Channel: SRX Services Gateway topics

Juniper SRX320 LTE Mini-PIM


Greetings All,

I am configuring an LTE Mini-PIM using a Verizon SIM card on an SRX 320 for the first time and am having issues bringing it up.

set interfaces cl-1/0/0 dialer-options pool 1 priority 1
set interfaces cl-1/0/0 act-sim 1
set interfaces cl-1/0/0 cellular-options sim 1 select-profile profile-id 1
set interfaces cl-1/0/0 cellular-options sim 1 radio-access automatic

set interfaces ge-0/0/0 unit 0 backup-options interface dl0.0
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string "*99***3#"

-----------

root# run show modem wireless profiles cl-1/0/0 slot 1
Profile details
Max profiles: 16
Default profile Id: 1

Profile 1: ACTIVE
Valid: TRUE
Access point name (APN): vzwinternet
Authentication: None

------------------------

 

root# run show modem wireless network cl-1/0/0
LTE Connection details
Connected time: 0
IP: 0.0.0.0
Gateway: 0.0.0.0
DNS: 0.0.0.0
Input bps: 0
Output bps: 0
Bytes Received: 0
Bytes Transferred: 0
Packets Received: 0
Packets Transferred: 0
Wireless Modem Network Info
Current Modem Status: Connecting
Current Service Status: Normal
Current Service Type: CS
Current Service Mode: Unknown
Current Band: WCDMA 850
Network: unknown
Mobile Country Code (MCC): 0
Mobile Network Code (MNC): 0
Location Area Code (LAC): 0
Routing Area Code (RAC): 0
Cell Identification: 0
Access Point Name (APN): vzwinternet
Public Land Mobile Network (PLMN): VerizonWirele
Physical Cell ID (PCI): 284
International Mobile Subscriber Identification (IMSI): 31148030xxxxxxx
International Mobile Equipment Identification (IMEI/MEID): 35907xxxxxxx
Integrate Circuit Card Identity (ICCID): 891480000xxxxxxxxx
Reference Signal Receiving Power (RSRP): 0
Reference Signal Receiving Quality (RSRQ): 0
Signal to Interference-plus-Noise Ratio (SiNR): 0
Signal Noise Ratio (SNR): 0
Energy per Chip to Interference (ECIO): 0

-----------------------------------

root# run show interfaces dl0.0
Logical interface dl0.0 (Index 85) (SNMP ifIndex 536)
Flags: Up Point-To-Point SNMP-Traps 0x0 Encapsulation: ENET2
Dialer:
State: Connecting, Dial pool: 1
Primary interface: ge-0/0/0.0 (Index 74)
Dial strings: *99***3#
Subordinate interfaces: cl-1/0/0 (Index 151)
Activation delay: 0, Deactivation delay: 0
Initial route check delay: 120
Redial delay: 3
Callback wait period: 5
Load threshold: 0, Load interval: 60
Input packets : 168654
Output packets: 0
Security: Zone: Null
Protocol inet, MTU: 1490
Flags: No-neighbor-learn, Sendbcast-pkt-to-re, Negotiate-Address

 

 

I have tried different dial strings and CHAP authentication to n/a. I am also unable to find any debug commands to check logs. Any suggestions on config changes and/or logs to check? Thank you.


Create VPN with SRX Device through NAT


Hi all!

 

I'm a newbie. I have a problem with my topology when deploying a VPN. The topology is:

Datacenter: Inside_01 ---ge-0/0/1- SRX 345 -ge-0/0/0--- Modem_01  ---- Internet ---- ge-0/0/0- SRX 320 -ge-0/0/1--- Inside_02: Branch

I want to create a VPN between 5 branch sites to connect to the Datacenter. Which kind of VPN should I use?

With the topology above, what do I have to do?

- 1. Because the IP between the SRX and the modem is a private IP, I can't use it to create the connection, so I have to use NAT to the public IP on the modem. Can you guide me on the commands to configure it and on the VPN configuration?

- 2. My SRX-345 and SRX-320 are on version 15.1X49-D45. Is that OK for creating a VPN?

