Channel: SRX Services Gateway topics

Simple pppoe + vlan setup issue


Hi,

I'm trying to set up a simple PPPoE + VLAN install and it's not working. The PPPoE appears to go up/down and it's not getting any IP. I have searched the forum and pretty much tried all proposed solutions but it's not working. I'm guessing at this point it's something very obvious and I'm not seeing it.

Any help appreciated.

Thanks

root@srx210> show pppoe interfaces
pp0.0 Index 71
State: Session up, Session ID: 5661,
Service name: None,
Session AC name: STESPQ3502W, Configured AC name: None,
Remote MAC address: <removed from posting> ,
Session uptime: 00:00:20 ago,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: ge-0/0/0.0 Index 70
Ignore End-of-List tag: Disable

Then a minute later:

root@srx210> show pppoe interfaces
pp0.0 Index 71
State: Down, Session ID: None,
Service name: None,
Session AC name: None, Configured AC name: None,
Remote MAC address: 00:00:00:00:00:00,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: ge-0/0/0.0 Index 70
Ignore End-of-List tag: Disable

Snippet of config (see attached for the full one):

interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 35;
        }
    }
    pp0 {
        unit 0 {
            apply-macro pppoe;
            ppp-options {
                pap {
                    local-name <hidden>;
                    local-password "password"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                auto-reconnect 10;
                client;
                idle-timeout 0;
            }
            family inet {
                negotiate-address;
            }
        }
    }
}

[GroupVPN] error: the gksd instance gksd is not running


Dear members,

I have tested GroupVPN with vSRX version 17.3R1.10. But after that, I logged in to the KS/GC, checked "show security group-vpn server ipsec security-associations" and saw the notification as below:

error: the gksd instance gksd is not running

Please help me solve this issue.

Thanks,

VLAN tagging/trunk, L2 required???

I have a wireless AP that I'm trying to tag and trunk. I'm in a pure L3 setup for the SRX. The AP is an Asus RT-AC68U with dd-wrt on it. I have tried trunking/tagging it with these two configs.

ge-0/0/14 {
    flexible-vlan-tagging;
    encapsulation vlan-vpls;
    unit 0 {
        arp-resp;
        vlan-id 0;
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
    unit 1 {
        arp-resp;
        vlan-id 1;
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
    unit 2 {
        arp-resp;
        vlan-id 2;
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
}

This first config passes the traffic but of course vlan2 has no communication. My setup consists of vlan-trust and an unsuccessful use of vlan2. In the first config the vlan2 traffic passes but won't communicate with vlan2 on the SRX. The internet connects on this config. Vlan-trust does its job for all three VLANs on the AP: VLAN 0, 1 and 2.

The next config doesn't work at all.

ge-0/0/15 {
    unit 0 {
        arp-resp;
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ vlan-trust vlan2 ];
            }
        }
    }
}

It gets no communication. I know that the Asus AP will trunk and tag properly because I have tried it on an Avaya ERS switch. On that switch/stack it is vlan1 and vlan2. On the SRX it is vlan-trust, which is made up of vlan default and vlan.0, which are vlan0 and vlan1 tagged as vlan-id 3. The ERS stack is in router mode, which makes it L3.

Do I still need to do something else?

How can I simulate the use of vlan1 and vlan2 properly? The SRX doesn't want to talk. I know that vlan2 on the SRX will go into the up position.

Wildcard DNS entry in security policies


Hello,

We have a requirement to bypass the proxy for certain wildcard URLs, e.g. "*.outlook.office.com", which is fine, but we have an issue allowing this traffic through our SRX firewall when we don't have all the specific IP addresses to define as the destination address.

I have read that the SRX does not support wildcard DNS address book entries for use within a security policy.

I am looking for advice on what others have done in order to work around this, or the alternative solutions you had to put in place.

Many Thanks!

content filter/routing


Looking for some guidance.

Currently in my organization we have 2 SRX 650s running version 12.x code. We have 2 internet providers coming into the office and the SRXs are set up in a redundant HA pair. We have roughly 8 VLANs set up. Lately we have been having issues with internet capacity. My management would like us to take the 2 internet connections and be able to route certain traffic (YouTube, Google Drive) over 1 link and everything else (VPN to AWS) over the other link. Right now we are doing BGP peering to both providers (this was set up prior to me) and OSPF is configured as well. The OSPF and BGP were set up for the previous L2L tunnel that we had connected to our physical datacenters, which are now offline.

My question is how would I go about doing this? I have 2 spare SRX 650 firewalls from a remote office that I can use. Can I go about using this link to set up the content routing? https://www.juniper.net/documentation/en_US/junos/topics/topic-map/ospf-traffic-control.html

I was thinking that I could move the active/passive config to an active/active setup. This way we still have some redundancy.

I am not familiar with setting up OSPF or BGP and I have more of a Cisco background, but have been learning the SRXs. So any and all help is greatly appreciated.

If you need more information please let me know.

No Internet on SRX. Cannot ping from VRs


Hi There,

I have a problem where I cannot ping any external IPs or DNS names from my operational prompt. When I do a "ping 8.8.8.8 routing-instance <instance-name>" it also does not work. I have configured name-servers on my SRX. I have multiple routing instances and I have added routing options also. I am also importing my internet breakout VR into my other VRs. I have also set up my junos-host security zone and a security policy for that. When I ping, there are no return packets, and when I do a traceroute, it does not even hit the gateway. I have also created a source NAT.

Any help will be highly appreciated!

How can I prioritize traffic coming from ISP on SRX


Hi,

Is there any way to prioritize traffic coming from the ISP? For example, start to drop packets from an HTTP transfer (download) but keep UDP VoIP packets when we reach the upper limit of the contracted bandwidth from the ISP.

Thank you,

SRX 240 HA cluster lost its secondary unit


Hi,

We have an SRX 240 HA cluster and the secondary unit seems to be lost. We can't connect to it via SSH, only on its console port.

"show chassis cluster status" says it's lost.

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 9
node0  200      primary        no      no       None
node1  0        lost           n/a     n/a      n/a

Redundancy group: 1 , Failover count: 1
node0  0        primary        no      no       CS
node1  0        lost           n/a     n/a      n/a

Redundancy group: 2 , Failover count: 1
node0  0        primary        no      no       CS
node1  0        lost           n/a     n/a      n/a

Redundancy group: 3 , Failover count: 1
node0  0        primary        no      no       CS
node1  0        lost           n/a     n/a      n/a

Redundancy group: 4 , Failover count: 3
node0  0        primary        no      no       CS
node1  0        lost           n/a     n/a      n/a

When we console on to the secondary device we see that it can't even see its own interfaces:

show interfaces terse
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.x.y/29
fxp1                    up    up
fxp1.0                  up    up   inet     130.16.0.1/2
                                   tnp      0x2100001
fxp2                    up    up
fxp2.0                  up    up   tnp      0x2100001
gre                     up    up
ipip                    up    up
lo0                     up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
tap                     up    up

The primary device can see its own interfaces, but not the secondary's. The control link seems to be working but the fabric links are not.

show chassis cluster control-plane statistics
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 5184071
        Heartbeat packets received: 4956136
        Heartbeat packet errors: 0
Fabric link statistics:
    Child link 0
        Probes sent: 883891
        Probes received: 0
    Child link 1
        Probes sent: 530051
        Probes received: 0

We've checked the cabling a few times, everything is okay, nobody touched it since last year when it was installed.

The software image is the same on both devices.

Model: srx240h2
JUNOS Software Release [12.3X48-D45.6]

When we disabled clustering on the secondary device, after the reboot the device could see its interfaces.

We thought the problem was with the secondary unit, so we replaced it with another 240. After enabling clustering on it and loading the config onto it, the problem still occurs.

Also, when we are on the secondary, we can see error messages:

mgmtfw01-b mgmtfw01-b CMLC: Chassis Manager terminated

Message from syslogd@mgmtfw01-b at Dec 10 12:25:09  ...
mgmtfw01-b mgmtfw01-b CMLC: Chassis Manager terminated

Has anyone seen this kind of behavior?

Config of the cluster:

set groups node0 system host-name mgmtfw01-a
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.
set groups node1 system host-name mgmtfw01-b
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.
set apply-groups "${node}"
set chassis cluster control-link-recovery
set chassis cluster reth-count 10
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/14 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/15 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/15 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/14 weight 128
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/13 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-5/0/13 weight 255
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 3 node 0 priority 200
set chassis cluster redundancy-group 3 node 1 priority 100
set chassis cluster redundancy-group 3 interface-monitor ge-0/0/11 weight 128
set chassis cluster redundancy-group 3 interface-monitor ge-0/0/12 weight 128
set chassis cluster redundancy-group 3 interface-monitor ge-5/0/11 weight 128
set chassis cluster redundancy-group 3 interface-monitor ge-5/0/12 weight 128
set chassis cluster redundancy-group 4 node 0 priority 200
set chassis cluster redundancy-group 4 node 1 priority 100
set chassis cluster redundancy-group 4 interface-monitor ge-0/0/10 weight 255
set chassis cluster redundancy-group 4 interface-monitor ge-5/0/10 weight 255
set interfaces ge-0/0/10 gigether-options redundant-parent reth4
set interfaces ge-0/0/11 gigether-options redundant-parent reth3
set interfaces ge-0/0/12 gigether-options redundant-parent reth3
set interfaces ge-0/0/13 gigether-options redundant-parent reth2
set interfaces ge-0/0/14 gigether-options redundant-parent reth1
set interfaces ge-0/0/15 gigether-options redundant-parent reth1
set interfaces ge-5/0/10 gigether-options redundant-parent reth4
set interfaces ge-5/0/11 gigether-options redundant-parent reth3
set interfaces ge-5/0/12 gigether-options redundant-parent reth3
set interfaces ge-5/0/13 gigether-options redundant-parent reth2
set interfaces ge-5/0/14 gigether-options redundant-parent reth1
set interfaces ge-5/0/15 gigether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/3
set interfaces reth1 vlan-tagging
set interfaces reth1 gratuitous-arp-reply
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth2 gratuitous-arp-reply
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth2 unit 0 description 
set interfaces reth2 unit 0 family inet address 
set interfaces reth3 gratuitous-arp-reply
set interfaces reth3 redundant-ether-options redundancy-group 3
set interfaces reth3 redundant-ether-options minimum-links 1
set interfaces reth3 redundant-ether-options lacp active
set interfaces reth3 redundant-ether-options lacp periodic slow
set interfaces reth3 unit 0 description ****
set interfaces reth3 unit 0 family inet address 
set interfaces reth4 vlan-tagging
set interfaces reth4 gratuitous-arp-reply
set interfaces reth4 redundant-ether-options redundancy-group 4

Thanks!
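
A health check over the two outputs quoted in this post, as an added example that is not part of the original post or of Junos itself: it parses the text of "show chassis cluster status" and "show chassis cluster control-plane statistics" and reports nodes in the lost state, non-empty monitor-failure codes, and fabric child links that send probes but receive none. The command names and the output layout are taken from the post; the two embedded samples are constructed to mirror that layout, and the finding texts, the "sent > 0 and received == 0" rule and the function names are my own assumptions. It is intended to be fed the saved output of those two commands (for example from a periodic collection job), so that the "lost" and "no fabric probes received" conditions shown here are noticed before someone has to look at the console.

```python
"""Health check over Junos chassis-cluster CLI output (added example, not from the post).

Parses the text of "show chassis cluster status" and
"show chassis cluster control-plane statistics" and reports nodes in the
"lost" state, non-empty monitor-failure codes, and fabric child links that
send probes but never receive any. The two sample outputs are constructed
to mirror the shapes quoted in the post.
"""
import re

# Constructed sample in the shape of "show chassis cluster status".
CLUSTER_STATUS = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 9
node0  200      primary        no      no       None
node1  0        lost           n/a     n/a      n/a

Redundancy group: 1 , Failover count: 1
node0  0        primary        no      no       CS
node1  0        lost           n/a     n/a      n/a
"""

# Constructed sample in the shape of "show chassis cluster control-plane statistics".
CONTROL_PLANE_STATS = """\
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 5184071
        Heartbeat packets received: 4956136
        Heartbeat packet errors: 0
Fabric link statistics:
    Child link 0
        Probes sent: 883891
        Probes received: 0
    Child link 1
        Probes sent: 530051
        Probes received: 0
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
CHILD_RE = re.compile(r"^\s*Child link (\d+)")
PROBE_RE = re.compile(r"^\s*Probes (sent|received):\s*(\d+)")


def parse_cluster_status(text):
    """Return {rg_id: {"failover_count": int, "nodes": {node: fields}}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {"failover_count": int(m.group(2)), "nodes": {}}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            node, prio, status, preempt, manual, failures = m.groups()
            groups[current]["nodes"][node] = {
                "priority": int(prio), "status": status, "preempt": preempt,
                "manual": manual, "monitor_failures": failures,
            }
    return groups


def parse_fabric_stats(text):
    """Return {child_link_id: {"sent": int, "received": int}} from the fabric section."""
    links, current, in_fabric = {}, None, False
    for line in text.splitlines():
        if line.startswith("Fabric link statistics"):
            in_fabric = True
            continue
        if not in_fabric:
            continue  # skip the control-link section
        m = CHILD_RE.match(line)
        if m:
            current = int(m.group(1))
            links[current] = {"sent": 0, "received": 0}
            continue
        m = PROBE_RE.match(line)
        if m and current is not None:
            links[current][m.group(1)] = int(m.group(2))
    return links


def cluster_findings(status_text, stats_text):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    for rg, info in parse_cluster_status(status_text).items():
        for node, n in info["nodes"].items():
            if n["status"] == "lost":
                findings.append(f"RG{rg}: {node} is lost")
            elif n["monitor_failures"] not in ("None", "n/a"):
                findings.append(f"RG{rg}: {node} monitor failure {n['monitor_failures']}")
    for child, p in parse_fabric_stats(stats_text).items():
        if p["sent"] > 0 and p["received"] == 0:
            findings.append(
                f"fabric child link {child}: {p['sent']} probes sent, none received")
    return sorted(findings)


if __name__ == "__main__":
    for finding in cluster_findings(CLUSTER_STATUS, CONTROL_PLANE_STATS):
        print(finding)
```

Run as a script it prints one line per finding; on the samples above that is the two lost node1 entries, the CS monitor-failure code on node0 in RG1, and both fabric child links with probes sent but none received, which matches what the post describes.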

Packets to even numbered IP addresses vanish inside SRX 550


Scenario:

- upstream QFX pair, connected to SRX HA pair, 4 ports crossed over for mesh redundancy (reth on SRX to ae on QFX)
- reth has LACP active

Problem:

- ping from QFX to host behind SRX only works for odd-numbered IP addresses

Using capture files, I can see:

- ICMP ECHO-REQUEST arrive on reth from QFX (both odd- and even-numbered IPs)
- ICMP ECHO-REQUEST sent out physical (for odd-numbered IPs)
- ICMP ECHO-REPLY arrive on the other side reth (for odd-numbered IPs)
- ICMP ECHO-REPLY sent out physical to QFX (for odd-numbered IPs)

Even-numbered IP packets disappear.

LACP output:

    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/6       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/6     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
      ge-0/0/7       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/7     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
      ge-9/0/6       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-9/0/6     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
      ge-9/0/7       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-9/0/7     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/6                  Current   Fast periodic Collecting distributing
      ge-0/0/7                  Current   Fast periodic Collecting distributing
      ge-9/0/6                  Current   Fast periodic Collecting distributing
      ge-9/0/7                  Current   Fast periodic Collecting distributing

Interfaces are all up:

show interfaces terse | match reth6
ge-0/0/6.0              up    up   aenet    --> reth6.0
ge-0/0/7.0              up    up   aenet    --> reth6.0
ge-9/0/6.0              up    up   aenet    --> reth6.0
ge-9/0/7.0              up    up   aenet    --> reth6.0
reth6                   up    up
reth6.0                 up    up   inet     1.2.3.4/29

The reth looks like this:

show interfaces reth6
Physical interface: reth6  , Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 573
  Link-level type: Ethernet, MTU: 1514, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
  Minimum bandwidth needed: 1bps
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Current address: 00:10:db:ED:IT:ED, Hardware address: 00:10:db:ED:IT:ED
  Last flapped   : 2018-12-10 17:08:10 EST (07:07:20 ago)
  Input rate     : 3936 bps (0 pps)
  Output rate    : 272 bps (0 pps)

  Logical interface reth6.0 (Index 95) (SNMP ifIndex 574)
    Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :        135576          0      16490480         3936
        Output:         58629          0       4452718          272
    Adaptive Statistics:
        Adaptive Adjusts:          0
        Adaptive Scans  :          0
        Adaptive Updates:          0
    Security: Zone: UNTRUSTED
    Allowed host-inbound traffic : ping ssh
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary

What it feels like is the Juniper is discarding the packets because it doesn't like which interface they arrived on.

reth6 is configured:

show configuration interfaces reth6
redundant-ether-options {
    redundancy-group 6;
    lacp {
        active;
    }
}
unit 0 {
    family inet {
        filter {
            input ICMP-CAPTURE;
            output ICMP-CAPTURE;
        }
        address 1.2.3.4/29;
    }
}

show configuration interfaces ge-0/0/6
gigether-options {
    redundant-parent reth6;
}
...

which I imagine to be pretty normal, and the ge interfaces are all the same.

I feel like I'm missing something obvious but I don't quite know what.

SRX 1500 and EX 2300 virtual chassis and EtherChannel


Dear all,

I have some design confusion about virtual chassis and EtherChannel.

Please see the below diagram and help me. According to https://kb.juniper.net/InfoCenter/index?page=content&id=KB22474

  1. Juniper recommends Design one, correct?
  2. Let me know whether my cable connectivity is correct or not.
  3. Let me know whether weight monitoring needs to be configured on all interfaces ge-0/0/0, ge-0/0/1, ge-7/0/0, ge-7/0/1?

    Eg:

    (set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-7/0/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-7/0/1 weight 255)

  4. If I didn't add interface monitoring, what is the disadvantage?
  5. May I know the pros and cons of lacp periodic slow or fast?
  6. Can Juniper EtherChannel support a fail-over link? I mean I don't want traffic load balancing; I want to use 1 cable of the EX2300 as primary and the second link as backup. Does Juniper support this?
  7. If we didn't use EtherChannel, can I use trunk only?

Correct options and config for adding public routable block to existing deployment?


Hello, I am able to reach the public routable IP if assigned to the WAN interface, and a public routable IP from a different subnet depending on the configuration. I am stuck on traffic not reaching the internet or gateway from a device with an IP on the public routable block.

/30 link to ISP, /27 customer routed block

srx -- xe-0/0/17 - WAN 192.168.1.2/30 - has existing IPsec tunnels on the link IP
srx -- xe-0/0/0 - existing private LAN 10.1.0.0/16
srx -- ge-0/0/1 - first available IP in the customer routed block, e.g. 193.168.1.1, with 192.168.1.2 on the device directly connected.

What may I be missing?

Using routing instances


I have an SRX240 which is connected to two ISPs on Eth0/0 (Auntrust) and Eth15/0 (Buntrust) with their separate zones. There are two local LAN subnets (192.168.222.0/24 (Atrust) & 192.168.70.0/24 (Btrust)). Now I want traffic to exit from its respective untrust interface.

Config is like:

set interfaces vlan unit 0 family inet address 192.168.222.1/24
set interfaces vlan unit 1 family inet address 192.168.70.1/24


set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 0.0.0.0/0 qualified-next-hop x.x.x.x preference 7
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 active

set vlans A-trust description "A's Trust LAN"
set vlans A-trust vlan-id 3
set vlans A-trust l3-interface vlan.0


set vlans B_trust description "B's Trust Lan"
set vlans B_trust vlan-id 4
set vlans B_trust interface ge-0/0/11.0
set vlans B_trust interface ge-0/0/12.0
set vlans B_trust interface ge-0/0/13.0
set vlans B_trust interface ge-0/0/14.0
set vlans B_trust l3-interface vlan.1

set routing-instances A-vr instance-type virtual-router
set routing-instances A-vr interface pp0.0

set routing-instances B-vr instance-type virtual-router
set routing-instances B-vr interface ge-0/0/15.0

Can anyone suggest how I can fix this issue?

SRX320 Source route with DHCP enabled (Issue)


Hi All,

Previously, one of our branch offices was deployed with source routing with DHCP, and the DHCP subnet exits on ISP2.

Right now, I'm doing the same thing on another site but facing some issues.

ISP1  <>  ge-0/0/2    FW  <>  irb0       192.168.0.0/20
ISP2  <>  ge-0/0/5        <>  ge-0/0/4   172.16.24.128/25

After deploying the whole setting, our engineer can get an IP from the firewall DHCP server (172.16.24.254).

However, this PC cannot ping/traceroute to 8.8.8.8 (Issue 1a, 1b).

I compared the configuration with the deployed site and all settings are the same.

Could someone help to have a look?

Many Thanks,

Kay

Attachments: Issue 1a.jpeg, Issue 1b.jpeg

S and D NAT with Policy Based VPN


Hello,

We have a policy-based VPN between two of our locations and I can't get them to talk. The issue is that they share the same subnet and I had to do S and D NAT. The IKE comes up but IPsec shows 0 tunnels. I know that if I switch to a route-based VPN my problem will go away, but management insists it be policy-based (don't ask why, I don't understand myself). Configuration is below.

DC-Site

proposal LAS-IKE-Preposal {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
policy LAS-IKE-Policy {
    mode main;                          
    proposals LAS-IKE-Preposal;
    pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
}
gateway LAS-IKE-GATEWAY {
    ike-policy LAS-IKE-Policy;
    address X.X.X.X;
    dead-peer-detection optimized;
    external-interface reth0.0;
}


proposal LAS-IPSEC-Proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-kilobytes 1048576;
}
policy LAS-IPSEC-Policy {
    proposals LAS-IPSEC-Proposal;
}
vpn LAS-IPSEC-VPN {
    ike {
        gateway LAS-IKE-GATEWAY;
        proxy-identity {
            local X.X.210.0/24;
            remote X.X.200.0/24;
        }
        ipsec-policy LAS-IPSEC-Policy;
    }
    establish-tunnels immediately;      
}


from-zone untrust to-zone trust {
    policy LAS-2-DC-VPN {
        match {
            source-address LAS-NAT-X.X.200.0;
            destination-address DC-LOCAL-X.X.110.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn LAS-IPSEC-VPN;
                    pair-policy DC-2-LAS-VPN;
                }
            }
        }
    }
}
from-zone trust to-zone untrust {
    policy DC-2-LAS-VPN {
        match {
            source-address DC-LOCAL-X.X.110.0;
            destination-address LAS-NAT-X.X.200.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn LAS-IPSEC-VPN;
                    pair-policy LAS-2-DC-VPN;
                }
            }
        }
    }
}

source {
    pool DC-LOCAL-2-NAT {
        address {
            X.X.210.0/24;
        }
    }
    address-persistent;
    rule-set NAT-LOCAL {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address-name DC-LOCAL-X.X.110.0;
                destination-address-name LAS-NAT-X.X.200.0;
            }
            then {
                source-nat {
                    pool {
                        DC-LOCAL-2-NAT;
                    }
                }
            }
        }
    }
}
destination {
    pool DC-NAT-2-LOCAL {
        address X.X.110.0/24;
    }
    rule-set NAT-BACK-2-LOCAL {
        from zone untrust;
        rule 1 {
            match {
                source-address-name LAS-NAT-X.X.200.0;
                destination-address X.X.210.0/24;
                application any;
            }
            then {
                destination-nat {
                    pool {
                        DC-NAT-2-LOCAL;
                    }
                }
            }
        }
    }
}

LAS-Site

proposal DC-IKE-Preposal {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
policy DC-IKE-Policy {
    mode main;
    proposals DC-IKE-Preposal;
    pre-shared-key ascii-text "XXXXXXX"; ## SECRET-DATA
}
gateway DC-IKE-GATEWAY {
    ike-policy DC-IKE-Policy;
    address X.X.X.105;
    dead-peer-detection optimized;
    external-interface ge-0/0/0;
}

proposal DC-IPSEC-Proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-kilobytes 1048576;
}
policy DC-IPSEC-Policy {
    proposal-set standard;
}
vpn DC-IPSEC-VPN {
    ike {
        gateway DC-IKE-GATEWAY;
        proxy-identity {
            local X.X.200.0/24;
            remote X.X.210.0/24;
        }
        ipsec-policy DC-IPSEC-Policy;
    }
    establish-tunnels immediately;
}

from-zone trust to-zone untrust {
    policy LAS-2-DC-VPN {
        match {
            source-address LAS-LOCAL-X.X.110.0;
            destination-address DC-NAT-X.X.210.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DC-IPSEC-VPN;
                    pair-policy DC-2-LAS-VPN;
                }
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy DC-2-LAS-VPN {
        match {
            source-address DC-NAT-X.X.210.0;
            destination-address LAS-LOCAL-X.X.110.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DC-IPSEC-VPN;
                    pair-policy LAS-2-DC-VPN;
                }
            }
        }
    }
}


source {
    pool LAS-LOCAL-2-NAT {
        address {
            X.X.200.0/24;
        }
    }
    address-persistent;
    rule-set NAT-LOCAL {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address-name LAS-LOCAL-X.X.110.0;
                destination-address-name DC-NAT-X.X.210.0;
            }
            then {
                source-nat {
                    pool {
                        LAS-LOCAL-2-NAT;
                    }
                }
            }
        }
    }
}
destination {
    pool LAS-NAT-2-LOCAL {
        address X.X.110.0/24;
    }
    rule-set NAT-BACK-2-LOCAL {
        from zone untrust;
        rule 1 {
            match {
                source-address-name DC-NAT-X.X.210.0;
                destination-address X.X.200.0/24;
                application any;
            }
            then {
                destination-nat {
                    pool {
                        LAS-NAT-2-LOCAL;
                    }
                }
            }
        }
    }
}

Verification:

show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2655583 UP     109b52008c9929c2  7f69bc9e87cd1395  Main           X.X.X.105

Session ID: 65215, Policy name: LAS-2-DC-VPN/6, Timeout: 60, Valid
  In: X.X.110.100/27083 --> X.X.210.1/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60, 
  Out: X.X.210.1/1 --> X.X.200.100/9473;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0, 
Total sessions: 12

show security ipsec sa 
  Total active tunnels: 0

Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 12      trust            untrust           LAS-2-DC-VPN   27089

Any help is greatly appreciated!

Juniper Route-based VPN to Cisco Policy-based VPN


Hi All,

Quick question: has anyone successfully set up a reliable VPN between a Juniper SRX using IKEv2 (route-based, as only that is supported) and a Cisco running an IKEv2 policy-based VPN? Any issues to expect with this?

Thanks in Advance...


Does junos-srxsme-12.3X48-D75.4 support SRX210?


junos-srxsme-12.3X48-D75.4 supports SRX220, does it also support SRX210?

How to reboot SRX 100 from ALT partition?

Hi Everyone,

I am familiarizing myself with the snapshot feature on my lab SRX 100.

Below I have created a snapshot:

root@AFTER-SNAPSHOT> show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s1a
Backup Partition: da0s2a <----------------------BACK UP
Currently booted from: active (da0s1a)

Partitions information:
Partition Size Mountpoint
s1a 292M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 27M recovery
s4e 2.7M

I want to boot the SRX from the backup partition shown, da0s2.

Below I did that (there is no option to specify da0s2):

root@AFTER-SNAPSHOT> request system reboot media internal
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 1472]

root@AFTER-SNAPSHOT> show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s1a
Backup Partition: da0s2a
Currently booted from: active (da0s1a)-----------> Still booted from da0s1a not da0s2a as intended

Partitions information:
Partition Size Mountpoint
s1a 292M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 27M recovery
s4e 2.7M

What am I missing?

Thanks and have a nice weekend!!

SRX in Transparent Mode and VLAN-Rewrite with LACP with Cisco Switch VSS


Hi,

We are trying to set up an SRX cluster in transparent mode with the VLAN rewrite feature and LACP. Our setup is as follows:

Juniper SRX-1 (xe-0/0/16) ----> Cisco Switch (VSS) (Te-1/5/15)
Juniper SRX-1 (xe-0/0/17) ----> Cisco Switch (VSS) (Te-1/5/16)

Juniper SRX-2 (xe-0/0/16) ----> Cisco Switch (VSS) (Te-2/5/15)
Juniper SRX-2 (xe-0/0/16) ----> Cisco Switch (VSS) (Te-2/5/16)

With a simple single interface I am able to perform VLAN rewrite as per our basic requirement. But due to a limitation, currently we have one link for in and one link for out on each firewall. In the near future we will add one more link for in and out for redundancy.

I am trying to configure LACP from now so that in future we just need to add the new interfaces to the respective reth interface in the SRX and the Port-Channel in Cisco. But LACP is not coming up; kindly suggest any recommended Cisco or Juniper configuration changes.

Kindly find below the interface configuration of the SRX and Cisco.

SRX
====
interfaces {
    xe-0/0/16 {
        ether-options {
            redundant-parent reth1;
        }
    }
    xe-0/0/17 {
        ether-options {
            redundant-parent reth2;
        }
    }
    xe-7/0/16 {
        ether-options {
            redundant-parent reth1;
        }
    }
    xe-7/0/17 {
        ether-options {
            redundant-parent reth2;
        }
    }
    
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
            minimum-links 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members VLAN-34;
                }
                vlan-rewrite {
                    translate 134 34;
                }
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
            minimum-links 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members VLAN-34;
                }
            }
        }
    }
}
 
 
Cisco 
====
interface TenGigabitEthernet1/5/15
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 134
 channel-protocol lacp
 channel-group 134 mode active
end
!
interface TenGigabitEthernet1/5/16
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 34
 channel-protocol lacp
 channel-group 34 mode active
end
!
interface TenGigabitEthernet2/5/15
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 134
 channel-protocol lacp
 channel-group 234 mode active
end
!
interface TenGigabitEthernet2/5/16
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 34
 channel-protocol lacp
 channel-group 334 mode active
end
!
interface Port-channel34
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 34
 lacp fast-switchover
!
interface Port-channel134
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 134
 lacp fast-switchover
 
!
interface Port-channel234
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 134
 lacp fast-switchover  
!
interface Port-channel334
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 34
 lacp fast-switchover  
!
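When an aggregate stays down, the quickest way to see which side is not agreeing is to look at the LACPDUs themselves: each one carries the sender's own (actor) system ID, key and state bits, plus the sender's view of its partner. The decoder below is an added example, not code from the original post or from Juniper or Cisco; it follows the IEEE 802.1AX LACPDU layout (ethertype 0x8809, subtype 1, two 20-byte actor/partner TLVs) and the two frames it parses are constructed, with made-up MAC addresses and keys. The `diagnose` codes are this example's own labels for the state-bit combinations that keep a link out of a bundle, such as a port that has never received a PDU from the peer (Defaulted set) or a port whose partner is not in sync.

```python
"""Decode LACPDUs captured on a link whose aggregate will not come up, and
summarise the actor/partner state bits.  Added example with constructed
frames; not captured from the poster's SRX or Cisco VSS."""

import struct
from dataclasses import dataclass

LACP_ETHERTYPE = b"\x88\x09"
SLOW_PROTO_MAC = bytes.fromhex("0180c2000002")
# Bit positions of the LACP state octet (bit 0 = least significant).
STATE_BITS = ["activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired"]
INFO_FMT = "!H6sHHHB3x"  # sys priority, sys MAC, key, port priority, port, state, reserved


@dataclass(frozen=True)
class LacpInfo:
    system_priority: int
    system_id: str          # "aa:bb:cc:dd:ee:ff"
    key: int
    port_priority: int
    port: int
    state: int

    def flags(self):
        return {name: bool((self.state >> i) & 1) for i, name in enumerate(STATE_BITS)}


def _parse_info(tlv, expected_type):
    if tlv[0] != expected_type or tlv[1] != 20:
        raise ValueError("unexpected TLV type/length %d/%d" % (tlv[0], tlv[1]))
    prio, mac, key, pprio, port, state = struct.unpack(INFO_FMT, tlv[2:20])
    return LacpInfo(prio, mac.hex(":"), key, pprio, port, state)


def parse_lacpdu(frame):
    """Return (actor, partner) from a raw Ethernet frame or a bare LACPDU."""
    payload = frame[14:] if frame[12:14] == LACP_ETHERTYPE else frame
    if len(payload) < 42 or payload[0] != 1 or payload[1] != 1:
        raise ValueError("not an LACP version 1 PDU")
    return _parse_info(payload[2:22], 1), _parse_info(payload[22:42], 2)


def diagnose(actor, partner):
    """Short codes (this example's own) for conditions that keep a link
    out of the aggregate, derived from the sender's state octets."""
    a, p = actor.flags(), partner.flags()
    codes = []
    if a["defaulted"]:
        codes.append("no-lacpdu-received")   # sender is using default partner info
    if a["expired"]:
        codes.append("partner-info-expired")
    if not a["activity"] and not p["activity"]:
        codes.append("both-passive")         # nobody sends periodic PDUs
    if not a["aggregation"]:
        codes.append("link-individual")
    if not a["synchronization"]:
        codes.append("actor-out-of-sync")
    if not p["synchronization"]:
        codes.append("partner-out-of-sync")
    return codes


def build_lacpdu(src_mac, actor, partner):
    """Constructed LACPDU (Ethernet header + 110-byte PDU) for testing."""
    def info(tlv_type, i):
        mac = bytes.fromhex(i.system_id.replace(":", ""))
        return bytes([tlv_type, 20]) + struct.pack(
            INFO_FMT, i.system_priority, mac, i.key, i.port_priority, i.port, i.state)
    pdu = (b"\x01\x01" + info(1, actor) + info(2, partner)
           + bytes([3, 16]) + b"\x00" * 14      # collector TLV, max delay 0
           + b"\x00\x00" + b"\x00" * 50)        # terminator TLV + reserved
    return SLOW_PROTO_MAC + bytes.fromhex(src_mac.replace(":", "")) + LACP_ETHERTYPE + pdu


# Constructed frame 1: a switch port that is active and aggregatable but has
# never heard from its peer (Defaulted set, partner fields all zero).
STALLED = build_lacpdu("00:1c:0e:00:00:01",
                       LacpInfo(32768, "00:1c:0e:00:00:01", 134, 32768, 1, 0x45),
                       LacpInfo(0, "00:00:00:00:00:00", 0, 0, 0, 0x00))
# Constructed frame 2: both sides in sync, collecting and distributing (0x3d).
HEALTHY = build_lacpdu("00:1c:0e:00:00:01",
                       LacpInfo(32768, "00:1c:0e:00:00:01", 134, 32768, 1, 0x3d),
                       LacpInfo(127, "4c:96:14:00:00:aa", 1, 127, 1, 0x3d))

if __name__ == "__main__":
    for name, frame in (("stalled", STALLED), ("healthy", HEALTHY)):
        actor, partner = parse_lacpdu(frame)
        print(name, actor.system_id, "key", actor.key, diagnose(actor, partner))
```

Feed it the bytes of a frame captured on either end of the link; comparing the actor key and system ID each side advertises against what the other side reports as its partner shows immediately whether the two ends are even talking about the same bundle.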

SRX port forwarding clarification


Hi,

 

I am migrating from SSG to SRX: allowing SSH on a non-standard port from the WAN and forwarding it to a machine on the standard port.

 

WAN:nnnn -> 192.168.3.100:22

 

Trying to understand why I need to do something that was posted in 2011 at https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-port-forwarding-translation/m-p/100942. Specifically, the untrust-to-trust policy needs to match the junos-ssh application in addition to my custom one that refers to the non-standard port. Isn't the destination pool host definition enough?

 

Thanks

 

version 12.1X46-D71;

security {
    nat {
        destination {
            pool DNAT-host-SSH-test {
                address 192.168.3.100/32 port 22;
            }
            rule-set DST-NAT {
                from zone untrust;
                rule Rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port nnnn;
                    }
                    then {
                        destination-nat {
                            pool {
                                DNAT-host-SSH-test;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy UNTRUST-to-TRUST-test {
                match {
                    source-address any;
                    destination-address any;
                    application [ SSH-DNAT junos-ssh ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}

applications {
    application SSH-DNAT {
        protocol tcp;
        source-port 1024-65535;
        destination-port nnnn;
    }
}
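The reason the policy has to carry junos-ssh is the order of the SRX first-packet path: destination NAT is applied before the route/zone lookup and the security policy lookup, so the policy is evaluated against the translated header (192.168.3.100:22), where the custom application on port nnnn can never match. The model below is an added example, not the poster's configuration or Junos code; it reproduces that ordering with the post's pool and policy names and uses constructed values (2222 as a stand-in for nnnn, 198.51.100.1 as the SRX's untrust address, and a hard-coded route-to-zone lookup) so it runs offline.

```python
"""Simplified model of SRX first-packet handling: destination NAT first,
then zone determination and policy lookup on the translated packet.
Added example with constructed addresses; not Junos code."""

from dataclasses import dataclass, replace

WAN_PORT = 2222                      # constructed stand-in for the post's "nnnn"
WAN_IP = "198.51.100.1"              # constructed untrust address of the SRX
DNAT_POOL = ("192.168.3.100", 22)    # pool DNAT-host-SSH-test from the post


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    in_zone: str


# Application objects as in the post: custom SSH-DNAT on the WAN port, junos-ssh on 22.
APPLICATIONS = {
    "SSH-DNAT": ("tcp", range(1024, 65536), range(WAN_PORT, WAN_PORT + 1)),
    "junos-ssh": ("tcp", range(0, 65536), range(22, 23)),
}


def apply_dnat(pkt):
    """rule-set DST-NAT from zone untrust: any/any, destination-port nnnn -> pool."""
    if pkt.in_zone == "untrust" and pkt.dst_port == WAN_PORT:
        ip, port = DNAT_POOL
        return replace(pkt, dst_ip=ip, dst_port=port)
    return pkt


def zone_for(ip):
    """Constructed route-to-zone lookup: 192.168.3.0/24 lives in zone trust."""
    return "trust" if ip.startswith("192.168.3.") else "untrust"


def app_matches(name, pkt):
    proto, sports, dports = APPLICATIONS[name]
    return pkt.proto == proto and pkt.src_port in sports and pkt.dst_port in dports


def policy_permits(applications, pkt):
    """policy UNTRUST-to-TRUST-test: from-zone untrust to-zone trust, any/any."""
    if (pkt.in_zone, zone_for(pkt.dst_ip)) != ("untrust", "trust"):
        return False
    return any(app_matches(name, pkt) for name in applications)


def first_packet(pkt, applications):
    """Return (permitted, translated_packet): NAT is applied before the
    policy lookup, so the policy only ever sees the translated header."""
    translated = apply_dnat(pkt)
    return policy_permits(applications, translated), translated


if __name__ == "__main__":
    inbound = Packet("203.0.113.10", WAN_IP, "tcp", 40000, WAN_PORT, "untrust")
    for apps in (["SSH-DNAT"], ["junos-ssh"], ["SSH-DNAT", "junos-ssh"]):
        ok, t = first_packet(inbound, apps)
        print(apps, "->", "permit" if ok else "deny", f"({t.dst_ip}:{t.dst_port})")
```

Running it shows that a policy listing only SSH-DNAT denies the forwarded session while one listing junos-ssh permits it; the SSH-DNAT entry in the policy's application list is redundant, since the destination-port match that selects the WAN port belongs to the NAT rule. A connection aimed at the SRX's own untrust address on port 22 is not translated and is not destined to zone trust, so this policy does not match it either.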

 

SRX VPN Issue- Intermittently Passing Traffic


Hey guys,

 

We recently did an implementation of two SRXs in HA for two locations, an SRX 1500 and a 550, where both devices link back to a Juniper core on which exceptions were made to allow traffic over the devices.

An IPsec VPN was configured on both devices to allow a service to run over the VPN; note the service is up and running and we have access to it using another VPN.

 

Configs in place for the VPN:

UTM

Policy routes

Static routes - all routes defined

 

The problem is that we're only able to access the application intermittently, based on whenever it feels like working. Is there anything that's known to cause an issue within the configurations? I would really like to give more information but I can't.
