
    interface reth1.0;
}

Any ideas why the MXes/SRX aren't seeing IPv6 routes? Note that the ISIS database shows IPv6 routes being learned:

MX104-A.00-00 Sequence: 0x5, Checksum: 0xe9bb, Lifetime: 665 secs
IPV4 Unicast IS neighbor: MX104-A.02 Metric: 10
IPV6 Unicast IS neighbor: MX104-A.02 Metric: 10
IP IPV4 Unicast prefix: 10.1.1.0/24 Metric: 10 Internal Up
IP IPV4 Unicast prefix: 192.168.254.104/32 Metric: 0 Internal Up
V6 IPV6 Unicast prefix: fd01:1::1/128 Metric: 0 Internal Up
V6 IPV6 Unicast prefix: fd01:3::/64 Metric: 10 Internal Up

 

Thanks.

SRX and Active Directory integration


Hi,

I'm trying to get our new SRX320 to integrate with our Windows AD so that when our staff try to access the internet the SRX will allow/deny access to specific sites etc.

 

I have found a few documents on how to do this and I understand that the SRX needs to "see" the Windows event viewer. However, how does the SRX know what IP address a particular user has? I assume the SRX learns that user-x has logged in and has IP address 192.168.100.x, then allows/denies based on the source IP that user-x has.

For the SRX to know what IP address user-x has, does the AD need to run a DHCP server, or am I totally missing the way it all works?

 

Thanks,

Luke


SRX300 HA pair is not up due to Config Sync


All I want to do is enable a simple HA cluster between two SRX300s. Their ge-0/0, 0/1, 0/2 are directly connected with Ethernet.

 

After enabling cluster id 1, it shows the below:

 

root@r0> show chassis cluster status

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 0 disabled no no CF

 

Here's my config:

 

{primary:node0}

root@r0> show configuration
## Last commit: 2018-08-01 16:45:43 UTC by root
version 15.1X49-D45;
system {
    host-name r0;
    root-authentication {
        encrypted-password "$5$ByFRmSfA$8wCJ7PxMaB8Pt0kmA71B0fUcgFVdUKSd9Jjda0b.nw5"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                address 192.168.4.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.5.1/24;
            }
        }
    }
    ge-0/0/6 {
        unit 0;
    }
    ge-0/0/7 {
        unit 0;
    }
}

 

{disabled:node1}
root@r1> show configuration
## Last commit: 2018-08-01 16:34:59 UTC by root
version 15.1X49-D45;
system {
    host-name r1;
    root-authentication {
        encrypted-password "$5$l3fymI5B$OIZFWy7mskXFZTmcs4CLFMWK1zEd8GoYTBo.EAQsin."; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.0.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.2/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.2/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                address 192.168.4.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.5.1/24;
            }
        }
    }
    ge-0/0/6 {
        unit 0;
    }
    ge-0/0/7 {
        unit 0;
    }
}

Route Based VPN - Traffic Outage for every IKE lifetime - Multiple Responder Cookies


Good Afternoon,

 

I've been having some issues with a route-based VPN we have between our SRX cluster and a customer Checkpoint.

 

Generally, the VPN is working fine. We have 2 subnets on our side hitting a single subnet on the customer side.

However, since commissioning, there have been occasions when traffic suddenly stops, despite the tunnel showing as up.

 

After some troubleshooting and trying to catch the issue in the act, it appears to occur at the expiry of the IKE lifetime.

If I run show security ike security-associations I get multiple entries from the remote address, each with a different responder cookie, i.e.:

 

run show security ike security-associations    

Index   State           Initiator cookie              Responder cookie           Mode            Remote Address   
1680778 DOWN 2f3630c7793bb71d 043d90f6ba3fa714 IKEv2       xxx.yyy.107.112
1680779 DOWN 2f3630c7793bb71d 77519331f7326753 IKEv2      xxx.yyy.107.112
1680780 DOWN 2f3630c7793bb71d 693bfd25d67047c8 IKEv2       xxx.yyy.107.112

1679918 UP        2f3630c7793bb71d  ea64ec80ed888de5  IKEv2    xxx.yyy.107.112  

 

In the above state no traffic will pass, although the IPsec claims to be up...

 

If I manually clear the index that is DOWN, the service will be restored.

If I leave the firewall alone, eventually it seems to sort itself out and restore traffic.

However, a several-minute outage every 8 hours is growing tiresome.

 

Has anyone ever come across something like this before, or have any suggested solutions?

 

Much appreciated
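Added example (not from the post): a small Python script that parses the "show security ike security-associations" table quoted above and reports peers showing this symptom, several DOWN SAs beside one UP SA that all share the initiator cookie. The sample rows are constructed with documentation addresses, and the clear command it prints assumes the Junos form "clear security ike security-associations index <n>".

```python
"""Spot stale DOWN IKE SAs sitting next to a live one, per peer.

Added example, not from the post.  It parses the table that
'show security ike security-associations' prints and reports peers
that show the post's symptom: several DOWN SAs beside one UP SA, all
with the same initiator cookie.  SAMPLE_IKE_OUTPUT is constructed;
the peer addresses are documentation ranges, not the poster's.
"""
import re
from collections import defaultdict

# Constructed sample with the same column layout as the CLI output.
SAMPLE_IKE_OUTPUT = """\
Index   State           Initiator cookie              Responder cookie           Mode            Remote Address
1680778 DOWN 2f3630c7793bb71d 043d90f6ba3fa714 IKEv2       203.0.113.112
1680779 DOWN 2f3630c7793bb71d 77519331f7326753 IKEv2      203.0.113.112
1680780 DOWN 2f3630c7793bb71d 693bfd25d67047c8 IKEv2       203.0.113.112
1679918 UP        2f3630c7793bb71d  ea64ec80ed888de5  IKEv2    203.0.113.112
1679920 UP        0a1b2c3d4e5f6071  1122334455667788  IKEv2    198.51.100.7
"""

# One SA row: index, state, two 16-hex-digit cookies, mode, remote address.
SA_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<state>UP|DOWN)\s+(?P<icookie>[0-9a-fA-F]{16})\s+"
    r"(?P<rcookie>[0-9a-fA-F]{16})\s+(?P<mode>\S+)\s+(?P<peer>\S+)\s*$"
)


def parse_ike_sas(text):
    """Parse SA rows; the header and any node banners do not match and are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            row = m.groupdict()
            row["index"] = int(row["index"])
            sas.append(row)
    return sas


def find_stale_peers(sas):
    """Peers that have at least one UP SA and one or more DOWN SAs.

    Returns {peer: {"up": [index...], "down": [index...],
                    "shared_initiator_cookie": bool}}.
    """
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa["peer"]].append(sa)
    report = {}
    for peer, rows in by_peer.items():
        up = sorted(r["index"] for r in rows if r["state"] == "UP")
        down = sorted(r["index"] for r in rows if r["state"] == "DOWN")
        if up and down:
            report[peer] = {
                "up": up,
                "down": down,
                # True when every SA for this peer carries the same initiator cookie,
                # the pattern shown in the post.
                "shared_initiator_cookie": len({r["icookie"].lower() for r in rows}) == 1,
            }
    return report


def clear_commands(report):
    """Operational commands that drop only the DOWN SAs; review before running.

    Assumes the Junos form 'clear security ike security-associations index <n>'.
    """
    return [
        f"clear security ike security-associations index {idx}"
        for peer in sorted(report)
        for idx in report[peer]["down"]
    ]


if __name__ == "__main__":
    found = find_stale_peers(parse_ike_sas(SAMPLE_IKE_OUTPUT))
    for peer, info in found.items():
        print(peer, info)
    for cmd in clear_commands(found):
        print(cmd)
```

Feeding it live output instead of the sample (for example from a scheduled "show security ike security-associations") turns the symptom into something a monitoring job can alert on.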

 

 

SRX340 interface issue


Hi all,

 

I am testing some Juniper devices for possible use as NTE for the Ethernet Core.

 

I configured and tested the SRX300 and that works fine. I am now configuring an SRX340 and have hit a problem...

 

I have configured the following for Interface ge-0/0/5:

set security zones security-zone trust interfaces irb.10
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members v10

set interfaces irb unit 10 family inet address 100.100.100.2/30

set vlans v10 vlan-id 10
set vlans v10 l3-interface irb.10

 

Okay. So, that is the configuration, but the error is even stranger.

 

The Cat5e cable connected to port 5 connects to our core MX router, hence the requirement for the VLAN. When I physically connect this cable, the physical-layer green lights do not come on. In fact, it does not matter what port I attach this cable to, the port lights do not come on. When I attached this same cable back to the SRX300 it all worked fine. So I know there is nothing wrong with the cable, and the config is the same as the SRX300.

 

Anyone got any ideas about this?

SRX300 & 340 Series IPv6 Question


Hi,

 

Another question regarding the SRX300 Series.

If I have 1 interface that is routed to the CPE (SRX as NTE) and the other interface configured for ethernet-switching (VLAN to the core), and it works fine with IPv4, how can I configure this for IPv6?

 

For example:

 

I could configure an IPv6 address on the CPE-facing interface and use this as the IPv6 gateway address, but can I do the same on the irb to the core?

 

I know this seems a basic question, and it is. I will test this while I wait for an answer.

See who gets there first.

 

SRX240 not responding to SNMP Poll


I have an SRX240 cluster that cannot be polled via SNMP, but it responds to SSH. I have SNMP allowed under the interface and its VLANs and also under the routing instance. I checked the traffic logs and, from what I can see, the policy that allows SSH also allows SNMP, and SNMP traffic is hitting the same policy, but no response is received for SNMP.

 

Session ID: 71710, Policy name: From_HOandRV/22, State: Active, Timeout: 1800, Valid
  In: 10.1.0.62/57327 --> 10.1.32.1/22;tcp, If: reth0.34, Pkts: 7, Bytes: 1472
  Out: 10.1.32.1/22 --> 10.1.0.62/57327;tcp, If: .local..4, Pkts: 7, Bytes: 2169

 

Session ID: 39397, Policy name: From_HOandRV/22, State: Active, Timeout: 8, Valid
  In: 10.1.0.62/57654 --> 10.1.32.1/161;udp, If: reth0.34, Pkts: 1, Bytes: 67
 Out: 10.1.32.1/161 --> 10.1.0.62/57654;udp, If: .local..4, Pkts: 0, Bytes: 0

 

 

Yes, SNMP is allowed on all the interfaces traffic enters and leaves. I have enabled SNMP traceoptions and here's what I see:

 

 snmpd[5093] >>> Get-Bulk-Request
 snmpd[5093] >>>  Source:      10.1.0.62
 snmpd[5093] >>>  Destination: 10.1.32.1
 snmpd[5093] >>>  Version:     SNMPv2
 snmpd[5093] >>>  Request_id:  0x5093
 snmpd[5093] >>>  Community:   abcxvzxd  ----- the correct SNMPv2 string from the SNMP server
 snmpd[5093] >>>  Non-repeaters:   0
 snmpd[5093] >>>  Max-repetitions: 20
snmpd[5093] >>>   OID  : std
snmpd[5093] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 snmpd[5093] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 snmpd[5093] >>> Get-Bulk-Request
 snmpd[5093] >>>  Source:      10.1.0.62
 snmpd[5093] >>>  Destination: 10.1.32.1
 snmpd[5093] >>>  Version:     SNMPv2
snmpd[5093] >>>  Request_id:  0x5093
 snmpd[5093] >>>  Community:   zxd ------- it removed part of the SNMP string and only took the last few characters
 snmpd[5093] >>>  Non-repeaters:   0
 snmpd[5093] >>>  Max-repetitions: 20
 snmpd[5093] >>>   OID  : std
 snmpd[5093] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.1.0.62 to 10.1.32.1 ( abcxvzxd)  --- then the SRX classifies the entire string as an unauthorized community string. Any help to resolve this issue would be appreciated.
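Added example covering both this post and the DNS asymmetric-routing post above (not code from either poster): a Python parser for "show security flow session" output that flags sessions whose Out wing shows Pkts: 0, the signature of a request that got no reply. The sample text is constructed after the two sessions quoted in this post and is not real device output.

```python
"""Find one-way sessions in Junos 'show security flow session' output.

Added example, not from the posts.  Both the DNS post and the SNMP post
show a session whose Out wing has Pkts: 0, which is how a request that
received no reply looks in the SRX flow table.  SAMPLE_FLOW_OUTPUT is
constructed after the two sessions in the SNMP post.
"""
import re

SAMPLE_FLOW_OUTPUT = """\
Session ID: 71710, Policy name: From_HOandRV/22, State: Active, Timeout: 1800, Valid
  In: 10.1.0.62/57327 --> 10.1.32.1/22;tcp, If: reth0.34, Pkts: 7, Bytes: 1472
  Out: 10.1.32.1/22 --> 10.1.0.62/57327;tcp, If: .local..4, Pkts: 7, Bytes: 2169

Session ID: 39397, Policy name: From_HOandRV/22, State: Active, Timeout: 8, Valid
  In: 10.1.0.62/57654 --> 10.1.32.1/161;udp, If: reth0.34, Pkts: 1, Bytes: 67
 Out: 10.1.32.1/161 --> 10.1.0.62/57654;udp, If: .local..4, Pkts: 0, Bytes: 0
"""

# Session header line.
SESSION_RE = re.compile(
    r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>[^,]+), "
    r"State: (?P<state>\w+), Timeout: (?P<timeout>\d+)"
)
# One wing (In or Out) of a session; leading whitespace varies in real output.
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[^/\s]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifl>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


def parse_flow_sessions(text):
    """Return a list of sessions, each carrying its In/Out wings as dicts."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {
                "id": int(m["id"]),
                "policy": m["policy"],
                "state": m["state"],
                "timeout": int(m["timeout"]),
                "wings": {},
            }
            sessions.append(current)
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            current["wings"][w["dir"]] = {
                "src": w["src"], "sport": int(w["sport"]),
                "dst": w["dst"], "dport": int(w["dport"]),
                "proto": w["proto"], "ifl": w["ifl"],
                "pkts": int(w["pkts"]), "bytes": int(w["bytes"]),
            }
    return sessions


def one_way_sessions(sessions):
    """Sessions whose request wing carried packets but whose reply wing carried none."""
    flagged = []
    for s in sessions:
        inn, out = s["wings"].get("In"), s["wings"].get("Out")
        if inn and out and inn["pkts"] > 0 and out["pkts"] == 0:
            flagged.append(s)
    return flagged


def describe(session):
    """One-line summary suitable for a ticket note or syslog message."""
    inn = session["wings"]["In"]
    return (f"session {session['id']} policy {session['policy']}: "
            f"{inn['src']} -> {inn['dst']}:{inn['dport']}/{inn['proto']} "
            f"got no reply (timeout {session['timeout']}s)")


if __name__ == "__main__":
    for s in one_way_sessions(parse_flow_sessions(SAMPLE_FLOW_OUTPUT)):
        print(describe(s))
```

A session with an In wing but an empty Out wing tells you the policy permitted the request and the flow was created, so the missing reply is on the return path (routing, the daemon itself, or host-inbound handling), not in the policy lookup.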

 

 

SRX Interface Bridge WAN to DMZ


I am looking to configure an interface bridge on an SRX by bridging the WAN interface in the untrust zone to another physical interface in a DMZ zone. We are currently doing this on a SonicWall, which allows us to physically assign the servers in the DMZ zone a public IP address and still have zone-based rules, DPI, IPS, etc. There will be no NAT in this scenario. The applications on the servers in this DMZ do not function properly with NAT, hence the bridge requirement.

 

I believe I have found the equivalent in Juniper by specifying "family bridge" for each interface in the bridge along with an irb interface, as well as specifying the specific interface in each zone. Am I on the right track here? I am about to test this on an SRX branch series before moving to an SRX1500.

 

 

ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 110;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 110;
        }
    }
}
irb {
    unit 1 {
        family inet {
            address x.x.x.x/x;
        }
    }
}

security-zone untrust {
    host-inbound-traffic {
        system-services {
            ssh;
            ping;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}

security-zone DMZ {
    host-inbound-traffic {
        system-services {
            ssh;
        }
    }
    interfaces {
        ge-0/0/2.0;
    }
}

 

 

 

SRX - web filtering license required or not?


Apologies if this has been asked before; I tried to look but couldn't find the same.

 

There's some info in the thread linked below, but I still couldn't find my answer.

https://forums.juniper.net/t5/SRX-Services-Gateway/srx3400-web-filtering/td-p/286490

 

I have no experience with URL/web filtering and need to know if I need to purchase a license for the scenario below or not.

We have a customer who will be providing a list of close to 30k URLs they need blocked.

 

We need to filter only those and nothing else. We might need to block those and redirect to a custom page.

URLs could be http, https, etc.

Do I need a license for it?

 

Also, is there a limit to the maximum number of URLs I can define manually in the SRX?

Any way to directly upload the list to the device?

 

Models being used:

SRX3400 and SRX4600

 


SRX550 won't get IP from WAN ISP


Lots of people have the same issue, but I can't fix mine.

 

I tried the TTL hack; it didn't make a difference. I see the ISP allocating me the IP address: they send an offer, and then it does nothing.

 

I have dhcp-client under the Ethernet Gig0/0/0, and I have enabled all services and protocols under the untrust security zone.

 

Here is some debug; does anyone know what's going on? I'm running 12.3X48, the latest on this box.

 

 -----original packet-----
        f0:1c:2d:67:08:80 > Broadcast, ethertype IPv4 (0x0800), length 308: (tos 0x0, ttl  64, id 33173, offset 0, flags [none], proto: UDP (17), length: 294) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from f0:1c:2d:67:08:80, length 266, xid 0x29b2004f, Flags [Broadcast] (0x8000)
          Client-Ethernet-Address f0:1c:2d:67:08:80
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            Requested-IP Option 50, length 4: 121.200.6.129
            DHCP-Message Option 53, length 1: Discover
            Lease-Time Option 51, length 4: 86400
            Hostname Option 12, length 7: "JNPRSRX"
06:48:18.261641 Out
        Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 34304
          Logical Interface Index Extension TLV #4, length 4, value: 70
        -----original packet-----
        f0:1c:2d:67:08:80 > Broadcast, ethertype IPv4 (0x0800), length 308: (tos 0x0, ttl  64, id 33359, offset 0, flags [none], proto: UDP (17), length: 294) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from f0:1c:2d:67:08:80, length 266, xid 0x1d4e8eb8, Flags [Broadcast] (0x8000)
          Client-Ethernet-Address f0:1c:2d:67:08:80
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            Requested-IP Option 50, length 4: 121.200.6.129
            DHCP-Message Option 53, length 1: Discover
            Lease-Time Option 51, length 4: 86400
            Hostname Option 12, length 7: "JNPRSRX"
06:48:34.263481 Out
        Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 34304
          Logical Interface Index Extension TLV #4, length 4, value: 70
        -----original packet-----
        f0:1c:2d:67:08:80 > Broadcast, ethertype IPv4 (0x0800), length 308: (tos 0x0, ttl  64, id 33828, offset 0, flags [none], proto: UDP (17), length: 294) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from f0:1c:2d:67:08:80, length 266, xid 0x3d11716e, Flags [Broadcast] (0x8000)
          Client-Ethernet-Address f0:1c:2d:67:08:80
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            Requested-IP Option 50, length 4: 121.200.6.129
            DHCP-Message Option 53, length 1: Discover
            Lease-Time Option 51, length 4: 86400
            Hostname Option 12, length 7: "JNPRSRX"

L2L Phase I & Phase II Tunnels Are Both UP - Even Though We Are Still Getting IKE Negotiation Errors!!!!!


Hello to all.....

 

We recently set up an L2L VPN tunnel with another company.

 

The issue is that, even though both the phase I and phase II tunnels came (and remain) up, we also continue to see VPN error messages indicating that there is an IKE negotiation problem with the remote peer.

 

I confess to being a bit mystified. I don't understand how both the phase I and phase II SAs can be up, even though (ostensibly) we have an ongoing problem with the IKE negotiation!

 

Our firewall is an SRX240H. It is running firmware version 12.1X46-D35.1.

 

Here is the output with respect to the status of the phase I and phase II SAs, as well as the VPN error messages:

 

root@fw-srx01b> show security ike security-associations
node1:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
9662568 UP abbbbf100d327490 1e8b2bc76253b71a Main 200.49.160.170
9663234 UP ae5fef57c805401c e184d499361a303b Main 187.141.14.114
9662919 UP 17e0586991601667 0e502d85d008a341 Main 190.127.254.36
9662740 UP 8f24e91688b5b9fb c37e53f8c5cb287a Main 205.251.233.121
9662498 UP de84e24e58998143 8e6e7a4ebe52232a Main 200.108.35.50
9661888 UP e150f3a25bee3996 bc1ce9d80b9155eb Main 190.13.110.66
9662852 UP 36ef50b7d5125e75 eced2e567d48b803 Main 205.251.233.122
9663297 UP 0915ea3e890bbfa4 4db0758ded19679c Main 200.95.161.2
9663248 UP ea205a0d65607197 ae1250545a1fe78c Main 216.184.96.98
9660862 UP 9a43dc7e5165385a 353ce130cfb27b3a Main 144.160.7.164

{primary:node1}
root@fw-srx01b> show security ike security-associations | grep 216.184.96.98
9663248 UP ea205a0d65607197 ae1250545a1fe78c Main 216.184.96.98

{primary:node1}
root@fw-srx01b> show security ipsec security-associations | grep 216.184.96.98
<131104 ESP:aes-cbc-256/sha1 a81a2a16 1083/ unlim - root 500 216.184.96.98
>131104 ESP:aes-cbc-256/sha1 c062776a 1083/ unlim - root 500 216.184.96.98
<131114 ESP:aes-cbc-256/sha1 4fb0933f 3274/ unlim - root 500 216.184.96.98
>131114 ESP:aes-cbc-256/sha1 37fe7552 3274/ unlim - root 500 216.184.96.98
<131124 ESP:aes-cbc-256/sha1 14acf1a9 1256/ unlim - root 500 216.184.96.98
>131124 ESP:aes-cbc-256/sha1 34c37a0b 1256/ unlim - root 500 216.184.96.98
<131126 ESP:aes-cbc-256/sha1 52095d79 1273/ unlim - root 500 216.184.96.98
>131126 ESP:aes-cbc-256/sha1 25aab46b 1273/ unlim - root 500 216.184.96.98
<131128 ESP:aes-cbc-256/sha1 4ee549bf 1192/ unlim - root 500 216.184.96.98
>131128 ESP:aes-cbc-256/sha1 e6418db9 1192/ unlim - root 500 216.184.96.98
<131130 ESP:aes-cbc-256/sha1 c7eeb18a 1299/ unlim - root 500 216.184.96.98
>131130 ESP:aes-cbc-256/sha1 575cae42 1299/ unlim - root 500 216.184.96.98
<131132 ESP:aes-cbc-256/sha1 92c0090f 2290/ unlim - root 500 216.184.96.98
>131132 ESP:aes-cbc-256/sha1 750ac4a 2290/ unlim - root 500 216.184.96.98

{primary:node1}

 

root@fw-srx01b> show log kmd-logs | grep 216.184.96.98
Aug 3 17:30:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-451 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:30:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-340 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:30:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-452 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:30:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-453 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:30:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-454 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:31:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-340 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:31:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-451 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:31:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-452 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:31:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-453 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:31:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-454 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4
Aug 3 17:32:06 fw-srx01b kmd[46715]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: vpn-telefon-cam-01-451 Gateway: gw-vpn-telefon-cam-01, Local: 69.26.111.152/500, Remote: 216.184.96.98/500, Local IKE-ID: 69.26.111.152, Remote IKE-ID: 216.184.96.98, VR-ID: 4

 

I'd be grateful for any explanation that resolves this puzzle.

 

Thank you.

 

Very best regards.

 

John D.

 

SRX - query

Hello All ,

This may be a very simple question for you people, but I am not able to think why this is happening, so I am asking for your help or insight on the same.

I have an IP on a trusted interface on the SRX, and I have NATed, or to be precise I have done source NAT for this subnet to reach the internet, and the devices connected under this subnet are able to reach the internet. But my question is: will I be able to ping IPs like Google DNS or any other IP on the internet from the trusted firewall interface IP configured on the firewall interface? If yes, how, and if not, why?

Regards
Shaan

SRX550 IFP error


Hi all

 

Can someone tell me what this error means, please?

 

IFP error> ../../../../../../../src/pfe/usp/control/applications/interface/ifp.c@1762:(errno=1000) ifp_ifa_del_handler : patricia_add failed

 

patricia_add failed

 

SRX_Remote_Access_To_WACs


Hello Team ,

 

This is with regard to remote access to the WACs, which is not working from specific IPs; below is a brief explanation of the same.

 

This installation is for a hospitality group, and they have specific IPs from which they need to reach one specific server and the WACs. The issue is that they are able to access the server but not the WACs.

The specific IPs have already been added to come in, i.e. from untrust to trust, and as mentioned they are able to reach the server but not the WACs. On the other hand, my office subnet has also been added to the same rule, and I am able to access both the server and the WACs.

 

1st rule: My office subnet and other subnets like NOC to access all the other devices that should be accessible only from my office subnet and other NOC subnets (server and WACs not included).

 

2nd rule: My office subnet and the hospitality-specific IPs to access the server and WACs.

 

Regards

shaan

 

 