 

Many Thanks,

 

 

Routing between site to site vpn with destination NAT


I have two route-based VPNs, each terminating at the same SRX550. Site1 - UKRN, Site2 - GER, Site3 - PHX

Both VPN tunnels from UKRN and GER terminate at PHX, and can talk to resources in PHX without issues.

 

I am trying to get the UKRN (10.47.0.0/16) site to talk to the GER (10.0.0.0/16) site, but to do so I need to NAT the traffic going to GER to something in the PHX range 10.213.0.0/16, I pulled a range just for NAT purposes (10.213.54.128/26)

 

GER routes 10.213.0.0/16 to PHX, UKRN routes 10.213.0.0/16 and 10.0.0.0/16 to PHX. 

 

I also setup a destination nat from the UKRN interface

set security nat destination pool xxxxx address 10.213.54.129/32
set security nat destination rule-set xxxxx from interface st0.2
set security nat destination rule-set xxxxx rule xxxxxxxxx-nat match destination-address 10.0.0.0/16
set security nat destination rule-set xxxxx rule xxxxxxxxx-nat then destination-nat pool xxxxx

 

I see hits on the nat rule, but no successful nats and anything in the 10.0.0.0/16 range isn't reachable from UKRN

I attempted to add the NAT IP to the st0.2 interface, but doesn't seem to help, not sure if it is needed.  

Both tunnels terminate in the same untrust-vpn zone. 

 

Is there a way to pull this off? 

 

Thanks in advance.

Simple Level 2 Switch


I'm very new to the SRX220 and I apologize for asking something potentially stupid.

 

I have a SRX220 which connects at ge-0/0/0 to a VDSL2 modem (configured in bridge mode) to the internet. This connection works fine. At present time I have a simple level 2 switch box which connects the modem with the SRX220. My intention is to use ge-0/0/5 and ge-0/0/6 for that connection. This is because the only way (right now) to verify the modem status is to logon to the modem's web interface. Doing it with my laptop via that level 2 switch works fine. Using the ports of the SRX220 shuts down the PPPoE connection immediately. What is my mistake? Thanks!

 

I have configured:

 

vlan4 {
     vlan-id 4;
}

 

and ge-0/0/5 and ge-0/0/6 as:

 

ge-0/0/x {
   unit 0 {
      family ethernet-switching {
         vlan {
            members vlan4;
         }
      }
   }
}

all-tcp mss setting required, but why?


We have an SRX320 that uses a BT VDSL connection with an MTU of 1492. We have to use an all-tcp mss setting of 1350. In theory, this should be 1452, but I have also read somewhere in Juniper documentation that a value of MTU-60 is recommended, i.e. 1432. However, neither of these values allows for successful internet browsing. We have identical setups elsewhere which require no specific MSS setting. 1350 seems to be the sweet spot on this router, but my question is why, given the tried and tested calculations out there?

SRX240 and PS4


First of all, I know Juniper is not happy that some of their equipment is on the secondary market and is being used for various purposes. I am an expert net-savvy person who has purchased an SRX240 for home use. I have learned JunOS in my spare time and have been programming this thing to work in my home. Overall it works great. I have been very happy with the product. Unfortunately, I have not had a good experience with Juniper, the company. I called and offered to set up some sort of support contract, so that I can download updates, etc, but they did not want to have anything to do with me. They are going to have to accept that there are smart people out here capable of using their equipment outside of a corporate setting, but we have not gotten there yet...

 

I have burned up several of the high end home routers - I need something better.

 

Anyway, as the SRX240 is designed for enterprise settings, and not home settings, it does not support UPnP, and this is very reasonable. However, the Sony PS4 wants to use UPnP. Therefore we have to work around the problem.

 

I have set up the correct source and destination NAT for the system. The problem is that I need to open tcp ports 6000-7000 and udp ports 6000-7000 to the gaming console. The version of JunOS that I have, 12.1X44, does not support port range in destination nat. In order to open these ports I will have to do it one port at a time for 2000 ports.

 

There is updated firmware available for my unit, but I am not allowed to download it outside of a service contract, and Juniper is unwilling to give me a service contract.

