Channel: SRX Services Gateway topics
Viewing all 3959 articles

SRX redundant Ethernet interface does not come up.


I configured a redundant Ethernet interface in an SRX1500 cluster using a 10 Gbps interface on both devices.  I need to change this reth to use 1 Gbps interfaces; thus, I changed the configuration to remove the 10 Gbps interfaces from the reth and from interface  monitoring; then I added the 1 Gbps interfaces to the reth.  However, the reth does not come up, but the constituent physical interfaces do come up. 

 

root@SRX1500-cluster> show interfaces reth0

Physical interface: reth0 , Enabled, Physical link is Down

 

As a test, I configured a new reth with the two 1 Gbps interfaces and it worked.

 

It seems that the first reth that I configured has a 'memory' of the two 10 Gbps physical interfaces.

 

I see the entries below in the message file.

 

Sep 20 18:28:53 SRX1500-cluster SRX1500-cluster COSMAN: policy update failed
Sep 20 18:28:53 SRX1500-cluster /kernel: kernel did not add link reth0, link speeds differ 1000000000 10000000000
Sep 20 18:28:53 SRX1500-cluster/kernel: bundle reth0.1296: link ge-0/0/14 not added due to speed mismatch

 

May I ask if anyone has seen this before, please?


Creating a simple trunk interface


Hello

 

This is my first time trying to create a trunk interface on an SRX router. I did some googling and came up with a config, but I think something is still missing, since I can't ping the interface even from the router itself.

 

Config:

 

security {
    policies {
        from-zone Vlan_203 to-zone X {
            policy Default {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone X to-zone Vlan_203 {
            policy Default {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Test {
            interfaces {
                xe-2/2/2.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Vlan_203 {
            interfaces {
                vlan.203 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}

interfaces {
    xe-2/2/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members Vlan_203;
                }
            }
        }
    }
    vlan {
        unit 203 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
}

vlans {
    Vlan_203 {
        vlan-id 203;
        l3-interface irb.203;
    }
}

 

root@SRX> show vlans

Routing instance        VLAN name             Tag          Interfaces
default-switch          Vlan_203              203
                                                           xe-2/2/2.0*
default-switch          default               1


root@SRX> show interface terse
(vlan.203 is not listed there)

Pinging 192.168.3.1 from the router: no route to host.

Version: Model: srx5400, Junos: 17.3R2.10

Routed Subnet


Hi guys,

 

I was wondering if you can help me. I have 2 questions on routed subnets.

 

1. What is a routed subnet?

 

2. I have an SRX210 and I'm somewhat of a newbie to Juniper. I just wanted to know how to configure a subnet which will then route to an IP address in a second subnet.

 

I'll try to paint the picture as clear as I can.

 

I have a /29 subnet (let's call it 10.10.0.0/29). The first usable IP address will be the WAN-facing IP.

I also have a /27 subnet (let's call this 10.1.0.0/27); this will be used on the customer side.

 

I'm tasked with routing all traffic from the /27 range to the first usable IP address in the /29. Is this possible? If so, what sort of configuration will I need to make this happen?

 

Thanks in advance for your help!

Negated Addresses


Hi

I'm confused about destination-address-excluded and source-address-excluded. I tried to read the example at this link, "https://www.juniper.net/documentation/en_US/junos/topics/example/security-policy-negated-address-configuring.html", but I don't understand it.

 

If I have three address-book entries:

address a1 10.10.10.0/24

address a2 20.20.20.0/24

address a3 30.30.30.0/24

 

And the security policy is below:

security {
    policies {
        from-zone trust to-zone untrust {
            policy p1 {
                match {
                    source-address a1;
                    destination-address a2;
                    source-address-excluded;
                    destination-address-excluded;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
 
According to my understanding, all source and destination addresses except 10.10.10.0/24 and 20.20.20.0/24 will be permitted on the firewall. For example, traffic from 30.30.30.0/24 destined to 10.10.10.0/24 will be permitted. Am I correct?

What about "source-address-excluded a1"? What's the difference?
 
Thank you 
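The negation semantics the post asks about, modelled in Python as an added example (this is not Junos code, not from the post and not from Juniper): a policy carrying source-address-excluded / destination-address-excluded matches a flow when the source is outside every entry in its source list and the destination is outside every entry in its destination list. The knob is a flag on the whole list, which is why it is configured as a bare `source-address-excluded` rather than `source-address-excluded a1`. The address names and prefixes are the post's; the deny-all default policy, the extra policies `p1-plain` and `p2`, and the sample flows are assumptions made for this example.

```python
"""Negated-address policy matching, as an added model of the post's policy p1.

Not Junos code and not from the post: a small simulator of how an SRX
security policy evaluates source-address-excluded / destination-address-excluded.
Address names and prefixes are the post's; the deny-all default policy and
the sample flows are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Address-book entries from the post.
ADDRESS_BOOK = {
    "a1": ip_network("10.10.10.0/24"),
    "a2": ip_network("20.20.20.0/24"),
    "a3": ip_network("30.30.30.0/24"),
}


def in_any(addr: str, names: List[str]) -> bool:
    """True if addr falls inside at least one of the named address-book entries."""
    ip = ip_address(addr)
    return any(ip in ADDRESS_BOOK[name] for name in names)


@dataclass
class Policy:
    name: str
    source_addresses: List[str]
    destination_addresses: List[str]
    # The *-excluded knobs are flags on the whole list, not per-entry options.
    source_excluded: bool = False
    destination_excluded: bool = False
    action: str = "permit"

    def matches(self, src: str, dst: str) -> bool:
        src_hit = in_any(src, self.source_addresses)
        dst_hit = in_any(dst, self.destination_addresses)
        if self.source_excluded:        # match every source NOT in the list
            src_hit = not src_hit
        if self.destination_excluded:   # match every destination NOT in the list
            dst_hit = not dst_hit
        return src_hit and dst_hit


def evaluate(policies: List[Policy], src: str, dst: str,
             default: str = "deny") -> Tuple[str, str]:
    """First-match walk of the ordered policy list; falls through to the
    (assumed) default-deny policy."""
    for policy in policies:
        if policy.matches(src, dst):
            return policy.name, policy.action
    return "default-policy", default


# The post's policy: a1 negated as source, a2 negated as destination.
P1 = Policy("p1", ["a1"], ["a2"], source_excluded=True, destination_excluded=True)
# Same addresses without negation, to show the inversion (assumed for contrast).
P1_PLAIN = Policy("p1-plain", ["a1"], ["a2"])
# Negation covers the whole source list: anything outside a1 OR a3 (assumed).
P2 = Policy("p2", ["a1", "a3"], ["a2"], source_excluded=True)

if __name__ == "__main__":
    for pol, s, d in [(P1, "30.30.30.5", "10.10.10.5"),
                      (P1, "10.10.10.5", "20.20.20.5"),
                      (P1_PLAIN, "10.10.10.5", "20.20.20.5"),
                      (P2, "30.30.30.5", "20.20.20.5"),
                      (P2, "8.8.8.8", "20.20.20.5")]:
        print(f"{pol.name}: {s} -> {d}: {evaluate([pol], s, d)}")
```

Running it shows the inversion the post describes: 30.30.30.5 to 10.10.10.5 matches p1 and is permitted, while 10.10.10.5 to 20.20.20.5 (which the un-negated policy would permit) falls through to the default deny. With p2, a 30.30.30.0/24 source is excluded along with 10.10.10.0/24 because the flag applies to every entry in the list.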

 

SRX340 HA Cluster Strange Behaviour on Reth Interface - Unknown Egress Traffic


Hi All, 

 

I am having a strange issue on an SRX340 cluster pair, with strange unknown traffic egressing out of a reth interface that is configured as a trunk port on an Ethernet switch, with a few VLANs added as members:

 

(some information has been sensitised)

 

redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members [ CORE-DMZSL7SZ00 CORE-DMZSL7SZ08 TRANSIT-EFTS-XXX-117 CORE-TRANSIT-XXX-YYY CORE-TRANSIT-XXX-ZZZ ];
        }
    }
}

CORE-DMZSL7SZ00 {
    vlan-id 1385;
    l3-interface irb.1385;
}
CORE-DMZSL7SZ08 {
    vlan-id 1022;
    l3-interface irb.1022;
}
TRANSIT-EFTS-XXX-117 {
    vlan-id 117;
    l3-interface irb.117;
}
CORE-TRANSIT-XXX-YYY {
    vlan-id 1896;
    l3-interface irb.1896;
}
CORE-TRANSIT-XXX-ZZZ {
    vlan-id 1895;
    l3-interface irb.1895;
}

 

The issue I am facing is that there is a discrepancy between the sum of the traffic of the attached VLANs compared to the interface itself, by a considerable order. The traffic rate seems to steadily increase until it plateaus at around 850 Mbps, whereupon our upstream provider complains.

 

Reth2 Interface :

frwl-a-hre-a Seconds: 2 Time: 12:39:15
Delay: 0/0/30
Interface: reth2, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics: Current delta
Input bytes: 1045155938 (29432 bps) [7977]
Output bytes: 2857182432517 (71683848 bps) [17967992]
Input packets: 1842470 (33 pps) [72]
Output packets: 44342101615 (139500 pps) [278501]
Error statistics:
Input errors: 0 [0]
Input drops: 0 [0]
Input framing errors: 0 [0]
Carrier transitions: 0 [0]
Output errors: 0 [0]
Output drops: 0 [0]

 

 

irb.1385 Interface :

frwl-a-hre-a Seconds: 2 Time: 12:41:47
Delay: 6/6/14
Interface: irb.1385, Enabled, Link is Up
Flags: SNMP-Traps 0x4000
Encapsulation: ENET2
Local statistics: Current delta
Input bytes: 0 [0]
Output bytes: 0 [0]
Input packets: 0 [0]
Output packets: 0 [0]
Remote statistics:
Input bytes: 0 (0 bps) [0]
Output bytes: 0 (0 bps) [0]
Input packets: 0 (0 pps) [0]
Output packets: 0 (0 pps) [0]
Traffic statistics:
Input bytes: 0 [0]
Output bytes: 0 [0]
Input packets: 0 [0]
Output packets: 0 [0]

 

irb.1022 Interface :

frwl-a-hre-a Seconds: 2 Time: 12:40:35
Delay: 5/5/15
Interface: irb.1022, Enabled, Link is Up
Flags: SNMP-Traps 0x4000
Encapsulation: ENET2
Local statistics: Current delta
Input bytes: 7751464 [0]
Output bytes: 44702558 [530]
Input packets: 54476 [0]
Output packets: 179808 [2]
Remote statistics:
Input bytes: 1258830365 (152 bps) [40]
Output bytes: 541960551 (360 bps) [91]
Input packets: 2306811 (0 pps) [1]
Output packets: 2071016 (0 pps) [1]
Traffic statistics:
Input bytes: 1266581829 [40]
Output bytes: 586663109 [621]
Input packets: 2361287 [1]
Output packets: 2250824 [3]

 

irb.117 Interface:

frwl-a-hre-a Seconds: 1 Time: 12:41:16
Delay: 9/8/9
Interface: irb.117, Enabled, Link is Up
Flags: SNMP-Traps 0x4004000
Encapsulation: ENET2
Local statistics: Current delta
Input bytes: 0 [0]
Output bytes: 0 [0]
Input packets: 0 [0]
Output packets: 0 [0]
Remote statistics:
Input bytes: 0 (0 bps) [0]
Output bytes: 0 (0 bps) [0]
Input packets: 0 (0 pps) [0]
Output packets: 0 (0 pps) [0]
Traffic statistics:
Input bytes: 0 [0]
Output bytes: 0 [0]
Input packets: 0 [0]
Output packets: 0 [0]

 

irb.1895 Interface :

frwl-a-hre-a Seconds: 2 Time: 12:43:31
Delay: 6/6/59
Interface: irb.1895, Enabled, Link is Up
Flags: SNMP-Traps 0x4000
Encapsulation: ENET2
Local statistics: Current delta
Input bytes: 0 [0]
Output bytes: 1016784 [0]
Input packets: 0 [0]
Output packets: 22104 [0]
Remote statistics:
Input bytes: 97140 (0 bps) [0]
Output bytes: 0 (0 bps) [0]
Input packets: 1291 (0 pps) [0]
Output packets: 0 (0 pps) [0]
Traffic statistics:
Input bytes: 97140 [0]
Output bytes: 1016784 [0]
Input packets: 1291 [0]
Output packets: 22104 [0]

 

irb.1896 Interface :

frwl-a-hre-a Seconds: 3 Time: 12:43:53
Delay: 17/6/17
Interface: irb.1896, Enabled, Link is Up
Flags: SNMP-Traps 0x4000
Encapsulation: ENET2
Local statistics: Current delta
Input bytes: 0 [0]
Output bytes: 1016600 [46]
Input packets: 0 [0]
Output packets: 22100 [1]
Remote statistics:
Input bytes: 4944 (0 bps) [0]
Output bytes: 64 (0 bps) [0]
Input packets: 81 (0 pps) [0]
Output packets: 1 (0 pps) [0]
Traffic statistics:
Input bytes: 4944 [0]
Output bytes: 1016664 [46]
Input packets: 81 [0]
Output packets: 22101 [1]

 

From these statistics it can clearly be seen that irb.1022 is the only VLAN with any real traffic on it; however, that particular VLAN is rate limited to 2 Mbps by the provider, and the average bps of the VLAN is around 200000 - 700000 bps, with the other 4 VLANs having minuscule traffic.

 

However the bps rate on the Reth2 interface - at present is around 74325336 bps - and if left will continue to rise to around 812358480 bps on average - and will remain so, until the interface is disabled and brought back up again, where it will start off low and continually climb again.

 

There are no other configurations on the Reth2 interface, especially any L3 interfaces, so I am extremely confused as to what is generating this traffic.

 

I have tried to run a pcap on Reth2 - however since there is no L3 interface, there are no packets to capture.

 

I have supplied some screenshots showing the issue at it worst.

 

I have tried manually failing over the cluster to node1, and the issue persists even while node1 is active.

 

The cluster was recently upgraded to firmware 15.1X49-D140.2.

 

Any assistance with this issue would be greatly appreciated.

 

Kind regards, 

 

Liam

Site 2 Site VPN with overlapping networks srx300 to srx240


Hi!

 

I have the following problem:

Site A: Network 192.168.12.0/22

Site B: Network 192.168.20.0/24 (Networks 192.168.13.0/24, 192.168.14.0/24 and 192.168.15.0/24 are assigned to other services on Site B)

 

How do I manage to get traffic from 192.168.12.0/22 to 192.168.20.0/24?

I thought to static NAT from 192.168.12.0/22 to 192.168.20.0/24 using 172.21.8.0/22, but the SRX said that the subnet masks from source to host didn't match (/22 to /24).

I want NAT from 192.168.12.0/22 to this network 192.168.20.0/24 using this transfer network 172.21.8.0/22.

 

How do I configure this?

 

Kind regards

Andy

Virtual chassis for Ex2300 or Ex3400

Moved to Ethernet Switching Forum

Creating a DMZ setup


I have a simple consumer-grade ADSL router that has a DMZ configured to a local IP of 192.168.1.1. At this address sits the WAN interface of an OPNsense box. This is configured as an end point for VPN tunnels, with traffic being passed to servers on the LAN. Outbound traffic from the LAN is unrestricted and is required for fetching updates, some browsing etc.

 

I want to replace the aforementioned ADSL router with an SRX320. How do I re-create the above i.e. create a DMZ-like setup that allows traffic to flow in and out as described above?


SRX to SRX VRRP not running


 

Hi All,

 

Can you please confirm what I could be missing here. I am simply trying to get VRRP working between two SRX devices, config to follow (same config on both sides, the other side using .216):

 

set security zones security-zone mgmt interfaces reth1.24 host-inbound-traffic protocols vrrp
set interfaces reth1 unit 24 family inet address 192.168.xx.215/24 vrrp-group 24 virtual-address 192.168.xx.217
set interfaces reth1 unit 24 family inet address 192.168.xx.215/24 vrrp-group 24 priority 100
set interfaces reth1 unit 24 family inet address 192.168.xx.215/24 vrrp-group 24 preempt hold-time 30
set interfaces reth1 unit 24 family inet address 192.168.xx.215/24 vrrp-group 24 accept-data
set interfaces reth1 unit 24 family inet address 192.168.xx.215/24 vrrp-group 24 authentication-type md5
set interfaces reth1 unit 24 family inet address 192.168.xx.215/24 vrrp-group 24 authentication-key "$9$qPT3B1hlK869OREcvMJGDHP5Fn/pO1QzKMX7VbQF3"

 

law@fw3# run show vrrp
VRRP is not running

{primary:node0}[edit]

 

There is a Juniper EX switch in between to provide the layer 2 connectivity. Note that both SRXs are within their own cluster; we need to do this as part of a migration.

 

Is there anything else that should be enabled? I enabled the VRRP trace option, though it didn't log anything.

SRX 4100 with HA


Dear Sir,

I would like to use the SRX4100 with HA. May I know:

  1. Can I use 1G or 10G DAC cables for the HA links (control and fab ports)?
  2. Might I use 1G SFP or 10G SFP+ modules?
  3. If I use SFP modules, can I use multimode or single mode, depending on the SFP module type?

Secure-access-port questions....

I have an SRX240B2. I have chosen to try the secure-access-port option for the ports that I use. They are ge-0/0/1.0 to ge-0/0/15.0. I know that I want to use them on those ports. My question is: if I use this option on port ge-0/0/0.0, will it be a waste of code? I use port ge-0/0/0.0 for my modem (WAN) connection. It is DHCP enabled. Will the SRX utilize the MAC attributes from the modem? I assume that NAT will take care of the MAC attributes from the external. Should I turn on secure-access-port on the ge-0/0/0.0 port?

CoS issue on LNS


Hi,


We have two separate sites running Juniper MX240 LNS with dynamic-profiles.

 

I am now testing site 2 with VoIP. Site 1 has been tested and works fine with no problem at all. I can fill the best-effort queue so that ping packets are dropping and yet VoIP is still perfect. Exactly what I wanted.

 

So, naturally, I copy the config from one system to the other system and the CoS does not work.  Here is the route taken:

 

SIP Phone --> CPE --> LAC --> LNS --> Core --> Upstream ISP --> Other end of VoIP

 

The Core seems to be placing the traffic into the correct queue as when I look at the statistics on the interface, they are exactly as I would expect, and to confirm, I cleared them and re-tested.

 

However, on the LNS, NO packets are going into the SIP-VOICE queue. However, on THW with the exact same configuration, using the same phone, the VoIP traffic goes into the SIP-VOICE queue. I have set queue 2 to be SIP-VOICE.

 

I have tried various troubleshooting techniques with no luck at all as to finding out why the traffic is not going into the correct queue.

 

Here is the dynamic-profile config and the relevant CoS:

set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix next-hop "$junos-framed-route-nexthop"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix metric "$junos-framed-route-cost"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix preference "$junos-framed-route-distance"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix tag "$junos-framed-route-tag"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access-internal route $junos-subscriber-ip-address qualified-next-hop "$junos-interface-name"
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options l2tp-interface-id l2tp-encapsulation
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options dedicated
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" keepalives interval 30
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet6 tcp-mss 1452
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet6 unnumbered-address "$junos-loopback-interface"
set dynamic-profiles dyn-hex-lns-profile protocols router-advertisement interface "$junos-interface-name" other-stateful-configuration
set dynamic-profiles dyn-hex-lns-profile protocols router-advertisement interface "$junos-interface-name" prefix $junos-ipv6-ndra-prefix
set dynamic-profiles dyn-hex-lns-profile class-of-service traffic-control-profiles test scheduler-map normal
set dynamic-profiles dyn-hex-lns-profile class-of-service traffic-control-profiles test shaping-rate 80m
set dynamic-profiles dyn-hex-lns-profile class-of-service interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" output-traffic-control-profile test
set dynamic-profiles dyn-hex-lns-profile class-of-service interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" classifiers dscp sip-voice
set dynamic-profiles dyn-hex-lns-profile class-of-service interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" rewrite-rules dscp steves-test

 

Here is the CoS:

set class-of-service classifiers dscp sip-voice forwarding-class SIP-VOICE loss-priority high code-points 101111
set class-of-service classifiers dscp sip-voice forwarding-class SIP-VOICE loss-priority low code-points af31
set class-of-service classifiers dscp sip-voice forwarding-class SIP-VOICE loss-priority low code-points ef
set class-of-service classifiers inet-precedence sip-voice forwarding-class SIP-VOICE loss-priority low code-points 101
set class-of-service classifiers inet-precedence sip-voice forwarding-class SIP-VOICE loss-priority low code-points 010
set class-of-service drop-profiles low-drop fill-level 95 drop-probability 0
set class-of-service drop-profiles low-drop fill-level 100 drop-probability 100
set class-of-service drop-profiles med-drop fill-level 75 drop-probability 0
set class-of-service drop-profiles med-drop fill-level 95 drop-probability 30
set class-of-service drop-profiles high-drop fill-level 50 drop-probability 0
set class-of-service drop-profiles high-drop fill-level 95 drop-probability 50
set class-of-service forwarding-classes queue 2 SIP-VOICE
set class-of-service interfaces xe-1/1/1 scheduler-map normal
set class-of-service rewrite-rules dscp steves-test forwarding-class SIP-VOICE loss-priority low code-point ef
set class-of-service rewrite-rules ieee-802.1 test-1p forwarding-class SIP-VOICE loss-priority low code-point 010
set class-of-service scheduler-maps normal forwarding-class best-effort scheduler be
set class-of-service scheduler-maps normal forwarding-class expedited-forwarding scheduler ef
set class-of-service scheduler-maps normal forwarding-class SIP-VOICE scheduler sv
set class-of-service scheduler-maps normal forwarding-class network-control scheduler nc
set class-of-service schedulers be transmit-rate percent 65
set class-of-service schedulers be buffer-size percent 65
set class-of-service schedulers be priority medium-low
set class-of-service schedulers be drop-profile-map loss-priority high protocol any drop-profile high-drop
set class-of-service schedulers be drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
set class-of-service schedulers be drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
set class-of-service schedulers be drop-profile-map loss-priority low protocol any drop-profile low-drop
set class-of-service schedulers nc transmit-rate percent 5
set class-of-service schedulers nc buffer-size percent 5
set class-of-service schedulers nc priority medium-high
set class-of-service schedulers nc drop-profile-map loss-priority high protocol any drop-profile high-drop
set class-of-service schedulers nc drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
set class-of-service schedulers nc drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
set class-of-service schedulers nc drop-profile-map loss-priority low protocol any drop-profile low-drop
set class-of-service schedulers ef transmit-rate 5k
set class-of-service schedulers ef transmit-rate exact
set class-of-service schedulers ef buffer-size temporal 1
set class-of-service schedulers ef priority low
set class-of-service schedulers ef drop-profile-map loss-priority high protocol any drop-profile high-drop
set class-of-service schedulers ef drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
set class-of-service schedulers ef drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
set class-of-service schedulers ef drop-profile-map loss-priority low protocol any drop-profile low-drop
set class-of-service schedulers sv transmit-rate percent 30
set class-of-service schedulers sv buffer-size percent 30
set class-of-service schedulers sv priority high
set class-of-service schedulers sv drop-profile-map loss-priority high protocol any drop-profile high-drop
set class-of-service schedulers sv drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
set class-of-service schedulers sv drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
set class-of-service schedulers sv drop-profile-map loss-priority low protocol any drop-profile low-drop

 

Here is the firewall filter:

set firewall filter cos1 interface-specific
set firewall filter cos1 term 1 from dscp 46
set firewall filter cos1 term 1 from dscp 26
set firewall filter cos1 term 1 then count SIP-VOICE
set firewall filter cos1 term 1 then forwarding-class SIP-VOICE
set firewall filter cos1 term 1 then accept
set firewall filter cos1 term 4 from source-address 200.80.16.2/32
set firewall filter cos1 term 4 from source-address 200.80.16.3/32
set firewall filter cos1 term 4 from source-address 200.80.16.4/32
set firewall filter cos1 term 4 from source-address 200.80.16.5/32
set firewall filter cos1 term 4 from source-address 200.80.16.154/32
set firewall filter cos1 term 4 then count ADEN
set firewall filter cos1 term 4 then log
set firewall filter cos1 term 4 then forwarding-class SIP-VOICE
set firewall filter cos1 term 4 then accept
set firewall filter cos1 term 2 then count BEST
set firewall filter cos1 term 2 then forwarding-class best-effort
set firewall filter cos1 term 2 then accept
set firewall filter test-dscp interface-specific
set firewall filter test-dscp term 1 from dscp ef
set firewall filter test-dscp term 1 then count dscp-ef
set firewall filter test-dscp term 1 then accept
set firewall filter test-dscp term 2 then accept

 

And the interface configuration:

set interfaces xe-1/1/1 unit 0 family inet filter input-list cos1
set interfaces xe-1/1/1 unit 0 family inet filter input-list filter-ssh
set interfaces xe-1/1/1 unit 0 family inet filter output filter-ssh-out
set interfaces xe-1/1/1 unit 0 family inet address 200.80.0.45/30
set interfaces xe-1/1/1 unit 0 family iso
set interfaces xe-1/1/1 unit 0 family inet6 address 3c61:e840:1143:ffff:ffff:ffff:0000:0001/126

 

 

 

Anyone know any more troubleshooting I can complete for this issue please?

SRX with ISP with default gateway from different subnet


We have the SRX 320.

Our ISP provides several external static IP addresses from the 95.78.228.208/29 subnet.
ISP routes these addresses from the gateway 95.78.251.254 to the address 95.78.251.27, which also needs to be configured on our side.
The ISP is connected to the interface ge-0/0/0.

I guess that the addresses 95.78.228.208/29 should be configured on some internal virtual interface, but I did not find anything suitable in the documentation.
I tried the configuration where address 95.78.251.27 is configured on the interface ge-0/0/0.0 by using proxy arp.

 

Something like that:

set security zones security-zone untrust-isp-1 interfaces ge-0/0/0.0

set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.209/29 primary
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.210/29
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.211/29
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.212/29
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.213/29
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.214/29

set security nat proxy-arp interface ge-0/0/0.0 address 95.78.251.27/24

set routing-instances isp-1 instance-type virtual-router
set routing-instances isp-1 interface ge-0/0/0.0
set routing-instances isp-1 routing-options static route 95.78.251.27/32 next-hop 95.78.251.254
set routing-instances isp-1 routing-options static route 0.0.0.0/0 next-hop 95.78.251.27 resolve

 

But this configuration didn't work. The list of routes to the 0.0.0.0/0 for the routing-instance isp-1 was empty.

root@orn-gw-01> show route table isp-1.inet.0 0.0.0.0/0 exact

 

Therefore pings to google dns returned a "ping: sendto: No route to host" error.

 

I suspect that I'm doing everything wrong :)

Could you help me configure this the right way?

Block NW Scans / Port Scans on SRX


Hi all,

My topology is as shown in the attachment. I want to have two TCP and two UDP ports open in the security policy for my server farm from the untrust zone. I have blocked all kinds of ICMP, traceroute etc. from untrust to trust. But when I use the NMAP tool and run an intense scan, it uses the same allowed ports and gives complete visibility of all alive servers with the complete traceroute topology. I also have IDP and AppSecure available. Please guide me on how I should configure my firewall to detect such reconnaissance attacks, block the source IP address and log the event to my SIEM solution.

SRX with SkyATP and Security Director


How to change Infected-Hosts score by security director?


CoS on an SRX300 Series


Hi,

 

Is there any documentation anywhere to show the configuration of CoS/QoS on an SRX300/340?

 

Is it possibly as simple as the following:

 

Configure the CoS and assign to an interface (as I have on the MX240s)?

 

Or, does the CoS have to be assigned to a zone? I guess this is where the difference may well be.

 

SRX 5600 with J-Flow version9


Hi,

 

I've had success in setting up J-Flow version9 directed at a single flow-server, but cannot find a way to direct the flows to two flow servers.

 

I have tried creating multiple instances but to no avail.

 

Is there a quirky way to get around this issue?

 

Thanks

VPN Packet dropping issue in juniper 240h


Dear All,

 

We have configured a policy-based VPN on a Juniper 240H with a Cisco ASA, and we are facing a packet drop issue every 10 minutes.

 

Please help us to get rid of it.

Thanks & Regards,

Achyut Sarma

SRX110H2 OS and Firmware difference


Hello,

 

I have a Juniper SRX110H2-VA and have updated the device to JUNOS 12.3X48-D70.3 however I have noticed that the firmware on the VDSL PIC has not updated and is still reporting it is on version 2.10.0 with no newer version available to upgrade to.

 

My research has led me to believe that there is a version 2.16.0 and possibly even 2.19.0 or newer; however, these do not seem to come packaged with the JUNOS update.

 

Please may someone provide access to the firmware to update the VDSL PIC.

Screen OS UDP flooding Threshhold on SRX


Hi everyone,

 

Does the "destination" below refer only to a unicast IP, or can it be a multicast address?

For example, if the SRX sees 1500 UDP packets destined to a group, say 238.1.1.1, and the SRX has listeners for that group 238.1.1.1 in a zone A, will this threshold limit apply?

 

Thanks and have a nice weekend!

 

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB4821

 

SUMMARY:

This article explains what a UDP flood attack is and how ScreenOS can be enabled to protect against it.

All products running ScreenOS are affected.

SYMPTOMS:

What is a UDP flood attack? How can users protect against it? How is UDP flood protection enabled?

CAUSE:

User Datagram Protocol (UDP) flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the victim to the point that it can no longer handle valid connections.

SOLUTION:

User Datagram Protocol (UDP) flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the victim to the point that it can no longer handle valid connections. By enabling UDP flood protection, the user can set a threshold that, once exceeded, invokes the UDP flood attack protection feature. The default threshold value is 1000 packets per second. If the number of UDP datagrams from one or more sources to a single destination exceeds this threshold, the security device ignores further UDP datagrams to that destination for the remainder of that second plus the next second as well.
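The threshold rule the KB describes, as an added Python model (not Juniper code, and not from the post or the KB): datagrams are counted per destination per one-second window; once the count exceeds the threshold, the rest of that second and the whole of the next second are dropped for that destination. The model keys purely on whatever destination string it is given, so it does not settle the post's question of whether the SRX treats a multicast group the same way as a unicast host; that is an assumption left open. The packet stream is constructed for the example and the log text is modelled, not the real screen message.

```python
"""ScreenOS-style UDP flood threshold, modelled from the KB4821 description.

Added example, not from the KB or the post. Rule modelled: count UDP datagrams
per destination per one-second window; once the count in a window exceeds the
threshold, drop the remainder of that second plus the whole of the next second
for that destination. Keying on the destination string as given (including a
multicast group) is an assumption of this model, not a statement about the SRX.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

DEFAULT_THRESHOLD = 1000  # packets per second, the KB's default


class UdpFloodGuard:
    def __init__(self, threshold: int = DEFAULT_THRESHOLD):
        self.threshold = threshold
        self.counts: Dict[Tuple[str, int], int] = defaultdict(int)  # (dst, second) -> seen
        self.blocked_until: Dict[str, int] = {}   # dst -> last blocked second (inclusive)
        self.events: List[str] = []               # modelled log records, not real screen syslog

    def admit(self, ts: float, dst: str) -> bool:
        """Return True if the datagram is forwarded, False if the screen drops it."""
        sec = int(ts)
        if self.blocked_until.get(dst, -1) >= sec:
            return False
        self.counts[(dst, sec)] += 1
        if self.counts[(dst, sec)] > self.threshold:
            # Ignore the remainder of this second plus the next one for this destination.
            self.blocked_until[dst] = sec + 1
            self.events.append(
                f"udp-flood dst={dst} second={sec} count={self.counts[(dst, sec)]}")
            return False
        return True


def run(packets: Iterable[Tuple[float, str]], threshold: int = DEFAULT_THRESHOLD):
    """packets: (timestamp, destination) pairs in time order.
    Returns (forwarded per dst, dropped per dst, events)."""
    guard = UdpFloodGuard(threshold)
    forwarded: Dict[str, int] = defaultdict(int)
    dropped: Dict[str, int] = defaultdict(int)
    for ts, dst in packets:
        if guard.admit(ts, dst):
            forwarded[dst] += 1
        else:
            dropped[dst] += 1
    return dict(forwarded), dict(dropped), guard.events


def constructed_stream() -> List[Tuple[float, str]]:
    """Constructed sample (not captured traffic): 1500 datagrams to a multicast
    group in second 10, 50 more in second 11, 20 in second 12, plus a trickle
    of 10 datagrams to a unicast host during second 10."""
    pkts = [(10 + i / 1500, "238.1.1.1") for i in range(1500)]
    pkts += [(11 + i / 50, "238.1.1.1") for i in range(50)]
    pkts += [(12 + i / 20, "238.1.1.1") for i in range(20)]
    pkts += [(10 + i / 10, "10.0.0.5") for i in range(10)]
    return sorted(pkts)


if __name__ == "__main__":
    fwd, drp, ev = run(constructed_stream())
    print("forwarded:", fwd)
    print("dropped:", drp)
    print("events:", ev)
```

With the default threshold, the 1500-packet burst in second 10 gets its first 1000 datagrams through and loses the remaining 500, the 50 datagrams in second 11 are all dropped because the block extends through the next second, and second 12 starts clean. The unicast trickle is unaffected because the counter is per destination.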
