Channel: SRX Services Gateway topics

LDAPs Firewall authentication


I created a new topic as I mixed two issues in the previous post:

 

https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-firewall-Webauth-using-client-groups/m-p/337407#M50483

 

So I am going to establish a secure channel between LDAP and SRX to authenticate users. I found out that Junos does not support LDAPS (port 636), but there is a possibility of using port 389 with TLS:

 

Last post from @ :

 

"I think you need to create a CA profile on the SRX and then upload the server certificate as a CA certificate and link it to the CA profile you just created:

 

+Create CA profile:

 

user@host# set security pki ca-profile CA_PROFILE ca-identity [NAME]

user@host# set security pki ca-profile CA_PROFILE ca-identity [NAME] revocation-check disable

 

+Load the CA cert and link it to the CA profile:

 

user@host> request security pki ca-certificate load ca-profile CA_PROFILE filename /var/tmp/[FILE].cert

https://www.juniper.net/documentation/en_US/junos/topics/example/certificate-ca-local-manual-loading..."

 

Honestly, it is still not working on my side. The problem seems to be even with loading the CA certificate using the server cert. I cannot successfully verify the cert:

 

request security pki ca-certificate verify ca-profile LDAPtls
node0:
--------------------------------------------------------------------------
Error: CA Certificate for certificate <bla bla bla>  not found in local database

 

Anyway, I had a success output while loading it:

request security pki ca-certificate load ca-profile LDAPtls filename /var/tmp/ldap.cer
node0:
--------------------------------------------------------------------------
Fingerprint:
8b5:5b:00 (sha1)
269:93 (md5)
CA certificate for profile LDAPtls loaded successfully

 

I just noticed that verification is successful once I load the root cert as the CA; then there is no error.

 

So my question: according to my knowledge I should have a chain, root - public server, should I not?

How should it be done step by step? Am I missing something?

I have the root cer and serverpub.cer. What next?
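As an added example (not part of the original post and not Juniper's own tooling), the POSIX shell script below reproduces the chain behaviour described above with OpenSSL, offline: it builds a constructed self-signed root and a server certificate issued by it, then verifies the server certificate once against the root and once against itself. The names used (Demo Root CA, ldap.example.test, root.cer, serverpub.cer) and the function names are constructed for the demo. The point it shows is that an end-entity server certificate carries no CA flag and cannot verify itself; the trust anchor that has to be loaded into the CA profile is the issuer (root, plus any intermediate), which matches what the post observed when loading the root.

```shell
#!/bin/sh
# Added example, not from the forum post: demonstrate why a server certificate
# cannot act as its own trust anchor, using OpenSSL only (no network needed).
# All names and files here are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain: create a self-signed root CA and a server cert signed by it.
make_chain() {
    # Root CA: self-signed; 'req -x509' marks it basicConstraints CA:TRUE
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
    # Server key and CSR, then issue the server cert from the root
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/root.cer" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/serverpub.cer" 2>/dev/null
}

# verify_with ANCHOR: verify serverpub.cer against ANCHOR as the trust store.
# Prints "ok" or "fail"; this is the check the SRX performs when you run
# 'request security pki ca-certificate verify'.
verify_with() {
    if openssl verify -CAfile "$1" "$WORK/serverpub.cer" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# is_ca CERT: "yes" if CERT carries basicConstraints CA:TRUE, i.e. it is the
# kind of certificate a CA profile expects; "no" for an end-entity cert.
is_ca() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# issuer_of CERT: print the issuer DN, to see which CA must be loaded.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

make_chain
echo "trust anchor = root.cer:      $(verify_with "$WORK/root.cer")"
echo "trust anchor = serverpub.cer: $(verify_with "$WORK/serverpub.cer")"
echo "root is CA: $(is_ca "$WORK/root.cer"); server cert is CA: $(is_ca "$WORK/serverpub.cer")"
echo "server cert $(issuer_of "$WORK/serverpub.cer")"
```

Run it with `sh chain-demo.sh`; the first verify succeeds and the second fails, mirroring the two outcomes quoted above. To inspect what the live directory server actually presents before loading anything on the SRX, `openssl s_client -connect <ldap-host>:389 -starttls ldap -CAfile root.cer` (OpenSSL 1.1.1 or later) prints the chain the server sends and whether it verifies against the same root; if the server presents an intermediate, that intermediate's issuer chain also needs to be in the CA profile.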

Juniper SD-WAN with SRX


Hello,

 

I am new to this forum and I do have a few questions to ask people who are working with Juniper SD-WAN offering.

 

My understanding is that to build SD-WAN with Juniper, one needs Juniper Contrail Service Orchestration (CSO) combined with either Juniper vSRX or vMX, but I also understand that it may work with Juniper SRX appliances with an advanced license.

 

My questions are as follows:

 

1. Is my assumption correct that I need CSO + vSRX or vMX?

2. Can I use physical SRX appliances with CSO?

3. I understand that CSO is licensed per Network Functions Virtualization (NFV), is that correct?
4. I also understand that CSO is sold in packages and the minimum is 25 units, but may I combine 3 licences to get 75 units?

5. What is an NFV and how many NFVs would it take to build SD-WAN in each branch?

6. Will CSO generate tons of "dirty" configurations on the CPE devices?

7. Can anybody point out some serious partners in Europe to help design and deploy Juniper SD-WAN?

 

Many thanks.

 

Greg

Posting Sky ATP Webinar(Setup and Operationalize)


Hi Folks, I recently attended a Webinar on SkyATP, (How to set it up and operationalize it) and wanted to share a link to replay for anyone who may find it helpful.

https://event.on24.com/wcc/r/1803900/F1608DCBBE4AC678BFA6E38C9424E790

 

It discusses the technology and benefits of the Sky ATP advanced anti-malware platform service and the security intelligence it provides. There is a demonstration on getting it set up and how to operationalize it in a typical enterprise environment.

Route-Based VPN Site to Site with NAT-T


Hi all!

I've created a route-based site-to-site VPN with NAT-T but cannot create the VPN. Can somebody help me troubleshoot the problem? Thanks so much!

This is my topology (image: VPN.jpg).

And the config file as an attached file:

1. SITE A:

1.1. NAT Router (R3):

interface Ethernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet0/1
 ip address 200.0.1.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 200.0.1.0 0.0.0.255 area 0
!
ip nat inside source static 172.16.0.2 200.0.1.3
ip route 0.0.0.0 0.0.0.0 172.16.0.2

 

1.2. SRX-320-01:

security {
    log {
        mode stream;
        report;
    }
    ike {
        proposal ike_prop {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy ike_poli {
            mode main;
            proposals ike_prop;
            pre-shared-key ascii-text "$9$iq.569p01hk.p0BRSyaZG"; ## SECRET-DATA
        }
        gateway gw1 {
            ike-policy ike_poli;
            address 200.0.2.2;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec_prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
        }
        policy ipsec_poli {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec_prop;
        }
        vpn vpn1 {
            bind-interface st0.1;
            ike {
                gateway gw1;
                ipsec-policy ipsec_poli;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        Site-01 {
            address S1 172.16.1.0/24;
            attach {
                zone trust;
            }
        }
        Site-02 {
            address S2 172.16.4.0/24;
            attach {
                zone untrust;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy to-S2 {
                match {
                    source-address S1;
                    destination-address S2;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy from-S2 {
                match {
                    source-address S2;
                    destination-address S1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    ping;
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.1;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.0.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    fxp0 {
        unit 0;
    }
    st0 {
        unit 1 {
            family inet {
                address 172.16.100.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.0.1;
        route 172.16.4.0/24 next-hop st0.1;
    }
}

2. SITE B:

2.1. NAT-Router (R4):

interface Ethernet0/0
 ip address 172.16.24.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet0/2
 ip address 200.0.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
router ospf 1
 log-adjacency-changes
 network 172.16.24.0 0.0.0.255 area 0
 network 200.0.2.0 0.0.0.255 area 0
!
ip nat inside source static 172.16.24.2 200.0.2.2
ip route 0.0.0.0 0.0.0.0 172.16.24.2

 

2.2. SRX-345:

security {
    log {
        mode stream;
        report;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
}
interfaces {
    fxp0 {
        unit 0;
    }
}

 

RPM probe timed out in external network


Dear all,

 

I have an RPM probe timing out on the external interface. My SRX firewall has an external probe and an internal probe.
The external probe is via the external interface and the internal probe is via the IPsec tunnel. The external probe failed but
the internal probe was successful. I could ping 111.111.111.111 via my external IP address, 222.222.222.222, in the CLI.

The IPSec tunnel was created between 111.111.111.111 and 222.222.222.222.

 

I couldn't find any information on a similar case in the forum or on the internet.

Please see if you could help. Thanks.

 

George

 

Log:

Owner: AU-TS, Test: EXT-ICMP-TEST
Target address: 111.111.111.111, Source address: 222.222.222.222, Probe type: icmp-ping-timestamp, Test size: 15 probes
Probe results:
Request timed out, Sun Aug 19 10:44:04 2018
Results over current test:
Probes sent: 14, Probes received: 0, Loss percentage: 100
Results over last test:
Probes sent: 15, Probes received: 0, Loss percentage: 100
Results over all tests:
Probes sent: 179549, Probes received: 0, Loss percentage: 100

Owner: AU-TS, Test: INT-ICMP-TEST
Target address: 192.168.111.111, Source address: 192.168.222.222, Probe type: icmp-ping-timestamp, Test size: 15 probes
Probe results:
Response received, Sun Aug 19 10:43:33 2018, No hardware timestamps
Rtt: 152137 usec, Round trip interarrival jitter: 199 usec
Results over current test:
Probes sent: 15, Probes received: 15, Loss percentage: 0
Measurement: Round trip time
Samples: 15, Minimum: 151110 usec, Maximum: 159230 usec, Average: 155381 usec, Peak to peak: 8120 usec, Stddev: 2555 usec, Sum: 2330711 usec
Results over last test:
Probes sent: 15, Probes received: 15, Loss percentage: 0
Test completed on Sun Aug 19 10:43:33 2018
Measurement: Round trip time
Samples: 15, Minimum: 151110 usec, Maximum: 159230 usec, Average: 155381 usec, Peak to peak: 8120 usec, Stddev: 2555 usec, Sum: 2330711 usec
Results over all tests:
Probes sent: 182475, Probes received: 182124, Loss percentage: 0
Measurement: Round trip time
Samples: 182124, Minimum: 148003 usec, Maximum: 1630298 usec, Average: 164834 usec, Peak to peak: 1482295 usec, Stddev: 38313 usec, Sum: 30020162302 usec
Measurement: Positive round trip jitter
Samples: 4554, Minimum: 0 usec, Maximum: 143708 usec, Average: 396 usec, Peak to peak: 143708 usec, Stddev: 3394 usec, Sum: 1802263 usec
Measurement: Negative round trip jitter
Samples: 4652, Minimum: 1 usec, Maximum: 171095 usec, Average: 410 usec, Peak to peak: 171094 usec, Stddev: 4159 usec, Sum: 1905371 usec

 

 

>show log messages|match AU-TS

Aug 19 10:48:03 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST
Aug 19 10:48:08 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST
Aug 19 10:48:13 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST
Aug 19 10:48:18 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST
Aug 19 10:48:23 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST
Aug 19 10:48:28 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST
Aug 19 10:48:33 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST

> show configuration |display set|match AU-TS |match rpm
set services rpm probe AU-TS test EXT-ICMP-TEST probe-type icmp-ping-timestamp
set services rpm probe AU-TS test EXT-ICMP-TEST target address 111.111.111.111
set services rpm probe AU-TS test EXT-ICMP-TEST probe-count 15
set services rpm probe AU-TS test EXT-ICMP-TEST probe-interval 5
set services rpm probe AU-TS test EXT-ICMP-TEST test-interval 230
set services rpm probe AU-TS test EXT-ICMP-TEST source-address 222.222.222.222
set services rpm probe AU-TS test EXT-ICMP-TEST hardware-timestamp
set services rpm probe AU-TS test INT-ICMP-TEST probe-type icmp-ping-timestamp
set services rpm probe AU-TS test INT-ICMP-TEST target address 192.168.111.111
set services rpm probe AU-TS test INT-ICMP-TEST probe-count 15
set services rpm probe AU-TS test INT-ICMP-TEST probe-interval 5
set services rpm probe AU-TS test INT-ICMP-TEST test-interval 230
set services rpm probe AU-TS test INT-ICMP-TEST source-address 192.168.222.222
set services rpm probe AU-TS test INT-ICMP-TEST hardware-timestamp

> show version
node0:
--------------------------------------------------------------------------
Hostname: NODE0
Model: srx240h

node1:
--------------------------------------------------------------------------
Hostname: NODE1
Model: srx240h
JUNOS Software Release [12.1X46-D65.4]

 

> show ntp status
status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Fri Dec 30 02:50:47 UTC 2016 (1)",
processor="octeon", system="JUNOS12.1X46-D65.4", leap=00, stratum=3,
precision=-17, rootdelay=176.134, rootdispersion=362.192, peer=1621,
refid=192.168.0.5,
reftime=df235a3d.08c6e789 Sun, Aug 19 2018 10:53:49.034, poll=10,
clock=df235ac4.fc64b6fd Sun, Aug 19 2018 10:56:04.985, state=4,
offset=2.776, frequency=-0.388, jitter=119.131, stability=0.072

{primary:node1}
> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.0.4 118.143.17.82 2 - 553 1024 377 171.965 0.599 1.323
*192.168.0.5 118.143.17.82 2 - 143 1024 377 171.190 2.776 22.740

 

> show system uptime
node0:
--------------------------------------------------------------------------
Current time: 2018-08-19 10:54:55 HKT
System booted: 2018-07-08 04:04:42 HKT (6w0d 06:50 ago)
Last configured: 2018-08-18 23:23:54 HKT (11:31:01 ago) by root
10:54AM up 42 days, 6:50, 0 users, load averages: 0.05, 0.06, 0.07

node1:
--------------------------------------------------------------------------
Current time: 2018-08-19 10:58:24 HKT
System booted: 2018-07-08 04:00:51 HKT (6w0d 06:57 ago)
Protocols started: 2018-07-08 04:06:03 HKT (6w0d 06:52 ago)
Last configured: 2018-08-18 23:27:36 HKT (11:30:48 ago) by georgechung
10:58AM up 42 days, 6:58, 3 users, load averages: 0.46, 0.34, 0.31

{primary:node1}

 

The primary node's time is in sync with the NTP server.
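As an added example, not code from the post, the shell script below runs the kind of triage a practitioner would apply to the `show services rpm probe-results` and `show log messages` output quoted above: it parses the per-test loss percentages into a table, flags any test whose all-time history is 100% loss (the target has never answered, so this is a persistent condition rather than a transient one), and counts the RMOPD_HW_TIMESTAMP_INVALID warnings, which are worth noting here because `hardware-timestamp` is configured on both tests while the responses report "No hardware timestamps". The samples are trimmed from the output in the post; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the forum post: offline triage of RPM probe output.
# RPM_SAMPLE and LOG_SAMPLE are trimmed copies of the output quoted in the post.
set -eu

RPM_SAMPLE='Owner: AU-TS, Test: EXT-ICMP-TEST
Target address: 111.111.111.111, Source address: 222.222.222.222, Probe type: icmp-ping-timestamp, Test size: 15 probes
Probe results:
Request timed out, Sun Aug 19 10:44:04 2018
Results over current test:
Probes sent: 14, Probes received: 0, Loss percentage: 100
Results over last test:
Probes sent: 15, Probes received: 0, Loss percentage: 100
Results over all tests:
Probes sent: 179549, Probes received: 0, Loss percentage: 100

Owner: AU-TS, Test: INT-ICMP-TEST
Target address: 192.168.111.111, Source address: 192.168.222.222, Probe type: icmp-ping-timestamp, Test size: 15 probes
Probe results:
Response received, Sun Aug 19 10:43:33 2018, No hardware timestamps
Rtt: 152137 usec, Round trip interarrival jitter: 199 usec
Results over current test:
Probes sent: 15, Probes received: 15, Loss percentage: 0
Results over last test:
Probes sent: 15, Probes received: 15, Loss percentage: 0'

LOG_SAMPLE='Aug 19 10:48:03 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST
Aug 19 10:48:08 NODE1 rmopd[1590]: RMOPD_HW_TIMESTAMP_INVALID: Hardware timestamps in probe were invalid; owner: AU-TS, test: INT-ICMP-TEST'

# rpm_loss_table: one line "<owner> <test> <section> <loss%>" per
# "Results over current/last/all" block found in the probe output.
rpm_loss_table() {
    printf '%s\n' "$RPM_SAMPLE" | awk '
        /^Owner: /        { owner = $2; sub(/,$/, "", owner); test = $4 }
        /^Results over /  { section = $3 }          # current | last | all
        /Loss percentage: / { print owner, test, section, $NF }'
}

# rpm_failed_tests: tests whose all-time history shows 100% loss, i.e. the
# target has never replied since the test was created.
rpm_failed_tests() {
    rpm_loss_table | awk '$3 == "all" && $4 == 100 { print $2 }'
}

# rpm_hw_timestamp_warnings: number of RMOPD_HW_TIMESTAMP_INVALID log lines.
# A non-zero count with 'hardware-timestamp' configured means the platform is
# not stamping probes in hardware, so RTT figures come from software timestamps.
rpm_hw_timestamp_warnings() {
    printf '%s\n' "$LOG_SAMPLE" | grep -c 'RMOPD_HW_TIMESTAMP_INVALID'
}

echo "loss table:"
rpm_loss_table
echo "tests with 100% all-time loss: $(rpm_failed_tests)"
echo "hardware-timestamp warnings:   $(rpm_hw_timestamp_warnings)"
```

On the post's own data this reports EXT-ICMP-TEST as the only never-answered test and two timestamp warnings from the trimmed log. For a live box the two samples would be replaced by the output of `show services rpm probe-results` and `show log messages | match RMOPD`, and a test that shows up in the failed list while plain `ping` from the same source address works is the case to investigate next (the probe's source address, the routing of ICMP timestamp replies, and whether the far end answers ICMP timestamp requests at all, as opposed to echo requests).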

SRX220 & Australian NBN FTTN


I thought I might ask if anyone knows if the Juniper (SRX220H2 with JUNOS 12.1X46-D65.4) can be configured to connect to an NBN ISP directly rather than putting a modem between the ISP and Juniper? The connection will be a FTTN.

My Juniper knowledge doesn't extend far enough to be able to know the possibilities with that idea. I shall research in the meantime.

How to make SRX550 with IRB and RETH work.


I've found lots of articles on the web about how to make irb work over physicals and plenty on how to get reth to work. Without IRB, I can get both "sides" of my SRX to talk to other devices directly on the local LANs with this configuration:

 

 

 

chassis {
    cluster {
        redundancy-group 5 {
            node 0 priority 100;
            node 1 priority 99;
            interface-monitor {
                ge-0/0/4 weight 255;
                ge-9/0/4 weight 255;
            }
        }
        redundancy-group 6 {
            node 0 priority 100;
            node 1 priority 1;
        }
    }
}
security {
    zones {
        security-zone trusted {
            interfaces {
                reth5.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                reth6.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    ge-9/0/4 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    ge-9/0/6 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    reth5 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 5;
        }
        unit 0 {
            vlan-id 14;
            family inet {
                address 10.26.14.254/24;
            }
        }
    }
    reth6 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 6;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            vlan-id 114;
            family inet {
                address 10.26.114.252/24;
            }
        }
    }
}

 

But the SRX won't pass packets between the two VLANs (14 & 114).

 

What I've read on the web is to use IRB and, for brevity, I'll just include "what's new":

 

 

irb {
    vlan-tagging;
    unit 14 {
        vlan-id 14;
        family inet {
            address 10.26.14.254/24;
        }
    }
    unit 114 {
        vlan-id 114;
        family inet {
            address 10.26.114.252/24;
        }
    }
}
reth5 {
    redundant-ether-options {
        redundancy-group 5;
    }
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members vlan14;
            }
        }
    }
}
reth6 {
    redundant-ether-options {
        redundancy-group 6;
        lacp {
            active;
            periodic fast;
        }
    }
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members vlan114;
            }
        }
    }
}
vlans {
    vlan114 {
        vlan-id 114;
        l3-interface irb.114;
    }
    vlan14 {
        vlan-id 14;
        l3-interface irb.14;
    }
}
protocols {
    l2-learning {
        global-mode transparent-bridge;
    }
}

 

but when I do this, the SRX stops responding even on the local LANs and more disappointingly, reth6 goes down.

 

oops... I forgot to set the weight for ge-0/0/4 & ge-9/0/4 but that doesn't bring reth6 up.

 

Both reth5 & reth6 are connected to Cisco equipment so I'm also having to deal with cross-vendor LACP communication, but I surmise that because it works when not using IRB that I've got that part ok.

 

What I'm really looking for is a good example of an SRX configuration with two reths and different IRBs on each. Part of the problem in searching is that there is a bit of a matrix problem with supported feature interaction and SRX products.

 

Part of this that is really not straight forward is whether it should be packet mode or transparent mode or mixed mode. Switching from one to another is not straight forward as large sections of configuration need to change.

 

If anyone could help me either get the SRX to route the traffic between the two VLANs without IRB or how to get the IRB/reth situation to work, it would be much appreciated.

 

One aspect of this is that it isn't clear to me if the irb is down because reth is down or if reth is down because irb is down, e.g.:

 

ge-0/0/4                up    up
ge-0/0/4.0              up    up   aenet    --> reth5.0
ge-0/0/6                up    up
ge-0/0/6.0              up    up   aenet    --> reth6.0
ge-9/0/4                up    down      
ge-9/0/4.0              up    down aenet    --> reth5.0
ge-9/0/6                up    up
ge-9/0/6.0              up    up   aenet    --> reth6.0
reth5                   up    up
reth5.0                 up    up   eth-switch
reth6                   up    down      
reth6.0                 up    down eth-switch
irb                     up    up
irb.14                  up    up   inet     10.26.14.254/24
irb.114                 up    down inet     10.26.114.252/24

Juniper vSRX on VMware ESXI takes 30 minutes to boot


Hi All,

 

I downloaded the Juniper vSRX eval version and deployed it on a home lab running ESXi. When I power on the Juniper VM it takes more than 30 minutes to boot and then comes to the DB prompt (then I need to type cont and hit enter).

 

https://ibb.co/nMQW7e

https://ibb.co/m0xYLz

 

I have attached a couple of screenshots for the same. Any suggestions on how I can make it boot faster/normally?

 

Thanks


One device, two organizations with one Internet connection


Greetings Everyone,

 

Trying to implement one Juniper SRX300 (or x2) to replace 3x ZyXELs with the following configuration:

## edge router

x1 WAN IP on /30 subnet; 

x2 LAN IPs on /29 subnet;

All IPs are public ones;

No firewall rules configured;

Bandwidth shaping, 60% and 40% for the two organizations respectively.

 

## x2 Organization routers

x5 WAN IPs on /29 subnet, using LAN ip on the edge router as the gateway;

x3 LAN IPs on private IP ranges for data, voice, and management;

firewall rules, including site to site vpn, dynamic vpn, dmz and zone services.

 

My questions were:

Can these be done with one SRX300 device?

Can one of the two organizations' firewall/routing be managed by another device (one managed locally)?

 

It would be great if you could point me to the right direction to get started with sample configurations.

 

Thank you in advance,

 

Bob

OSPF Export Policy assistance


Hello all,

 

I'd like some help in understanding an OSPF Export Policy we have. I don't understand how and when they should be used. We use OSPF throughout our network with just a single area i.e. 0. Can someone explain what the following is actually doing please?

 

policy-options {
    policy-statement to-ospf {
        term default {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then {
                external {
                    type 2;
                }
                accept;
            }
        }
    }
}

 

Is the policy actually being exported to a location? Should there be a corresponding import policy somewhere?

 

Thank you!

2 ISP(SRX) / 1 for internal network(fgt) 1 for VPN(fgt) please advice


First of all, sorry, my English is not quite good. I am a newbie with SRX.

I need to split the company internet and VPN connection between SRX and FGT following the list below:

Concurrent (NAT/Policy)

"wan1(1.1.1.254/ge-0/0/1.0 zone untrust)

internal network(192.168.0.254/ge-0/0/2.0 zone trust)--->FGT (wan)Port1(192.168.0.2) ->FGT (internal)Port5"

 

Additional VPN (request NAT)

"wan2(2.2.2.254/ge-0/0/3.0 zone vpnuntrust)(NAT 2.2.2.1 to 192.168.150.253)

vpn (192.168.150.254/ge-0/0/4.0 zone vpntrust)--->FGT (wan)Port2(192.168.150.253(VPN->Branch))" and static route 0.0.0.0/0 1.1.1.254.

Could you please advise in this case? And can I create a virtual route on the interface without affecting the concurrent system?

If you have any advice, please let me know.

 

Thanks,

 

SRX240 failed


Hey Junos

 

I have an issue in my SRX240 where I can't commit any config, and once I commit I get:

 

warning: MD5File failed for /config/juniper.conf.gz
Shutdown NOW!
[pid 2562]

root>

*** FINAL System shutdown message from root@

 

***** FILE SYSTEM MARKED CLEAN *****
Verified junos signed by PackageProduction_10_0_0
Verified jboot signed by PackageProduction_10_0_0
Verified junos-10.0R3.10-domestic signed by PackageProduction_10_0_0
Can't stat /dev/bo0s3e: No such file or directory
Can't stat /dev/bo0s3e: No such file or directory
mount: /dev/bo0s3e : No such file or directory
WARNING: Mount of /dev/bo0s3e on /config failed
WARNING: Formatting /dev/bo0s3e before attempting mount again
newfs: /dev/bo0s3e: could not find special device
mount: /dev/bo0s3e : No such file or directory
ERROR: Mount of /dev/bo0s3e on /config failed
Can't stat /dev/bo0s3f: No such file or directory
Can't stat /dev/bo0s3f: No such file or directory
mount: /dev/bo0s3f : No such file or directory
WARNING: Mount of /dev/bo0s3f on /cf/var failed
WARNING: Formatting /dev/bo0s3f before attempting mount again
newfs: /dev/bo0s3f: could not find special device
mount: /dev/bo0s3f : No such file or directory
ERROR: Mount of /dev/bo0s3f on /cf/var failed
Loading configuration ...
mgd: error: Cannot open configuration file: /config/juniper.conf
mgd: warning: activating factory configuration
cannot create /config/juniper.conf+.gz: Read-only file system
mgd: error: /config/juniper.conf+: write failed: Broken pipe
mgd: error: /config/juniper.conf+: was not properly closed: Broken pipe
mgd: error: commit failed: commit to file failed during export to /config/juniper.conf+

 

I already followed this link:

 

https://forums.juniper.net/t5/Junos/SRX240-Commit-issue/td-p/319224

 

but no solution.

 

Please help me.

 

Thanks all.

SRX240H Dual WAN failover stale session issue


So I have IP monitoring and an RPM probe set up correctly and it works great, but my issue stems from stale xlate sessions where users are getting SSL/TLS errors as the SRX is keeping those old sessions in the table.

I effectively want to do "clear security flow session all" upon the IP-monitoring switch, but maybe I need to bootleg this because I'm doing something else wrong?

 

How do you folks recommend setting up WAN failover? 

Mac Moves


Hi all,

 

I have a MAC address that keeps switching between two interfaces quite a bit. I have found nowhere on the SRX320 where I can set an option in regards to this. The only thing I have found is vpls-mac-move, but that is for VLANs over MPLS, which I do not have. Does anyone know the commands to set a drop action after a certain number of MAC moves on an SRX320?

Pinging FQDN of SRX box, can't.

I cannot ping my SRX box by hostname/FQDN. I am on the internet. So, that means I have set up the zones.

1. Zone trust to zone trust is up.
2. interfaces services is set to all.
(tried to explicitly call ping and DNS, no luck).
3. Zone services is set to all.
4. Ping in SRX gui works after setting "static-dns-mapping" .

Please help.

VPN Connection issue


Hi,

I have a remote-access VPN from home to HQ. And in HQ, we have a site-to-site VPN connection to Google Cloud. When we connect to Google Cloud from HQ, there is no issue. But when I connect to the RAS VPN from home I cannot connect to Google Cloud. Any advice appreciated please. What configuration should I check or add?

What are the maximum number of logical-systems supported on SRX4600

Hi, Just wanted to know - what are the maximum number of logical-systems supported on SRX4600? Could not find the info in data sheet or in other docs

establishing SRX CLuster node with disconnected control link (Only one node in the cluster)


What happens if only one SRX5800 node is configured as a cluster node with the control link disconnected and the other node is totally down (only one node in the cluster)? Will the activated node enter the primary state and will the reth interfaces be active? Or will the node be stuck in the unavailable state? Can this node forward traffic?

This situation is only considered as part of a migration.

SRX - Can system-generated-certificate be used as part of an IPSEC tunnel config?


SRX - I have a requirement for a single tunnel between two SRX routers but can't select system-generated-certificate within the ike policy xxx certificate local-certificate command. Is this possible?

Can I take a copy of the system-generated-certificate and rename it? Please let me know if there's another way. Thanks

PPPOE Not Working


Hi guys,

I am trying to set up a PPPoE connection with my provider but I am having a hard time. Using a Windows 10 PC everything goes fine, but my SRX300 does not want to set up the connection. Below are my configuration and statistics:

 

## Last commit: 2018-08-26 13:25:48 UTC by root
version 15.1X49-D70.3;
system {
    root-authentication {
        encrypted-password "$5$W4TA6tM.$POHBgQMXH45JYV8L34ne/Hk8xJUu1qMQUcyx/zDS19D"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        netconf {
            ssh;
        }
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust-untrust {
                from zone trust;
                to interface pp0.0;
                rule Egress-Int {
                match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                pp0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                chap {
                    default-chap-secret "$9$n1cb/9prlM8X-Ct1hSyW8Ndb2JDzF/"; ##SECRET-DATA
                    local-name aliceadsl;
                    passive;
                }
                pap {
                    local-name aliceadsl;
                    local-password "$9$6epc9CuleWLxdApIcyr8L-VwgZjF39"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                access-concentrator srx300;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    ppp {
        traceoptions {
            file ppp;
            level all;
            flag all;
        }
    }
    pppoe {
        traceoptions {
            file pppoe;
            level all;
            flag all;
        }
    }
}
access {
    address-assignment {
        pool junosDHCPPool {
            family inet {
                network 192.168.1.0/24;
                range junosRange {
                    low 192.168.1.2;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    router {
                        192.168.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}

Show ppp statistics:

Active PPPoE sessions: 0
  PacketType                       Sent         Received
    PADI                             18                0
    PADO                              0                0
    PADR                              0                0
    PADS                              0                0
    PADT                              0                0
    Service name error                0                0
    AC system error                   0                0
    Generic error                     0                0
    Malformed packets                 0                0
    Unknown packets                   0                0
  Timeout
    PADI                              2
    PADO                              0
    PADR                              0
  Receive Error Counters
    PADI                              0
    PADO                              0
    PADR                              0
    PADS                              0

Thank you guys.
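The counters above cover the PPPoE discovery stage only: PADIs go out and nothing comes back, so the client never gets to PADO, PADR or PADS. The following Python is an added example, not from the original post and not Junos code: it models that exchange end to end with both sides' frames, so the states the statistics are counting can be seen. It shows the RFC 2516 discovery frame layout, a bounds-checked tag parser (a PPPoE client listens on a shared Ethernet segment to whatever answers, so every length field is validated before use; frames that fail are the kind a "Malformed packets" counter records), and the client's decision to answer a PADO only when its AC-Name matches a configured access-concentrator name, the equivalent of the pppoe-options access-concentrator knob in the config above. The access-concentrator model, the names (isp-bras-1, srx), the cookie value and the counter bookkeeping are constructed for the example and are not how Junos itself counts.

```python
"""PPPoE discovery stage (RFC 2516): frame encoding, bounds-checked tag parsing,
and the client-side checks that decide whether an offer (PADO) is accepted.
Added example, not from the original post or from Junos; AC model, names and
counters are constructed so the exchange runs offline."""
import struct

CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS = 0x09, 0x07, 0x19, 0x65
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE, TAG_SERVICE_NAME_ERROR = 0x0103, 0x0104, 0x0201


class Malformed(ValueError):
    """Header or tag lengths do not fit the bytes actually present."""


def build(code, session_id, tags):
    """Encode a discovery PDU: ver/type 0x11, code, session id, length, tag TLVs."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body


def parse(frame):
    """Decode a PDU into (code, session_id, {tag_type: [values]}), trusting no length field."""
    if len(frame) < 6:
        raise Malformed("short header")
    vt, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if vt != 0x11 or length > len(frame) - 6:
        raise Malformed("bad version/type or payload length")
    payload, off, tags = frame[6:6 + length], 0, {}
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if ttype == TAG_END:
            break
        if off + tlen > len(payload):
            raise Malformed("tag length exceeds payload")
        tags.setdefault(ttype, []).append(payload[off:off + tlen])
        off += tlen
    return code, session_id, tags


class Client:
    """Discovery-stage state of a PPPoE client (the SRX side in the post)."""

    def __init__(self, access_concentrator=None, service_name=b"", host_uniq=b"srx"):
        self.ac_name = access_concentrator   # None: accept any AC's offer
        self.service_name, self.host_uniq, self.session_id = service_name, host_uniq, None
        self.counters = dict.fromkeys(("PADI sent", "PADO received", "PADR sent",
                                       "PADS received", "Malformed packets", "Service name error"), 0)

    def padi(self):
        self.counters["PADI sent"] += 1
        return build(CODE_PADI, 0, [(TAG_SERVICE_NAME, self.service_name),
                                    (TAG_HOST_UNIQ, self.host_uniq)])

    def receive(self, frame):
        try:
            code, session_id, tags = parse(frame)
        except Malformed:
            self.counters["Malformed packets"] += 1
            return None
        if tags.get(TAG_HOST_UNIQ) != [self.host_uniq]:
            return None                      # not a reply to our PADI/PADR
        if code == CODE_PADO:
            self.counters["PADO received"] += 1
            if TAG_SERVICE_NAME_ERROR in tags:
                self.counters["Service name error"] += 1
                return None
            if self.ac_name is not None and tags.get(TAG_AC_NAME) != [self.ac_name]:
                return None                  # offer from another AC: keep waiting
            self.counters["PADR sent"] += 1
            cookies = [(TAG_AC_COOKIE, c) for c in tags.get(TAG_AC_COOKIE, [])]
            return build(CODE_PADR, 0, [(TAG_SERVICE_NAME, self.service_name),
                                        (TAG_HOST_UNIQ, self.host_uniq)] + cookies)
        if code == CODE_PADS and session_id:
            self.counters["PADS received"] += 1
            self.session_id = session_id
        return None


class AccessConcentrator:
    """Toy BRAS constructed for the example: PADI -> PADO, PADR with our cookie -> PADS."""

    def __init__(self, name, cookie=b"\x5a\xa5", next_session=1):
        self.name, self.cookie, self.next_session = name, cookie, next_session

    def receive(self, frame):
        code, _, tags = parse(frame)
        echo = [(TAG_HOST_UNIQ, h) for h in tags.get(TAG_HOST_UNIQ, [])]
        svc = tags.get(TAG_SERVICE_NAME, [b""])[0]
        if code == CODE_PADI:
            return build(CODE_PADO, 0, [(TAG_AC_NAME, self.name), (TAG_SERVICE_NAME, svc),
                                        (TAG_AC_COOKIE, self.cookie)] + echo)
        if code == CODE_PADR and tags.get(TAG_AC_COOKIE) == [self.cookie]:
            sid, self.next_session = self.next_session, self.next_session + 1
            return build(CODE_PADS, sid, [(TAG_SERVICE_NAME, svc)] + echo)
        return None                          # PADR without our cookie is dropped


def run_discovery(client, ac):
    """Drive PADI -> PADO -> PADR -> PADS; return the session id, or None if stuck."""
    frame = client.padi()
    while frame is not None:
        reply = ac.receive(frame)
        frame = client.receive(reply) if reply is not None else None
    return client.session_id
```

Running run_discovery with a Client(access_concentrator=b"srx300") against an AccessConcentrator(b"isp-bras-1") ends with the offer counted as received but no PADR sent and no session, which is what a wrong access-concentrator name looks like in this model. The counters in the post are one step earlier than that: PADO received is 0, so in that capture no offer came back to the PADIs at all.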