 

Could somebody do me a solid and either email me the latest firmware for this device, or if someone at Juniper is paying attention, figure out how you are going to deal with people like me, because I am not the only one?

 

Thank you for your consideration.

 

Any ideas for other workarounds would be appreciated.

OSPF routing failover issue


Please bear with me, I'm still trying to get to grips with JunOS/SRX.

 

Site A, with a VDSL connection as its primary connection, and an RF connection as its backup

Site A's connection to our 'core' network is via the primary connection using a VPN - the termination point is Site B

Site A's backup connection into our 'core' network is via the RF connection - the entry point is another site, Site C

 

All sites are in area 0.0.0.0.

 

Here's the config I have that I thought would work:

 

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.111.254/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.0.6/30;
            }
        }
    }
    pt-1/0/0 {
        EDITED OUT 
    }
    pp0 {
        EDITED OUT
    }
    st0 {
        unit 0 {
            family inet {
                address 172.16.0.54/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
    router-id 192.168.111.254;
}
protocols {
    ospf {
        traceoptions {
            file OSPF;
            flag error;
            flag hello;
        }
        preference 10;
        external-preference 150;
        reference-bandwidth 10g;
        area 0.0.0.0 {
            interface ge-0/0/0.0 {
                passive;
            }
            interface ge-0/0/1.0 {
                metric 2000;
            }
            interface st0.0;
        }
    }
}

 

In theory, what should happen I hope, is that OSPF routes traffic via the st0.0 interface, which it does, but if the underlying VDSL connection should drop or just the tunnel, traffic should then be routed via the secondary RF (ge-0/0/1.0) interface, hence the metric of 2000, however this does not happen. I have tried changing the interface-type for both ge-0/0/1.0 and st0.0 to p2p and then combinations, but nothing helps. I have similar scenarios at 2 other sites and both failover without an issue, although they use ADSL and VDSL respectively as their secondary connections.

 

Can anyone point out where I'm going wrong please?

 

 

SRX1500 Capacity


Hi,

I have an SRX1500. How can I determine what capacity % of the firewall I am using at my peak traffic time for the day? Around 10am is when the firewall is being used most, but aside from looking at CPU all looks as if it's not doing much. I want to know from my current traffic how much more I can increase it by. So ideally I can say I'm using X % of the SRX 1500.

 

Routing Engine status:
    Temperature                 40 degrees C / 104 degrees F
    CPU temperature             40 degrees C / 104 degrees F
    Total memory              1954 MB Max   586 MB used ( 30 percent)
    Memory utilization          30 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     1 percent
      Interrupt                  1 percent
      Idle                      98 percent
    1 min CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     1 percent
      Interrupt                  1 percent
      Idle                      98 percent
    5 min CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     1 percent
      Interrupt                  1 percent
      Idle                      98 percent
    15 min CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     1 percent
      Interrupt                  1 percent
      Idle                      98 percent
    Model                          SRX Routing Engine
    Serial ID                      BUILTIN
    Start time                     2017-11-01 15:00:37 GMT
    Uptime                         281 days, 18 hours, 2 minutes, 2 seconds
    Last reboot reason             0x10:misc hardware reason
    Load averages:                 1 minute   5 minute  15 minute
                                       0.05       0.07       0.02
FWDD status:
  State                                 Online
  Microkernel CPU utilization         0 percent
  Real-time threads CPU utilization   5 percent
  Heap utilization                   18 percent
  Buffer utilization                 50 percent
  Uptime:                               281 days, 17 hours, 56 minutes, 48 seconds
FPC 0
  PIC 0
    CPU utilization          :    1 %
    Memory utilization       :   18 %
    Current flow session     : 2438
    Current flow session IPv4: 2438
    Current flow session IPv6:    0
    Max flow session         : 2097152
Total Session Creation Per Second (for last 96 seconds on average):  109
IPv4  Session Creation Per Second (for last 96 seconds on average):  109
IPv6  Session Creation Per Second (for last 96 seconds on average):    0

SRX340 IPv6 issue


Hi,

 

An update to my last Draytek question.

 

I have now narrowed the issue down to the routing on the SRX340.

