Channel: SRX Services Gateway topics

Srx650 static route


Dear Juniper guys,

 

I would like to ask a question about static routes; perhaps someone can help with that.

On our old SSG I could set up two static routes with IP 0.0.0.0 and subnet 0.0.0.0/0 with the next-hop gateway "44.23.43.54" without any problems at all.

Now the problem is with the SRX650: when I try to configure two static routes with IP 0.0.0.0 and subnet 0.0.0.0/0 with different gateways, it gives:

"Static route with 0.0.0.0/0 already exist. Please edit the already present entry."

Can anyone help with that?

 

Best Regards.


Dynamic VPN access to multiple vpn sites


Hello Community,

I'm wondering if it's possible for dynamic VPN clients (Pulse Secure) to access different VPN sites.

I have two VPN sites: site A (172.20.0.0/16) and site B (192.168.2.0/24), both connected using policy-based VPN. VPN clients access site A using Pulse Secure (through a Juniper SRX300); however, they cannot access VPN site B. I added protected resources for both site A and site B in the dynamic VPN configuration. I have only two security zones in my Juniper box (internal and internet).

I would like to know if it's possible (technically) and/or how to do it?

Many Thanks

srx100b - traffic dropping


Hi, I've installed an SRX100b in my house; its sole purpose is to provide rate limiting (as my wifi router cannot provide it).

It's a very simple SRX config (as below). Currently the rate limit policy is disabled whilst I troubleshoot; downloads and streaming all start normally but then drop after about 30 seconds... a download will never get beyond 8mb. The SRX is 192.168.1.254 (VLAN1); all traffic is arriving on VLAN1 fe-0/0/0 from 192.168.1.253, which is the upstream wifi router. The default route on the SRX is 192.168.1.1, which is my broadband router.

If you bypass the SRX by setting the client default gateway to 192.168.1.1 there is no issue; any ideas greatly received.

 

## Last changed: 2018-12-29 00:24:54 GMT
version 12.1X46-D77.1;
system {
    host-name mysrx;
    time-zone GMT;
    root-authentication {
        encrypted-password "****";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        user Jon {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "****";
            }
        }
    }
    services {
        ssh {
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        web-management {
            http {
                interface vlan.1;
            }
            https {
                system-generated-certificate;
                interface vlan.1;
            }
            session {
                idle-timeout 60;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server time.google.com prefer;
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    vlan {
        unit 1 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}
protocols {
    stp;
}
security {
    screen {
        inactive: ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        global {
            policy default {
                description "allow any";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone Internal {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        inactive: filter output-limit {
            term 1 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                }
                then {
                    policer policer-4mb;
                    accept;
                }
            }
        }
    }
    policer policer-4mb {
        if-exceeding {
            bandwidth-limit 4m;
            burst-size-limit 625k;
        }
        then discard;
    }
}
vlans {
    vlan1 {
        vlan-id 3;
        l3-interface vlan.1;
    }
}


srx to srx site-site vpn is up but no traffic


On the SRX-SRX tunnel if this is a route based tunnel using st0.x interfaces please confirm that a route to the remote site is installed on both sides pointing to the tunnel.

I checked the below URL and noted the issue at level 7. How do I check and change the policy order? I don't have web UI access to it. Can anyone tell me how to check and change the order? The #insert option is giving me errors.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093&actp=METADATA

Dynamic/Client VPN - Cannot log in.


Hi there,

I have setup a client to site vpn on an SRX 210:

Model: srx210be
JUNOS Software Release [12.1X46-D76]

 

I am using Pulse as the client application. When checking the messages log I see this:

 

Dec 30 00:07:56  SRX httpd-gk: DYNAMIC_VPN_AUTH_FAIL: Username/password and token are NULL
Dec 30 00:08:17  SRX httpd-gk: DYNAMIC_VPN_LICENSE_CHECK_OK: Dynamic VPN license check succeed for user jack
Dec 30 00:08:17  SRX httpd-gk: DYNAMIC_VPN_AUTH_OK: user jack with remote IP 192.168.1.125 authenticated successfully.
Dec 30 00:08:17  SRX httpd-gk: DYNAMIC_VPN_AUTH_OK: user jack with remote IP 192.168.1.125 authenticated successfully.
Dec 30 00:09:38  SRX httpd-gk: DYNAMIC_VPN_AUTH_FAIL: Username/password and token are NULL
Dec 30 00:09:52  SRX httpd-gk: DYNAMIC_VPN_LICENSE_CHECK_OK: Dynamic VPN license check succeed for user conor
Dec 30 00:09:52  SRX httpd-gk: DYNAMIC_VPN_AUTH_OK: user conor with remote IP 172.16.10.5 authenticated successfully.
Dec 30 00:09:52  SRX httpd-gk: DYNAMIC_VPN_AUTH_OK: user conor with remote IP 172.16.10.5 authenticated successfully.

Attached is my config; please suggest where I am going wrong or what I am missing here. My VPN gateway IP is actually NATed from the 192.168.1.0/24 subnet on a router, but I can ping this and the initial connection seems to work fine.

 

Thanks.

 

SRX240 Config


I have acquired an SRX240. I have reset it by using "request system zeroize media". I did this because it was used and it would not let me use the web management. I can connect using the CLI, but not the GUI. The version is 11.4R5. I would like to be able to access this through the GUI. I have been on this for a few days. It's fun and I am learning a lot; I use the older NetScreen line. I could use some help. Any ideas? It does not give an IP address, and when I do a manual config I still cannot connect or ping it. I am plugging it into port 0/1. I know port 0/0 is for the outside, untrust.

 

## Last commit: 2018-12-30 01:27:16 UTC by root
version 11.4R5.5;
system {
    root-authentication {
        encrypted-password "$1$zPQpyY6i$ba1U.0T8PStnWdluzcLz30"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

A common basic trunk/tag setup

Can someone show me in full the code needed to trunk a switch? I'm having trouble with trunks on my SRX240s. This is SRX240 to Avaya or BayStack. The code for the trunk tag requirements only, not the rest of the config. My trunks do not seem to pass any traffic. I live in a hostile environment, is my guess, but I'm green on the SRX too.

VLAN 1 and VLAN 2 are the need...

Preferably with a full VLAN 2. Secondary would be setting an address on the interface in question, but both examples are fine.

SRX340 ADSL support


SRX300 ADSL


A slightly more pertinent question than my last one....

 

Is there a way of configuring ADSL on an SRX300? I ask because I'm struggling to find the right documentation for this.

 

According to the following kb article, it appears to be no longer supported?

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15737

 

It may be that we can use an older version of software that will allow this?

CoS at Layer 2


Hi,

 

I have CoS at Layer 3 working perfectly. However, I now have a scenario where I need to configure CoS for Layer 2.

 

I am at the point where I have configured the firewall filters and applied them to the VLAN interface (Layer 2) but cannot commit due to it not knowing where the scheduler-map is, even though it is configured with the correct interface.

 

Any pointers on some great documents for configuring CoS for layer 2?

 

Thanks

Site to Site Vpn is not stable


Hi, we have SRX devices on both sides:

Local: 50.208.33.177 <->   Remote: 64.13.163.35

During the day the VPN goes down a few times. We have a few site-to-site VPNs, but just this one goes down every day.

When I check:

>> show security ike security-associations

the state shows as DOWN:

Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2853423 DOWN   8ad07f60fc6c2500  ccc8ba940b4cf03e  Any            104.196.42.142     
2853427 DOWN   edd10fce18408325  25379263dc240f3a  Any            104.196.42.142  
2853421 DOWN   7d9ee01a946476dc  4c8fb92a02fd9ceb  Any            104.196.42.142 
2849279 UP     94651e0d5a9d7d86  972a87d367a9e54a  Main           104.239.188.167 
2853387 UP     8d2418279585930e  2282d9643421dc8d  Main           64.13.163.35    

 

Here are the logs from both sides:

Remote Site SRX logs:

Jan  3 18:37:31  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:38:24  srx240-02a kmd[33482]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=M-^M$^X'M-^UM-^EM-^S^N"M-^B?d4!?M-^M, src_ip=<none>, dst_ip=50.208.33.177]
Jan  3 18:38:34  srx240-02a kmd[33482]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=M-^M$^X'M-^UM-^EM-^S^N"M-^B?d4!?M-^M, src_ip=<none>, dst_ip=50.208.33.177]
Jan  3 18:38:34  srx240-02a kmd[33482]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=21d29865, src_ip=64.13.163.35, dst_ip=50.208.33.177]
Jan  3 18:38:34  srx240-02a kmd[33482]: IKE Phase-2: Negotiations failed. Local gateway: 64.13.163.35, Remote gateway: 50.208.33.177
Jan  3 18:39:21  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:39:26  srx240-02a kmd[33482]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=M-^M$^X'M-^UM-^EM-^S^N"M-^B?d4!?M-^M, src_ip=<none>, dst_ip=50.208.33.177]
Jan  3 18:39:36  srx240-02a kmd[33482]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=M-^M$^X'M-^UM-^EM-^S^N"M-^B?d4!?M-^M, src_ip=<none>, dst_ip=50.208.33.177]
Jan  3 18:39:36  srx240-02a kmd[33482]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=a6ef2584, src_ip=64.13.163.35, dst_ip=50.208.33.177]
Jan  3 18:39:36  srx240-02a kmd[33482]: IKE Phase-2: Negotiations failed. Local gateway: 64.13.163.35, Remote gateway: 50.208.33.177
Jan  3 18:40:29  srx240-02a kmd[33482]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=M-^M$^X'M-^UM-^EM-^S^N"M-^B?d4!?M-^M, src_ip=<none>, dst_ip=50.208.33.177]
Jan  3 18:40:39  srx240-02a kmd[33482]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=M-^M$^X'M-^UM-^EM-^S^N"M-^B?d4!?M-^M, src_ip=<none>, dst_ip=50.208.33.177]
Jan  3 18:40:39  srx240-02a kmd[33482]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=6e368fc4, src_ip=64.13.163.35, dst_ip=50.208.33.177]
Jan  3 18:40:39  srx240-02a kmd[33482]: IKE Phase-2: Negotiations failed. Local gateway: 64.13.163.35, Remote gateway: 50.208.33.177
Jan  3 18:41:11  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:43:02  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:44:52  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:46:42  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:48:32  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:48:32  srx240-02a kmd[33482]: IKE Phase-1: (Initiator) The symmetric crypto key has been generated successfully [local_ip=64.13.163.35, local_port=500, remote_ip=50.208.33.177, remote_port=500]
Jan  3 18:48:32  srx240-02a kmd[33482]: IKE Phase-1: Negotiation completed; SA expires on Fri Jan 04 2019 18:48:32 { 701272be 02fb954f - b0a532b3 92687e2a } - [local_id=64.13.163.35, local_ip=64.13.163.35, local_port=500, remote_id=50.208.33.177, remote_ip=50.208.33.177, remote_port=500, Exchange Mode:main]
Jan  3 18:48:32  srx240-02a kmd[33482]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is up.
Jan  3 18:48:32  srx240-02a kmd[33482]: KMD_PM_SA_ESTABLISHED: Local gateway: 64.13.163.35, Remote gateway: 50.208.33.177, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0xa8748b89, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jan  3 18:48:32  srx240-02a kmd[33482]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:12 and lifetime 28196 seconds/0 KB - Local gateway: 64.13.163.35, Remote gateway: 50.208.33.177, Local Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha256, Encryption algo: 3des-cbc, Direction: inbound, SPI: a8748b89, AUX-SPI: 0, Type: dynamic
Jan  3 18:48:32  srx240-02a kmd[33482]: KMD_PM_SA_ESTABLISHED: Local gateway: 64.13.163.35, Remote gateway: 50.208.33.177, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x4ce1aa51, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jan  3 18:48:32  srx240-02a kmd[33482]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:12 and lifetime 28196 seconds/0 KB - Local gateway: 64.13.163.35, Remote gateway: 50.208.33.177, Local Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha256, Encryption algo: 3des-cbc, Direction: outbound, SPI: 4ce1aa51, AUX-SPI: 0, Type: dynamic
Jan  3 18:48:32  srx240-02a kmd[33482]: IKE Phase-2: (Initiator) The symmetric crypto key has been generated successfully [local_ip=64.13.163.35, local_port=500, remote_ip=50.208.33.177, remote_port=500]

 

LOCAL Side SRX logs:

Jan  3 16:52:29  srx240-01 kmd[1447]: KMD_VPN_DOWN_ALARM_USER: VPN svcolo from 64.13.163.35 is down. Local-ip: 50.208.33.177, gateway name: gw_svcolo, vpn name: svcolo, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 50.208.33.177, Remote IKE-ID: 64.13.163.35, XAUTH username: Not-Applicable, VR id: 0
Jan  3 16:56:07  srx240-01 kmd[1447]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jan  3 16:56:37  srx240-01 kmd[1447]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jan  3 16:57:07  srx240-01 kmd[1447]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jan  3 16:57:39  srx240-01 kmd[1447]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jan  3 16:58:09  srx240-01 kmd[1447]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jan  3 16:58:39  srx240-01 kmd[1447]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jan  3 16:59:11  srx240-01 kmd[1447]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

 

Has anybody had an issue like this, or any idea about it?

 

Thanks
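As an added example (not code from the post or from Juniper), a Python script that turns kmd lines like the ones quoted above into per-peer outage windows, a Phase-1 retry-failure count and a list of weak algorithms negotiated at Phase-2 (the 3des-cbc the log shows). The sample lines are a trimmed copy of the remote-site log, with the unprintable spi bytes replaced; the year is assumed from the SA-expiry line.

```python
"""Summarise Junos kmd IKE/IPsec log lines: per-peer outage windows,
Phase-1 retry failures and the algorithms negotiated at Phase-2."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a trimmed copy of the remote-site kmd lines quoted in
# the post above; the unprintable spi bytes are replaced by <garbled>.
SAMPLE_LOG = """\
Jan  3 18:37:31  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:38:24  srx240-02a kmd[33482]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=<garbled>, src_ip=<none>, dst_ip=50.208.33.177]
Jan  3 18:38:34  srx240-02a kmd[33482]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=<garbled>, src_ip=<none>, dst_ip=50.208.33.177]
Jan  3 18:38:34  srx240-02a kmd[33482]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=21d29865, src_ip=64.13.163.35, dst_ip=50.208.33.177]
Jan  3 18:39:21  srx240-02a kmd[33482]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is down.
Jan  3 18:48:32  srx240-02a kmd[33482]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-hq_0012_0015_0000 from 50.208.33.177 is up.
Jan  3 18:48:32  srx240-02a kmd[33482]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:12 and lifetime 28196 seconds/0 KB - Local gateway: 64.13.163.35, Remote gateway: 50.208.33.177, Local Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha256, Encryption algo: 3des-cbc, Direction: inbound, SPI: a8748b89, AUX-SPI: 0, Type: dynamic
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+\S+ kmd\[\d+\]: (?P<msg>.*)$")
ALARM_RE = re.compile(r"KMD_VPN_(?P<state>UP|DOWN)_ALARM_USER: VPN (?P<vpn>\S+) from (?P<peer>\S+) is")
P2_DONE_RE = re.compile(r"IKE Phase-2: Completed negotiations.*?Remote gateway: (?P<peer>[^,]+),"
                        r".*?Auth algo: (?P<auth>[^,]+), Encryption algo: (?P<enc>[^,]+),")

# Algorithms a defender should not accept on a long-lived site-to-site SA:
# 3DES is subject to the Sweet32 birthday attack, MD5 is a broken hash.
WEAK_ENC = {"des-cbc", "3des-cbc"}
WEAK_AUTH = {"md5", "hmac-md5-96"}


def parse_kmd(text, year=2019):
    """Return [(timestamp, message)] for kmd lines; the syslog timestamp has
    no year, so one is assumed (the post's SA-expiry line says 2019)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["msg"]))
    return events


def summarize(events):
    """Per peer: VPN name, DOWN-alarm count, outage lengths (seconds between
    the first DOWN alarm and the next UP alarm) and any weak algorithms."""
    peers = defaultdict(lambda: {"vpn": None, "down_alarms": 0,
                                 "outages_s": [], "weak_algos": []})
    open_since = {}      # peer -> timestamp of the first DOWN alarm of an outage
    phase1_failures = 0
    for ts, msg in events:
        if "IKE Phase-1 Failure" in msg:
            phase1_failures += 1
            continue
        a = ALARM_RE.search(msg)
        if a:
            p = peers[a["peer"]]
            p["vpn"] = a["vpn"]
            if a["state"] == "DOWN":
                p["down_alarms"] += 1
                open_since.setdefault(a["peer"], ts)   # keep the earliest DOWN
            elif a["peer"] in open_since:
                gap = ts - open_since.pop(a["peer"])
                p["outages_s"].append(int(gap.total_seconds()))
            continue
        d = P2_DONE_RE.search(msg)
        if d:
            p = peers[d["peer"]]
            for algo, weak in ((d["enc"], WEAK_ENC), (d["auth"], WEAK_AUTH)):
                if algo in weak and algo not in p["weak_algos"]:
                    p["weak_algos"].append(algo)
    return {"phase1_failures": phase1_failures, "peers": dict(peers)}


if __name__ == "__main__":
    report = summarize(parse_kmd(SAMPLE_LOG))
    print(f"Phase-1 retry-limit failures: {report['phase1_failures']}")
    for peer, info in report["peers"].items():
        print(f"{peer} ({info['vpn']}): {info['down_alarms']} DOWN alarms, "
              f"outages {info['outages_s']} s, weak algos {info['weak_algos']}")
```

Feeding the full log of both sides through it gives one outage per DOWN/UP pair and a running count of retry-limit failures, which is the kind of number worth alerting on rather than eyeballing the raw kmd lines.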


Another CoS Question


Hi,

 

Another CoS question...... Given that in our scenario we cannot utilise ieee-802.1 because it is an access interface, I have changed the configuration to be the below:

 

CPE (192.168.1.2/30) --> ge-0/0/1 (192.168.1.1/30) SRX340 irb.10 (10.10.10.2/30) ge-0/0/15 (dot1q) --> MX 10.10.10.1/30

 

All routing works fine and I can access the internet from a laptop attached to the CPE.

So, I apply all of my CoS, as I have on the MX and assign the firewall filter to the ge-0/0/1 interface on the SRX340. All good, configuration accepted as I knew it would be.

 

I have come across the following problem with testing though.


To confirm the traffic is going to the correct queue, we have to look at the interface stats on the egress interface. In my case this is ge-0/0/15. However, the queues all show up as zero bytes even though everything works.

 

Am I right in thinking that the following command:

 

run show interface ge-0/0/15 extensive

 

Will NOT show any stats because it is a trunk interface (no layer 3). I have 2 VLANs and they are linked to internal irb interfaces. If I look at the output from the IRB interfaces there are no queue counters at all.....

 

Here are the questions:

 

1: Is it possible to view queue counters on an irb interface?

2: If the answer to question 1 is "no", how can I view the queue counters on the dot1q trunk interface? Or can't I?

 

I know the configuration should work, as it is the same as on the MX and that works fine. The only difference here is the trunk layer 2 interface.

GTP tunnel timeout doubt

Historical hits of the policies


Hi,

 

Is there any way to get the firewall policy name or policy details for policies which have not had a hit in the last one week / one month / three month time period?

We are looking for the historical hits of the policy.

 

Regards,

Vengatesh SR

VPN issue IPSec site-to-site


Hello everybody,

I have two DC sites, DC-A and DC-B, with branch offices: an ISG2000 at DC-A and an SRX1500 at DC-B, with route-based IPsec site-to-site VPNs between the branch offices and the DCs. At the branch offices I have SRX320s.

Recently one of the sites has been deployed with a WAN link by the ISP. DC-A isn't reachable at all via the peer IP, but DC-B is. On the branch side SRX320, I checked the VPN status and found the following:

 

SRX320-branch> show security ipsec security-associations

VPN shows UP with DC-A 

no SA stats for DC-B

 

It's kind of weird, as there is no peer IP reachability with DC-A and it still shows SA stats, even after I clear the SAs.

No SA/IKE stats for DC-B (reachable via peer IP).

 

Branch SRX320 (10.50.66.45)  ---------------WAN IP pingable-----------------------> 172.16.2.1 (SRX1500 DC-B)

Branch SRX320 (10.50.66.45) ---------------WAN ip ping failure------------------------> 10.50.40.1 (ISG2000 DC-A)

 

One of the things I am doubtful about is the IKE port; maybe it is blocked by the ISP. Please help.

2 vpns issue


When I only configure one IPsec VPN it works fine. But when I configure a second, the first VPN stops passing ping while the second VPN passes pings fine. (srx300 to srx210 ...

st0.0 & st0.2 are tunnels, ge-0/0/0 is the external interface... routes are good.

 

Renumbering constant in SRX3600


Hi everyone

 

I have two SRX3600s and an HA environment is desired, but they have xe interfaces (xe-1/0/0 in node 0). What is the renumbering constant for the same interface on node 1?

 

thanks in advance

Loopback in Security zone on SRX


Hi everybody

Please consider the following example:

Case:1

PC--199.199.199.10-----199.199.199.1 F1 SRX

F1: Zone A, host inbound ssh

Lo0:0 1.1.1.1 , Zone B host inbound ssh

 

I observed following:

1) In order for the PC to be able to SSH in using lo0 (1.1.1.1), we need to define a policy to allow such traffic. Even though this is not transit traffic, as it is destined to the SRX, the PC is not able to SSH using lo0 unless we have a policy to allow SSH traffic.

Is it expected behavior?

 

Case :2

PC--199.199.199.10-----199.199.199.1 F1 SRX

F1: Zone A, host inbound ssh

Lo0:0 1.1.1.1 ,  management zone ( functional zone) host inbound ssh

 

We cannot use the management zone in security policies. Should we still be able to SSH into the SRX using 1.1.1.1 from the PC?

I understand the whole point of using the management zone is to use a physical port for MGMT access, as the branch SRX does not have a dedicated MGMT port.

 

Appreciated and have a good day!!


VPN Site-to-Site with multiple subnets


Hi All,

 

We are connecting to our remote office via a site-to-site VPN tunnel.

It is working properly without any problem.

 

Right now, the local office wants to access other subnets on the remote office.

I configured the setting by using proxy identity.

 

existing VPN

192.168.96.0/20  (NS)  ----VPN----  (SRX)  192.168.0.0/20

New 

192.168.96.0/20  (NS)  ----VPN----  (SRX)   172.16.24.128/25

 

However, after applying the new setting, only one VPN can be up at a time.

Could someone let me know how to make both up?

 

Cheers,

Kay

Juniper SRX IDP and UTM AV (Sophos) Syslog Failed Update Message for Pro-active Alerting


We have 14+ Juniper SRX300 firewalls set up to send traffic and IDP/UTM alerts to a syslog collection server so we can do alerting and proactive detection of issues. The SRX300 firewalls are set up to check every 24 hours for IDP security package updates and UTM Sophos Anti-Virus updates.

As we have all the traffic and IDP events being sent to a syslog server, we have the ability to create alerts based upon text strings when issues occur. I want to set up an alert on the syslog server to alert when a Juniper SRX fails to update its IDP and Sophos AV security updates successfully.

Does anyone know if there's a particular string, keywords or example event that would be generated by an SRX300 running 15.1X49-D45 when the IDP security package fails to update and install successfully, and when a UTM Sophos AV update package fails to update or install correctly?

This will allow creation of an alert when the IDP and UTM AV updates fail. I assume there will need to be a different string/event for the failed IDP update versus the UTM AV update failure.
