
ids screen against tcp port-scan&tcp-sweep, how to check?


Hi,

We have an issue with TCP port scanning and TCP sweeping from several well-known abusive IP addresses.

Such scans lead our SRX cluster to send tons of "RT_FLOW - RT_FLOW_SESSION_DENY / policy deny" events to our syslog server.

As far as I understand, we could use a "screen ids-option" against those attacks in order to drop such packets earlier, before they even reach the security policies.

So I have created this screen:

> show configuration security screen
ids-option untrust-screen {
    tcp {
        port-scan threshold 1000000;
        tcp-sweep threshold 1000000;
    }
}

And attached it to the untrust security zone.
In the statistics I see attack attempts:

> show security screen statistics zone extfw_untrust node primary | except " 0"
node0:
--------------------------------------------------------------------------
Screen statistics:

IDS attack type Statistics
TCP port scan 5601
TCP sweep 20056

{primary:node0}

But I can't see any significant change in the amount of "RT_FLOW - RT_FLOW_SESSION_DENY / policy deny" logs.

Am I missing something?

PS:

Model: SRX345
Junos: 15.1X49-D120.3

SNMP default context


Hi,

This is an add-on to a previous SNMP issue.

As the SRX I am using is ALL VR related, there is no default context as such. All the physical interfaces and logical tunnel interfaces belong to a VR on the system. This also means that there is no inet.0...

With regards to SNMP, I have managed to get information out of the system via PRTG that relates to the particular context. So, for example, the main context is Customer-VR and everything else connects to that context. I use that context for SNMP, and what comes back is the LT interfaces and contexts, but that is it. Nothing else.

I still cannot get the ACTUAL CPU, RAM etc. core information... It always seems to read from the context no matter what I try...

Any ideas on how to read the CPU and the RAM, please?

Services and ALG processed last


Hi all,

A few questions:

Could anyone please explain why services/ALG is the final step (except for installing the session in the slow path) in both the first-path and fast-path processing orders?

After the session is created in the slow path, why does the flow chart go next to the fast-path screens option, rather than to filtering and shaping before egress?

Why is TCP only present in the fast path, and what does this involve?

Lastly, if these devices are stateful, could anyone explain more about why it's written that the filtering happening in the data plane/PFE is stateless?

Many thanks!

Dynamic VPN and Linux client - working solution


As we all know, there has always been a problem connecting Linux clients to the SRX-based dynamic VPN service. For quite some time we tended to ignore this and work with Pulse Secure under Windows VMs. But since Pulse Secure stopped working reliably lately (TSB17441), we needed another solution. Windows boxes manage somehow with the Shrew VPN client, but I thought that if the Shrew client works with plain IPsec, we could use a Linux box without any external client to connect to the SRX (Shrew does have a Linux client, but it doesn't work on new systems).

And so I came up with a solution which works for me. YMMV.

The "server-side" configuration is pretty normal for a dyn-vpn with LDAP authentication:

user@fw# show security ike
proposal Proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}

policy Dyn-vpn-P3 {
    mode aggressive;
    proposals Proposal1;
    pre-shared-key ascii-text "aaaaaa"; ## SECRET-DATA
}

gateway dyn-vpn {
    ike-policy Dyn-vpn-P3;
    dynamic {
        hostname myhostname;
        ike-user-type shared-ike-id;
    }
    external-interface ge-0/0/0.0;
    aaa {
        access-profile vpn-ldap;
    }
}
[edit]

user@fw# show security ipsec
proposal Proposal1 {
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
}

policy dyn-vpn-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals Proposal1;
}
vpn dyn-vpn {
    ike {
        gateway dyn-vpn;
        ipsec-policy dyn-vpn-policy;
    }
}
[edit]

user@fw# show access
profile vpn-ldap {
    authentication-order ldap;
    address-assignment {
        pool VPN-POOL;
    }
    ldap-options {
        base-distinguished-name dc=company,dc=com;
        search {
            search-filter samaccountname=;
            admin-search {
                distinguished-name cn=junvpn,OU=Users,DC=company,DC=com;
                password "password"; ## SECRET-DATA
            }
        }
    }
    ldap-server {
        192.168.100.100;
    }
}

address-assignment {
    pool VPN-POOL {
        family inet {
            network 10.0.10.0/24;
            range POOL1 {
                low 10.0.10.11;
                high 10.0.10.200;
            }
            xauth-attributes {
                primary-dns 192.168.100.101/32;
                secondary-dns 192.168.100.102/32;
            }
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile vpn-ldap;
    }
    web-authentication {
        default-profile vpn-ldap;
    }
}
[edit]

user@fw# show security dynamic-vpn
access-profile vpn-ldap;
clients {
    OFFICE {
        remote-protected-resources {
            172.16.100.0/24;
            10.0.0.0/24;
        }   
        ipsec-vpn dyn-vpn;
        user-groups {
            VPN;
        }   
    }    
}        
[edit]

A few remarks about this config:

  1. I should probably have used stronger algorithms, but I needed to downgrade to have backward compatibility with Shrew on Windows.
  2. The "remote-protected-resources" setting is not important for a plain IPsec connection. It's just used to push configuration via Pulse Secure during the initial WebAPI connection phase. With plain IPsec we need to specify those manually on the client's side.
  3. Of course there are additional firewall policies allowing traffic from the remote to the protected networks, but I didn't paste them here for clarity.
  4. You can go with ike-user-type group-ike-id, but I didn't want to have to specify a different ID per user (I wanted a shared config file that I could distribute among users).

And the setup of Libreswan (on Fedora 29, but one of our users uses Ubuntu 18.04 and seems to have got it working as well) looks like this:

/etc/ipsec.d/client.conf

conn "client"
        ikev2=no
        keyexchange=ike
        ike=aes256-sha256;dh14
        esp=aes256-sha256;dh2
        left=%defaultroute
        leftsubnets=0.0.0.0/0
        leftxauthclient=yes
        leftmodecfgserver=yes
        leftxauthusername=myuser
        right=111.222.333.444
        rightsubnets={ 10.0.0.0/24, 172.16.100.0/16, 192.168.100.0/24 }
        authby=secret
        rightxauthserver=yes
        rightmodecfgclient=yes
        rekey=yes
        leftid=@myhostname
        pfs=yes
        aggrmode=yes
        auto=add
        modecfgpull=yes
        salifetime=60s
        ikelifetime=60s
        vti-interface=yes
        vti-routing=yes
        vti-shared=yes
        mark=-1

And of course we need some secrets. /etc/ipsec.d/client.secrets:

%any 111.222.333.444: PSK "aaaaaa"
@user: XAUTH "Domain Password"

I'm not sure if you can force libreswan to ask for the XAUTH password instead of writing it down in the secrets file.

Hope this helps someone to set up his/her own IPsec connection.
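
As an added example (not part of the original post), a Python check that translates the SRX IKE/IPsec proposals shown above into the libreswan `ike=`/`esp=` syntax and compares them with the conn block, since a proposal or IKE-version mismatch is the usual reason Phase 1 or Phase 2 never comes up. The Junos-to-libreswan algorithm table is my own and deliberately limited to common values; the SRX stanzas and the conn are constructed copies of the post's configuration.

```python
import re

# Constructed from the `show security ike` / `show security ipsec` output in the post.
JUNOS_IKE_PROPOSAL = """
proposal Proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
"""
JUNOS_IPSEC = """
proposal Proposal1 {
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
}
policy dyn-vpn-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals Proposal1;
}
"""
# Constructed from the post's /etc/ipsec.d/client.conf (only the relevant keys).
LIBRESWAN_CONN = """
conn "client"
        ikev2=no
        ike=aes256-sha256;dh14
        esp=aes256-sha256;dh2
        aggrmode=yes
"""

# Junos keyword -> libreswan token. This mapping is mine and deliberately small;
# an unmapped value is reported rather than guessed.
ENC = {"aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
       "3des-cbc": "3des"}
INTEG = {"sha-256": "sha256", "sha1": "sha1", "md5": "md5",
         "hmac-sha-256-128": "sha256", "hmac-sha1-96": "sha1", "hmac-md5-96": "md5"}
DH = {"group2": "dh2", "group5": "dh5", "group14": "dh14", "group19": "dh19",
      "group20": "dh20"}


def junos_value(stanza, keyword):
    """Return the first `keyword value;` in a Junos stanza, or None."""
    m = re.search(rf"^\s*{re.escape(keyword)}\s+(\S+);", stanza, re.M)
    return m.group(1) if m else None


def junos_ike_to_libreswan(stanza):
    """Junos IKE proposal -> libreswan ike= string, e.g. aes256-sha256;dh14."""
    enc = ENC.get(junos_value(stanza, "encryption-algorithm"))
    integ = INTEG.get(junos_value(stanza, "authentication-algorithm"))
    dh = DH.get(junos_value(stanza, "dh-group"))
    return f"{enc}-{integ};{dh}" if enc and integ and dh else None


def junos_ipsec_to_libreswan(stanza):
    """Junos IPsec proposal + PFS group -> libreswan esp= string, e.g. aes256-sha256;dh2."""
    enc = ENC.get(junos_value(stanza, "encryption-algorithm"))
    integ = INTEG.get(junos_value(stanza, "authentication-algorithm"))
    pfs = junos_value(stanza, "keys")          # perfect-forward-secrecy { keys groupN; }
    if not (enc and integ) or (pfs and pfs not in DH):
        return None
    return f"{enc}-{integ};{DH[pfs]}" if pfs else f"{enc}-{integ}"


def libreswan_value(conn, key):
    """Return the value of `key=value` in a libreswan conn block, or None."""
    m = re.search(rf"^\s*{re.escape(key)}=(\S+)", conn, re.M)
    return m.group(1) if m else None


def compare(ike_stanza, ipsec_stanza, conn):
    """List every way the client conn disagrees with what the SRX will accept."""
    problems = []
    expected = {"ike": junos_ike_to_libreswan(ike_stanza),
                "esp": junos_ipsec_to_libreswan(ipsec_stanza)}
    for key, want in expected.items():
        got = libreswan_value(conn, key)
        if want is None:
            problems.append(f"{key}: SRX proposal uses a value this checker cannot map")
        elif got != want:
            problems.append(f"{key}: client has {got!r}, SRX expects {want!r}")
    # `mode aggressive` in the SRX IKE policy is IKEv1 aggressive mode, so the
    # client must not negotiate IKEv2 and must itself use aggressive mode.
    if libreswan_value(conn, "ikev2") != "no":
        problems.append("ikev2: SRX policy is IKEv1 aggressive mode; set ikev2=no")
    if libreswan_value(conn, "aggrmode") != "yes":
        problems.append("aggrmode: SRX policy is IKEv1 aggressive mode; set aggrmode=yes")
    return problems


if __name__ == "__main__":
    for line in compare(JUNOS_IKE_PROPOSAL, JUNOS_IPSEC, LIBRESWAN_CONN) or ["no mismatches"]:
        print(line)
```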

Re: IPSEC tunnel flapping


The same issue just appeared on our boxes a couple of days ago...

Was there a solution?

BR, Christoph

Re: Community FAQ - 2018 Update


Hi everybody,

I have a Juniper SRX240H2 device, with the details as below.

Software Version: JUNOS Software Release [11.4R11.4]
Bios Version: 2.4

Now I would like to monitor it with ManageEngine NetFlow Analyzer (version 9.6). Can anyone help me check whether this is OK? Do I need to upgrade the NetFlow software version or the Juniper firmware?

Please advise.

Dynamic VPN client can't ping some remote-protected-resources


Hi,

I'm experiencing a perplexing Dynamic VPN issue with my SRX running 12.1X46-D71, using the straightforward example at https://www.juniper.net/documentation/en_US/junos12.1x47/topics/example/vpn-security-dynamic-example-configuring.html. Initially the Pulse client returned error 1804 "Connection method doesn't allow concurrent connections", and the SRX on the WAN side wouldn't serve https://<IP>/dynamic-vpn (it redirected to https://<IP>/servererror.php?code=404). The problem was that "system services web-management https" did not contain the untrust interface. After adding the interface I could connect.

 

I have 3 subnets in my trust zone, each on a different VLAN.

vlan.0 (192.168.3.0/24) has

  • router at 192.168.3.254
  • UNIX appliance at 192.168.3.250 (reservation) - ge-0/0/2 (trunk)
  • Windows test box at 192.168.3.100 (DHCP) - ge-0/0/3

vlan.72 (x.y.z.0/24) has

  • router at x.y.z.254

vlan.82 (x.y.a.0/24) has

  • router at x.y.a.254

Once connected as 192.168.4.104, I can ping all 3 subnets' routers. I can ping the UNIX appliance, but I can't ping the Windows machine. I have set vlan.0's entire /24 in remote-protected-resources. If I log in to the SRX, I can ping all resources. When logged into the UNIX appliance, I can ping all resources in vlan.0, but not the routers at vlan.72/vlan.82. I'm not too concerned if hosts in vlan.0 can't ping hosts in vlan.72/vlan.82 at this time. I also noticed that if I attempt to access J-Web through vlan.0's router IP (192.168.3.254), I get the same response as though I'm accessing through the WAN. From the Windows machine I can access J-Web through 192.168.3.254. Displaying the security flow sessions indicates that 192.168.3.100 does get the ICMP, but it's not returned to the VPN client.

It just seems like there is something blocking the packets going from the Windows machine back to the VPN client, but the default trust-to-untrust rule should take care of that, and it also doesn't explain why it works for the UNIX appliance.

Any help greatly appreciated.

# run show dhcp server binding
IP address        Session Id  Hardware address   Expires     State      Interface
192.168.3.100     1           aa:bb:cc:dd:ee:ff  82329       BOUND      vlan.0
192.168.3.250     2           xx:yy:zz:ww:aa:bb  82344       BOUND      vlan.0

# run show security flow session
Session ID: 6396, Policy name: DYN-VPN-policy/6, Timeout: 26, Valid
  In: 192.168.4.104/184 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.100/1 --> 192.168.4.104/184;icmp, If: vlan.0, Pkts: 0, Bytes: 0

Session ID: 6401, Policy name: DYN-VPN-policy/6, Timeout: 36, Valid
  In: 192.168.4.104/185 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.100/1 --> 192.168.4.104/185;icmp, If: vlan.0, Pkts: 0, Bytes: 0

Session ID: 6403, Policy name: DYN-VPN-policy/6, Timeout: 42, Valid
  In: 192.168.4.104/186 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.100/1 --> 192.168.4.104/186;icmp, If: vlan.0, Pkts: 0, Bytes: 0

Session ID: 6406, Policy name: DYN-VPN-policy/6, Timeout: 46, Valid
  In: 192.168.4.104/187 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.100/1 --> 192.168.4.104/187;icmp, If: vlan.0, Pkts: 0, Bytes: 0
 .
 .
Session ID: 6781, Policy name: DYN-VPN-policy/6, Timeout: 2, Valid
  In: 192.168.4.104/198 --> 192.168.3.250/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.250/1 --> 192.168.4.104/198;icmp, If: vlan.0, Pkts: 1, Bytes: 60

Session ID: 6791, Policy name: DYN-VPN-policy/6, Timeout: 2, Valid
  In: 192.168.4.104/199 --> 192.168.3.250/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.250/1 --> 192.168.4.104/199;icmp, If: vlan.0, Pkts: 1, Bytes: 60

Session ID: 6802, Policy name: DYN-VPN-policy/6, Timeout: 4, Valid
  In: 192.168.4.104/200 --> 192.168.3.250/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.250/1 --> 192.168.4.104/200;icmp, If: vlan.0, Pkts: 1, Bytes: 60

Config

system {
    services {
        web-management {
            https {
                pki-local-certificate MY-cert;
                interface [ vlan.0 vlan.82 ge-0/0/0.0 ];
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client {
                    update-server;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-Management vlan-User ];
                }
                native-vlan-id vlan-trust;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.3.254/24;
            }
        }
        unit 72 {
            family inet {
                address x.y.z.254/24;
            }
        }
        unit 82 {
            family inet {
                address x.y.a.254/24;
            }
        }
    }
}
security {
    pki {
        ca-profile SRX {
            ca-identity MYID;
        }
    }
    ike {
        policy IKE-DYN-VPN-policy {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "XXX"; ## SECRET-DATA
        }
        gateway DYN-VPN-local-gw {
            ike-policy IKE-DYN-VPN-policy;
            dynamic {
                hostname DYNvpn;
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            external-interface ge-0/0/0.0;
            xauth access-profile DYN-VPN-access-profile;
        }
    }
    ipsec {
        policy IPSEC-DYN-VPN-policy {
            proposal-set standard;
        }
        vpn DYN-VPN {
            ike {
                gateway DYN-VPN-local-gw;
                ipsec-policy IPSEC-DYN-VPN-policy;
            }
        }
    }
    dynamic-vpn {
        access-profile DYN-VPN-access-profile;
        clients {
            all {
                remote-protected-resources {
                    192.168.3.0/24;
                    x.y.a.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn DYN-VPN;
                user {
                    Client1;
                    Client2;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool DNAT-SSH-test {
                address 192.168.3.100/32 port 22;
            }
            rule-set DST-NAT {
                from zone untrust;
                rule Rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port nnnn;
                    }
                    then {
                        destination-nat {
                            pool {
                                DNAT-SSH-test;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy UNTRUST-to-TRUST-test {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy DYN-VPN-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn DYN-VPN;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address TESThost 192.168.3.100/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.72;
                vlan.82;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            ike;
                            https;
                        }
                    }
                }
            }
        }
    }
}
access {
    profile DYN-VPN-access-profile {
        client Client1 {
            firewall-user {
                password "XXX"; ## SECRET-DATA
            }
        }
        client Client2 {
            firewall-user {
                password "XXX"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool DYN-VPN-address-pool;
        }
    }
    address-assignment {
        pool DefaultPool {
            family inet {
                network 192.168.3.0/24;
                range 1 {
                    low 192.168.3.100;
                    high 192.168.3.199;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                        8.8.8.8;
                    }
                    router {
                        192.168.3.254;
                    }
                }
                host UNIX {
                    hardware-address xx:yy:zz:ww:aa:bb;
                    ip-address 192.168.3.250;
                }
            }
        }
        pool ManagementPool {
            family inet {
                network x.y.a.0/24;
                range 1 {
                    low x.y.a.100;
                    high x.y.a.199;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                        8.8.8.8;
                    }
                    router {
                        x.y.a.254;
                    }
                }
            }
        }
        pool UserPool {
            family inet {
                network x.y.z.0/24;
                range 1 {
                    low x.y.z.100;
                    high x.y.z.199;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                        8.8.8.8;
                    }
                    router {
                        x.y.z.254;
                    }
                }
            }
        }
        pool DYN-VPN-address-pool {
            family inet {
                network 192.168.4.0/24;
                range DYN-VPN-address-range {
                    low 192.168.4.100;
                    high 192.168.4.109;
                }
                xauth-attributes {
                    primary-dns 1.1.1.1/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile DYN-VPN-access-profile;
        }
    }
}
applications {
    application SSH-DNAT {
        protocol tcp;
        source-port 1024-65535;
        destination-port nnnn;
    }
}
vlans {
    vlan-Management {
        vlan-id 82;
        l3-interface vlan.82;
    }
    vlan-User {
        vlan-id 72;
        l3-interface vlan.72;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

SRX650 Destination NAT


Dear Juniper team,

Recently we upgraded from an SSG550M to an SRX650 (due to a motherboard defect, it was sent back for repair). Anyway.

On the SSG550, destination translation went through the VIP, which was great and easy to configure together with RDP and other protocols.

On the SRX650 it's the other way around; the problem is that whatever is configured, it doesn't open any port at all.

I would like to open ports via destination NAT, and it goes this way:

Destination NAT > Destination NAT Pool > Destination Rule Set > Rules in selected rule-set > Address Book > Apply Policy, and nothing.

Can anyone give some advice on what is missing to open a port from internal to public?

security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool Rs1 {
                address 192.168.1.6/32 port 443;
            }
            rule-set R1 {
                from zone Internet;
                rule R2 {
                    match {
                        destination-address 93.109.249.46/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat {
                            pool {
                                Rs1;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone internal to-zone Internet {
            policy All_internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone internal {
            policy PORT443 {
                match {
                    source-address any;
                    destination-address RDP;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone internal {
            address-book {
                address RDP 192.168.1.6/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            tcp-rst;
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
    }
}

This is the CLI I have so far.

Best Regards.


SRX Comparison Small/Branch vs Mid/DataCenter


Hi,

I'm looking for a comparison between SRX branch and high-end, but all I find on the site is like the attachment. I'm planning to use the features FBF, NAT, RPM, IP monitoring and routing on the SRX, since I don't find IP monitoring on the MX.

Thanks

Web auth is not shown


Hi

I am trying to configure pass-through auth with web auth, but the web auth page is not shown.

1. I have already designated an interface for web auth and enabled web-authentication:

[edit interfaces ge-0/0/0]
root# show
unit 0 {
    family inet {
        address 10.3.0.137/24 {
            preferred;
        }
        address 10.3.0.138/24 {
            web-authentication http;
        }
    }
}

2. I've configured the policy:

policy Captive-required {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            firewall-authentication {
                pass-through {
                    access-profile profile1;
                    web-redirect;
                }
            }
        }
        log {
            session-init;
            session-close;
        }
        count;
    }
}

3. My profile is tied to AD. The AD status is now connected.

4. Error page as below: Capture.PNG

Chassis cluster some traffic only seen on secondary / inactive node


Hi!

I have a strange issue.

I have a static NAT rule configured on my chassis cluster. So far so good.

It worked for a couple of months. Today users complain that they cannot connect to the server behind this NAT rule.

set security nat static rule-set static_nat_rule_untrust rule static_nat_rule_test match destination-address 2.2.2.2/32
set security nat static rule-set static_nat_rule_untrust rule static_nat_rule_test match destination-port 60000
set security nat static rule-set static_nat_rule_untrust rule static_nat_rule_test match destination-port to 60050
set security nat static rule-set static_nat_rule_untrust rule static_nat_rule_test then static-nat prefix 192.168.0.1/32
set security nat static rule-set static_nat_rule_untrust rule static_nat_rule_test then static-nat prefix mapped-port 60000
set security nat static rule-set static_nat_rule_untrust rule static_nat_rule_test then static-nat prefix mapped-port to 60050

When I take a look at the security flow, I see that the traffic is only hitting the passive node (node0).

show security flow session source-prefix 46.142.2.219 destination-prefix 2.2.2.2    
node0:
--------------------------------------------------------------------------

Session ID: 242003, Policy name: untrust_nach_pritunl/465, State: Backup, Timeout: 1798, Valid
  In: 46.142.2.219/49746 --> 2.2.2.2/60009;udp, If: reth0.1, Pkts: 0, Bytes: 0
  Out: 192.168.0.1/60009 --> 46.142.2.219/49746;udp, If: reth6.1, Pkts: 0, Bytes: 0
Total sessions: 1

node1:
--------------------------------------------------------------------------
Total sessions: 0

Here's my chassis cluster status:

show chassis cluster status 
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring              
    SP  SPU monitoring              SM  Schedule monitoring
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 3
node0  100      secondary      no      yes      None           
node1  255      primary        no      yes      None           

Redundancy group: 1 , Failover count: 5
node0  100      secondary      no      no       None           
node1  1        primary        no      no       None        

All the other NAT rules (source/destination/static) are working just fine!

Any idea why node1 is not getting any of these packets?

Greetings

Andy
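
As an added example (not from either post), a small Python parser for the `show security flow session` output quoted in this thread and in the "Dynamic VPN client can't ping some remote-protected-resources" thread above: it flags sessions whose In wing carried packets but whose Out wing carried none, and, on a chassis cluster, flows that exist only as State: Backup with no Active copy on any node. The sample outputs are constructed, shortened copies of those two threads' output; matching node copies by the In wing's addresses and protocol is my own choice.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the flow session output in the
# "Dynamic VPN client can't ping" thread (one host answers, one does not).
STANDALONE_OUTPUT = """
Session ID: 6396, Policy name: DYN-VPN-policy/6, Timeout: 26, Valid
  In: 192.168.4.104/184 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.100/1 --> 192.168.4.104/184;icmp, If: vlan.0, Pkts: 0, Bytes: 0

Session ID: 6781, Policy name: DYN-VPN-policy/6, Timeout: 2, Valid
  In: 192.168.4.104/198 --> 192.168.3.250/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.3.250/1 --> 192.168.4.104/198;icmp, If: vlan.0, Pkts: 1, Bytes: 60
"""

# Constructed sample: the chassis cluster output quoted in this thread.
CLUSTER_OUTPUT = """
node0:
--------------------------------------------------------------------------

Session ID: 242003, Policy name: untrust_nach_pritunl/465, State: Backup, Timeout: 1798, Valid
  In: 46.142.2.219/49746 --> 2.2.2.2/60009;udp, If: reth0.1, Pkts: 0, Bytes: 0
  Out: 192.168.0.1/60009 --> 46.142.2.219/49746;udp, If: reth6.1, Pkts: 0, Bytes: 0
Total sessions: 1

node1:
--------------------------------------------------------------------------
Total sessions: 0
"""

SESSION_RE = re.compile(
    r"^Session ID: (\d+), Policy name: (\S+),(?: State: (\w+),)? Timeout: (\d+)")
WING_RE = re.compile(
    r"^\s+(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


@dataclass
class Session:
    node: str                 # "node0"/"node1" on a cluster, "standalone" otherwise
    sid: int
    policy: str
    state: str                # "Active" unless the CLI printed a State: field
    wings: dict = field(default_factory=dict)   # "In"/"Out" -> wing fields


def parse_sessions(text):
    """Parse `show security flow session` output into Session objects."""
    sessions, node, cur = [], "standalone", None
    for line in text.splitlines():
        if re.fullmatch(r"node\d+:", line):
            node = line[:-1]
            continue
        m = SESSION_RE.match(line)
        if m:
            cur = Session(node, int(m.group(1)), m.group(2), m.group(3) or "Active")
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur.wings[m.group(1)] = {
                "src": m.group(2), "dst": m.group(3), "proto": m.group(4),
                "ifl": m.group(5), "pkts": int(m.group(6)), "bytes": int(m.group(7))}
    return sessions


def no_return_traffic(sessions):
    """Active sessions whose In wing carried packets but whose Out wing carried
    none: the responder, or something between it and the SRX, is not answering."""
    return [s for s in sessions
            if s.state == "Active"
            and s.wings.get("In", {}).get("pkts", 0) > 0
            and s.wings.get("Out", {}).get("pkts", 0) == 0]


def flow_key(s):
    """Identify a flow by its In wing so node0/node1 copies can be matched."""
    w = s.wings.get("In", {})
    return (w.get("src"), w.get("dst"), w.get("proto"))


def backup_only(sessions):
    """Cluster sessions that exist only as State: Backup, with no Active copy on
    any node: the flow was synced to the secondary but is never forwarded."""
    active = {flow_key(s) for s in sessions if s.state == "Active"}
    return [s for s in sessions if s.state == "Backup" and flow_key(s) not in active]


if __name__ == "__main__":
    for s in no_return_traffic(parse_sessions(STANDALONE_OUTPUT)):
        print(f"session {s.sid}: no reply from {s.wings['In']['dst']} via {s.wings['Out']['ifl']}")
    for s in backup_only(parse_sessions(CLUSTER_OUTPUT)):
        print(f"session {s.sid} on {s.node}: Backup only, no Active copy on any node")
```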

Site to Site VPN Error


Hi,

I had a site-to-site VPN connection between 2 sites until yesterday. Suddenly today it stopped working. In the FW logs there seems to be no error. On the peer side, the only error is:

"srx240-02a kmd[33482]: IKE Phase-1 Failure: Invalid cookie recvd [spi=^E)?^NM-^@??0, src_ip=<none>, dst_ip=50.208.33.177]"

However, I could not find a solution related to that error message. Everything was working before, but today even the IKE phase seems to be down?

I feel desperate. Has anybody had this issue? Any ideas are appreciated.

Thanks

Error: /kernel: vpls_learn_l2addr(): identical addr and ifl existed: addr 00:50:56:9f:77:a7, ifl 93


We have a Juniper 650 that keeps spitting out the following error:

Juniper650 /kernel: vpls_learn_l2addr(): identical addr and ifl existed: addr 00:50:56:9f:77:a7, ifl 93

This occurs on different MAC addresses and IFLs and is filling our syslog with error messages.

Any ideas?

Thanks.

Pass-through web redirect


Hi

I want to enable web-redirect for user authentication.

All user names are in both LDAP and the local user database.

My problem is: the captive page is shown, but users on AD can't authenticate. Here is my configuration.

set access profile profile1 authentication-order [ ldap password ] 
set access profile profile1 client test firewall-user password "$9$ikPQ1IcevLTzRhcSeK24oJjH"
set access profile profile1 ldap-options base-distinguished-name DC=test,DC=local
set access profile profile1 ldap-options search search-filter sAMAccountName=
set access profile profile1 ldap-options search admin-search distinguished-name CN=ad,CN=users,DC=test,DC=local
set access profile profile1 ldap-options search admin-search password "$9$iHPTQznCpBFnvLXxdVqmf5Qn6/AOBE9AvLxNagGDi"
set access profile profile1 ldap-server x.x.x.x source-address x.x.x.x
set access profile profile1 ldap-server x.x.x.x

set security policies from-zone trust to-zone trust policy Captive match source-address LAN
set security policies from-zone trust to-zone trust policy Captive match destination-address any
set security policies from-zone trust to-zone trust policy Captive match application any
set security policies from-zone trust to-zone trust policy Captive then permit firewall-authentication pass-through access-profile profile1
set security policies from-zone trust to-zone trust policy Captive then permit firewall-authentication pass-through web-redirect

 

Note: Ping to the AD server succeeds, and the lookup user has read-only authorization.

SRX VPN is up but no traffic & VPN to another site is fluctuating


The SRX IPsec VPN between two SRX210 devices is up, but I am not able to ping the remote IP. Each SRX device also has a site-to-site VPN configured to an SSG5; there the traffic goes down after some time.

 

SRX "A" ----> SRX "B" == VPN up, traffic not passing (googled for a solution; it suggested checking policy preference levels, but the "insert" option to move a policy is not working, and from the GUI it is disabled).

 

SRX "A" -----> SSG5 is up and able to reach the remote machine, but it is not stable (192.168.50.x to 192.168.2.x VPN fluctuating).

Please find the attached files.

Here the tunnel is up but there is no traffic; routing is OK.

root@oc-corp-srx> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
487     16.16.14.254   UP     7cebd24dcaa2956f  7822d3ea919f7057  Main         
495     56.16.159.95  UP     1a84af70d59fe007  b2ba53735f91f17c  Main         

root@oc-corp-srx> show security ipsec security-associations
  Total active tunnels: 2
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131074 16.16.14.254  500   ESP:3des/sha1   5f12db89 3126/ unlim   -   root
  >131074 16.16.14.254  500   ESP:3des/sha1   4256a675 3126/ unlim   -   root
  <131073 56.16.159.95 500   ESP:3des/sha1   d22312b6 1105/ unlim   -   root
  >131073 56.16.159.95 500   ESP:3des/sha1   11dbd72c 1105/ unlim   -   root

 

 


Virtual router does not work


Hi,

 

This is the setup i'm trying to achieve:

 

[Screenshot 2018-12-24 17:45:41: topology diagram, image not included]

 

When an attack is detected, the scrubber announces the attacked IP via BGP to the router with:

1. Mask /32

2. BGP community XXXXX:667

3. Next-hop set to the scrubber.

 

The scrubber itself is a Linux based machine with L3 forwarding enabled. It has static routes to customers via eth4.

Here is more detailed scheme when under attack:

 

[Screenshot 2018-12-24 18:05:48: detailed diagram of the path under attack, image not included]

Now, when there is an attack going to the customer having the IP 192.168.17.154, the router has the route 192.168.17.154/32 with next-hop the scrubber via ge-2/0/9.

The packet reaches the scrubber, passes the firewall and exits via the eth4 interface (because there is a static route).

When it enters the ge-2/0/10 interface on the router, it enters a routing instance that has a route 192.168.17.0/24 to the customer vlan.

 

That's how it should work. In real life when the packet comes from the scrubber to the router, it goes back to the scrubber until the TTL expires (although there is no such route 192.168.17.154/32 in the table RI-DDOS-CLEAN.inet.0).

 

Here is the config:

 

# show routing-instances RI-DDOS-CLEAN
instance-type virtual-router;
interface ge-2/0/10.0;
routing-options {
    rib RI-DDOS-CLEAN.inet6.0 {
        static {
            route ::/0 discard;
        }
    }
    static {
        route 0.0.0.0/0 discard;
    }
    instance-import PS-IMPORT-FROM-MAIN-TO-DDOS-CLEAN;
}
# show policy-options policy-statement PS-IMPORT-FROM-MAIN-TO-DDOS-CLEAN
/* Reject all /32 prefixes having the XXXXX:667 community */
term diverted {
    from {
        instance master;
        community CM-DDOS-DIVERT;
    }
    then reject;
}
term ipv4 {
    from {
        instance master;
        route-filter 192.168.17.0/24 upto /32;
    }
    then accept;
}
term other {
    then reject;
}


# show interfaces ge-2/0/9
description "Scrubber - eth5";
unit 0 {
    family inet {
        address 10.10.102.1/24;
    }
}
# show interfaces ge-2/0/10
description "Scrubber - eth4";
unit 0 {
    family inet {
        address 10.10.103.1/24;
    }
}

 

Here are the routes:

 

> show route 192.168.17.154 table inet.0

inet.0: 24604 destinations, 72709 routes (24603 active, 0 holddown, 23785 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.17.154/32  *[BGP/170] 02:12:01, localpref 200, from 10.10.104.2
                      AS path: I, validation-state: unverified
                    > to 10.10.102.2 via ge-2/0/9.0

 

> show route 192.168.17.154 table RI-DDOS-CLEAN.inet.0

RI-DDOS-CLEAN.inet.0: 146 destinations, 146 routes (146 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.17.0/24    *[Direct/0] 01:14:28
                    > via vlan.105

Apparently, even though there is a direct route to 192.168.17.0/24 via vlan.105 in RI-DDOS-CLEAN.inet.0, the router uses the /32 route from the main table.

Can somebody explain why?
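
The following is an added example, not Junos code and not part of the post above: a small Python model of the instance-import policy PS-IMPORT-FROM-MAIN-TO-DDOS-CLEAN and of the per-table longest-prefix lookup. It reproduces the two tables from the `show route` output, picks the lookup table from the ingress interface, and traces a packet through router, scrubber and back. The community literal XXXXX:667, the `upstream` ingress name and the default route in inet.0 are assumptions (the post redacts the ASN and does not show its upstream). The point it shows: with the community attached, the policy's `diverted` term keeps the /32 out of RI-DDOS-CLEAN.inet.0 and the return packet goes to vlan.105; if the same /32 ever reaches the policy without that community, the `ipv4` term's `upto /32` accepts it into the VR and the packet loops until TTL expiry, which is the symptom described.

```python
"""Model of the instance-import policy and per-table route lookup (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DIVERT_COMMUNITY = "XXXXX:667"                       # CM-DDOS-DIVERT in the post (assumed literal)
CUSTOMER_PREFIX = ipaddress.ip_network("192.168.17.0/24")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str                 # egress interface, or "discard"
    instance: str                 # routing instance the route was learned in
    communities: frozenset = frozenset()


def import_from_master(route: Route) -> bool:
    """Evaluate PS-IMPORT-FROM-MAIN-TO-DDOS-CLEAN term by term; first match wins."""
    if route.instance != "master":
        return False                                  # neither accept term matches -> term other
    if DIVERT_COMMUNITY in route.communities:
        return False                                  # term diverted: then reject
    if route.prefix.subnet_of(CUSTOMER_PREFIX):       # route-filter 192.168.17.0/24 upto /32
        return True                                   # term ipv4: then accept
    return False                                      # term other: then reject


def build_ri_table(master: List[Route], ri_local: List[Route]) -> List[Route]:
    """RI-DDOS-CLEAN.inet.0 = its own routes + whatever the import policy lets through."""
    return list(ri_local) + [r for r in master if import_from_master(r)]


def longest_match(table: List[Route], dst: str) -> Optional[Route]:
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


# Constructed tables mirroring the 'show route' output in the post.
DIVERTED_32 = Route(ipaddress.ip_network("192.168.17.154/32"), "ge-2/0/9.0",
                    "master", frozenset({DIVERT_COMMUNITY}))
MASTER = [DIVERTED_32,
          Route(ipaddress.ip_network("0.0.0.0/0"), "upstream", "master")]   # assumed default route
RI_LOCAL = [Route(CUSTOMER_PREFIX, "vlan.105", "RI-DDOS-CLEAN"),
            Route(ipaddress.ip_network("0.0.0.0/0"), "discard", "RI-DDOS-CLEAN")]

# Ingress interface -> table used for the lookup (ge-2/0/10.0 is bound to the VR).
INGRESS_TABLE = {"upstream": "master", "ge-2/0/9.0": "master", "ge-2/0/10.0": "RI-DDOS-CLEAN"}


def forward(ingress: str, dst: str, master=MASTER, ri_local=RI_LOCAL) -> Optional[str]:
    """Next hop chosen for dst when the packet arrives on 'ingress'."""
    tables = {"master": master, "RI-DDOS-CLEAN": build_ri_table(master, ri_local)}
    route = longest_match(tables[INGRESS_TABLE[ingress]], dst)
    return route.next_hop if route else None


def trace(dst: str, master=MASTER, ri_local=RI_LOCAL, ttl: int = 8) -> List[str]:
    """Follow a packet from upstream; the scrubber hands anything sent out
    ge-2/0/9.0 back in on ge-2/0/10.0 (its static route via eth4)."""
    path, ingress = [], "upstream"
    for _ in range(ttl):
        nh = forward(ingress, dst, master, ri_local)
        path.append(nh)
        if nh != "ge-2/0/9.0":
            return path                               # delivered, discarded, or no route
        ingress = "ge-2/0/10.0"
    return path + ["TTL expired"]


if __name__ == "__main__":
    print("tagged /32:  ", trace("192.168.17.154"))
    leaked = Route(DIVERTED_32.prefix, DIVERTED_32.next_hop, "master")   # same /32, no community
    print("untagged /32:", trace("192.168.17.154", master=[leaked, MASTER[1]]))
```

Running the model is a quick way to check which of the two outcomes the configured policy actually produces for a given route; on the real box the equivalent check is `show route 192.168.17.154 table RI-DDOS-CLEAN.inet.0 detail`, which either lists the /32 (leaked) or only the /24, and `show route 192.168.17.154/32 table inet.0 detail` to confirm the community is really attached to the diverted route.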

SRX 240 Cluster over EX switches, ethernet switching not working.


Hi!

I have an SRX240 cluster over EX3200 switches.

My topology:

 

srx-240(node0) ---ex-3200----ISP L2 VPN(q-n-q)-----ex-3200----srx-240(node1)

 

The cluster works fine, except L2 switching.

swfab0 {
    fabric-options {
        member-interfaces {
            ge-0/0/3;
        }
    }
}
swfab1 {
    fabric-options {
        member-interfaces {
            ge-5/0/3;
        }
    }
}

 

show chassis cluster ethernet-switching interfaces
swfab0:

Name Status
ge-0/0/3 up
swfab1:

Name Status
ge-5/0/3 up

{primary:node0}

 

show chassis cluster ethernet-switching status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring

Cluster ID: 1
Node   Priority   Status      Preempt   Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  200        primary     no        no       None
node1  100        secondary   no        no       None

Ethernet switching status:
Probe state is DOWN. Both nodes are in separate ethernet switching domain(s).

 

The swfab interfaces are in a separate VLAN; igmp-snooping is off, lldp is off.

I am losing my mind, please help.

 

 

SRX240 to Asus AP, tag/trunk .

Tagging works, trunk doesn't.

The boxes.....
1 - SRX240B2 junos 11.47x
1 - ASUS RT-AC68u wifi AP

I want to create a trunk and tagging so
that I can use multiple vlans across these.

I understand that a simple setup accepts
different subnets. Trunked.

Example, srx240=192.168.1.1 and,
Asus AP = 192.168.2.2

My question is: can I still trunk and tag with
the default settings of the SRX240? That is,
can I use 192.168.1.x in each device?

1 - srx240 = 192.168.1.1 , vlan2 = 192.168.3.1
2 - Asus AP = 192.168.1.x , vlan2 = 192.168.3.x

The problem is that vlan-id 3, which is vlan-trust, is not your regular vlan1. Any trunks I create do not connect.

If it can be done, which I bet it will, what am I doing wrong?

What can I do to make it trunk using ethernet-switching mode?

I have success with tagging, but not trunking as shown.

ge-0/0/14 {
    flexible-vlan-tagging;
    encapsulation vlan-vpls;
    unit 0 {
        arp-resp;
        vlan-id 0;
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
    unit 1 {
        arp-resp;
        vlan-id 1;
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
    unit 2 {
        arp-resp;
        vlan-id 2;
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
}

This first config passes the traffic, but of course vlan2 has no communication. My setup consists of vlan-trust and an unsuccessful use of vlan2. In the first config the vlan2 traffic passes but won't communicate with vlan2 on the SRX. The internet connects on this config. Vlan-trust does its job for all three VLANs on the AP: VLAN 0, 1 and 2.

The next config doesn't work at all.

ge-0/0/15 {
    unit 0 {
        arp-resp;
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ vlan-trust vlan2 ];
            }
        }
    }
}

I'm avoiding using addresses at the interface.
L3 and ethernet-switching is what I'm using.

VPN stays up for 50 min, goes down for 10 min and comes back up.


Hi, my openvpn VPN stays up for 50 min, goes down for 10 min and comes back after exactly 10 mins, so every hour my openvpn is fluctuating. What could be the issue?

This is between an SRX and an SSG5. I have enabled VPN monitor and rekey, and disabled optimization on the SSG5.

2018-12-27 10:14:53    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 10:06:43    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 09:14:34    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 09:06:22    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 08:14:09    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 08:05:57    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 07:14:06    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 07:03:55    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 06:12:15    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 06:03:54    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 05:11:25    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 05:01:14    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 04:09:02    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 04:00:41    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 03:08:22    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 02:58:11    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 02:05:51    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
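
The script below is an added example and not part of the post above: it parses the `VPN ... is up/down` lines exactly as posted, pairs each state change with the next, and reports how regular the up time, down time and full up-to-up cycle are. The log text is copied from the post; the regex assumes that exact message layout (timestamp, severity, message) and would need adjusting for another syslog format. A timer-driven event such as a lifetime expiry or a scheduled rekey shows up as a near-constant cycle; a flaky link usually does not.

```python
"""Flap-interval analysis of VPN up/down syslog lines (added example)."""
import re
from datetime import datetime
from statistics import mean
from typing import Dict, List, Tuple

# Copied from the post; nothing else on the page is needed to run this.
LOG = """\
2018-12-27 10:14:53    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 10:06:43    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 09:14:34    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 09:06:22    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 08:14:09    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 08:05:57    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 07:14:06    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 07:03:55    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 06:12:15    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 06:03:54    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 05:11:25    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 05:01:14    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 04:09:02    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 04:00:41    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 03:08:22    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
2018-12-27 02:58:11    crit    VPN 'corp-vpn' from 99.35.219.249 is down.
2018-12-27 02:05:51    crit    VPN 'corp-vpn' from 99.35.219.249 is up.
"""

# Assumed message layout: "<date> <time> <severity> VPN '<name>' from <peer> is up|down."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"VPN '(?P<name>[^']+)' from (?P<peer>\S+) is (?P<state>up|down)\.")


def parse_events(text: str) -> List[Tuple[datetime, str]]:
    """(timestamp, state) pairs in chronological order; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["state"]))
    return sorted(events)


def intervals(events: List[Tuple[datetime, str]]) -> Dict[str, List[int]]:
    """Seconds spent up, seconds spent down, and up-to-up cycle length.
    Repeated messages with the same state (two 'up' lines in a row, which a
    retransmitted or duplicated syslog message can produce) keep the first one."""
    up_s, down_s, cycle_s = [], [], []
    last_ts = last_state = last_up = None
    for ts, state in events:
        if state == last_state:
            continue
        if last_state == "up" and state == "down":
            up_s.append(int((ts - last_ts).total_seconds()))
        elif last_state == "down" and state == "up":
            down_s.append(int((ts - last_ts).total_seconds()))
        if state == "up":
            if last_up is not None:
                cycle_s.append(int((ts - last_up).total_seconds()))
            last_up = ts
        last_ts, last_state = ts, state
    return {"up_s": up_s, "down_s": down_s, "cycle_s": cycle_s}


def is_periodic(samples: List[int], tolerance: float = 0.10) -> bool:
    """True when every sample lies within +/- tolerance of the mean."""
    if len(samples) < 3:
        return False
    avg = mean(samples)
    return all(abs(s - avg) <= tolerance * avg for s in samples)


def analyze(text: str = LOG) -> Dict[str, dict]:
    """Summary per interval type: count, min, max, rounded mean, periodicity flag."""
    out = {}
    for key, samples in intervals(parse_events(text)).items():
        if not samples:
            out[key] = {"n": 0}
            continue
        out[key] = {"n": len(samples), "min": min(samples), "max": max(samples),
                    "mean": round(mean(samples)), "periodic": is_periodic(samples)}
    return out


if __name__ == "__main__":
    for key, s in analyze().items():
        print(f"{key:8s} {s}")
```

On the posted data the up time is 3100 to 3149 s and the up-to-up cycle is 3603 to 3751 s, both within a few percent of their mean, while the down time alternates between roughly 8 and 10 minutes. A cycle that sits at one hour is worth comparing with the Phase 2 lifetime on both ends (3600 seconds is the default on both the SRX and the SSG) and with the `Life:sec` column of `show security ipsec security-associations` in the minutes before a `down` event.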

Srx 650 telnet port


Dear Juniper guys,

 

In my previous post I had some problems with port forwarding on the public IP; it's solved. I have managed to open a couple of ports on just one IP.

But, there is always a but...

 

It seems that even though I have opened the ports, I can telnet to them from the internal network of the Juniper but not from the outside network.

 

For example .

 

If I telnet to 45.45.45.45 (the public IP) on port 3389 or 135, which are perfectly bound to the public IP, and I telnet from the internal network, they show as open.

 

If I telnet to those ports from the outside network, they are closed.

 

Probably it's some small issue; I can't find any solution to it.

 

Any help with that will be appreciated.