 

I have placed a static route on the SRX340 inet6.0 routing table to the Draytek IPv6 LAN DHCPv6-PD interface. Here is what is happening:

 

IPv6 ping to CPE WAN address - Successful

IPv6 Ping from CPE to Facebook IPv6 address - Successful

IPv6 ping from SRX340 to CPE LAN Global address - Failure

 

So, when looking at the routing table for the CPE LAN Global address, I see it going to the default and out of the wrong interface, even though I have told it to go to the CPE WAN address for the next-hop, and that address is working fine.

 

This is why I cannot ping facebook IPv6 address from a laptop connected to the CPE but I CAN ping it from the CPE itself.

 

The SRX340 does not know about the route so sends it out the default.

 

Any ideas?

monitor traffic on clustered srx 340


Hello,

 

Possibly an easy question, but I am not able to figure it out.

I want to monitor traffic from the internet to a web server through a couple of **bleep** 340 set up in a cluster.

 

I found:

run monitor traffic interface ge-0/0/0 matching "host 10.130.38.94" no-resolve

But I do not have a ge interface any more.

 

So I tried:

run monitor traffic interface reth1.0 matching "host 10.130.38.94" no-resolve

But I only get ARP messages... ?

I would be grateful if someone had the answer.

 

Kind regards Gert

 

SRX240 Upgrade issues


Hey all,

 

I have 2 standalone SRX240H units, both doing the same thing, where I can't upgrade them past 12.1X44-D60.2

 

I had one in production running 12.1X46-D72.2 3 days ago. I rebooted it to enable IPv6 and it never came back.

Ran 

set security forwarding-options family inet6 mode flow-based
request system reboot

On boot it is saying: 

 

 

panic: Error: Failed to find a valid wired memory profile

 

From loader I couldn't get it to boot, so I decided to reinstall it 

 

install file:///junos-srxsme-12.1X46-D72.2-domestic.tgz

It produced:

 

 

loader> install file:///junos-srxsme-12.1X46-D72.2-domestic.tgz
Target device selected for installation: internal media 
/kernel data=0xb09064+0x13459c syms=[0x4+0x8ae70+0x4+0xc9858]
Kernel entry at 0x801000e0 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 512 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
kld_map_v: 0x8ff80000, kld_map_p: 0x0
panic: Error: Failed to find a valid wired memory profile

cpuid = 0
KDB: stack backtrace:
SP 0: not in kernel
uart_z8530_class+0x0 (0,0,0,0) ra 0 sz 0
pid 0, process: 
KDB: enter: panic
[thread pid 0 tid 0 ]
Stopped at      breakpoint+0x4: jr      ra
db> 

To skip a whole bunch of code, the only one that worked was junos-srxsme-12.1X44-D60.2-domestic.tgz

 

I can boot that version fine. But from Junos or loader, I can't load any other version above that one, not even junos-srxsme-12.1X45-D10-domestic.tgz

I also tried (from Junos) 

request system software add /tmp/usb/junos-srxsme-12.1X45-D10-domestic.tgz no-copy no-validate partition

And same error on boot (Failed to find a valid wired memory profile)

 

So I have no idea what I'm doing wrong or why I can't upgrade these units.

Whilst they are just the SRX240H (not the H2) they do have 2GB memory so they should be supported (according to https://www.juniper.net/support/downloads/?p=srx240 and https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476#srx_series) through to 12.1X46-D77

 

Any ideas or help appreciated. 

About SRX UTM anti-spam blocking mail with an attached file


On the SRX we enabled UTM with only the policy below:

 

set security utm feature-profile anti-spam sbl profile spam-profile-2 sbl-default-server
set security utm feature-profile anti-spam sbl profile spam-profile-2 spam-action tag-subject
set security utm feature-profile anti-spam sbl profile spam-profile-2 custom-tag-string ***SPAM***
set security utm utm-policy UTMP1 anti-spam smtp-profile spam-profile-2

 

But the incoming mail traffic was blocked, undelivered and returned (if the source mail has an attached file).

The UTM custom objects are default.

How can I check the incoming mail and resolve the undelivered and returned mail?

 

 

# The in/out traffic policy is permit all

show configuration security policies |display set
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit

 

SRX 650: High Memory utilization in FPC


Hi everyone,

 

I have an issue with 2 SRX 650 (running as a cluster): sometimes I have packet loss when pinging through them. I found high memory utilization in FPC 0:

root@FW-Internet-01> show security monitoring fpc 0
node0:
--------------------------------------------------------------------------
FPC 0
PIC 0
CPU utilization : 22 %
Memory utilization : 85 %
Current flow session : 59824
Current flow session IPv4: 59824
Current flow session IPv6: 0
Max flow session : 524288
Total Session Creation Per Second (for last 96 seconds on average): 2145
IPv4 Session Creation Per Second (for last 96 seconds on average): 2145
IPv6 Session Creation Per Second (for last 96 seconds on average): 0

node1:
--------------------------------------------------------------------------
FPC 0
PIC 0
CPU utilization : 2 %
Memory utilization : 85 %
Current flow session : 58237
Current flow session IPv4: 58237
Current flow session IPv6: 0
Max flow session : 524288
Total Session Creation Per Second (for last 96 seconds on average): 2135
IPv4 Session Creation Per Second (for last 96 seconds on average): 2135
IPv6 Session Creation Per Second (for last 96 seconds on average): 0

{primary:node0}

 

Is the memory utilization normal ? 

 

Thanks & Best regards !

authentication-table entry timeout.


Hi all,

I need your help with a problem found in the Active Directory auth-table on my SRX1400, Software Release [12.3X48-D50.6].

 

I noticed that in my authentication table many, many entries have an age-time of 0, and I can also see invalid users.

I configured authentication-entry-timeout 1440.

Now the table has more than 15000 records, and I don't want to reach 20000.

Have you any advice?

Thanks all very much in advance.

 

Here my config:

 

me@RM01> show configuration services user-identification active-directory-access
domain xxxxx.xx.it {
    user {
        pippo;
        password ; ## SECRET-DATA
    }
    inactive: domain-controller 07 {
        address a.b.c.d;
    }
    domain-controller -DC04 {
        address a.b.c.e;
    }
    domain-controller -DC {
        address a.b.c.d;
    }
    ip-user-mapping {
        discovery-method {
            wmi;
        }
    }
    user-group-mapping {
        ldap {
            base dc=xxx,dc=xxx,dxx=it;
        }
    }
}
authentication-entry-timeout 1440;
event-log-identifier [ 528 552 672 673 674 682 4624 4768 4769 4770 ];

 

show services user-identification active-directory-access active-directory-authentication-table all extensive:

Domain: xxxx.xxxx.xxxx
Total entries: 15515
  Source-ip: 10.131.10.214
    Username: mgranocchia
    State: Valid
    Source: wmic
    Access start date: 2018-07-26
    Access start time: 11:38:47
    Age time: 0
  Source-ip: 10.131.10.224
    Username: fannibaldi
    State: Valid
    Source: wmic
    Access start date: 2018-06-14
    Access start time: 12:46:31
    Age time: 0

 

  Source-ip: 10.199.200.162
    Username: mtarragoni
    State: Valid
    Source: wmic
    Access start date: 2018-07-04
    Access start time: 09:10:48
    Age time: infinite

 

 

 

 

 

 

 

 

 

dhcp name server priority


Hi ,

 

We are running the DHCP service and set the DHCP name-server as below.

One (10.70.1.2) is the internal DNS and the other (8.8.8.8) is the external DNS.

Our plan is to set the internal DNS as primary and the external DNS as secondary, but I can't find an option to set priority.

Sometimes clients get 8.8.8.8 for DNS, but 8.8.8.8 can't resolve internal-only names.

 

 

set system services dhcp pool 10.30.8.0/24 name-server 10.70.1.22
set system services dhcp pool 10.30.8.0/24 name-server 8.8.8.8


JUNOS 15.1X49 vs 18.2R1


I am currently running 15.1X49-D140 on all my SRX320 and SRX340 devices. Does anyone have any experience of running v18.2R1 on SRX hardware, ideally on the SRX300 series of devices? I am primarily interested in performance and GUI/J-Web differences, good or bad. 

SRX active-active 2x IPSec VPN tunnels via 2xISPs to single destination (is this even possible!)


Hi All... I have been trying to create two active IPSec tunnels via two ISPs to another SRX with a single ISP connection. Is this even possible?

 

              public ip x.x.x.x    st0.0------ISPA-------- st0.0

SRXA                                                                                      ISPZ public ip z.z.z.z  ----      SRXB

              public ip y.y.y.y    st0.1-------ISPB------ st0.1

 

The problem I have is with traffic routing out of SRXA: it has to build two separate IPSec tunnels to a single destination IP address. It is obviously preferring a single egress interface via ISPA to build the IPSec tunnel to SRXB... but is there a way to force traffic out via the other ISPB to build the second IPSec tunnel?

I was thinking around source-based routing etc., but it would be for traffic sourced from the SRX itself, and as we are using the same destination address it won't work.

SRX VPN failover


Hi folks.
I'm facing abnormal behavior of the SRX VPN failover when two peers are configured.
The configuration looks like:

set security ike gateway gate_for_students ike-policy ike-policy
set security ike gateway gate_for_students address 1.1.1.1
set security ike gateway gate_for_students address 2.2.2.2
set security ike gateway gate_for_students dead-peer-detection always-send
set security ike gateway gate_for_students dead-peer-detection interval 10
set security ike gateway gate_for_students dead-peer-detection threshold 2
set security ike gateway gate_for_students external-interface fe-0/0/0

Where 1.1.1.1 is Juniper SRX5800
And 2.2.2.2 Cisco ASA5585
And this side is:

Model: srx100b
JUNOS Software Release [12.1X46-D77.1]

Both VPN tunnels work perfectly when configured individually.
So there are no problems with the tunnel, IPSec, IKE, routing, etc.

But when I start testing failover...
First I tried to delete all VPN peer configuration from 1.1.1.1 and wait until the SRX100 fails over to 2.2.2.2. Nothing happens in this case. The SRX100 doesn't even accept incoming VPN packets from 2.2.2.2 when I try to initiate IPSec from the 2.2.2.2 side.

But when I change configuration to this:

set security ike gateway gate_for_students address 1.2.3.4
set security ike gateway gate_for_students address 2.2.2.2

where 1.2.3.4 is any host that isn't even configured for SRX100 IPSec but responds to ping, failover occurs perfectly.
I've tried changing DPD to always-send, optimized - no result.
Tried vpn-monitoring - same.

I've tried changing the SRX100 Junos version - no luck.

 

As I understand it, DPD is for IKE tracking and vpn-monitoring is for IPSec tracking. That's not where I have the problem.

Do you have any idea how to make the SRX100 fail over correctly when the first peer is responsive but isn't able to build IKE?





SRX 210 "-alg: RT_ALG_ERR_NAT: SIP ALG NAT failed." error


Hi all,

 

I'm getting the error

"-alg: RT_ALG_ERR_NAT: SIP ALG NAT failed."

but I can't find much about it, nor what may be wrong...

 

Can someone help with this?

There are indeed some problems with VoIP on the site serviced by this router, so it would be good to know if the errors are due to a misconfigured VoIP system or a misconfigured SRX...

 

Thanks,

Alex


SRX VRRP Configuration Problem


Hi all!

I have a problem when I try to configure VRRP on SRX with a simple topology: SRX1 --- Switch --- SRX2

- SRX1 conf:

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.253/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.1.1;
                        priority 254;
                        preempt;
                    }
                }
            }
        }
    }
}

-SRX2:

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.254/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.1.1;
                        priority 200;
                    }
                }
            }
        }
    }
}

When I show the VRRP status, both SRXs become master. Ping between the 2 SRXs is OK:

 

root@srx-345-01> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up              1   master   Active      A  0.494 lcl    192.168.1.253
                                                                vip    192.168.1.1

 

root@srx-345-02> show vrrp summary
Interface     State       Group   VR state       VR Mode    Type   Address
ge-0/0/1.0    up              1   master          Active    lcl    192.168.1.254
                                                            vip    192.168.1.1

 

Can somebody help me, please?

 
